docker-bench-security/docker-bench-security.sh

#!/bin/sh
# ------------------------------------------------------------------------------
# Docker Bench for Security v1.0.0
#
# Docker, Inc. (c) 2015
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
#
# ------------------------------------------------------------------------------

# Load dependencies
. ./output_lib.sh
. ./helper_lib.sh

# Setup the paths
this_path=$(abspath "$0")       ## Path of this file including filenamel
myname=$(basename "${this_path}")     ## file name of this script.

export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
logger="${myname}.log"

# Check for required program(s)
req_progs='awk docker grep netstat stat'
for p in $req_progs; do
  command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done

# Ensure we can connect to docker daemon
docker ps -q >/dev/null 2>&1
if [ $? -ne 0 ]; then
  printf "Error connecting to docker daemon (does docker ps work?)\n"
  exit 1
fi

usage () {
  printf "
  usage: %s [options]

  -h           optional  Print this help message\n" "$myname"
  exit 1
}

yell "# ------------------------------------------------------------------------------
# Docker Bench for Security v1.0.0
#
# Docker, Inc. (c) 2015
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------"

logit "Initializing $(date)\n"

# Warn if not root
ID=$(id -u)
if [ "x$ID" != "x0" ]; then
    warn "Some tests might require root to run"
    sleep 3
fi

# Get the flags
while getopts :hlfi: args
do
  case $args in
  h) usage ;;
  l) logger="$OPTARG" ;;
  *) usage ;;
  esac
done

# Load all the tests from tests/ and run them
main () {
  # List all running containers
  containers=$(docker ps -q)
  # If there is a container with label docker-bench-security, memorize it:
  benchcont="nil"
  for c in $containers; do
    labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
    contains "$labels" "docker_bench_security" && benchcont="$c"
  done
  # List all running containers except docker-bench (use names to improve readability in logs)
  containers=$(docker ps | sed '1d' |  awk '{print $NF}' | grep -v "$benchcont")

  for test in tests/*.sh
  do
     . ./"$test"
  done
}

main "$@"
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`#!/bin/sh`
			`# ------------------------------------------------------------------------------`
Change the scripts header to mention Docker Benchmark for Security 2015-06-28 20:04:53 +02:00			`# Docker Bench for Security v1.0.0`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`#`
			`# Docker, Inc. (c) 2015`
			`#`
Change the scripts header to mention Docker Benchmark for Security 2015-06-28 20:04:53 +02:00			`# Checks for dozens of common best-practices around deploying Docker containers in production.`
			`# Inspired by the CIS Docker 1.6 Benchmark:`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf`
			`#`
			`# ------------------------------------------------------------------------------`

			`# Load dependencies`
			`. ./output_lib.sh`
			`. ./helper_lib.sh`

			`# Setup the paths`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`this_path=$(abspath "$0") ## Path of this file including filenamel`
			`myname=$(basename "${this_path}") ## file name of this script.`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00
add /usr/sbin/ Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> 2015-05-31 01:40:23 +02:00			`export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`logger="${myname}.log"`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00
			`# Check for required program(s)`
add stat. reorder Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> 2015-06-17 23:23:59 +02:00			`req_progs='awk docker grep netstat stat'`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`for p in $req_progs; do`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`command -v "$p" >/dev/null 2>&1 \|\| { printf "%s command not found.\n" "$p"; exit 1; }`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`done`

			`# Ensure we can connect to docker daemon`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`docker ps -q >/dev/null 2>&1`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`if [ $? -ne 0 ]; then`
			`printf "Error connecting to docker daemon (does docker ps work?)\n"`
			`exit 1`
			`fi`

			`usage () {`
			`printf "`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`usage: %s [options]`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`-h optional Print this help message\n" "$myname"`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`exit 1`
			`}`

			`yell "# ------------------------------------------------------------------------------`
Change the scripts header to mention Docker Benchmark for Security 2015-06-28 20:04:53 +02:00			`# Docker Bench for Security v1.0.0`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`#`
			`# Docker, Inc. (c) 2015`
			`#`
Change the scripts header to mention Docker Benchmark for Security 2015-06-28 20:04:53 +02:00			`# Checks for dozens of common best-practices around deploying Docker containers in production.`
			`# Inspired by the CIS Docker 1.6 Benchmark:`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf`
			`# ------------------------------------------------------------------------------"`

Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`logit "Initializing $(date)\n"`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00
			`# Warn if not root`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`ID=$(id -u)`
Make ifs style be consistent 2015-05-15 05:26:32 +02:00			`if [ "x$ID" != "x0" ]; then`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`warn "Some tests might require root to run"`
			`sleep 3`
			`fi`

			`# Get the flags`
			`while getopts :hlfi: args`
			`do`
			`case $args in`
			`h) usage ;;`
			`l) logger="$OPTARG" ;;`
			`*) usage ;;`
			`esac`
			`done`

			`# Load all the tests from tests/ and run them`
			`main () {`
Fixed the script to ignore containers with label security-benchmark 2015-05-14 02:08:12 +02:00			`# List all running containers`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`containers=$(docker ps -q)`
consistent labeling Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> 2015-06-19 23:31:44 +02:00			`# If there is a container with label docker-bench-security, memorize it:`
Fixed the script to ignore containers with label security-benchmark 2015-05-14 02:08:12 +02:00			`benchcont="nil"`
			`for c in $containers; do`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")`
label rule for 1.8 Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> 2015-07-25 14:20:56 +02:00			`contains "$labels" "docker_bench_security" && benchcont="$c"`
Fixed the script to ignore containers with label security-benchmark 2015-05-14 02:08:12 +02:00			`done`
Get all running containers by name instead of by shor-uuid to improve readability in logs Signed-off-by: alberto <alberto@tutum.co> 2015-07-23 11:14:13 +02:00			`# List all running containers except docker-bench (use names to improve readability in logs)`
			`containers=$(docker ps \| sed '1d' \| awk '{print $NF}' \| grep -v "$benchcont")`
Added filtering to ignore security-benchmark container 2015-05-14 04:22:39 +02:00
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`for test in tests/*.sh`
			`do`
Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck <wernerbuck@gmail.com> 2015-05-29 13:42:34 +02:00			`. ./"$test"`
First version of the CIS Docker Benchmark v1.0.0 2015-05-11 06:08:28 +02:00			`done`
			`}`

			`main "$@"`