#!/bin/bash

check_6() {
  logit ""
  local id="6"
  local desc="Docker Security Operations"
  checkHeader="$id - $desc"
  info "$checkHeader"
  startsectionjson "$id" "$desc"
}

check_6_1() {
  local id="6.1"
  local desc="Ensure that image sprawl is avoided (Manual)"
  local remediation="You should keep only the images that you actually need and establish a workflow to remove old or stale images from the host. Additionally, you should use features such as pull-by-digest to get specific images from the registry."
  local remediationImpact="docker system prune -a removes all exited containers as well as all images and volumes that are not referenced by running containers, including for UCP and DTR."
  local check="$id - $desc"
  starttestjson "$id" "$desc"
  # Improve docker-bench-security json output
  # Add a test object for each test performed by the script. Each object has
  # an id N.M, a desc property describing the test, and the result. Some
  # tests include additional information about the test e.g. "No TLS
  # Certificate Found". That can be found in an optional details property of
  # the test object.
  # Also, some tests might also return a list of containers, images, users,
  # etc. This is included in an optional items property of the test object.
  # Instead of having all test results as top-level objects, break the test
  # results into sections. Each section has an id + description e.g. "1" and
  # "Host Configuration". The tests for that section are an array below that
  # object.
  # All of the additional json output is implemented by adding new functions
  # startsectionjson(), endsectionjson(), starttestjson(), and
  # resulttestjson() that take the id/desc/etc as arguments and print the
  # proper json properties. It also required adding an "end" test to each
  # script that calls endsectionjson().
  # Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
  # 2018-07-12 03:02:12 +02:00

  images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
  active_images=0

  # The inner command substitution is deliberately left unquoted: every
  # container ID has to reach docker inspect as its own argument, otherwise
  # the whole list is passed as one (non-existent) object and nothing is counted.
  for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do
    if docker images --no-trunc -a | grep "$c" > /dev/null; then
      active_images=$((active_images + 1))
    fi
  done

  info -c "$check"
  info "     * There are currently: $images images"

  if [ "$active_images" -lt "$((images / 2))" ]; then
    info "     * Only $active_images out of $images are in use"
  fi
  logcheckresult "INFO" "$active_images active/$images in use"
}

check_6_2() {
  local id="6.2"
  local desc="Ensure that container sprawl is avoided (Manual)"
  local remediation="You should periodically check your container inventory on each host and clean up containers which are not in active use with the command: docker container prune"
  local remediationImpact="You should retain containers that are actively in use, and delete ones which are no longer needed."
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
  running_containers=$(docker ps -q | wc -l | awk '{print $1}')
  diff="$((total_containers - running_containers))"

  info -c "$check"
  if [ "$diff" -gt 25 ]; then
    info "     * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
  else
    info "     * There are currently a total of $total_containers containers, with $running_containers of them currently running"
  fi
  logcheckresult "INFO" "$total_containers total/$running_containers running"
}
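The section/test JSON layout described in the commit message above, driven by the two sprawl checks in this file, as an added example that is not docker-bench-security's own code. The `docker` function is a constructed stand-in that returns sample data (four images, three containers, one running), so the script runs offline; the four JSON helpers and the `count_*` functions are assumptions modelled on the names this file calls. It goes one step beyond check 6.1 by deduplicating image IDs with `sort -u`, so several containers built from the same image count as one active image.

```shell
#!/bin/bash
# Added example, not docker-bench-security's own code. Helper names match the
# ones this file calls; their bodies are assumptions.

# Constructed stand-in for `docker`: four images, three containers (two of
# them built from the same image), one of them running.
docker() {
  case "$1 $2" in
    "images -q")         printf '%s\n' aaa111 bbb222 ccc333 ddd444 ;;
    "images --no-trunc") printf 'sha256:%s\n' aaa111 bbb222 ccc333 ddd444 ;;
    "ps -qa")            printf '%s\n' c1 c2 c3 ;;
    "ps -q")             printf '%s\n' c1 ;;
    "info ")             printf ' Containers: 3\n  Running: 1\n  Stopped: 2\n' ;;
    "inspect --format")
      shift 3                       # drop "inspect --format <template>"
      for c in "$@"; do
        case "$c" in
          c1|c2) echo "sha256:aaa111" ;;
          c3)    echo "sha256:bbb222" ;;
        esac
      done ;;
  esac
}

# JSON emitters (assumed layout): a section object with id, desc and a
# "tests" array; each test object carries id, desc, result and details.
startsectionjson() { sep=""; printf '{"id":"%s","desc":"%s","tests":[' "$1" "$2"; }
starttestjson()    { printf '%s{"id":"%s","desc":"%s"' "$sep" "$1" "$2"; sep=","; }
resulttestjson()   { printf ',"result":"%s","details":"%s"}' "$1" "$2"; }
endsectionjson()   { printf ']}\n'; }

# 6.1: distinct images on the host versus distinct images referenced by a container.
count_images() { docker images -q | sort -u | wc -l | awk '{print $1}'; }
count_active_images() {
  local active=0 c
  # The inner substitution stays unquoted so every container id is its own
  # argument; sort -u counts each image once even if several containers use it.
  for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null | sort -u); do
    if docker images --no-trunc -a | grep -q "$c"; then
      active=$((active + 1))
    fi
  done
  echo "$active"
}

# 6.2: total containers known to the daemon versus running ones.
count_total_containers()   { docker info 2>/dev/null | grep "Containers" | awk '{print $2}'; }
count_running_containers() { docker ps -q | wc -l | awk '{print $1}'; }

# Runs section 6 against the stand-in and prints it as one JSON section object.
run_section_6() {
  local images active total running
  startsectionjson "6" "Docker Security Operations"

  starttestjson "6.1" "Ensure that image sprawl is avoided (Manual)"
  images=$(count_images)
  active=$(count_active_images)
  resulttestjson "INFO" "$active active/$images in use"

  starttestjson "6.2" "Ensure that container sprawl is avoided (Manual)"
  total=$(count_total_containers)
  running=$(count_running_containers)
  resulttestjson "INFO" "$total total/$running running"

  endsectionjson
}

run_section_6
```

Swapping the stand-in `docker` function for the real CLI is the only change needed to run the two counts against a live host; the JSON emitters stay the same, and a consumer can pick each section by `id` and each test by its `N.M` id exactly as the commit message lays out.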

check_6_end() {
  endsectionjson
}