GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-31 14:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

convert all tests to functions, add 't' argument, add functions_lib.sh

Browse source 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2016-01-31 21:33:14 +01:00
parent cfa653d8d8
commit 0c4944dc50
9 changed files with 1072 additions and 693 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
docker-bench-security.sh
View file

@ -13,6 +13,7 @@
# Load dependencies # Load dependencies
. ./output_lib.sh . ./output_lib.sh
. ./helper_lib.sh . ./helper_lib.sh
. ./functions_lib.sh
# Setup the paths # Setup the paths
this_path=$(abspath "$0") ## Path of this file including filenamel this_path=$(abspath "$0") ## Path of this file including filenamel
@ -45,11 +46,12 @@ EOF
# Get the flags # Get the flags
# If you add an option here, please # If you add an option here, please
# remember to update usage() above. # remember to update usage() above.
while getopts hl: args while getopts hlt: args
do do
case $args in case $args in
h) usage; exit 0 ;; h) usage; exit 0 ;;
l) logger="$OPTARG" ;; l) logger="$OPTARG" ;;
t) tests="$OPTARG";;
*) usage; exit 1 ;; *) usage; exit 1 ;;
esac esac
done done
@ -97,3 +99,10 @@ main () {
} }
main "$@" main "$@"
if [ -z "$tests" ]; then
cis_checks
else
"$tests"
fi

122
functions_lib.sh Normal file
View file

@ -0,0 +1,122 @@
#!/bin/sh
host_configuration() {
check_1
check_1_1
check_1_2
check_1_5
check_1_6
check_1_7
check_1_8
check_1_9
check_1_10
check_1_11
check_1_12
check_1_13
check_1_14
check_1_15
check_1_16
check_1_17
check_1_18
}
docker_daemon_configuration() {
check_2
check_2_1
check_2_2
check_2_3
check_2_4
check_2_5
check_2_6
check_2_7
check_2_8
check_2_9
check_2_10
}
docker_daemon_files() {
check_3
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
check_3_21
check_3_22
check_3_23
check_3_24
check_3_25
check_3_26
}
container_images() {
check_4
check_4_1
}
container_runtime() {
check_5
check_running_containers
check_5_1
check_5_2
check_5_3
check_5_4
check_5_5
check_5_6
check_5_8
check_5_8
check_5_10
check_5_11
check_5_12
check_5_12
check_5_14
check_5_15
check_5_16
check_5_17
check_5_18
check_5_19
}
docker_security_operations() {
check_6
check_6_5
check_6_6
check_6_7
}
# CIS
cis() {
host_configuration
docker_daemon_configuration
docker_daemon_files
container_images
container_runtime
docker_security_operations
}
# Community contributed
community() {
check_community
check_community_1
}
# All
all() {
cis
community
}

286
tests/1_host_configuration.sh
View file

@ -1,277 +1,311 @@
#!/bin/sh #!/bin/sh
check_1() {
logit "" logit ""
info "1 - Host Configuration" info "1 - Host Configuration"
}
# 1.1 # 1.1
check_1_1="1.1 - Create a separate partition for containers" check_1_1() {
grep /var/lib/docker /etc/fstab >/dev/null 2>&1 check_check_1_1="1.1 - Create a separate partition for containers"
if [ $? -eq 0 ]; then grep /var/lib/docker /etc/fstab >/dev/null 2>&1
pass "$check_1_1" if [ $? -eq 0 ]; then
else pass "$check_check_1_1"
warn "$check_1_1" else
fi warn "$check_check_1_1"
fi
}
# 1.2 # 1.2
check_1_2="1.2 - Use an updated Linux Kernel" check_1_2() {
kernel_version=$(uname -r | cut -d "-" -f 1) check_check_1_2="1.2 - Use an updated Linux Kernel"
do_version_check 3.10 "$kernel_version" kernel_version=$(uname -r | cut -d "-" -f 1)
if [ $? -eq 11 ]; then do_version_check 3.10 "$kernel_version"
warn "$check_1_2" if [ $? -eq 11 ]; then
else warn "$check_check_1_2"
pass "$check_1_2" else
fi pass "$check_check_1_2"
fi
}
# 1.5 # 1.5
check_1_5="1.5 - Remove all non-essential services from the host - Network" check_1_5() {
# Check for listening network services. check_check_1_5="1.5 - Remove all non-essential services from the host - Network"
listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN) # Check for listening network services.
