Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00

#!/bin/sh

# Section 6 header: prints the section title and opens the JSON section object.
check_6() {
  logit ""
  local id="6"
  local desc="Docker Security Operations"
  checkHeader="$id - $desc"
  info "$checkHeader"
  startsectionjson "$id" "$desc"
}

# 6.1
check_6_1() {
  local id="6.1"
  local desc="Ensure that image sprawl is avoided (Not Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  # Number of distinct image IDs known to the daemon.
  images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
  active_images=0

  # Count the containers (running or stopped) whose image is still present.
  # Word splitting of the container ID list is intended here.
  # shellcheck disable=SC2046
  for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do
    # $c is a "sha256:..." ID, so match it as a fixed string rather than a regex.
    if docker images --no-trunc -a | grep -qF "$c"; then
      active_images=$((active_images + 1))
    fi
  done

  info "$check"
  info " * There are currently: $images images"
  # Informational only: flag when fewer than half of the images back a container.
  if [ "$active_images" -lt "$((images / 2))" ]; then
    info " * Only $active_images out of $images are in use"
  fi
  resulttestjson "INFO" "$active_images active/$images in use"
  currentScore=$((currentScore + 0))
}

# 6.2
check_6_2() {
  local id="6.2"
  local desc="Ensure that container sprawl is avoided (Not Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  totalChecks=$((totalChecks + 1))
  # "Containers: N" in `docker info` counts every container, running or not.
  total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
  running_containers=$(docker ps -q | wc -l | awk '{print $1}')
  diff="$((total_containers - running_containers))"
  # Informational only: flag when more than 25 containers exist but are not running.
  if [ "$diff" -gt 25 ]; then
    info "$check"
    info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
    resulttestjson "INFO" "$total_containers total/$running_containers running"
  else
    info "$check"
    info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
    resulttestjson "INFO" "$total_containers total/$running_containers running"
  fi
  currentScore=$((currentScore + 0))
}

# Closes the JSON section object opened by check_6.
check_6_end() {
  endsectionjson
}
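The section/test JSON layout the commit message describes, together with the image-sprawl ratio that check 6.1 reports, as an added example that is not docker-bench-security's own code. The helper names and the JSON property names (id, desc, tests, result, details, items) come from the commit message; the escaping rules, the comma bookkeeping in json_section_count and json_test_count, the image_sprawl and unused_images functions, and the DEMO_* sample lists are this example's own assumptions, and the sample data is constructed rather than taken from a live daemon.

```shell
#!/bin/sh
# Added example (not the project's code): a stand-in for the JSON helpers the
# commit message names, plus the 6.1 image-sprawl ratio computed over
# constructed image and container lists instead of live `docker` output.

# json_escape STRING: escape backslash, double quote and newline so the value
# can sit inside a JSON string literal.
json_escape() {
  printf '%s' "$1" |
    sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
    awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print }'
}

json_section_count=0   # sections emitted so far (decides the leading comma)
json_test_count=0      # tests emitted in the current section

startsectionjson() {   # startsectionjson ID DESC
  if [ "$json_section_count" -gt 0 ]; then printf ','; fi
  printf '{"id":"%s","desc":"%s","tests":[' "$(json_escape "$1")" "$(json_escape "$2")"
  json_test_count=0
}

starttestjson() {      # starttestjson ID DESC
  if [ "$json_test_count" -gt 0 ]; then printf ','; fi
  printf '{"id":"%s","desc":"%s"' "$(json_escape "$1")" "$(json_escape "$2")"
}

# resulttestjson RESULT [DETAILS [ITEM...]]: closes the current test object.
# details and items are optional, as the commit message describes.
resulttestjson() {
  printf ',"result":"%s"' "$(json_escape "$1")"
  if [ -n "${2:-}" ]; then printf ',"details":"%s"' "$(json_escape "$2")"; fi
  if [ "$#" -gt 2 ]; then
    shift 2
    sep=''
    printf ',"items":['
    for item in "$@"; do
      printf '%s"%s"' "$sep" "$(json_escape "$item")"
      sep=','
    done
    printf ']'
  fi
  printf '}'
  json_test_count=$((json_test_count + 1))
}

endsectionjson() {
  printf ']}'
  json_section_count=$((json_section_count + 1))
}

# image_sprawl IMAGE_IDS CONTAINER_IMAGE_IDS: both are newline-separated lists.
# Prints the "active/total" detail string and returns 1 when fewer than half of
# the images are referenced by a container (the condition 6.1 reports on).
# Unlike the check's per-container loop, references are de-duplicated first.
image_sprawl() {
  all_ids=$(printf '%s\n' "$1" | sort -u)
  total=$(printf '%s\n' "$all_ids" | grep -c . || true)
  active=0
  for ref in $(printf '%s\n' "$2" | sort -u); do
    if printf '%s\n' "$all_ids" | grep -qFx "$ref"; then
      active=$((active + 1))
    fi
  done
  printf '%s active/%s in use' "$active" "$total"
  [ "$active" -ge $((total / 2)) ]
}

# unused_images IMAGE_IDS CONTAINER_IMAGE_IDS: images no container references,
# one per line, suitable for the optional "items" property.
unused_images() {
  refs=$(printf '%s\n' "$2" | sort -u)
  for id in $(printf '%s\n' "$1" | sort -u); do
    if ! printf '%s\n' "$refs" | grep -qFx "$id"; then printf '%s\n' "$id"; fi
  done
}

# Constructed sample data standing in for `docker images -q` and for
# `docker inspect --format '{{.Image}}' $(docker ps -qa)` (two containers
# share one image; one container references an ID that is not in the list).
DEMO_IMAGE_IDS='sha256:aaaa
sha256:bbbb
sha256:cccc
sha256:dddd'
DEMO_CONTAINER_IMAGE_IDS='sha256:aaaa
sha256:aaaa
sha256:eeee'

# demo_section_json: the section object that check_6 / check_6_1 / check_6_end
# would emit for the sample data, with the unused images as items.
demo_section_json() {
  json_section_count=0
  detail=$(image_sprawl "$DEMO_IMAGE_IDS" "$DEMO_CONTAINER_IMAGE_IDS") || true
  startsectionjson "6" "Docker Security Operations"
  starttestjson "6.1" "Ensure that image sprawl is avoided (Not Scored)"
  # shellcheck disable=SC2046
  resulttestjson "INFO" "$detail" $(unused_images "$DEMO_IMAGE_IDS" "$DEMO_CONTAINER_IMAGE_IDS")
  endsectionjson
}

demo_section_json
printf '\n'
```

Run as-is, the script prints one section object whose single test carries result "INFO", the "1 active/4 in use" detail, and the three unreferenced image IDs in items. Because every value passes through json_escape, a description or detail containing quotes or backslashes cannot break the document, which is the property the real emitter also needs when items such as image names come from daemon output.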