#!/bin/sh
# Open the "Community contributed checks" section (id 99): write a blank log
# line, print the section header and start the section's JSON object.
# Globals:   checkHeader (written; deliberately not local, the script keeps it
#            as a global that later output helpers presumably read)
# Arguments: none
# Outputs:   via logit/info/startsectionjson
check_c() {
  local section_id section_desc
  logit ""
  section_id="99"
  section_desc="Community contributed checks"
  checkHeader="${section_id} - ${section_desc}"
  info "${checkHeader}"
  startsectionjson "${section_id}" "${section_desc}"
}
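# Example "Scored" community check (C.1): reports PASS on x86_64 hosts, INFO on
# aarch64 hosts and WARN on anything else (including when the daemon is not
# reachable, since the architecture string is then empty).
# Globals:   none written
# Arguments: none
# Outputs:   via starttestjson/pass/info/warn/logcheckresult
check_c_1() {
  local id="C.1"
  local desc="This is a example check for a Scored check"
  # Not referenced in this body: sh `local` variables are visible to functions
  # called from here, so logcheckresult presumably reads them — keep them.
  local remediation="This is an example remediation measure for a Scored check"
  local remediationImpact="This is an example remediation impact for a Scored check"
  local check="$id - $desc"
  local arch
  starttestjson "$id" "$desc"

  # Query the daemon once instead of once per architecture pattern; a failed
  # query yields an empty string and falls through to the WARN branch.
  arch=$(docker info --format='{{ .Architecture }}')
  case "$arch" in
    *x86_64*)
      pass -s "$check"
      logcheckresult "PASS"
      ;;
    *aarch64*)
      info -c "$check"
      logcheckresult "INFO"
      ;;
    *)
      warn -s "$check"
      logcheckresult "WARN"
      ;;
  esac
}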
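# Example "Not Scored" community check (C.1.1): same architecture logic as
# check_c_1 but every result is reported with the -c (not scored) flag.
# Globals:   none written
# Arguments: none
# Outputs:   via starttestjson/pass/info/warn/logcheckresult
check_c_1_1() {
  local id="C.1.1"
  local desc="This is a example check for a Not Scored check"
  # Not referenced in this body: sh `local` variables are visible to functions
  # called from here, so logcheckresult presumably reads them — keep them.
  local remediation="This is an example remediation measure for a Not Scored check"
  local remediationImpact="This is an example remediation impact for a Not Scored check"
  local check="$id - $desc"
  local arch
  starttestjson "$id" "$desc"

  # Query the daemon once instead of once per architecture pattern; a failed
  # query yields an empty string and falls through to the WARN branch.
  arch=$(docker info --format='{{ .Architecture }}')
  case "$arch" in
    *x86_64*)
      pass -c "$check"
      logcheckresult "PASS"
      ;;
    *aarch64*)
      info -c "$check"
      logcheckresult "INFO"
      ;;
    *)
      warn -c "$check"
      logcheckresult "WARN"
      ;;
  esac
}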
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
check_c_2( ) {
docker_version = $( docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
2021-03-09 11:42:48 +01:00
local id = "C.2"
local desc = "Ensure operations on legacy registry (v1) are Disabled"
2021-03-22 08:43:56 +01:00
local remediation = "Start docker daemon with --disable-legacy-registry=false flag. Starting with Docker 17.12, support for V1 registries has been removed, and the --disable-legacy-registry flag can no longer be used."
local remediationImpact = "Prevents the docker daemon from pull, push, and login operations against v1 registries."
2021-03-09 11:42:48 +01:00
local check = " $id - $desc "
starttestjson " $id " " $desc "
2019-08-27 14:53:42 +02:00
if [ " $docker_version " -lt 1712 ] ; then
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2021-03-29 14:22:14 +02:00
return
fi
if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>& 1; then
2021-03-16 09:05:49 +01:00
pass -s " $check "
logcheckresult "PASS"
2021-03-29 14:22:14 +02:00
return
2019-08-27 14:53:42 +02:00
fi
2021-03-29 14:22:14 +02:00
warn -s " $check "
logcheckresult "WARN"
return
2019-08-27 14:53:42 +02:00
fi
2021-03-29 14:22:14 +02:00
local desc = " $desc (Deprecated) "
local check = " $id - $desc "
info -c " $check "
logcheckresult "INFO"
2019-08-27 14:53:42 +02:00
}
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
# Close the community-checks section of the JSON report; the section was
# opened by check_c.
# Globals:   none
# Arguments: none
# Outputs:   whatever endsectionjson prints
check_c_end() {
  endsectionjson
}