if [ "$listening_services" -eq 0 ]; then listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
warn "1.5 - Failed to get listening services for check: $check_1_5" if [ "$listening_services" -eq 0 ]; then
else warn "1.5 - Failed to get listening services for check: $check_check_1_5"
else
if [ "$listening_services" -gt 5 ]; then if [ "$listening_services" -gt 5 ]; then
warn "$check_1_5" warn "$check_check_1_5"
warn " * Host listening on: $listening_services ports" warn " * Host listening on: $listening_services ports"
else else
pass "$check_1_5" pass "$check_check_1_5"
fi fi
fi fi
}
# 1.6 # 1.6
check_1_6="1.6 - Keep Docker up to date" check_1_6() {
docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \ check_check_1_6="1.6 - Keep Docker up to date"
docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,') | awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
docker_current_version="1.9.1" docker_current_version="1.9.1"
docker_current_date="2015-11-09" docker_current_date="2015-11-09"
do_version_check "$docker_current_version" "$docker_version" do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
warn "$check_1_6" warn "$check_check_1_6"
warn " * Using $docker_version, when $docker_current_version is current as of $docker_current_date" warn " * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
info " * Your operating system vendor may provide support and security maintenance for docker" info " * Your operating system vendor may provide support and security maintenance for docker"
else else
pass "$check_1_6" pass "$check_check_1_6"
info " * Using $docker_version which is current as of $docker_current_date" info " * Using $docker_version which is current as of $docker_current_date"
info " * Check with your operating system vendor for support and security maintenance for docker" info " * Check with your operating system vendor for support and security maintenance for docker"
fi fi
}
# 1.7 # 1.7
check_1_7="1.7 - Only allow trusted users to control Docker daemon" check_1_7() {
docker_users=$(getent group docker) check_check_1_7="1.7 - Only allow trusted users to control Docker daemon"
info "$check_1_7" docker_users=$(getent group docker)
for u in $docker_users; do info "$check_check_1_7"
for u in $docker_users; do
info " * $u" info " * $u"
done done
}
# 1.8 # 1.8
check_1_8="1.8 - Audit docker daemon" check_1_8() {
command -v auditctl >/dev/null 2>&1 check_check_1_8="1.8 - Audit docker daemon"
if [ $? -eq 0 ]; then command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /usr/bin/docker >/dev/null 2>&1 auditctl -l | grep /usr/bin/docker >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_8" pass "$check_check_1_8"
else else
warn "$check_1_8" warn "$check_check_1_8"
fi fi
else else
warn "1.8 - Failed to inspect: auditctl command not found." warn "1.8 - Failed to inspect: auditctl command not found."
