#!/bin/sh
check_5() {
  # Section header for "5 - Container Runtime": print a blank separator,
  # announce the section title and open the JSON section object.
  # Globals written: checkHeader (assigned without 'local', so it remains
  # set after this function returns).
  local id desc
  id="5"
  desc="Container Runtime"

  logit ""
  checkHeader="$id - $desc"
  info "$checkHeader"
  startsectionjson "$id" "$desc"
}
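check_running_containers() {
  # Section 5 only makes sense with at least one running container.  When
  # $containers (filled in by the caller) is empty, say so and leave the
  # shell untouched; otherwise prepare the shell for the "for c in
  # $containers" loops used by the check_5_* functions.
  # Globals read: containers.  Shell state changed: 'set -f' and IFS.
  if [ -z "$containers" ]; then
    info " * No containers running, skipping Section 5"
    return
  fi
  # Disable pathname expansion so an unquoted $containers is never globbed.
  set -f
  # Split $containers on newlines only.  A literal newline inside single
  # quotes is portable; the previous $'…' form is a bashism, and under a
  # /bin/sh without $'…' support it left a literal '$' in IFS as well.
  IFS='
'
}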
check_5_1() {
  # 5.1 - every running container should have an AppArmor profile applied.
  # Silently skipped when there are no running containers.
  [ -z "$containers" ] && return

  local id desc check
  id="5.1"
  desc="Ensure that, if applicable, an AppArmor Profile is enabled (Scored)"
  check="$id - $desc"
  starttestjson "$id" "$desc"

  # fail, c, policy and no_apparmor_containers are left global on purpose
  # (no 'local'), exactly as before.
  fail=0
  no_apparmor_containers=""
  for c in $containers; do
    policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c")
    case "$policy" in
      'AppArmorProfile='|'AppArmorProfile=[]'|'AppArmorProfile=<no value>'|'AppArmorProfile=unconfined')
        # The first offender turns the check into a WARN; later ones only
        # add their own line.  Any other value (including an empty one if
        # docker inspect fails) is treated as compliant.
        [ "$fail" -eq 0 ] && warn -s "$check"
        warn " * No AppArmorProfile Found: $c"
        no_apparmor_containers="$no_apparmor_containers $c"
        fail=1
        ;;
    esac
  done

  if [ "$fail" -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
  fi
}
check_5_2() {
  # 5.2 - every running container should carry SELinux security options
  # (HostConfig.SecurityOpt).  Silently skipped when nothing is running.
  [ -z "$containers" ] && return

  local id desc check
  id="5.2"
  desc="Ensure that, if applicable, SELinux security options are set (Scored)"
  check="$id - $desc"
  starttestjson "$id" "$desc"

  # fail, c, policy and no_securityoptions_containers are left global on
  # purpose (no 'local'), exactly as before.
  fail=0
  no_securityoptions_containers=""
  for c in $containers; do
    policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "$c")
    case "$policy" in
      'SecurityOpt='|'SecurityOpt=[]'|'SecurityOpt=<no value>')
        # The first offender turns the check into a WARN; later ones only
        # add their own line.  Any other value (including an empty one if
        # docker inspect fails) is treated as compliant.
        [ "$fail" -eq 0 ] && warn -s "$check"
        warn " * No SecurityOptions Found: $c"
        no_securityoptions_containers="$no_securityoptions_containers $c"
        fail=1
        ;;
    esac
  done

  if [ "$fail" -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
  fi
}
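check_5_3() {
  # 5.3 - no running container may have Linux capabilities added beyond
  # Docker's default set.  Silently skipped when nothing is running.
  # Globals written (no 'local', as before): fail, c, container_caps, caps,
  # caps_containers.
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.3"
  local desc="Ensure that Linux kernel capabilities are restricted within containers (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  caps_containers=""
  for c in $containers; do
    container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c")
    # "Nothing added" is decided on the raw value, *before* normalising it:
    # the upper-casing below turns '<no value>' / '<nil>' into '<NOVALUE>' /
    # '<NIL>', so the old post-normalisation comparison against the
    # lower-case spellings could never match and such containers were
    # reported as having extra capabilities.
    case "$container_caps" in
      'CapAdd='|'CapAdd=[]'|'CapAdd=<no value>'|'CapAdd=<nil>') continue ;;
    esac
    # Normalise: upper-case the capability names, restore the 'CapAdd'
    # label, then delete every capability of Docker's default set plus all
    # whitespace.  Anything left besides 'CapAdd=[]' is a non-default cap.
    # '-E' and '[[:space:]]' replace the GNU-only '-r' and '\s'.
    caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" \
      | sed 's/CAPADD/CapAdd/' \
      | sed -E 's/AUDIT_WRITE|CHOWN|DAC_OVERRIDE|FOWNER|FSETID|KILL|MKNOD|NET_BIND_SERVICE|NET_RAW|SETFCAP|SETGID|SETPCAP|SETUID|SYS_CHROOT|[[:space:]]//g')
    if [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=[]' ]; then
      # The first offender turns the check into a WARN; later ones only
      # add their own line.
      if [ "$fail" -eq 0 ]; then
        warn -s "$check"
      fi
      warn " * Capabilities added: $caps to $c"
      caps_containers="$caps_containers $c"
      fail=1
    fi
  done

  # We went through all the containers and found none with extra capabilities
  if [ "$fail" -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
  fi
}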
check_5_4() {
  # 5.4 - no running container may run with --privileged
  # (HostConfig.Privileged == true).  Silently skipped when nothing is running.
  [ -z "$containers" ] && return

  local id desc check
  id="5.4"
  desc="Ensure that privileged containers are not used (Scored)"
  check="$id - $desc"
  starttestjson "$id" "$desc"

  # fail, c, privileged and privileged_containers are left global on
  # purpose (no 'local'), exactly as before.
  fail=0
  privileged_containers=""
  for c in $containers; do
    privileged=$(docker inspect --format '{{ .HostConfig.Privileged }}' "$c")
    case "$privileged" in
      true)
        # The first offender turns the check into a WARN; later ones only
        # add their own line.  Anything but the exact string "true"
        # (including an empty value if docker inspect fails) is accepted.
        [ "$fail" -eq 0 ] && warn -s "$check"
        warn " * Container running in Privileged mode: $c"
        privileged_containers="$privileged_containers $c"
        fail=1
        ;;
    esac
  done

  if [ "$fail" -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
  fi
}
check_5_5() {
|
2021-03-16 09:05:49 +01:00
|
|
|
if [ -z "$containers" ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
return
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="5.5"
|
|
|
|
local desc="Ensure sensitive host system directories are not mounted on containers (Scored)"
|
|
|
|
local check="$id - $desc"
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2015-05-14 04:22:39 +02:00
|
|
|
# List of sensitive directories to test for. Script uses new-lines as a separator.
|
|
|
|
# Note the lack of identation. It needs it for the substring comparison.
|
2017-02-13 11:36:16 +01:00
|
|
|
sensitive_dirs='/
|
|
|
|
/boot
|
2015-05-14 04:22:39 +02:00
|
|
|
/dev
|
|
|
|
/etc
|
|
|
|
/lib
|
|
|
|
/proc
|
|
|
|
/sys
|
|
|
|
/usr'
|
2015-05-11 06:08:28 +02:00
|
|
|
fail=0
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
sensitive_mount_containers=""
|
2015-05-14 04:22:39 +02:00
|
|
|
for c in $containers; do
|
2017-01-24 15:26:19 +01:00
|
|
|
if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
|
2015-12-22 19:46:32 +01:00
|
|
|
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
|
|
|
|
else
|
|
|
|
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
|
|
|
|
fi
|
2015-05-11 06:08:28 +02:00
|
|
|
# Go over each directory in sensitive dir and see if they exist in the volumes
|
|
|
|
for v in $sensitive_dirs; do
|
2015-05-14 04:22:39 +02:00
|
|
|
sensitive=0
|
2020-03-09 15:48:10 +01:00
|
|
|
if echo "$volumes" | grep -e "{.*\s$v\s.*true\s.*}" 2>/tmp/null 1>&2; then
|
2017-02-10 15:35:06 +01:00
|
|
|
sensitive=1
|
|
|
|
fi
|
2015-05-14 04:22:39 +02:00
|
|
|
if [ $sensitive -eq 1 ]; then
|
|
|
|
# If it's the first container, fail the test
|
|
|
|
if [ $fail -eq 0 ]; then
|
2021-03-16 09:05:49 +01:00
|
|
|
warn -s "$check"
|
2015-05-14 04:22:39 +02:00
|
|
|
warn " * Sensitive directory $v mounted in: $c"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
|
2015-05-14 04:22:39 +02:00
|
|
|
fail=1
|
|
|
|
else
|
|
|
|
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fi
fi
done
done
# We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
fi
}
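check_5_6() {
  # CIS 5.6: flag running containers whose process list contains "sshd",
  # and containers that cannot be examined because `docker exec` fails.
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.6"
  local desc="Ensure sshd is not run within containers (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  ssh_exec_containers=""
  printcheck=0
  for c in $containers; do
    # One exec per container (the original ran it twice): the captured
    # process list feeds the sshd count, the exit status tells us whether
    # the exec itself worked.
    # NOTE: this trusts the ps(1) shipped inside the container. An image
    # without ps in PATH returns a non-zero status other than 255 and is
    # therefore treated as clean — a known blind spot of this check.
    processes=$(docker exec "$c" ps -el 2>/dev/null)
    exec_rc=$?
    # Substring match, as in the original: any process line mentioning sshd
    sshd_count=$(printf '%s\n' "$processes" | grep -c sshd)

    if [ "$sshd_count" -ge 1 ]; then
      # Emit the check header once, ahead of the first finding
      if [ $printcheck -eq 0 ]; then
        warn -s "$check"
        printcheck=1
      fi
      warn " * Container running sshd: $c"
      ssh_exec_containers="$ssh_exec_containers $c"
      fail=1
    fi

    # Exit status 255 is treated as "docker exec could not run the command";
    # the container could not be assessed, so it counts as a finding too.
    if [ "$exec_rc" -eq 255 ]; then
      if [ $printcheck -eq 0 ]; then
        warn -s "$check"
        printcheck=1
      fi
      warn " * Docker exec fails: $c"
      ssh_exec_containers="$ssh_exec_containers $c"
      fail=1
    fi
  done
  # We went through all the containers and found none with sshd
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
  fi
}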
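check_5_7() {
  # CIS 5.7: flag containers that publish a container port on a host port
  # below 1024 (a privileged port).
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.7"
  local desc="Ensure privileged ports are not mapped within containers (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  privileged_port_containers=""
  for c in $containers; do
    # `docker port` prints one line per mapping: "private/proto -> host:public".
    # The host part may be an IPv4 address ("0.0.0.0:8080") or a bracketed
    # IPv6 address ("[::]:8080"), so take the text after the LAST ':' — the
    # former `cut -d ':' -f2` yielded an empty field for IPv6 bindings and
    # silently skipped them.
    ports=$(docker port "$c" | awk -F: '{print $NF}')

    # iterate through port range (line delimited)
    for port in $ports; do
      # Only plain decimal numbers are comparable; skip anything else so a
      # malformed line cannot turn the -lt test into a shell error.
      case "$port" in
        ''|*[!0-9]*) continue ;;
      esac
      if [ "$port" -lt 1024 ]; then
        # Emit the check header once, ahead of the first finding
        if [ $fail -eq 0 ]; then
          warn -s "$check"
          fail=1
        fi
        warn " * Privileged Port in use: $port in $c"
        privileged_port_containers="$privileged_port_containers $c:$port"
      fi
    done
  done
  # We went through all the containers and found no privileged ports
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
  fi
}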
check_5_8() {
  # CIS 5.8 is not scored and cannot be decided automatically: it only
  # records a NOTE reminding the operator to review the published ports.
  [ -z "$containers" ] && return 0

  local id="5.8"
  local desc="Ensure that only needed ports are open on the container (Not Scored)"
  local check="$id - $desc"

  starttestjson "$id" "$desc"
  note -c "$check"
  logcheckresult "NOTE"
}
check_5_9() {
  # CIS 5.9: flag containers whose HostConfig.NetworkMode is "host", i.e.
  # containers sharing the host's network namespace.
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.9"
  local desc="Ensure that the host's network namespace is not shared (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  net_host_containers=""
  for c in $containers; do
    mode=$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' "$c")
    # Anything other than host networking is fine for this check
    [ "$mode" = "NetworkMode=host" ] || continue

    # Emit the check header once, ahead of the first finding
    if [ $fail -eq 0 ]; then
      warn -s "$check"
      fail=1
    fi
    warn " * Container running with networking mode 'host': $c"
    net_host_containers="$net_host_containers $c"
  done
  # We went through all the containers and found no Network Mode host
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
  fi
}
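check_5_10() {
  # CIS 5.10: flag containers whose memory limit is 0 (unlimited).
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.10"
  local desc="Ensure that the memory usage for containers is limited (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  mem_unlimited_containers=""
  for c in $containers; do
    # Not every engine exposes .Config.Memory; when that template errors out
    # fall back to .HostConfig.Memory. A single inspect per path (the original
    # probed .Config.Memory and then re-ran the same inspect to read it).
    memory=$(docker inspect --format '{{ .Config.Memory }}' "$c" 2>/dev/null) \
      || memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")

    if [ "$memory" = "0" ]; then
      # Emit the check header once, ahead of the first finding
      if [ $fail -eq 0 ]; then
        warn -s "$check"
        fail=1
      fi
      warn " * Container running without memory restrictions: $c"
      mem_unlimited_containers="$mem_unlimited_containers $c"
    fi
  done
  # We went through all the containers and found no lack of Memory restrictions
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
  fi
}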
check_5_11() {
if [ -z "$containers" ]; then
return
fi
local id="5.11"
local desc="Ensure that CPU priority is set appropriately on containers (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
cpu_unlimited_containers=""
for c in $containers; do
if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then
shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
else
shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
fi
if [ "$shares" = "0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fail=1
else
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fi
fi
done
# We went through all the containers and found no lack of CPUShare restrictions
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
fi
}
#######################################
# CIS 5.12: the root filesystem of every running container should be mounted
# read-only. Any container whose HostConfig.ReadonlyRootfs is "false" is
# reported and the check result is WARN; otherwise it is PASS.
# Globals:   containers (read), fail, fsroot_mount_containers (written)
# Outputs:   warn/pass lines plus the JSON result for this check
#######################################
check_5_12() {
  # Nothing to audit when no containers are running.
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.12"
  local desc="Ensure that the container's root filesystem is mounted as read only (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # fail flips to 1 on the first offending container; the list collects them all.
  fail=0
  fsroot_mount_containers=""
  for c in $containers; do
    read_status=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$c")
    # Only an explicit "false" counts as a finding.
    [ "$read_status" = "false" ] || continue
    # The check header is emitted once, before the first offending container.
    if [ $fail -eq 0 ]; then
      warn -s "$check"
      fail=1
    fi
    warn " * Container running with root FS mounted R/W: $c"
    fsroot_mount_containers="$fsroot_mount_containers $c"
  done

  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
  fi
}
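#######################################
# CIS 5.13: published container ports should be bound to a specific host
# interface, not to a wildcard address. Every published port of every running
# container is inspected via `docker port`; a wildcard bind is reported and the
# check result is WARN, otherwise PASS.
#
# Fix: the previous `cut -d ':' -f1` reduced an IPv6 wildcard such as
# "[::]:8080" to "[", so containers published on the IPv6 wildcard were never
# flagged. The host part is now split off with parameter expansion and both
# address-family wildcards are matched.
# Globals:   containers (read), fail, incoming_unbound_containers (written)
# Outputs:   warn/pass lines plus the JSON result for this check
#######################################
check_5_13() {
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.13"
  local desc="Ensure that incoming container traffic is bound to a specific host interface (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  incoming_unbound_containers=""
  for c in $containers; do
    # `docker port` prints one "<port>/<proto> -> <host>:<port>" line per
    # published port; field 3 is the host side. Dropping the trailing ":<port>"
    # with ${addr%:*} keeps a bracketed IPv6 address intact.
    for addr in $(docker port "$c" | awk '{print $3}'); do
      ip=${addr%:*}
      case "$ip" in
        0.0.0.0 | "[::]") ;;   # wildcard bind on either address family
        *) continue ;;
      esac
      # The check header is emitted once, before the first finding.
      if [ $fail -eq 0 ]; then
        warn -s "$check"
        fail=1
      fi
      warn " * Port being bound to wildcard IP: $ip in $c"
      incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
    done
  done

  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
  fi
}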
#######################################
# CIS 5.14: the restart policy's MaximumRetryCount should be exactly 5. Any
# running container reporting a different value is listed and the check result
# is WARN; otherwise it is PASS.
# Globals:   containers (read), fail, maxretry_unset_containers (written)
# Outputs:   warn/pass lines plus the JSON result for this check
#######################################
check_5_14() {
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.14"
  local desc="Ensure that the 'on-failure' container restart policy is set to '5' (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  maxretry_unset_containers=""
  for c in $containers; do
    # The literal "MaximumRetryCount=" prefix in the template turns the test
    # below into a single exact-string comparison.
    policy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
    case "$policy" in
      "MaximumRetryCount=5") continue ;;   # compliant; any other value is flagged
    esac
    # The check header is emitted once, before the first finding.
    if [ $fail -eq 0 ]; then
      warn -s "$check"
      fail=1
    fi
    warn " * MaximumRetryCount is not set to 5: $c"
    maxretry_unset_containers="$maxretry_unset_containers $c"
  done

  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
  fi
}
#######################################
# CIS 5.15: containers must not share the host's PID namespace. Every running
# container whose HostConfig.PidMode is "host" is listed and the check result
# is WARN; otherwise it is PASS.
# Globals:   containers (read), fail, pidns_shared_containers (written)
# Outputs:   warn/pass lines plus the JSON result for this check
#######################################
check_5_15() {
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.15"
  local desc="Ensure that the host's process namespace is not shared (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  pidns_shared_containers=""
  for c in $containers; do
    # The "PidMode=" prefix in the template keeps the comparison below a
    # single exact-string test.
    mode=$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' "$c")
    if [ "$mode" != "PidMode=host" ]; then
      continue
    fi
    # First finding: print the check header and flip the result to WARN.
    if [ $fail -eq 0 ]; then
      warn -s "$check"
      fail=1
    fi
    warn " * Host PID namespace being shared with: $c"
    pidns_shared_containers="$pidns_shared_containers $c"
  done

  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
  fi
}
check_5_16() {
if [ -z "$containers" ]; then
return
fi
local id="5.16"
local desc="Ensure that the host's IPC namespace is not shared (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
ipcns_shared_containers=""
for c in $containers; do
mode=$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' "$c")
if [ "$mode" = "IpcMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fail=1
else
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fi
fi
done
# We went through all the containers and found none with IPCMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
fi
}
# 5.17 - list containers that have host devices passed straight through
# (a non-empty HostConfig.Devices). Informational: never marks the run failed
# beyond the shared "fail" flag used for the per-check result.
# Reads: containers. Writes: fail, hostdev_exposed_containers, devices, c.
check_5_17() {
  # Nothing to inspect without running containers.
  [ -n "$containers" ] || return 0

  local id="5.17"
  local desc="Ensure that host devices are not directly exposed to containers (Not Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  hostdev_exposed_containers=""
  for c in $containers; do
    devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "$c")
    case "$devices" in
      "Devices=" | "Devices=[]" | "Devices=<no value>")
        # No device mapping for this container.
        ;;
      *)
        # NOTE(review): a failed `docker inspect` leaves $devices empty, which
        # also lands in this branch and is reported as an exposed device.
        # The check header is printed once, before the first hit.
        if [ $fail -eq 0 ]; then
          info -c "$check"
          fail=1
        fi
        info " * Container has devices exposed directly: $c"
        hostdev_exposed_containers="$hostdev_exposed_containers $c"
        ;;
    esac
  done

  # No container exposes a host device: the check passes.
  if [ $fail -eq 0 ]; then
    pass -c "$check"
    logcheckresult "PASS"
  else
    logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
  fi
}
# 5.18 - list containers running with the daemon's default ulimits, i.e. with
# no per-container override in HostConfig.Ulimits. Informational only.
# Reads: containers. Writes: fail, no_ulimit_containers, ulimits, c.
check_5_18() {
  # Nothing to inspect without running containers.
  [ -n "$containers" ] || return 0

  local id="5.18"
  local desc="Ensure that the default ulimit is overwritten at runtime if needed (Not Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  no_ulimit_containers=""
  for c in $containers; do
    ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
    case "$ulimits" in
      "Ulimits=" | "Ulimits=[]" | "Ulimits=<no value>")
        # Empty ulimit list: the container inherits the daemon defaults.
        # The check header is printed once, before the first hit.
        if [ $fail -eq 0 ]; then
          info -c "$check"
          fail=1
        fi
        info " * Container no default ulimit override: $c"
        no_ulimit_containers="$no_ulimit_containers $c"
        ;;
    esac
  done

  # Every container overrides its ulimits: the check passes.
  if [ $fail -eq 0 ]; then
    pass -c "$check"
    logcheckresult "PASS"
  else
    logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
  fi
}
# 5.19 - warn about containers with a mount whose propagation mode contains
# "shared" (matches both "shared" and "rshared" as rendered by the template).
# Reads: containers. Writes: fail, mountprop_shared_containers, c.
check_5_19() {
  # Nothing to inspect without running containers.
  [ -n "$containers" ] || return 0

  local id="5.19"
  local desc="Ensure mount propagation mode is not set to shared (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  mountprop_shared_containers=""
  for c in $containers; do
    # Only the exit status of grep matters; its output is discarded.
    if docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c" |
      grep -q shared 2>/dev/null; then
      # The check header is printed once, before the first hit.
      if [ $fail -eq 0 ]; then
        warn -s "$check"
        fail=1
      fi
      warn " * Mount propagation mode is shared: $c"
      mountprop_shared_containers="$mountprop_shared_containers $c"
    fi
  done

  # No shared propagation found on any container: the check passes.
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
  fi
}
# 5.20 - warn about containers sharing the host UTS namespace
# (HostConfig.UTSMode equal to "host").
# Reads: containers. Writes: fail, utcns_shared_containers, mode, c.
check_5_20() {
  # Nothing to inspect without running containers.
  [ -n "$containers" ] || return 0

  local id="5.20"
  local desc="Ensure that the host's UTS namespace is not shared (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  utcns_shared_containers=""
  for c in $containers; do
    mode=$(docker inspect --format 'UTSMode={{.HostConfig.UTSMode }}' "$c")
    # Anything other than an exact "host" (including an empty result from a
    # failed inspect) is treated as not shared.
    [ "$mode" = "UTSMode=host" ] || continue

    # The check header is printed once, before the first hit.
    if [ $fail -eq 0 ]; then
      warn -s "$check"
      fail=1
    fi
    warn " * Host UTS namespace being shared with: $c"
    utcns_shared_containers="$utcns_shared_containers $c"
  done

  # No container shares the host UTS namespace: the check passes.
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
  fi
}
check_5_21() {
|
2021-03-16 09:05:49 +01:00
|
|
|
if [ -z "$containers" ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
return
|
|
|
|
fi
|
2016-04-15 00:12:00 +02:00
|
|
|
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="5.21"
|
|
|
|
local desc="Ensurethe default seccomp profile is not Disabled (Scored)"
|
|
|
|
local check="$id - $desc"
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2016-04-15 00:12:00 +02:00
|
|
|
fail=0
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
seccomp_disabled_containers=""
|
2016-04-15 00:12:00 +02:00
|
|
|
for c in $containers; do
|
2018-01-12 11:36:14 +01:00
|
|
|
if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | \
|
|
|
|
grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then
|
2016-04-15 00:12:00 +02:00
|
|
|
# If it's the first container, fail the test
|
|
|
|
if [ $fail -eq 0 ]; then
|
2021-03-16 09:05:49 +01:00
|
|
|
warn -s "$check"
|
|
|
|
warn " * Default seccomp profile disabled: $c"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
seccomp_disabled_containers="$seccomp_disabled_containers $c"
|
2016-04-15 00:12:00 +02:00
|
|
|
fail=1
|
|
|
|
else
|
2021-03-16 09:05:49 +01:00
|
|
|
warn " * Default seccomp profile disabled: $c"
seccomp_disabled_containers="$seccomp_disabled_containers $c"
fi
fi
done
# We went through all the containers and found none with default secomp profile disabled
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
fi
}
check_5_22() {
  # CIS 5.22 concerns how `docker exec` is invoked and cannot be verified
  # from container state, so the bench only records a NOTE for it.
  [ -n "$containers" ] || return 0

  local id="5.22"
  local desc="Ensure that docker exec commands are not used with the privileged option (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  note -c "$check"
  logcheckresult "NOTE"
}
check_5_23() {
  # CIS 5.23 concerns the --user option given to `docker exec`; that is not
  # observable from container state, so only a NOTE is recorded.
  [ -n "$containers" ] || return 0

  local id="5.23"
  local desc="Ensure that docker exec commands are not used with the user=root option (Not Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  note -c "$check"
  logcheckresult "NOTE"
}
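check_5_24() {
  # Warn for every running container whose cgroup parent differs from the
  # default; the CIS item asks the operator to confirm such overrides.
  # Globals written: fail, unexpected_cgroup_containers
  [ -n "$containers" ] || return 0

  local id="5.24"
  local desc="Ensure that cgroup usage is confirmed (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  unexpected_cgroup_containers=""
  for c in $containers; do
    # An unset CgroupParent renders as the literal "CgroupParent=x".
    mode=$(docker inspect --format 'CgroupParent={{.HostConfig.CgroupParent }}x' "$c")
    if [ "$mode" != "CgroupParent=x" ]; then
      # A failed inspect leaves $mode empty and is reported as well, so the
      # check errs on the side of warning rather than silently passing.
      if [ $fail -eq 0 ]; then
        # First finding: mark the whole check as WARN once.
        warn -s "$check"
        fail=1
      fi
      warn " * Confirm cgroup usage: $c"
      unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
    fi
  done
  # We went through all the containers and found none with a non-default cgroup parent
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
  fi
}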
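check_5_25() {
  # Warn for every running container that was not started with the
  # no-new-privileges security option (setuid/setgid binaries inside it
  # could otherwise raise privileges).
  # Globals written: fail, addprivs_containers
  [ -n "$containers" ] || return 0

  local id="5.25"
  local desc="Ensure that the container is restricted from acquiring additional privileges (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  addprivs_containers=""
  for c in $containers; do
    # One security option per line. A failed inspect yields no output, and
    # the container is then reported as unrestricted.
    secopts=$(docker inspect --format '{{range .HostConfig.SecurityOpt}}{{.}}{{"\n"}}{{end}}' "$c" 2>/dev/null)
    nnp=0
    # Count the option as enabled only for a bare "no-new-privileges" or a
    # value spelled like a Go boolean true (1, t, T, true, True, TRUE).
    # The previous substring match also accepted an explicit
    # "no-new-privileges=false", which left such containers unreported.
    # NOTE(review): confirm the accepted spellings against the daemon's
    # option parser; a daemon-wide no-new-privileges default presumably does
    # not appear in HostConfig.SecurityOpt and is not considered here.
    for opt in $secopts; do
      case "$opt" in
        no-new-privileges|no-new-privileges[=:]1|no-new-privileges[=:][tT]|no-new-privileges[=:]true|no-new-privileges[=:]True|no-new-privileges[=:]TRUE)
          nnp=1
          ;;
      esac
    done
    if [ "$nnp" -eq 0 ]; then
      if [ $fail -eq 0 ]; then
        # First finding: mark the whole check as WARN once.
        warn -s "$check"
        fail=1
      fi
      warn " * Privileges not restricted: $c"
      addprivs_containers="$addprivs_containers $c"
    fi
  done
  # We went through all the containers and found none with capability to acquire additional privileges
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
  fi
}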
check_5_26() {
  # Warn for every running container that has no health check configured.
  # Globals written: fail, nohealthcheck_containers
  [ -n "$containers" ] || return 0

  local id="5.26"
  local desc="Ensure that container health is checked at runtime (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  nohealthcheck_containers=""
  for c in $containers; do
    # Only the exit status is used: the template is expected to fail when
    # .State.Health is absent. Any other inspect failure (e.g. the container
    # stopped in the meantime) is reported the same way.
    if docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then
      continue
    fi
    if [ $fail -eq 0 ]; then
      # First finding: mark the whole check as WARN once.
      warn -s "$check"
      fail=1
    fi
    warn " * Health check not set: $c"
    nohealthcheck_containers="$nohealthcheck_containers $c"
  done
  # Every container reported a health status.
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
  fi
}
check_5_27() {
  # CIS 5.27 is recorded as INFO only; whether running images are current
  # is not verified here.
  [ -n "$containers" ] || return 0

  local id="5.27"
  local desc="Ensure that Docker commands always make use of the latest version of their image (Not Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  info -c "$check"
  logcheckresult "INFO"
}
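check_5_28() {
  # Warn for every running container without a PIDs cgroup limit, which is
  # what bounds process-exhaustion (fork bomb) inside the container.
  # Globals written: fail, nopids_limit_containers
  [ -n "$containers" ] || return 0

  local id="5.28"
  local desc="Ensure that the PIDs cgroup limit is used (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  fail=0
  nopids_limit_containers=""
  for c in $containers; do
    pidslimit="$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")"
    # 0, <nil> and -1 are all treated as "no limit". An empty value means
    # the inspect itself failed; previously that was silently counted as a
    # configured limit, so it is now reported too.
    case "$pidslimit" in
      ''|0|-1|'<nil>')
        if [ $fail -eq 0 ]; then
          # First finding: mark the whole check as WARN once.
          warn -s "$check"
          fail=1
        fi
        warn " * PIDs limit not set: $c"
        nopids_limit_containers="$nopids_limit_containers $c"
        ;;
    esac
  done
  # We went through all the containers and found all with PIDs limit
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
  else
    logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
  fi
}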
check_5_29() {
|
2021-03-16 09:05:49 +01:00
|
|
|
if [ -z "$containers" ]; then
|
2018-01-16 13:46:49 +01:00
|
|
|
return
|
|
|
|
fi
|
2016-12-20 16:01:58 +01:00
|
|
|
|
2021-03-09 11:42:48 +01:00
|
|
|
local id="5.29"
|
|
|
|
local desc="Ensure that Docker's default bridge "docker0" is not used (Not Scored)"
|
|
|
|
local check="$id - $desc"
|
|
|
|
starttestjson "$id" "$desc"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
2016-12-20 16:01:58 +01:00
|
|
|
fail=0
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
docker_network_containers=""
|
2017-01-23 12:52:31 +01:00
|
|
|
networks=$(docker network ls -q 2>/dev/null)
|
2016-12-20 16:01:58 +01:00
|
|
|
for net in $networks; do
|
2017-01-24 15:26:19 +01:00
|
|
|
if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then
|
|
|
|
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
|
2018-02-27 15:43:51 +01:00
|
|
|
sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
|
|
|
|
|
|
|
|
if [ -n "$docker0Containers" ]; then
|
|
|
|
if [ $fail -eq 0 ]; then
|
2021-03-16 09:05:49 +01:00
|
|
|
info -c "$check"
|
2018-02-27 15:43:51 +01:00
|
|
|
fail=1
|
|
|
|
fi
|
|
|
|
for c in $docker0Containers; do
|
|
|
|
if [ -z "$exclude" ]; then
|
|
|
|
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
|
|
|
|
else
|
|
|
|
pattern=$(echo "$exclude" | sed 's/,/|/g')
|
|
|
|
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
|
|
|
|
fi
|
2019-10-16 09:49:18 +02:00
|
|
|
if [ -n "$cName" ]; then
|
2021-03-16 09:05:49 +01:00
|
|
|
info " * Container in docker0 network: $cName"
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
docker_network_containers="$docker_network_containers $c:$cName"
|
2018-02-27 15:43:51 +01:00
|
|
|
fi
|
|
|
|
done
|
2016-12-20 16:01:58 +01:00
|
|
|
fi
|
|
|
|
fi
|
|
|
|
done
|
|
|
|
# We went through all the containers and found none in docker0 network
|
|
|
|
if [ $fail -eq 0 ]; then
|
2021-03-16 09:05:49 +01:00
|
|
|
pass -c "$check"
|
|
|
|
logcheckresult "PASS"
|
2017-10-23 15:40:52 +02:00
|
|
|
else
|
2021-03-16 09:05:49 +01:00
|
|
|
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
fi
}
check_5_30() {
  # Nothing to inspect when no containers are running.
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.30"
  local desc="Ensure that the host's user namespaces are not shared (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # 'fail' flips to 1 on the first offending container; the list collects
  # every offender so the JSON result can carry all of them.
  fail=0
  hostns_shared_containers=""
  for c in $containers; do
    # Errors from docker inspect are discarded, so a container whose
    # metadata cannot be read is silently treated as compliant.
    if ! docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then
      continue
    fi
    # The check header and the failing status are emitted only once.
    if [ $fail -eq 0 ]; then
      warn -s "$check"
      fail=1
    fi
    warn " * Namespace shared: $c"
    hostns_shared_containers="$hostns_shared_containers $c"
  done

  # No container shares the host's user namespace.
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
    return
  fi
  logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
}
check_5_31() {
  # Nothing to inspect when no containers are running.
  if [ -z "$containers" ]; then
    return
  fi

  local id="5.31"
  local desc="Ensure that the Docker socket is not mounted inside any containers (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  # 'fail' flips to 1 on the first offending container; the list collects
  # every offender so the JSON result can carry all of them.
  fail=0
  docker_sock_containers=""
  for c in $containers; do
    # Substring match against the rendered .Mounts structure: only a mount
    # whose entry contains "docker.sock" is caught, so a socket bound under
    # a different name (or reached over TCP) is not detected by this check.
    # Errors from docker inspect are discarded, so an unreadable container
    # is silently treated as compliant.
    if ! docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1; then
      continue
    fi
    # The check header and the failing status are emitted only once.
    if [ $fail -eq 0 ]; then
      warn -s "$check"
      fail=1
    fi
    warn " * Docker socket shared: $c"
    docker_sock_containers="$docker_sock_containers $c"
  done

  # No container has docker.sock mounted.
  if [ $fail -eq 0 ]; then
    pass -s "$check"
    logcheckresult "PASS"
    return
  fi
  logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers"
}
|
Improve docker-bench-security json output
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.
Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.
Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.
All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().
Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
2018-07-12 03:02:12 +02:00
|
|
|
|
|
|
|
# Closes the JSON section opened by check_5; must run after the last 5.x check.
check_5_end() {
  endsectionjson
}