2015-05-11 06:08:28 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3() {
|
|
|
|
|
logit "\n"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3="3"
|
|
|
|
|
desc_3="Docker daemon configuration files"
|
|
|
|
|
check_3="$id_3 - $desc_3"
|
|
|
|
|
info "$check_3"
|
|
|
|
|
startsectionjson "$id_3" "$desc_3"
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
|
|
|
|
# 3.1
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_1() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_1="3.1"
|
|
|
|
|
desc_3_1="Ensure that docker.service file ownership is set to root:root"
|
|
|
|
|
check_3_1="$id_3_1 - $desc_3_1"
|
|
|
|
|
starttestjson "$id_3_1" "$desc_3_1"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="$(get_systemd_service_file docker.service)"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
|
|
|
|
|
pass "$check_3_1"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_1"
|
|
|
|
|
warn " * Wrong ownership for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_1"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
|
|
|
|
# 3.2
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_2() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_2="3.2"
|
2019-08-27 15:13:19 +02:00
|
|
|
desc_3_2="Ensure that docker.service file permissions are appropriately set"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
check_3_2="$id_3_2 - $desc_3_2"
|
|
|
|
|
starttestjson "$id_3_2" "$desc_3_2"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="$(get_systemd_service_file docker.service)"
|
|
|
|
|
if [ -f "$file" ]; then
|
2018-11-01 10:24:36 +01:00
|
|
|
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
pass "$check_3_2"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_2"
|
|
|
|
|
warn " * Wrong permissions for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_2"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
|
|
|
|
# 3.3
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_3() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_3="3.3"
|
|
|
|
|
desc_3_3="Ensure that docker.socket file ownership is set to root:root"
|
|
|
|
|
check_3_3="$id_3_3 - $desc_3_3"
|
|
|
|
|
starttestjson "$id_3_3" "$desc_3_3"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="$(get_systemd_service_file docker.socket)"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
|
|
|
|
|
pass "$check_3_3"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_3"
|
|
|
|
|
warn " * Wrong ownership for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_3"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
|
|
|
|
# 3.4
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_4() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_4="3.4"
|
|
|
|
|
desc_3_4="Ensure that docker.socket file permissions are set to 644 or more restrictive"
|
|
|
|
|
check_3_4="$id_3_4 - $desc_3_4"
|
|
|
|
|
starttestjson "$id_3_4" "$desc_3_4"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="$(get_systemd_service_file docker.socket)"
|
|
|
|
|
if [ -f "$file" ]; then
|
2018-11-01 10:24:36 +01:00
|
|
|
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
pass "$check_3_4"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_4"
|
|
|
|
|
warn " * Wrong permissions for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_4"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
|
|
|
|
# 3.5
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_5() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_5="3.5"
|
|
|
|
|
desc_3_5="Ensure that /etc/docker directory ownership is set to root:root"
|
|
|
|
|
check_3_5="$id_3_5 - $desc_3_5"
|
|
|
|
|
starttestjson "$id_3_5" "$desc_3_5"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
directory="/etc/docker"
|
|
|
|
|
if [ -d "$directory" ]; then
|
|
|
|
|
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
|
|
|
|
|
pass "$check_3_5"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_5"
|
|
|
|
|
warn " * Wrong ownership for $directory"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $directory"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_5"
|
|
|
|
|
info " * Directory not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "Directory not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.6
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_6() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_6="3.6"
|
|
|
|
|
desc_3_6="Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
|
|
|
|
|
check_3_6="$id_3_6 - $desc_3_6"
|
|
|
|
|
starttestjson "$id_3_6" "$desc_3_6"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
directory="/etc/docker"
|
|
|
|
|
if [ -d "$directory" ]; then
|
2018-11-01 10:24:36 +01:00
|
|
|
if [ "$(stat -c %a $directory)" -eq 755 ] || [ "$(stat -c %a $directory)" -eq 700 ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
pass "$check_3_6"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_6"
|
|
|
|
|
warn " * Wrong permissions for $directory"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $directory"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_6"
|
|
|
|
|
info " * Directory not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "Directory not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.7
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_7() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_7="3.7"
|
|
|
|
|
desc_3_7="Ensure that registry certificate file ownership is set to root:root"