fi fi
}
# 1.9 # 1.9
check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker" check_1_9() {
directory="/var/lib/docker" check_check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker"
if [ -d "$directory" ]; then directory="/var/lib/docker"
if [ -d "$directory" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $directory >/dev/null 2>&1 auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_9" pass "$check_check_1_9"
else else
warn "$check_1_9" warn "$check_check_1_9"
fi fi
else else
warn "1.9 - Failed to inspect: auditctl command not found." warn "1.9 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_9" info "$check_check_1_9"
info " * Directory not found" info " * Directory not found"
fi fi
}
# 1.10 # 1.10
check_1_10="1.10 - Audit Docker files and directories - /etc/docker" check_1_10() {
directory="/etc/docker" check_check_1_10="1.10 - Audit Docker files and directories - /etc/docker"
if [ -d "$directory" ]; then directory="/etc/docker"
if [ -d "$directory" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $directory >/dev/null 2>&1 auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_10" pass "$check_check_1_10"
else else
warn "$check_1_10" warn "$check_check_1_10"
fi fi
else else
warn "1.10 - Failed to inspect: auditctl command not found." warn "1.10 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_10" info "$check_check_1_10"
info " * Directory not found" info " * Directory not found"
fi fi
}
# 1.11 # 1.11
check_1_11="1.11 - Audit Docker files and directories - docker-registry.service" check_1_11() {
file="$(get_systemd_service_file docker-registry.service)" check_check_1_11="1.11 - Audit Docker files and directories - docker-registry.service"
if [ -f "$file" ]; then file="$(get_systemd_service_file docker-registry.service)"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_11" pass "$check_check_1_11"
else else
warn "$check_1_11" warn "$check_check_1_11"
fi fi
else else
warn "1.11 - Failed to inspect: auditctl command not found." warn "1.11 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_11" info "$check_check_1_11"
info " * File not found" info " * File not found"
fi fi
}
# 1.12 # 1.12
check_1_12="1.12 - Audit Docker files and directories - docker.service" check_1_12() {
file="$(get_systemd_service_file docker.service)" check_check_1_12="1.12 - Audit Docker files and directories - docker.service"
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_12" pass "$check_check_1_12"
else else
warn "$check_1_12" warn "$check_check_1_12"
fi fi
else else
warn "1.12 - Failed to inspect: auditctl command not found." warn "1.12 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_12" info "$check_check_1_12"
info " * File not found" info " * File not found"
fi fi
}
# 1.13 # 1.13
check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock" check_1_13() {
file="/var/run/docker.sock" check_check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock"
if [ -e "$file" ]; then file="/var/run/docker.sock"
if [ -e "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_13" pass "$check_check_1_13"
else else
warn "$check_1_13" warn "$check_check_1_13"
fi fi
else else
warn "1.13 - Failed to inspect: auditctl command not found." warn "1.13 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_13" info "$check_check_1_13"
info " * File not found" info " * File not found"
fi fi
}
# 1.14 # 1.14
check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker" check_1_14() {
file="/etc/sysconfig/docker" check_check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker"
if [ -f "$file" ]; then file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_14" pass "$check_check_1_14"
else else
warn "$check_1_14" warn "$check_check_1_14"
fi fi
else else
warn "1.14 - Failed to inspect: auditctl command not found." warn "1.14 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_14" info "$check_check_1_14"
info " * File not found" info " * File not found"
fi fi
}
# 1.15 # 1.15
check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network" check_1_15() {
file="/etc/sysconfig/docker-network" check_check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_15" pass "$check_check_1_15"
else else
warn "$check_1_15" warn "$check_check_1_15"
fi fi
else else
warn "1.15 - Failed to inspect: auditctl command not found." warn "1.15 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_15" info "$check_check_1_15"
info " * File not found" info " * File not found"
fi fi
}
# 1.16 # 1.16
check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry" check_1_16() {
file="/etc/sysconfig/docker-registry" check_check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_16" pass "$check_check_1_16"
else else
warn "$check_1_16" warn "$check_check_1_16"
fi fi
else else
warn "1.16 - Failed to inspect: auditctl command not found." warn "1.16 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_16" info "$check_check_1_16"
info " * File not found" info " * File not found"
fi fi
}
# 1.17 # 1.17
check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage" check_1_17() {
file="/etc/sysconfig/docker-storage" check_check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_17" pass "$check_check_1_17"
else else
warn "$check_1_17" warn "$check_check_1_17"
fi fi
else else
warn "1.17 - Failed to inspect: auditctl command not found." warn "1.17 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_17" info "$check_check_1_17"
info " * File not found" info " * File not found"
fi fi
}
# 1.18 # 1.18
check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker" check_1_18() {
file="/etc/default/docker" check_check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker"
if [ -f "$file" ]; then file="/etc/default/docker"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
auditctl -l | grep $file >/dev/null 2>&1 auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_18" pass "$check_check_1_18"
else else
warn "$check_1_18" warn "$check_check_1_18"
fi fi
else else
warn "1.18 - Failed to inspect: auditctl command not found." warn "1.18 - Failed to inspect: auditctl command not found."
