#!/bin/sh
#
# Benchmark section 4: "Container Images and Build Files".
#
# NOTE(review): this file defines no functions and calls helpers that are not
# defined here — `logit`, `info`, `warn`, `pass` — and reads `$containers`.
# It is presumably sourced by a driver script that provides them; confirm
# against the caller. Every variable assigned below (check_4_*, fail, user,
# c, img, imgName, images) therefore ends up in the caller's shell as well.

# Blank separator line before the section header (presumably; `logit` is
# defined by the caller).
logit "\n"

info "4 - Container Images and Build Files"
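# 4.1
check_4_1="4.1 - Create a user for the container"

# $containers is supplied by the caller, one container ID per line. With no
# running containers there is nothing to inspect and the item is informational.
if [ -z "$containers" ]; then
  info "$check_4_1"
  info " * No containers running"
else
  # Containers are running: assume success until one is found running as root.
  fail=0

  # Iterate over newline-separated IDs. `$'\n'` is a bashism that `/bin/sh`
  # (dash) does not understand — it would make '$' a separator too — so the
  # newline is quoted literally. Globbing is disabled while IFS is changed so
  # the unquoted expansion cannot expand a stray '*'.
  set -f; IFS='
'
  for c in $containers; do
    # The literal "User=" prefix tells an empty USER apart from a failed
    # inspect (empty output): a failed inspect matches nothing below and is
    # left unflagged, as in the original check.
    user=$(docker inspect --format 'User={{.Config.User}}' "$c")
    # Dockerfile USER is "user[:group]". No USER at all, uid 0 and the name
    # "root" all mean the container's process runs as root, so 0/root are
    # flagged in addition to the "unset" representations.
    case "$user" in
      "User="|"User=[]"|"User=<no value>"|User=0|User=0:*|User=root|User=root:*)
        # Print the check title once, before the first offending container.
        if [ "$fail" -eq 0 ]; then
          warn "$check_4_1"
          fail=1
        fi
        warn " * Running as root: $c"
        ;;
    esac
  done

  # Every running container declares a non-root user.
  if [ "$fail" -eq 0 ]; then
    pass "$check_4_1"
  fi
fi

# Restore globbing and the default word splitting for the rest of the script.
set +f; unset IFS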
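# Image IDs examined by 4.6, 4.7 and 4.9, one per line. `docker images -q`
# prints an ID once per tag, so duplicates are dropped to avoid reporting the
# same image several times. Intermediate layers are not listed (no -a).
images=$(docker images -q | sort -u)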
# 4.2 - 4.4
# These three items are manual checks: nothing here inspects image
# provenance, installed packages or patch level, so each is only announced
# as info and left to the auditor to verify.
check_4_2="4.2 - Use trusted base images for containers"
check_4_3="4.3 - Do not install unnecessary packages in the container"
check_4_4="4.4 - Scan and rebuild the images to include security patches"
for manual_check in "$check_4_2" "$check_4_3" "$check_4_4"; do
  info "$manual_check"
done
# 4.5
check_4_5="4.5 - Enable Content trust for Docker"
# Content trust is a client-side setting carried by the DOCKER_CONTENT_TRUST
# environment variable. Only the value visible to the shell running this
# script is examined: a pass here says nothing about other users' shells or
# CI systems that pull images. Exactly "1" passes; anything else warns.
case "$DOCKER_CONTENT_TRUST" in
  1) pass "$check_4_5" ;;
  *) warn "$check_4_5" ;;
esac
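# 4.6
check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
fail=0
for img in $images; do
  # An image without a HEALTHCHECK prints the Healthcheck field as <nil>.
  # NOTE: if inspect fails (e.g. the image was removed mid-run) the pipeline
  # prints nothing, grep does not match and the image counts as compliant.
  if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -q -e "<nil>"; then
    # Print the check title once, before the first offending image.
    if [ "$fail" -eq 0 ]; then
      fail=1
      warn "$check_4_6"
    fi
    imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
    # Untagged (dangling) images report no repo tags; name them by ID so the
    # image that failed the check is still identifiable in the output.
    if [ "$imgName" = '[]' ]; then
      warn " * No Healthcheck found: $img (untagged)"
    else
      warn " * No Healthcheck found: $imgName"
    fi
  fi
done
if [ "$fail" -eq 0 ]; then
  pass "$check_4_6"
fi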
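# 4.7
check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
fail=0
for img in $images; do
  # Look for an "update" step in the image's build history. --no-trunc is
  # used because the default output truncates the CREATED BY column, which
  # hides the update command when it sits late in a long RUN line.
  # This is a heuristic: it also matches the recommended
  # "apt-get update && apt-get install ..." form, so findings are reported
  # as info and need a manual look at the Dockerfile.
  if docker history --no-trunc "$img" 2>/dev/null | grep -q -e "update"; then
    # Print the check title once, before the first matching image.
    if [ "$fail" -eq 0 ]; then
      fail=1
      info "$check_4_7"
    fi
    imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
    # Untagged (dangling) images report no repo tags; name them by ID so the
    # finding still points at a concrete image.
    if [ "$imgName" = '[]' ]; then
      info " * Update instruction found: $img (untagged)"
    else
      info " * Update instruction found: $imgName"
    fi
  fi
done
if [ "$fail" -eq 0 ]; then
  pass "$check_4_7"
fi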
# 4.8
# Manual check: nothing here inspects image filesystems for setuid/setgid
# bits, so the item is only announced for the auditor to verify by hand.
check_4_8="4.8 - Remove setuid and setgid permissions in the images"
info "$check_4_8"
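# 4.9
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
fail=0
for img in $images; do
  # Look for an ADD step in the build history. Base-image rootfs layers
  # typically show up as "ADD file:... in /" as well, so this matches most
  # images and is reported as info for manual review, not as a failure.
  if docker history "$img" 2>/dev/null | grep -q 'ADD'; then
    # Print the check title once, before the first matching image.
    if [ "$fail" -eq 0 ]; then
      fail=1
      info "$check_4_9"
    fi
    imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
    # Untagged (dangling) images report no repo tags; name them by ID so the
    # finding still points at a concrete image.
    if [ "$imgName" = '[]' ]; then
      info " * ADD in image history: $img (untagged)"
    else
      info " * ADD in image history: $imgName"
    fi
  fi
done
if [ "$fail" -eq 0 ]; then
  pass "$check_4_9"
fi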
# 4.10 - 4.11
# Both items are manual checks: Dockerfiles are not available to this script
# and package signatures are not verified here, so each is only announced
# as info and left to the auditor.
check_4_10="4.10 - Do not store secrets in Dockerfiles"
check_4_11="4.11 - Install verified packages only"
for manual_check in "$check_4_10" "$check_4_11"; do
  info "$manual_check"
done