|
|
|
|
|
check_3_7="$id_3_7 - $desc_3_7"
|
|
|
|
|
starttestjson "$id_3_7" "$desc_3_7"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
directory="/etc/docker/certs.d/"
|
|
|
|
|
if [ -d "$directory" ]; then
|
|
|
|
|
fail=0
|
|
|
|
|
owners=$(find "$directory" -type f -name '*.crt')
|
|
|
|
|
for p in $owners; do
|
|
|
|
|
if [ "$(stat -c %u $p)" -ne 0 ]; then
|
|
|
|
|
fail=1
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
if [ $fail -eq 1 ]; then
|
|
|
|
|
warn "$check_3_7"
|
|
|
|
|
warn " * Wrong ownership for $directory"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $directory"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
else
|
|
|
|
|
pass "$check_3_7"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
|
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_7"
|
|
|
|
|
info " * Directory not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "Directory not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.8
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_8() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_8="3.8"
|
|
|
|
|
desc_3_8="Ensure that registry certificate file permissions are set to 444 or more restrictive"
|
|
|
|
|
check_3_8="$id_3_8 - $desc_3_8"
|
|
|
|
|
starttestjson "$id_3_8" "$desc_3_8"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
directory="/etc/docker/certs.d/"
|
|
|
|
|
if [ -d "$directory" ]; then
|
|
|
|
|
fail=0
|
|
|
|
|
perms=$(find "$directory" -type f -name '*.crt')
|
|
|
|
|
for p in $perms; do
|
2018-11-01 10:24:36 +01:00
|
|
|
if [ "$(stat -c %a $p)" -ne 444 ] && [ "$(stat -c %a $p)" -ne 400 ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
fail=1
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
if [ $fail -eq 1 ]; then
|
|
|
|
|
warn "$check_3_8"
|
|
|
|
|
warn " * Wrong permissions for $directory"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $directory"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
else
|
|
|
|
|
pass "$check_3_8"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
|
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_8"
|
|
|
|
|
info " * Directory not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "Directory not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.9
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_9() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_9="3.9"
|
|
|
|
|
desc_3_9="Ensure that TLS CA certificate file ownership is set to root:root"
|
|
|
|
|
check_3_9="$id_3_9 - $desc_3_9"
|
|
|
|
|
starttestjson "$id_3_9" "$desc_3_9"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
|
|
|
|
|
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ -f "$tlscacert" ]; then
|
|
|
|
|
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
|
|
|
|
|
pass "$check_3_9"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_9"
|
|
|
|
|
warn " * Wrong ownership for $tlscacert"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $tlscacert"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
info "$check_3_9"
|
|
|
|
|
info " * No TLS CA certificate found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "No TLS CA certificate found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
fi
|
|
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.10
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_10() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_10="3.10"
|
|
|
|
|
desc_3_10="Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
|
|
|
|
|
check_3_10="$id_3_10 - $desc_3_10"
|
|
|
|
|
starttestjson "$id_3_10" "$desc_3_10"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
|
|
|
|
|
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
|
|
|
|
|
else
|
|
|
|
|
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
|
|
|
|
fi
|
|
|
|
|
if [ -f "$tlscacert" ]; then
|
2018-11-01 10:24:36 +01:00
|
|
|
if [ "$(stat -c %a $tlscacert)" -eq 444 ] || [ "$(stat -c %a $tlscacert)" -eq 400 ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
pass "$check_3_10"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_10"
|
|
|
|
|
warn " * Wrong permissions for $tlscacert"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $tlscacert"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_10"
|
|
|
|
|
info " * No TLS CA certificate found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "No TLS CA certificate found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.11
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_11() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_11="3.11"
|
|
|
|
|
desc_3_11="Ensure that Docker server certificate file ownership is set to root:root"
|
|
|
|
|
check_3_11="$id_3_11 - $desc_3_11"
|
|
|
|
|
starttestjson "$id_3_11" "$desc_3_11"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
|
|
|
|
|
tlscert=$(get_docker_configuration_file_args 'tlscert')
|
|
|
|
|
else
|
|
|
|
|
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
|
|
|
|
fi
|
|
|
|
|
if [ -f "$tlscert" ]; then
|
|
|
|
|
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
|
|
|
|
|
pass "$check_3_11"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_11"
|
|
|
|
|
warn " * Wrong ownership for $tlscert"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $tlscert"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_11"
|
|
|
|
|