fi fi
else else
info "$check_1_18" info "$check_check_1_18"
info " * File not found" info " * File not found"
fi fi
}

127
tests/2_docker_daemon_configuration.sh
View file

@ -1,86 +1,105 @@
#!/bin/sh #!/bin/sh
logit "\n" check_2() {
info "2 - Docker Daemon Configuration" logit "\n"
info "2 - Docker Daemon Configuration"
}
# 2.1 # 2.1
check_2_1="2.1 - Do not use lxc execution driver" check_2_1() {
get_command_line_args docker | grep lxc >/dev/null 2>&1 check_2_1="2.1 - Do not use lxc execution driver"
if [ $? -eq 0 ]; then get_command_line_args docker | grep lxc >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_1" warn "$check_2_1"
else else
pass "$check_2_1" pass "$check_2_1"
fi fi
}
# 2.2 # 2.2
check_2_2="2.2 - Restrict network traffic between containers" check_2_2() {
get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1 check_2_2="2.2 - Restrict network traffic between containers"
if [ $? -eq 0 ]; then get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_2" pass "$check_2_2"
else else
warn "$check_2_2" warn "$check_2_2"
fi fi
}
# 2.3 # 2.3
check_2_3="2.3 - Set the logging level" check_2_3() {
get_docker_effective_command_line_args '-l' | grep "debug" >/dev/null 2>&1 check_2_3="2.3 - Set the logging level"
if [ $? -eq 0 ]; then get_docker_effective_command_line_args '-l' | grep "debug" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_3" warn "$check_2_3"
else else
pass "$check_2_3" pass "$check_2_3"
fi fi
}
# 2.4 # 2.4
check_2_4="2.4 - Allow Docker to make changes to iptables" check_2_4() {
get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1 check_2_4="2.4 - Allow Docker to make changes to iptables"
if [ $? -eq 0 ]; then get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_4" warn "$check_2_4"
else else
pass "$check_2_4" pass "$check_2_4"
fi fi
}
# 2.5 # 2.5
check_2_5="2.5 - Do not use insecure registries" check_2_5() {
get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1 check_2_5="2.5 - Do not use insecure registries"
if [ $? -eq 0 ]; then get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_5" warn "$check_2_5"
else else
pass "$check_2_5" pass "$check_2_5"
fi fi
}
# 2.6 # 2.6
check_2_6="2.6 - Setup a local registry mirror" check_2_6() {
get_docker_effective_command_line_args '--registry-mirror' | grep "registry-mirror" >/dev/null 2>&1 check_2_6="2.6 - Setup a local registry mirror"
if [ $? -eq 0 ]; then get_docker_effective_command_line_args '--registry-mirror' | grep "registry-mirror" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_6" pass "$check_2_6"
else else
info "$check_2_6" info "$check_2_6"
info " * No local registry currently configured" info " * No local registry currently configured"
fi fi
}
# 2.7 # 2.7
check_2_7="2.7 - Do not use the aufs storage driver" check_2_7() {
docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1 check_2_7="2.7 - Do not use the aufs storage driver"
if [ $? -eq 0 ]; then docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_7" warn "$check_2_7"
else else
pass "$check_2_7" pass "$check_2_7"
fi fi
}
# 2.8 # 2.8
check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket" check_2_8() {
get_docker_effective_command_line_args '-H' | grep "\-H" >/dev/null 2>&1 check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket"
if [ $? -eq 0 ]; then get_docker_effective_command_line_args '-H' | grep "\-H" >/dev/null 2>&1
if [ $? -eq 0 ]; then
info "$check_2_8" info "$check_2_8"
info " * Docker daemon running with -H" info " * Docker daemon running with -H"
else else
pass "$check_2_8" pass "$check_2_8"
fi fi
}
# 2.9 # 2.9
check_2_9="2.9 - Configure TLS authentication for Docker daemon" check_2_9() {
get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1 check_2_9="2.9 - Configure TLS authentication for Docker daemon"
if [ $? -eq 0 ]; then get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1
if [ $? -eq 0 ]; then
get_command_line_args docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 get_command_line_args docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_9" pass "$check_2_9"
@ -89,18 +108,20 @@ if [ $? -eq 0 ]; then
warn "$check_2_9" warn "$check_2_9"
warn " * Docker daemon currently listening on TCP without --tlsverify" warn " * Docker daemon currently listening on TCP without --tlsverify"
fi fi
else else
info "$check_2_9" info "$check_2_9"
info " * Docker daemon not listening on TCP" info " * Docker daemon not listening on TCP"
fi fi
}
# 2.10 # 2.10
check_2_10="2.10 - Set default ulimit as appropriate" check_2_10() {
get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1 check_2_10="2.10 - Set default ulimit as appropriate"
