2015-05-11 06:08:28 +02:00
|
|
|
#!/bin/sh
|
|
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
check_1() {
|
|
|
|
|
logit ""
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1"
|
|
|
|
|
local desc="Host Configuration"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
info "$check"
|
|
|
|
|
startsectionjson "$id" "$desc"
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
check_1_1() {
|
2019-08-26 14:37:25 +02:00
|
|
|
logit ""
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.1"
|
|
|
|
|
local desc="General Configuration"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
info "$check"
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.1.1
|
|
|
|
|
check_1_1_1() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.1.1"
|
|
|
|
|
local desc="Ensure the container host has been Hardened (Not Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2021-03-09 11:42:48 +01:00
|
|
|
note "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO"
|
2018-07-01 20:04:20 +02:00
|
|
|
currentScore=$((currentScore + 0))
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.1.2
|
|
|
|
|
check_1_1_2() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.1.2"
|
|
|
|
|
local desc="Ensure that the version of Docker is up to date (Not Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
|
|
|
|
|
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
|
|
|
|
|
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
|
|
|
|
|
do_version_check "$docker_current_version" "$docker_version"
|
|
|
|
|
if [ $? -eq 11 ]; then
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * Using $docker_version, verify is it up to date as deemed necessary"
|
|
|
|
|
info " * Your operating system vendor may provide support and security maintenance for Docker"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "Using $docker_version"
|
2018-07-01 20:04:20 +02:00
|
|
|
currentScore=$((currentScore + 0))
|
2018-01-16 13:46:49 +01:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * Using $docker_version which is current"
|
|
|
|
|
info " * Check with your operating system vendor for support and security maintenance for Docker"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS" "Using $docker_version"
|
2018-07-01 20:04:20 +02:00
|
|
|
currentScore=$((currentScore + 0))
|
2018-01-16 13:46:49 +01:00
|
|
|
fi
|
|
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
check_1_2() {
|
|
|
|
|
logit ""
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2"
|
|
|
|
|
local desc="Linux Hosts Specific Configuration"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
info "$check"
|
2019-08-26 14:37:25 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# 1.2.1
|
|
|
|
|
check_1_2_1() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.1"
|
|
|
|
|
local desc="Ensure a separate partition for containers has been created (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
2019-08-26 14:37:25 +02:00
|
|
|
|
|
|
|
|
totalChecks=$((totalChecks + 1))
|
2020-09-29 12:41:25 +02:00
|
|
|
docker_root_dir=$(docker info -f '{{ .DockerRootDir }}')
|
|
|
|
|
if docker info | grep -q userns ; then
|
|
|
|
|
docker_root_dir=$(readlink -f "$docker_root_dir/..")
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
2019-08-26 14:37:25 +02:00
|
|
|
resulttestjson "PASS"
|
|
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
2019-08-26 14:37:25 +02:00
|
|
|
resulttestjson "WARN"
|
|
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# 1.2.2
|
|
|
|
|
check_1_2_2() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.2"
|
|
|
|
|
local desc="Ensure only trusted users are allowed to control Docker daemon (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2020-05-08 13:09:52 +02:00
|
|
|
if command -v getent >/dev/null 2>&1; then
|
|
|
|
|
docker_users=$(getent group docker)
|
|
|
|
|
else
|
|
|
|
|
docker_users=$(grep 'docker' /etc/group)
|
|
|
|
|
fi
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2018-01-16 13:46:49 +01:00
|
|
|
for u in $docker_users; do
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * $u"
|
2018-01-16 13:46:49 +01:00
|
|
|
done
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "users" "$docker_users"
|
2018-07-01 20:04:20 +02:00
|
|
|
currentScore=$((currentScore + 0))
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.2.3
|
|
|
|
|
check_1_2_3() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.3"
|
|
|
|
|
local desc="Ensure auditing is configured for the Docker daemon (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2019-10-16 09:49:18 +02:00
|
|
|
file="/usr/bin/dockerd"
|
2018-01-16 13:46:49 +01:00
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep "$file" >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
|
|
|
|
warn " * Install auditd"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
|
|
|
|
warn " * Install auditd"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.2.4
|
|
|
|
|
check_1_2_4() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.4"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
directory="/var/lib/docker"
|
|
|
|
|
if [ -d "$directory" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep $directory >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2016-04-14 21:15:33 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2016-04-14 21:15:33 +02:00