info " * No TLS Server certificate found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "No TLS Server certificate found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.12
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_12() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_12="3.12"
|
|
|
|
|
desc_3_12="Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
|
|
|
|
|
check_3_12="$id_3_12 - $desc_3_12"
|
|
|
|
|
starttestjson "$id_3_12" "$desc_3_12"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
|
|
|
|
|
tlscert=$(get_docker_configuration_file_args 'tlscert')
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ -f "$tlscert" ]; then
|
2018-11-01 10:24:36 +01:00
|
|
|
if [ "$(stat -c %a $tlscert)" -eq 444 ] || [ "$(stat -c %a $tlscert)" -eq 400 ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
pass "$check_3_12"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_12"
|
|
|
|
|
warn " * Wrong permissions for $tlscert"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $tlscert"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
info "$check_3_12"
|
|
|
|
|
info " * No TLS Server certificate found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "No TLS Server certificate found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
fi
|
|
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.13
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_13() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_13="3.13"
|
|
|
|
|
desc_3_13="Ensure that Docker server certificate key file ownership is set to root:root"
|
|
|
|
|
check_3_13="$id_3_13 - $desc_3_13"
|
|
|
|
|
starttestjson "$id_3_13" "$desc_3_13"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
|
|
|
|
|
tlskey=$(get_docker_configuration_file_args 'tlskey')
|
|
|
|
|
else
|
|
|
|
|
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
|
|
|
|
fi
|
|
|
|
|
if [ -f "$tlskey" ]; then
|
|
|
|
|
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
|
|
|
|
|
pass "$check_3_13"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_13"
|
|
|
|
|
warn " * Wrong ownership for $tlskey"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $tlskey"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_13"
|
|
|
|
|
info " * No TLS Key found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "No TLS Key found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.14
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_14() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_14="3.14"
|
|
|
|
|
desc_3_14="Ensure that Docker server certificate key file permissions are set to 400"
|
|
|
|
|
check_3_14="$id_3_14 - $desc_3_14"
|
|
|
|
|
starttestjson "$id_3_14" "$desc_3_14"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
|
|
|
|
|
tlskey=$(get_docker_configuration_file_args 'tlskey')
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ -f "$tlskey" ]; then
|
|
|
|
|
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
|
|
|
|
|
pass "$check_3_14"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_14"
|
|
|
|
|
warn " * Wrong permissions for $tlskey"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $tlskey"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
info "$check_3_14"
|
|
|
|
|
info " * No TLS Key found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "No TLS Key found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
fi
|
|
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.15
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_15() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_15="3.15"
|
|
|
|
|
desc_3_15="Ensure that Docker socket file ownership is set to root:docker"
|
|
|
|
|
check_3_15="$id_3_15 - $desc_3_15"
|
|
|
|
|
starttestjson "$id_3_15" "$desc_3_15"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/var/run/docker.sock"
|
|
|
|
|
if [ -S "$file" ]; then
|
|
|
|
|
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
|
|
|
|
|
pass "$check_3_15"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_15"
|
|
|
|
|
warn " * Wrong ownership for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_15"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2016-04-14 22:57:25 +02:00
|
|
|
# 3.16
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_16() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_16="3.16"
|
|
|
|
|
desc_3_16="Ensure that Docker socket file permissions are set to 660 or more restrictive"
|
|
|
|
|
check_3_16="$id_3_16 - $desc_3_16"
|
|
|
|
|
starttestjson "$id_3_16" "$desc_3_16"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/var/run/docker.sock"
|
|
|
|
|
if [ -S "$file" ]; then
|
2018-11-01 10:24:36 +01:00
|
|
|
if [ "$(stat -c %a $file)" -eq 660 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
pass "$check_3_16"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_16"
|
|
|
|
|
warn " * Wrong permissions for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2016-04-14 22:57:25 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_16"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2016-04-14 22:57:25 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2016-04-14 22:57:25 +02:00
|
|
|
|
|
|
|
|
# 3.17
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_17() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_17="3.17"
|
|
|
|
|
desc_3_17="Ensure that daemon.json file ownership is set to root:root"
|
|
|
|
|
check_3_17="$id_3_17 - $desc_3_17"
|
|
|
|
|
