#!/bin/sh

check_2() {
  logit ""
  local id="2"
  local desc="Docker daemon configuration"
  checkHeader="$id - $desc"
  info "$checkHeader"
  startsectionjson "$id" "$desc"
}

check_2_1() {
  local id="2.1"
  local desc="Ensure network traffic is restricted between containers on the default bridge (Scored)"
  local remediation="Edit the Docker daemon configuration file to ensure that inter-container communication is disabled: icc: false."
  local remediationImpact="Inter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks."
  local check="$id - $desc"
  starttestjson "$id" "$desc"
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00

  # icc defaults to true, so only an explicit false on the command line or in daemon.json passes
  if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    warn -s "$check"
    logcheckresult "WARN"
  fi
}

check_2_2() {
  local id="2.2"
  local desc="Ensure the logging level is set to 'info' (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # An unset log level means the daemon default (info); any other value is a WARN
  if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
    if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
      pass -s "$check"
      logcheckresult "PASS"
    elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      logcheckresult "WARN"
    fi
  elif get_docker_effective_command_line_args '-l' >/dev/null 2>&1; then
    if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      logcheckresult "WARN"
    fi
  else
    pass -s "$check"
    logcheckresult "PASS"
  fi
}

check_2_3() {
  local id="2.3"
  local desc="Ensure Docker is allowed to make changes to iptables (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # iptables management defaults to true; an explicit false is the finding
  if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
    warn -s "$check"
    logcheckresult "WARN"
  elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
    warn -s "$check"
    logcheckresult "WARN"
  else
    pass -s "$check"
    logcheckresult "PASS"
  fi
}

check_2_4() {
  local id="2.4"
  local desc="Ensure insecure registries are not used (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
    warn -s "$check"
    logcheckresult "WARN"
  elif [ -n "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
    # the key is present in daemon.json: an empty list [] is fine, anything else is a WARN
    if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      logcheckresult "WARN"
    fi
  else
    pass -s "$check"
    logcheckresult "PASS"
  fi
}

check_2_5() {
  local id="2.5"
  local desc="Ensure aufs storage driver is not used (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
    warn -s "$check"
    logcheckresult "WARN"
  else
    pass -s "$check"
    logcheckresult "PASS"
  fi
}

check_2_6() {
  local id="2.6"
  local desc="Ensure TLS authentication for Docker daemon is configured (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # A tcp:// listener (daemon.json or -H) is only acceptable with --tlsverify, i.e. client certificate verification
  if [ -n "$(get_docker_configuration_file_args 'tcp://')" ] || \
    [ -n "$(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://')" ]; then
    if [ -n "$(get_docker_configuration_file_args '"tlsverify":' | grep 'true')" ] || \
      [ -n "$(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify')" ]; then
      pass -s "$check"
      logcheckresult "PASS"
    elif [ -n "$(get_docker_configuration_file_args '"tls":' | grep 'true')" ] || \
      [ -n "$(get_docker_cumulative_command_line_args '--tls' | grep 'tls$')" ]; then
      warn -s "$check"
      warn "     * Docker daemon currently listening on TCP with TLS, but no verification"
      logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
    else
      warn -s "$check"
      warn "     * Docker daemon currently listening on TCP without TLS"
      logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
    fi
  else
    info -c "$check"
    info "     * Docker daemon not listening on TCP"
    logcheckresult "INFO" "Docker daemon not listening on TCP"
  fi
}

check_2_7() {
  local id="2.7"
  local desc="Ensure the default ulimit is configured appropriately (Not Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
    pass -c "$check"
    logcheckresult "PASS"
  elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
    pass -c "$check"
    logcheckresult "PASS"
  else
    info -c "$check"
    info "     * Default ulimit doesn't appear to be set"
    logcheckresult "INFO" "Default ulimit doesn't appear to be set"
  fi
}

check_2_8() {
  local id="2.8"
  local desc="Enable user namespace support (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # userns-remap must be set to a non-empty value, either in daemon.json or on the command line
  if get_docker_configuration_file_args 'userns-remap' | grep -v '""' >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    warn -s "$check"
    logcheckresult "WARN"
  fi
}

check_2_9() {
  local id="2.9"
  local desc="Ensure the default cgroup usage has been confirmed (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # Any non-empty cgroup-parent value means a custom cgroup hierarchy that needs confirming
  if get_docker_configuration_file_args 'cgroup-parent' | grep -v '^$' >/dev/null 2>&1; then
    warn -s "$check"
    info "     * Confirm cgroup usage"
    logcheckresult "WARN" "Confirm cgroup usage"
  elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
    warn -s "$check"
    info "     * Confirm cgroup usage"
    logcheckresult "WARN" "Confirm cgroup usage"
  else
    pass -s "$check"
    logcheckresult "PASS"
  fi
}

check_2_10() {
  local id="2.10"
  local desc="Ensure base device size is not changed until needed (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
    warn -s "$check"
    logcheckresult "WARN"
  elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
    warn -s "$check"
    logcheckresult "WARN"
  else
    pass -s "$check"
    logcheckresult "PASS"
  fi
}

check_2_11() {
  local id="2.11"
  local desc="Ensure that authorization for Docker client commands is enabled (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # an empty authorization-plugins list [] is the same as no plugin at all
  if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]' >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    warn -s "$check"
    logcheckresult "WARN"
  fi
}

check_2_12() {
  local id="2.12"
  local desc="Ensure centralized and remote logging is configured (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # json-file is the default, local-only logging driver
  if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
    warn -s "$check"
    logcheckresult "WARN"
  else
    pass -s "$check"
    logcheckresult "PASS"
  fi
}

check_2_13() {
  local id="2.13"
  local desc="Ensure live restore is enabled (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  elif docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
    # live restore cannot be combined with swarm mode, so an active swarm is not a finding
    pass -s "$check (Incompatible with swarm mode)"
    logcheckresult "PASS"
  elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    warn -s "$check"
    logcheckresult "WARN"
  fi
}

check_2_14() {
  local id="2.14"
  local desc="Ensure Userland Proxy is Disabled (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    warn -s "$check"
    logcheckresult "WARN"
  fi
}

check_2_15() {
  local id="2.15"
  local desc="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' >/dev/null 2>&1; then
    pass -c "$check"
    logcheckresult "PASS"
  else
    info -c "$check"
    logcheckresult "INFO"
  fi
}

check_2_16() {
  # Server version as a four-digit number, e.g. 19.03 -> 1903; the check is only scored up to 19.03
  docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
    | awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
  local id="2.16"
  local desc="Ensure that experimental features are not implemented in production (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if [ "$docker_version" -le 1903 ]; then
    if docker version -f '{{.Server.Experimental}}' | grep false >/dev/null 2>&1; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      logcheckresult "WARN"
    fi
  else
    local desc="$desc (Deprecated)"
    local check="$id - $desc"
    info -c "$check"
    logcheckresult "INFO"
  fi
}

check_2_17() {
  local id="2.17"
  local desc="Ensure containers are restricted from acquiring new privileges (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    warn -s "$check"
    logcheckresult "WARN"
  fi
}

check_2_end() {
  endsectionjson
}
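The following Python script is an added example, not code from docker-bench-security: it evaluates the section 2 checks above against a daemon.json read with a real JSON parser instead of grep, and emits the section/test structure the commit message describes (a section with id and desc and a tests array; each test with id, desc, result and an optional details property). The daemon.json keys are Docker's own; the sample configuration, the `tests` key name and the helper names are assumptions.

```python
import json
import sys

# Constructed sample daemon.json (not taken from any real host): a mix of
# compliant and non-compliant settings so that PASS, WARN and INFO all appear.
SAMPLE_DAEMON_JSON = """{
  "icc": false,
  "log-level": "debug",
  "insecure-registries": ["registry.internal:5000"],
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tls": true,
  "tlsverify": false,
  "userns-remap": "",
  "cgroup-parent": "/docker-limited",
  "live-restore": true,
  "userland-proxy": false,
  "no-new-privileges": true,
  "authorization-plugins": [],
  "storage-opts": ["dm.basesize=50G"]
}"""


def audit_daemon_config(cfg):
    """Evaluate the section 2 checks that daemon.json alone can answer; returns the
    section object (id, desc, tests[]) with id, desc, result and optional details
    per test. 2.15/2.16 need docker info/version and are omitted; 2.5 and 2.12
    are read from the storage-driver and log-driver keys instead of docker info."""
    tests = []

    def add(tid, desc, result, details=None):
        test = {"id": tid, "desc": desc, "result": result}
        if details:  # optional property, as in the commit message
            test["details"] = details
        tests.append(test)

    add("2.1", "Ensure network traffic is restricted between containers on the default bridge",
        "PASS" if cfg.get("icc") is False else "WARN")  # icc defaults to true
    level = cfg.get("log-level")  # absent means the daemon default, info
    add("2.2", "Ensure the logging level is set to 'info'",
        "PASS" if level in (None, "info") else "WARN",
        None if level in (None, "info") else "log-level is %s" % level)
    add("2.3", "Ensure Docker is allowed to make changes to iptables",
        "WARN" if cfg.get("iptables") is False else "PASS")
    regs = cfg.get("insecure-registries") or []
    add("2.4", "Ensure insecure registries are not used",
        "WARN" if regs else "PASS", ", ".join(regs) or None)
    add("2.5", "Ensure aufs storage driver is not used",
        "WARN" if cfg.get("storage-driver") == "aufs" else "PASS")
    # 2.6: a tcp:// listener is only acceptable with client certificate verification
    tcp_hosts = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    tls_desc = "Ensure TLS authentication for Docker daemon is configured"
    if not tcp_hosts:
        add("2.6", tls_desc, "INFO", "Docker daemon not listening on TCP")
    elif cfg.get("tlsverify") is True:
        add("2.6", tls_desc, "PASS")
    elif cfg.get("tls") is True:
        add("2.6", tls_desc, "WARN", "Docker daemon currently listening on TCP with TLS, but no verification")
    else:
        add("2.6", tls_desc, "WARN", "Docker daemon currently listening on TCP without TLS")
    ulimits = cfg.get("default-ulimits")
    add("2.7", "Ensure the default ulimit is configured appropriately",
        "PASS" if ulimits else "INFO", None if ulimits else "Default ulimit doesn't appear to be set")
    add("2.8", "Enable user namespace support",
        "PASS" if cfg.get("userns-remap") else "WARN")  # "" counts as unset
    add("2.9", "Ensure the default cgroup usage has been confirmed",
        "WARN" if cfg.get("cgroup-parent") else "PASS",
        "Confirm cgroup usage" if cfg.get("cgroup-parent") else None)
    basesize = [o for o in cfg.get("storage-opts", []) if o.startswith("dm.basesize=")]
    add("2.10", "Ensure base device size is not changed until needed",
        "WARN" if basesize else "PASS", ", ".join(basesize) or None)
    add("2.11", "Ensure that authorization for Docker client commands is enabled",
        "PASS" if cfg.get("authorization-plugins") else "WARN")
    add("2.12", "Ensure centralized and remote logging is configured",
        "WARN" if cfg.get("log-driver", "json-file") == "json-file" else "PASS")
    add("2.13", "Ensure live restore is enabled",
        "PASS" if cfg.get("live-restore") is True else "WARN")
    add("2.14", "Ensure Userland Proxy is Disabled",
        "PASS" if cfg.get("userland-proxy") is False else "WARN")
    add("2.17", "Ensure containers are restricted from acquiring new privileges",
        "PASS" if cfg.get("no-new-privileges") is True else "WARN")
    return {"id": "2", "desc": "Docker daemon configuration", "tests": tests}


def audit_json_text(raw):
    """Parse daemon.json text (json.loads raises on a malformed file) and audit it."""
    return audit_daemon_config(json.loads(raw))


def results_by_id(section):
    """Map test id -> result, for filtering WARNs or for assertions."""
    return {t["id"]: t["result"] for t in section["tests"]}


if __name__ == "__main__":
    # Audit the file named on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DAEMON_JSON
    report = audit_json_text(text)
    print(json.dumps(report, indent=2))
    sys.exit(1 if "WARN" in results_by_id(report).values() else 0)
```

Run it as `python3 audit_daemon.py /etc/docker/daemon.json`; the exit status is 1 when any check is a WARN, so it can gate a CI job the way the script's own WARN lines do.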