#!/bin/sh

check_3() {
  logit ""
  local id="3"
  local desc="Docker daemon configuration files"
  checkHeader="$id - $desc"
  info "$checkHeader"
  startsectionjson "$id" "$desc"
}

check_3_1() {
  local id="3.1"
  local desc="Ensure that the docker.service file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"
  # Commit message attached to the starttestjson line above:
  # Improve docker-bench-security json output
  # Add a test object for each test performed by the script. Each object has
  # an id N.M, a desc property describing the test, and the result. Some
  # tests include additional information about the test e.g. "No TLS
  # Certificate Found". That can be found in an optional details property of
  # the test object.
  # Also, some tests might also return a list of containers, images, users,
  # etc. This is included in an optional items property of the test object.
  # Instead of having all test results as top-level objects, break the test
  # results into sections. Each section has an id + description e.g. "1" and
  # "Host Configuration". The tests for that section are an array below that
  # object.
  # All of the additional json output is implemented by adding new functions
  # startsectionjson(), endsectionjson(), starttestjson(), and
  # resulttestjson() that take the id/desc/etc as arguments and print the
  # proper json properties. It also required adding an "end" test to each
  # script that calls endsectionjson().
  # Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
  # 2018-07-12 03:02:12 +02:00

  file="$(get_service_file docker.service)"
  if [ -f "$file" ]; then
    # %u%g prints uid and gid concatenated, so root:root yields "00"
    if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $file"
      logcheckresult "WARN" "Wrong ownership for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_2() {
  local id="3.2"
  local desc="Ensure that docker.service file permissions are appropriately set (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="$(get_service_file docker.service)"
  if [ -f "$file" ]; then
    # The octal mode string is compared as a decimal number: a heuristic that
    # also accepts modes such as 633 (group/other writable) as "<= 644"
    if [ "$(stat -c %a "$file")" -le 644 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $file"
      logcheckresult "WARN" "Wrong permissions for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_3() {
  local id="3.3"
  local desc="Ensure that docker.socket file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="$(get_service_file docker.socket)"
  if [ -f "$file" ]; then
    # %u%g prints uid and gid concatenated, so root:root yields "00"
    if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $file"
      logcheckresult "WARN" "Wrong ownership for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_4() {
  local id="3.4"
  local desc="Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="$(get_service_file docker.socket)"
  if [ -f "$file" ]; then
    # The octal mode string is compared as a decimal number: a heuristic that
    # also accepts modes such as 633 (group/other writable) as "<= 644"
    if [ "$(stat -c %a "$file")" -le 644 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $file"
      logcheckresult "WARN" "Wrong permissions for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_5() {
  local id="3.5"
  local desc="Ensure that the /etc/docker directory ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  directory="/etc/docker"
  if [ -d "$directory" ]; then
    # %u%g prints uid and gid concatenated, so root:root yields "00"
    if [ "$(stat -c %u%g "$directory")" -eq 00 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $directory"
      logcheckresult "WARN" "Wrong ownership for $directory"
    fi
  else
    info -c "$check"
    info " * Directory not found"
    logcheckresult "INFO" "Directory not found"
  fi
}

check_3_6() {
  local id="3.6"
  local desc="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  directory="/etc/docker"
  if [ -d "$directory" ]; then
    # The octal mode string is compared as a decimal number: a heuristic that
    # also accepts modes such as 733 (group/other writable) as "<= 755"
    if [ "$(stat -c %a "$directory")" -le 755 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $directory"
      logcheckresult "WARN" "Wrong permissions for $directory"
    fi
  else
    info -c "$check"
    info " * Directory not found"
    logcheckresult "INFO" "Directory not found"
  fi
}

check_3_7() {
  local id="3.7"
  local desc="Ensure that registry certificate file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  directory="/etc/docker/certs.d/"
  if [ -d "$directory" ]; then
    fail=0
    # Every registry certificate must be owned by uid 0 (the group is not
    # checked here); the unquoted expansion splits the list on whitespace
    owners=$(find "$directory" -type f -name '*.crt')
    for p in $owners; do
      if [ "$(stat -c %u "$p")" -ne 0 ]; then
        fail=1
      fi
    done
    if [ "$fail" -eq 1 ]; then
      warn -s "$check"
      warn " * Wrong ownership for $directory"
      logcheckresult "WARN" "Wrong ownership for $directory"
    else
      pass -s "$check"
      logcheckresult "PASS"
    fi
  else
    info -c "$check"
    info " * Directory not found"
    logcheckresult "INFO" "Directory not found"
  fi
}

check_3_8() {
  local id="3.8"
  local desc="Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  directory="/etc/docker/certs.d/"
  if [ -d "$directory" ]; then
    fail=0
    perms=$(find "$directory" -type f -name '*.crt')
    for p in $perms; do
      # The octal mode string is compared as a decimal number: a heuristic that
      # also accepts modes such as 433 (group/other writable) as "<= 444"
      if [ "$(stat -c %a "$p")" -gt 444 ]; then
        fail=1
      fi
    done
    if [ "$fail" -eq 1 ]; then
      warn -s "$check"
      warn " * Wrong permissions for $directory"
      logcheckresult "WARN" "Wrong permissions for $directory"
    else
      pass -s "$check"
      logcheckresult "PASS"
    fi
  else
    info -c "$check"
    info " * Directory not found"
    logcheckresult "INFO" "Directory not found"
  fi
}

check_3_9() {
  local id="3.9"
  local desc="Ensure that TLS CA certificate file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
    tlscacert=$(get_docker_configuration_file_args 'tlscacert')
  else
    # Path after tlscacert= on the daemon command line: keep it from its first
    # non-blank character (any character, so paths starting with 's' are not
    # dropped), then cut at the next --option
    tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^[:space:]]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
  fi
  if [ -f "$tlscacert" ]; then
    # %u%g prints uid and gid concatenated, so root:root yields "00"
    if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $tlscacert"
      logcheckresult "WARN" "Wrong ownership for $tlscacert"
    fi
  else
    info -c "$check"
    info " * No TLS CA certificate found"
    logcheckresult "INFO" "No TLS CA certificate found"
  fi
}

check_3_10() {
  local id="3.10"
  local desc="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
    tlscacert=$(get_docker_configuration_file_args 'tlscacert')
  else
    # Path after tlscacert= on the daemon command line, cut at the next --option
    tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^[:space:]]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
  fi
  if [ -f "$tlscacert" ]; then
    # The octal mode string is compared as a decimal number: a heuristic that
    # also accepts modes such as 433 (group/other writable) as "<= 444"
    if [ "$(stat -c %a "$tlscacert")" -le 444 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $tlscacert"
      logcheckresult "WARN" "Wrong permissions for $tlscacert"
    fi
  else
    info -c "$check"
    info " * No TLS CA certificate found"
    logcheckresult "INFO" "No TLS CA certificate found"
  fi
}

check_3_11() {
  local id="3.11"
  local desc="Ensure that Docker server certificate file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
    tlscert=$(get_docker_configuration_file_args 'tlscert')
  else
    # Path after tlscert= on the daemon command line, cut at the next --option
    tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^[:space:]]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
  fi
  if [ -f "$tlscert" ]; then
    # %u%g prints uid and gid concatenated, so root:root yields "00"
    if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $tlscert"
      logcheckresult "WARN" "Wrong ownership for $tlscert"
    fi
  else
    info -c "$check"
    info " * No TLS Server certificate found"
    logcheckresult "INFO" "No TLS Server certificate found"
  fi
}

check_3_12() {
  local id="3.12"
  local desc="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
    tlscert=$(get_docker_configuration_file_args 'tlscert')
  else
    # Path after tlscert= on the daemon command line, cut at the next --option
    tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^[:space:]]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
  fi
  if [ -f "$tlscert" ]; then
    # The octal mode string is compared as a decimal number: a heuristic that
    # also accepts modes such as 433 (group/other writable) as "<= 444"
    if [ "$(stat -c %a "$tlscert")" -le 444 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $tlscert"
      logcheckresult "WARN" "Wrong permissions for $tlscert"
    fi
  else
    info -c "$check"
    info " * No TLS Server certificate found"
    logcheckresult "INFO" "No TLS Server certificate found"
  fi
}
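The permission checks in 3.2, 3.4, 3.6, 3.8, 3.10 and 3.12 compare the octal mode printed by `stat -c %a` as a decimal number with `-le`. The following script is an added example, not part of docker-bench-security, that puts that heuristic beside a bitwise test of the same requirement ("mode X or more restrictive") and lists the sample modes on which the two disagree; the function names and the sample modes are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not docker-bench-security code): numeric "-le" heuristic
# versus a bitwise test for "mode X or more restrictive".

# What the checks above do: compare the octal mode string as a decimal
# number. Any mode whose digits are numerically small enough passes, even
# when it sets bits the limit does not (633 <= 644, yet 633 is rw--wx-wx).
numeric_at_most() {
  [ "$1" -le "$2" ]
}

# Bitwise test: mode $1 is at most $2 when it sets no permission bit that
# $2 lacks. A leading 0 makes the shell read the values as octal, so the
# 4-digit forms stat prints for setuid/setgid/sticky (e.g. 2755) are
# handled too: the extra bit is simply not in the limit and fails the test.
bitwise_at_most() {
  _m=$(( 0$1 ))
  _lim=$(( 0$2 ))
  [ $(( _m & ~_lim )) -eq 0 ]
}

# PASS/WARN verdict for one mode against one limit, mirroring the
# pass -s / warn -s split used by the checks above, but bitwise.
verdict() {
  if bitwise_at_most "$1" "$2"; then
    echo PASS
  else
    echo WARN
  fi
}

# Mode of a real file as the checks above obtain it (GNU stat), fed to
# the bitwise verdict: file_verdict /path/to/docker.service 644
mode_of() {
  stat -c %a "$1"
}
file_verdict() {
  verdict "$(mode_of "$1")" "$2"
}

# Constructed sample modes; prints those on which the numeric heuristic
# and the bitwise test disagree for the given limit.
disagreements() {
  lim=$1
  out=""
  for mode in 400 411 444 600 611 633 644 664 700 755 777; do
    if numeric_at_most "$mode" "$lim"; then n=y; else n=n; fi
    if bitwise_at_most "$mode" "$lim"; then b=y; else b=n; fi
    [ "$n" = "$b" ] || out="$out$mode "
  done
  echo "${out% }"
}

# Stand-alone run: the three limits the section above uses (644 for unit
# files, 755 for /etc/docker, 444 for certificates). Every listed mode
# passes the numeric comparison but sets bits the limit does not.
for l in 644 755 444; do
  echo "limit $l: numeric passes but bitwise warns: $(disagreements "$l")"
done
```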

check_3_13() {
  local id="3.13"
  local desc="Ensure that the Docker server certificate key file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
    tlskey=$(get_docker_configuration_file_args 'tlskey')
  else
    # Path after tlskey= on the daemon command line, cut at the next --option
    tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^[:space:]]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
  fi
  if [ -f "$tlskey" ]; then
    # %u%g prints uid and gid concatenated, so root:root yields "00"
    if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $tlskey"
      logcheckresult "WARN" "Wrong ownership for $tlskey"
    fi
  else
    info -c "$check"
    info " * No TLS Key found"
    logcheckresult "INFO" "No TLS Key found"
  fi
}
|
2015-05-11 06:08:28 +02:00
|
|
|
|
2018-01-16 13:46:49 +01:00
|
|
|
check_3_14() {
  local id="3.14"
  local desc="Ensure that the Docker server certificate key file permissions are set to 400 (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
    tlskey=$(get_docker_configuration_file_args 'tlskey')
  else
    tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
  fi
  if [ -f "$tlskey" ]; then
    if [ "$(stat -c %a "$tlskey")" -eq 400 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $tlskey"
      logcheckresult "WARN" "Wrong permissions for $tlskey"
    fi
  else
    info -c "$check"
    info " * No TLS Key found"
    logcheckresult "INFO" "No TLS Key found"
  fi
}

check_3_15() {
  local id="3.15"
  local desc="Ensure that the Docker socket file ownership is set to root:docker (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="/var/run/docker.sock"
  if [ -S "$file" ]; then
    if [ "$(stat -c %U:%G "$file")" = 'root:docker' ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $file"
      logcheckresult "WARN" "Wrong ownership for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_16() {
  local id="3.16"
  local desc="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="/var/run/docker.sock"
  if [ -S "$file" ]; then
    if [ "$(stat -c %a "$file")" -le 660 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $file"
      logcheckresult "WARN" "Wrong permissions for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_17() {
  local id="3.17"
  local desc="Ensure that the daemon.json file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="/etc/docker/daemon.json"
  if [ -f "$file" ]; then
    if [ "$(stat -c %U:%G "$file")" = 'root:root' ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $file"
      logcheckresult "WARN" "Wrong ownership for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_18() {
  local id="3.18"
  local desc="Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="/etc/docker/daemon.json"
  if [ -f "$file" ]; then
    if [ "$(stat -c %a "$file")" -le 644 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $file"
      logcheckresult "WARN" "Wrong permissions for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_19() {
  local id="3.19"
  local desc="Ensure that the /etc/default/docker file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="/etc/default/docker"
  if [ -f "$file" ]; then
    if [ "$(stat -c %U:%G "$file")" = 'root:root' ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $file"
      logcheckresult "WARN" "Wrong ownership for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_20() {
  local id="3.20"
  local desc="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="/etc/sysconfig/docker"
  if [ -f "$file" ]; then
    if [ "$(stat -c %U:%G "$file")" = 'root:root' ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong ownership for $file"
      logcheckresult "WARN" "Wrong ownership for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_21() {
  local id="3.21"
  local desc="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="/etc/sysconfig/docker"
  if [ -f "$file" ]; then
    if [ "$(stat -c %a "$file")" -le 644 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $file"
      logcheckresult "WARN" "Wrong permissions for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

check_3_22() {
  local id="3.22"
  local desc="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)"
  local check="$id - $desc"
  starttestjson "$id" "$desc"

  file="/etc/default/docker"
  if [ -f "$file" ]; then
    if [ "$(stat -c %a "$file")" -le 644 ]; then
      pass -s "$check"
      logcheckresult "PASS"
    else
      warn -s "$check"
      warn " * Wrong permissions for $file"
      logcheckresult "WARN" "Wrong permissions for $file"
    fi
  else
    info -c "$check"
    info " * File not found"
    logcheckresult "INFO" "File not found"
  fi
}

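A caveat on the "644 or more restrictive" and "660 or more restrictive" checks above (3.16, 3.18, 3.21, 3.22): they compare the octal string printed by `stat -c %a` with `-le`, which treats it as a decimal number. That ordering is not the same as "sets no permission bit beyond the allowed mask": a mode such as 611 is numerically below 644 and passes, yet it grants execute to group and others; likewise 651 passes the 660 socket check. The snippet below is an added example, not code from docker-bench-security, showing the numeric comparison the bench performs beside a bit-wise one that handles those cases. It does not use the project's `pass`/`warn`/`info`/`logcheckresult` helpers; `numeric_le_check`, `mode_within_mask`, `file_mode` and `audit_file_mode` are names chosen here, and the BSD `stat -f` fallback in `file_mode` is an untested assumption. The modes in the demo loop are constructed values.

```shell
#!/bin/sh
# Added example (not part of docker-bench-security): compare a file mode
# bit-wise instead of as a decimal number.

# numeric_le_check MODE MAX
# The comparison the bench's permission checks perform: the octal string
# from `stat -c %a` is compared with -le as if it were a decimal number.
numeric_le_check() {
  [ "$1" -le "$2" ]
}

# mode_within_mask MODE MAX
# Returns 0 when MODE sets no permission bit that MAX does not also set,
# i.e. MODE is "MAX or more restrictive" in the CIS sense; 1 when a bit
# outside MAX is set; 2 when either argument is not an octal string.
# Both values are left-padded to four digits so the setuid/setgid/sticky
# digit that `stat -c %a` prints for such files (e.g. 4644) is compared too.
mode_within_mask() {
  mode=$1
  max=$2
  for v in "$mode" "$max"; do
    case "$v" in
      ''|*[!0-7]*) return 2 ;;
    esac
  done
  while [ ${#mode} -lt 4 ]; do mode="0$mode"; done
  while [ ${#max} -lt 4 ]; do max="0$max"; done
  i=1
  while [ "$i" -le 4 ]; do
    md=$(printf '%s' "$mode" | cut -c "$i")
    xd=$(printf '%s' "$max" | cut -c "$i")
    # A bit set in this digit of MODE but clear in the same digit of MAX
    # means the file is more permissive than allowed.
    if [ $(( $md & ~$xd & 7 )) -ne 0 ]; then
      return 1
    fi
    i=$((i + 1))
  done
  return 0
}

# file_mode FILE: print the octal mode. GNU and busybox stat understand
# -c %a; the -f fallback for BSD stat is an assumption and untested here.
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f '%Mp%Lp' "$1"
}

# audit_file_mode FILE MAX
# Prints PASS, WARN or INFO, mirroring the bench's three outcomes, but
# decides PASS/WARN with the bit-wise comparison.
audit_file_mode() {
  f=$1
  max=$2
  if [ ! -e "$f" ]; then
    echo "INFO"
    return 0
  fi
  if mode_within_mask "$(file_mode "$f")" "$max"; then
    echo "PASS"
  else
    echo "WARN"
  fi
}

# Constructed modes that show where the two comparisons disagree.
for pair in "640 644" "611 644" "651 660" "700 644"; do
  set -- $pair
  if numeric_le_check "$1" "$2"; then n=PASS; else n=WARN; fi
  if mode_within_mask "$1" "$2"; then b=PASS; else b=WARN; fi
  echo "mode $1 vs $2: numeric -le says $n, bit-wise says $b"
done
```

Run it with `sh` and the loop prints a WARN from the bit-wise check for 611 and 651 where the numeric comparison prints PASS; 640 passes both and 700 fails both. `audit_file_mode /etc/docker/daemon.json 644` is the drop-in equivalent of the 3.18 inner test.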
check_3_end() {
  endsectionjson
}