starttestjson "$id_3_17" "$desc_3_17"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/etc/docker/daemon.json"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
|
|
|
|
|
pass "$check_3_17"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_17"
|
|
|
|
|
warn " * Wrong ownership for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2016-04-14 22:57:25 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_17"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2016-04-14 22:57:25 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2016-04-14 22:57:25 +02:00
|
|
|
|
|
|
|
|
# 3.18
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_18() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_18="3.18"
|
|
|
|
|
desc_3_18="Ensure that daemon.json file permissions are set to 644 or more restrictive"
|
|
|
|
|
check_3_18="$id_3_18 - $desc_3_18"
|
|
|
|
|
starttestjson "$id_3_18" "$desc_3_18"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/etc/docker/daemon.json"
|
|
|
|
|
if [ -f "$file" ]; then
|
2018-11-01 10:24:36 +01:00
|
|
|
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 640 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
pass "$check_3_18"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_18"
|
|
|
|
|
warn " * Wrong permissions for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2016-04-14 22:57:25 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_18"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-07-01 20:04:20 +02:00
|
|
|
currentScore=$((currentScore + 0))
|
2016-04-14 22:57:25 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2016-04-14 22:57:25 +02:00
|
|
|
|
|
|
|
|
# 3.19
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_19() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_19="3.19"
|
|
|
|
|
desc_3_19="Ensure that /etc/default/docker file ownership is set to root:root"
|
|
|
|
|
check_3_19="$id_3_19 - $desc_3_19"
|
|
|
|
|
starttestjson "$id_3_19" "$desc_3_19"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/etc/default/docker"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
|
|
|
|
|
pass "$check_3_19"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_19"
|
|
|
|
|
warn " * Wrong ownership for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong ownership for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2016-04-14 22:57:25 +02:00
|
|
|
else
|
2018-01-16 13:46:49 +01:00
|
|
|
info "$check_3_19"
|
|
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2016-04-14 22:57:25 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2016-04-14 22:57:25 +02:00
|
|
|
|
|
|
|
|
# 3.20
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_20() {
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
id_3_20="3.20"
|
2019-08-27 15:13:19 +02:00
|
|
|
desc_3_20="Ensure that the /etc/sysconfig/docker file ownership is set to root:root"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
check_3_20="$id_3_20 - $desc_3_20"
|
|
|
|
|
starttestjson "$id_3_20" "$desc_3_20"
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2019-08-27 15:13:19 +02:00
|
|
|
file="/etc/sysconfig/docker"
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ -f "$file" ]; then
|
2019-08-27 15:13:19 +02:00
|
|
|
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
pass "$check_3_20"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_20"
|
2019-08-27 15:13:19 +02:00
|
|
|
warn " * Wrong ownership for $file"
|
|
|
|
|
resulttestjson "WARN" "Wrong ownership for $file"
|
|
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
info "$check_3_20"
|
|
|
|
|
info " * File not found"
|
|
|
|
|
resulttestjson "INFO" "File not found"
|
|
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# 3.21
|
|
|
|
|
check_3_21() {
|
|
|
|
|
id_3_21="3.21"
|
|
|
|
|
desc_3_21="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
|
|
|
|
|
check_3_21="$id_3_21 - $desc_3_21"
|
|
|
|
|
starttestjson "$id_3_21" "$desc_3_21"
|
|
|
|
|
|
|
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/etc/default/docker"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
|
|
|
|
|
pass "$check_3_21"
|
|
|
|
|
resulttestjson "PASS"
|
|
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_21"
|
2018-01-16 13:46:49 +01:00
|
|
|
warn " * Wrong permissions for $file"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN" "Wrong permissions for $file"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2019-08-27 15:13:19 +02:00
|
|
|
info "$check_3_21"
|
|
|
|
|
info " * File not found"
|
|
|
|
|
resulttestjson "INFO" "File not found"
|
|
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# 3.22
|
|
|
|
|
check_3_22() {
|
|
|
|
|
id_3_22="3.22"
|
|
|
|
|
desc_3_22="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
|
|
|
|
|
check_3_22="$id_3_22 - $desc_3_22"
|
|
|
|
|
starttestjson "$id_3_22" "$desc_3_22"
|
|
|
|
|
|
|
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/etc/default/docker"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
|
|
|
|
|
pass "$check_3_22"
|
|
|
|
|
resulttestjson "PASS"
|
|
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
|
|
|
|
warn "$check_3_22"
|
|
|
|
|
warn " * Wrong permissions for $file"
|
|
|
|
|
resulttestjson "WARN" "Wrong permissions for $file"
|
|
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
else
|
|
|
|
|
info "$check_3_22"
|
2018-01-16 13:46:49 +01:00
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
|
|
|
|
check_3_end() {
|
|
|
|
|
endsectionjson
|
|
|
|
|
}
|
