Add option to specify trusted users. Add option to disable the printing of remediation measures.
This commit is contained in:
parent
9722e5d89a
commit
091b4b954a
1 changed files with 24 additions and 18 deletions
@ -10,8 +10,8 @@
version='1.3.5'
version='1.3.5'
# Load dependencies
# Load dependencies
. ./functions_lib.sh
. ./functions/functions_lib.sh
. ./helper_lib.sh
. ./functions/helper_lib.sh
# Setup the paths
# Setup the paths
this_path=$(abspath "$0") ## Path of this file including filename
this_path=$(abspath "$0") ## Path of this file including filename
@ -24,7 +24,7 @@ readonly myname
export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
# Check for required program(s)
# Check for required program(s)
req_progs='awk docker grep stat tee tail wc xargs truncate'
req_progs='awk docker grep stat tee tail wc xargs truncate sed'
for p in $req_progs; do
for p in $req_progs; do
command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done
done
@ -64,13 +64,15 @@ Options:
-b optional Do not print colors
-b optional Do not print colors
-h optional Print this help message
-h optional Print this help message
-l FILE optional Log output in FILE, inside container if run using docker
-l FILE optional Log output in FILE, inside container if run using docker
-c CHECK optional Comma delimited list of specific check(s)
-u USERS optional Comma delimited list of trusted docker user(s)
-e CHECK optional Comma delimited list of specific check(s) to exclude
-c CHECK optional Comma delimited list of specific check(s) id
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Disable the printing of remediation measures. Default: print remediation measures.
Complete list of checks: <https://github.com/docker/docker-bench-security/blob/master/functions_lib.sh>
Complete list of checks: <https://github.com/docker/docker-bench-security/blob/master/tests/>
Full documentation: <https://github.com/docker/docker-bench-security>
Full documentation: <https://github.com/docker/docker-bench-security>
Released under the Apache-2.0 License.
Released under the Apache-2.0 License.
EOF
EOF
@ -79,22 +81,28 @@ EOF
# Get the flags
# Get the flags
# If you add an option here, please
# If you add an option here, please
# remember to update usage() above.
# remember to update usage() above.
while getopts bhl:c:e:i:x:t:n: args
while getopts bhl:u:c:e:i:x:t:n:p args
do
do
case $args in
case $args in
b) nocolor="nocolor";;
b) nocolor="nocolor";;
h) usage; exit 0 ;;
h) usage; exit 0 ;;
l) logger="$OPTARG" ;;
l) logger="$OPTARG" ;;
u) dockertrustusers="$OPTARG" ;;
c) check="$OPTARG" ;;
c) check="$OPTARG" ;;
e) checkexclude="$OPTARG" ;;
e) checkexclude="$OPTARG" ;;
i) include="$OPTARG" ;;
i) include="$OPTARG" ;;
x) exclude="$OPTARG" ;;
x) exclude="$OPTARG" ;;
n) limit="$OPTARG" ;;
n) limit="$OPTARG" ;;
p) printremediation="0" ;;
*) usage; exit 1 ;;
*) usage; exit 1 ;;
esac
esac
done
done
# Default values
if [ -z "$logger" ]; then
if [ -z "$logger" ]; then
if [ ! -d log ]; then
mkdir log
fi
logger="log/${myname}.log"
logger="log/${myname}.log"
fi
fi
@ -102,15 +110,19 @@ if [ -z "$limit" ]; then
limit=0
limit=0
fi
fi
if [ -z "$printremediation" ]; then
printremediation="1"
fi
# Load output formating
# Load output formating
. ./output_lib.sh
. ./functions/output_lib.sh
yell_info
yell_info
# Warn if not root
# Warn if not root
ID=$(id -u)
ID=$(id -u)
if [ "x$ID" != "x0" ]; then
if [ "x$ID" != "x0" ]; then
warn "Some tests might require root to run"
warn "$(yell 'Some tests might require root to run')\n"
sleep 3
sleep 3
fi
fi
@ -163,12 +175,6 @@ main () {
images=$(docker images -q | grep -v "$benchcont")
images=$(docker images -q | grep -v "$benchcont")
fi
fi
if [ -z "$containers" ]; then
running_containers=0
else
running_containers=1
fi
for test in tests/*.sh; do
for test in tests/*.sh; do
. ./"$test"
. ./"$test"
done
done
@ -178,7 +184,7 @@ main () {
cis
cis
elif [ -z "$check" ]; then
elif [ -z "$check" ]; then
# No check defined but excludes defined set to calls in cis() function
# No check defined but excludes defined set to calls in cis() function
check=$(sed -ne "/cis() {/,/}/{/{/d; /}/d; p}" functions_lib.sh)
check=$(sed -ne "/cis() {/,/}/{/{/d; /}/d; p}" functions/functions_lib.sh)
fi
fi
for c in $(echo "$check" | sed "s/,/ /g"); do
for c in $(echo "$check" | sed "s/,/ /g"); do
@ -198,7 +204,7 @@ main () {
continue
continue
elif echo "$c" | grep -vE 'check_[0-9]|check_[a-z]' 2>/dev/null 1>&2; then
elif echo "$c" | grep -vE 'check_[0-9]|check_[a-z]' 2>/dev/null 1>&2; then
# Function not a check, fill loop_checks with all check from function
# Function not a check, fill loop_checks with all check from function
loop_checks="$(sed -ne "/$c() {/,/}/{/{/d; /}/d; p}" functions_lib.sh)"
loop_checks="$(sed -ne "/$c() {/,/}/{/{/d; /}/d; p}" functions/functions_lib.sh)"
else
else
# Just one check
# Just one check
loop_checks="$c"
loop_checks="$c"
@ -213,7 +219,7 @@ main () {
fi
fi
done
done
if [ -n "${globalRemediation}" ]; then
if [ -n "${globalRemediation}" ] && [ "$printremediation" = "1" ]; then
logit "\n\n${bldylw}Section B - Remediation measures${txtrst}"
logit "\n\n${bldylw}Section B - Remediation measures${txtrst}"
logit "${globalRemediation}"
logit "${globalRemediation}"
fi
fi
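Review bot: The new usage line `-p PRINT optional Disable the printing of remediation measures.` documents an argument for `-p`, but the new getopts string `bhl:u:c:e:i:x:t:n:p` gives `p` no colon, so the option takes no argument and a user following the help text with `-p 0` would leave `0` as a stray positional while still disabling the output; the help line should read `-p optional Disable the printing of remediation measures. Default: print remediation measures.` so the two hunks agree. Separately, the added `mkdir log` in the default-values hunk is unchecked, so a failed create (read-only working directory, or an existing regular file named `log`) is only noticed later when the log file is first written; `mkdir log || { printf "cannot create log directory\n" >&2; exit 1; }` fails early with a clear message. Note that `log/` is resolved against the current directory rather than the script's own `this_path`, which matches the existing `logger="log/${myname}.log"` default but means the log lands wherever the bench is invoked from.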