if [ $? -eq 0 ]; then get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_10" pass "$check_2_10"
else else
info "$check_2_10" info "$check_2_10"
info " * Default ulimit doesn't appear to be set" info " * Default ulimit doesn't appear to be set"
fi fi
}

318
tests/3_docker_daemon_configuration_files.sh
View file

@ -1,237 +1,270 @@
#!/bin/sh #!/bin/sh
logit "\n" check_3() {
info "3 - Docker Daemon Configuration Files" logit "\n"
info "3 - Docker Daemon Configuration Files"
}
# 3.1 # 3.1
check_3_1="3.1 - Verify that docker.service file ownership is set to root:root" check_3_1() {
file="$(get_systemd_service_file docker.service)" check_3_1="3.1 - Verify that docker.service file ownership is set to root:root"
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1" pass "$check_3_1"
else else
warn "$check_3_1" warn "$check_3_1"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_1" info "$check_3_1"
info " * File not found" info " * File not found"
fi fi
}
# 3.2 # 3.2
check_3_2="3.2 - Verify that docker.service file permissions are set to 644" check_3_2() {
file="$(get_systemd_service_file docker.service)" check_3_2="3.2 - Verify that docker.service file permissions are set to 644"
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_2" pass "$check_3_2"
else else
warn "$check_3_2" warn "$check_3_2"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_2" info "$check_3_2"
info " * File not found" info " * File not found"
fi fi
}
# 3.3 # 3.3
check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root" check_3_3() {
file="$(get_systemd_service_file docker-registry.service)" check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root"
if [ -f "$file" ]; then file="$(get_systemd_service_file docker-registry.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3" pass "$check_3_3"
else else
warn "$check_3_3" warn "$check_3_3"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_3" info "$check_3_3"
info " * File not found" info " * File not found"
fi fi
}
# 3.4 # 3.4
check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644" check_3_4() {
file="$(get_systemd_service_file docker-registry.service)" check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644"
if [ -f "$file" ]; then file="$(get_systemd_service_file docker-registry.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_4" pass "$check_3_4"
else else
warn "$check_3_4" warn "$check_3_4"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_4" info "$check_3_4"
info " * File not found" info " * File not found"
fi fi
}
# 3.5 # 3.5
check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root" check_3_5() {
file="$(get_systemd_service_file docker.socket)" check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root"
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_5" pass "$check_3_5"
else else
warn "$check_3_5" warn "$check_3_5"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_5" info "$check_3_5"
info " * File not found" info " * File not found"
fi fi
}
# 3.6 # 3.6
check_3_6="3.6 - Verify that docker.socket file permissions are set to 644" check_3_6() {
file="$(get_systemd_service_file docker.socket)" check_3_6="3.6 - Verify that docker.socket file permissions are set to 644"
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_6" pass "$check_3_6"
else else
warn "$check_3_6" warn "$check_3_6"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_6" info "$check_3_6"
info " * File not found" info " * File not found"
fi fi
}
# 3.7 # 3.7
check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root " check_3_7() {
file="/etc/sysconfig/docker" check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root "
if [ -f "$file" ]; then file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_7" pass "$check_3_7"
else else
warn "$check_3_7" warn "$check_3_7"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_7" info "$check_3_7"
info " * File not found" info " * File not found"
fi fi
}
# 3.8 # 3.8
check_3_8="3.8 - Verify that Docker environment file permissions are set to 644" check_3_8() {
file="/etc/sysconfig/docker" check_3_8="3.8 - Verify that Docker environment file permissions are set to 644"
if [ -f "$file" ]; then file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_8" pass "$check_3_8"
else else
warn "$check_3_8" warn "$check_3_8"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_8" info "$check_3_8"
info " * File not found" info " * File not found"
fi fi
}
# 3.9 # 3.9
check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root" check_3_9() {
file="/etc/sysconfig/docker-network" check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_9" pass "$check_3_9"
else else