|
|
|
fi
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * Directory not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "Directory not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2016-04-14 21:15:33 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2016-04-14 21:15:33 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.2.5
|
|
|
|
|
check_1_2_5() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.5"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
directory="/etc/docker"
|
|
|
|
|
if [ -d "$directory" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep $directory >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * Directory not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "Directory not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.2.6
|
|
|
|
|
check_1_2_6() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.6"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - docker.service (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2020-04-10 15:26:25 +02:00
|
|
|
file="$(get_service_file docker.service)"
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep "$file" >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.2.7
|
|
|
|
|
check_1_2_7() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.7"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2020-04-10 15:26:25 +02:00
|
|
|
file="$(get_service_file docker.socket)"
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ -e "$file" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep "$file" >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.2.8
|
|
|
|
|
check_1_2_8() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.8"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/etc/default/docker"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep $file >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:41:37 +02:00
|
|
|
# 1.2.9
|
|
|
|
|
check_1_2_9() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.9"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
2019-08-26 14:41:37 +02:00
|
|
|
|
|
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/etc/sysconfig/docker"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep $file >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
2019-08-26 14:41:37 +02:00
|
|
|
resulttestjson "PASS"
|
|
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
2019-08-26 14:41:37 +02:00
|
|
|
resulttestjson "WARN"
|
|
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
2019-08-26 14:41:37 +02:00
|
|
|
resulttestjson "PASS"
|
|
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
2019-08-26 14:41:37 +02:00
|
|
|
resulttestjson "WARN"
|
|
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * File not found"
|
2019-08-26 14:41:37 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
|
|
|
|
currentScore=$((currentScore + 0))
|
|
|
|
|
fi
|
|
|
|
|
}
|
2019-08-26 14:37:25 +02:00
|
|
|
|
|
|
|
|
# 1.2.10
|
|
|
|
|
check_1_2_10() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.10"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
|
|
|
|
file="/etc/docker/daemon.json"
|
|
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep $file >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.2.11
|
|
|
|
|
check_1_2_11() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.11"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2019-08-26 14:37:25 +02:00
|
|
|
file="/usr/bin/containerd"
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep $file >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2019-08-26 14:37:25 +02:00
|
|
|
# 1.2.12
|
|
|
|
|
check_1_2_12() {
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="1.2.12"
|
|
|
|
|
local desc="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)"
|
|
|
|
|
local check="$id - $desc"
|
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
totalChecks=$((totalChecks + 1))
|
2019-08-26 14:37:25 +02:00
|
|
|
file="/usr/sbin/runc"
|
2018-01-16 13:46:49 +01:00
|
|
|
if [ -f "$file" ]; then
|
|
|
|
|
if command -v auditctl >/dev/null 2>&1; then
|
|
|
|
|
if auditctl -l | grep $file >/dev/null 2>&1; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 1))
|
|
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore - 1))
|
|
|
|
|
fi
|
|
|
|
|
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
2021-03-09 11:42:48 +01:00
|
|
|
pass "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "PASS"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore + 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
warn "$check"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "WARN"
|
2017-10-23 15:39:18 +02:00
|
|
|
currentScore=$((currentScore - 1))
|
2015-06-11 02:17:14 +02:00
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
else
|
2021-03-09 11:42:48 +01:00
|
|
|
info "$check"
|
2019-08-26 15:13:50 +02:00
|
|
|
info " * File not found"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
resulttestjson "INFO" "File not found"
|
2018-01-16 13:46:49 +01:00
|
|
|
currentScore=$((currentScore + 0))
|
2015-05-11 06:08:28 +02:00
|
|
|
fi
|
2018-01-16 13:46:49 +01:00
|
|
|
}
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
|
|
|
|
check_1_end() {
|
|
|
|
|
endsectionjson
|
|
|
|
|
}
|