warn "$check_3_9" warn "$check_3_9"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_9" info "$check_3_9"
info " * File not found" info " * File not found"
fi fi
}
# 3.10 # 3.10
check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644" check_3_10() {
file="/etc/sysconfig/docker-network" check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_10" pass "$check_3_10"
else else
warn "$check_3_10" warn "$check_3_10"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_10" info "$check_3_10"
info " * File not found" info " * File not found"
fi fi
}
# 3.11 # 3.11
check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root" check_3_11() {
file="/etc/sysconfig/docker-registry" check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_11" pass "$check_3_11"
else else
warn "$check_3_11" warn "$check_3_11"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_11" info "$check_3_11"
info " * File not found" info " * File not found"
fi fi
}
# 3.12 # 3.12
check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644" check_3_12() {
file="/etc/sysconfig/docker-registry" check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_12" pass "$check_3_12"
else else
warn "$check_3_12" warn "$check_3_12"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_12" info "$check_3_12"
info " * File not found" info " * File not found"
fi fi
}
# 3.13 # 3.13
check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root" check_3_13() {
file="/etc/sysconfig/docker-storage" check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_13" pass "$check_3_13"
else else
warn "$check_3_13" warn "$check_3_13"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_13" info "$check_3_13"
info " * File not found" info " * File not found"
fi fi
}
# 3.14 # 3.14
check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644" check_3_14() {
file="/etc/sysconfig/docker-storage" check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644"
if [ -f "$file" ]; then file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_14" pass "$check_3_14"
else else
warn "$check_3_14" warn "$check_3_14"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_14" info "$check_3_14"
info " * File not found" info " * File not found"
fi fi
}
# 3.15 # 3.15
check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root" check_3_15() {
directory="/etc/docker" check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root"
if [ -d "$directory" ]; then directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_15" pass "$check_3_15"
else else
warn "$check_3_15" warn "$check_3_15"
warn " * Wrong ownership for $directory" warn " * Wrong ownership for $directory"
fi fi
else else
info "$check_3_15" info "$check_3_15"
info " * Directory not found" info " * Directory not found"
fi fi
}
# 3.16 # 3.16
check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" check_3_16() {
directory="/etc/docker" check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755"
if [ -d "$directory" ]; then directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -eq 755 ]; then if [ "$(stat -c %a $directory)" -eq 755 ]; then
pass "$check_3_16" pass "$check_3_16"
elif [ "$(stat -c %a $directory)" -eq 700 ]; then elif [ "$(stat -c %a $directory)" -eq 700 ]; then
@ -240,15 +273,17 @@ if [ -d "$directory" ]; then
warn "$check_3_16" warn "$check_3_16"
warn " * Wrong permissions for $directory" warn " * Wrong permissions for $directory"
fi fi
else else
info "$check_3_16" info "$check_3_16"
info " * Directory not found" info " * Directory not found"
fi fi
}
# 3.17 # 3.17
check_3_17="3.17 - Verify that registry certificate file ownership is set to root:root" check_3_17() {
directory="/etc/docker/certs.d/" check_3_17="3.17 - Verify that registry certificate file ownership is set to root:root"
if [ -d "$directory" ]; then directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0 fail=0
owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}') owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}')
for p in $owners; do for p in $owners; do
@ -263,15 +298,17 @@ if [ -d "$directory" ]; then
else else
pass "$check_3_17" pass "$check_3_17"
fi fi
else else
info "$check_3_17" info "$check_3_17"
info " * Directory not found" info " * Directory not found"
fi fi
}
# 3.18 # 3.18
check_3_18="3.18 - Verify that registry certificate file permissions are set to 444" check_3_18() {
directory="/etc/docker/certs.d/" check_3_18="3.18 - Verify that registry certificate file permissions are set to 444"
if [ -d "$directory" ]; then directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0 fail=0
perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}') perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')
for p in $perms; do for p in $perms; do
@ -285,30 +322,34 @@ if [ -d "$directory" ]; then
else else
pass "$check_3_18" pass "$check_3_18"
fi fi
else else
info "$check_3_18" info "$check_3_18"
info " * Directory not found" info " * Directory not found"
fi fi
}
# 3.19 # 3.19
check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" check_3_19() {
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root"
if [ -f "$tlscacert" ]; then tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_19" pass "$check_3_19"
else else
warn "$check_3_19" warn "$check_3_19"
warn " * Wrong ownership for $tlscacert" warn " * Wrong ownership for $tlscacert"
fi fi
else else
info "$check_3_19" info "$check_3_19"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
fi fi
}
# 3.20 # 3.20
check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444" check_3_20() {
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444"
if [ -f "$tlscacert" ]; then tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then
perms=$(ls -ld "$tlscacert" | awk '{print $1}') perms=$(ls -ld "$tlscacert" | awk '{print $1}')
if [ "$perms" = "-r--r--r--" ]; then if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_20" pass "$check_3_20"
@ -316,30 +357,34 @@ if [ -f "$tlscacert" ]; then
warn "$check_3_20" warn "$check_3_20"
warn " * Wrong permissions for $tlscacert" warn " * Wrong permissions for $tlscacert"
fi fi
else else
info "$check_3_20" info "$check_3_20"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
fi fi
}
# 3.21 # 3.21
check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" check_3_21() {
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root"
if [ -f "$tlscert" ]; then tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_21" pass "$check_3_21"
else else
warn "$check_3_21" warn "$check_3_21"
warn " * Wrong ownership for $tlscert" warn " * Wrong ownership for $tlscert"
fi fi
else else
info "$check_3_21" info "$check_3_21"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
fi fi
}
# 3.22 # 3.22
check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444" check_3_22() {
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444"
if [ -f "$tlscert" ]; then tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then
perms=$(ls -ld "$tlscert" | awk '{print $1}') perms=$(ls -ld "$tlscert" | awk '{print $1}')
if [ "$perms" = "-r--r--r--" ]; then if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_22" pass "$check_3_22"
@ -347,30 +392,34 @@ if [ -f "$tlscert" ]; then
warn "$check_3_22" warn "$check_3_22"
warn " * Wrong permissions for $tlscert" warn " * Wrong permissions for $tlscert"
fi fi
else else
info "$check_3_22" info "$check_3_22"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
fi fi
}
# 3.23 # 3.23
check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" check_3_23() {
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root"
if [ -f "$tlskey" ]; then tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_23" pass "$check_3_23"
else else
warn "$check_3_23" warn "$check_3_23"
warn " * Wrong ownership for $tlskey" warn " * Wrong ownership for $tlskey"
fi fi
else else
info "$check_3_23" info "$check_3_23"
info " * No TLS Key found" info " * No TLS Key found"
fi fi
}
# 3.24 # 3.24
check_3_24="3.24 - Verify that Docker server key file permissions are set to 400" check_3_24() {
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) check_3_24="3.24 - Verify that Docker server key file permissions are set to 400"
if [ -f "$tlskey" ]; then tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then
perms=$(ls -ld "$tlskey" | awk '{print $1}') perms=$(ls -ld "$tlskey" | awk '{print $1}')
if [ "$perms" = "-r--------" ]; then if [ "$perms" = "-r--------" ]; then
pass "$check_3_24" pass "$check_3_24"
@ -378,30 +427,34 @@ if [ -f "$tlskey" ]; then
warn "$check_3_24" warn "$check_3_24"
warn " * Wrong permissions for $tlskey" warn " * Wrong permissions for $tlskey"
fi fi
else else
info "$check_3_24" info "$check_3_24"
info " * No TLS Key found" info " * No TLS Key found"
fi fi
}
# 3.25 # 3.25
check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker" check_3_25(){
file="/var/run/docker.sock" check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker"
if [ -S "$file" ]; then file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass "$check_3_25" pass "$check_3_25"
else else
warn "$check_3_25" warn "$check_3_25"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_25" info "$check_3_25"
info " * File not found" info " * File not found"
fi fi
}
# 3.26 # 3.26
check_3_26="3.26 - Verify that Docker socket file permissions are set to 660" check_3_26() {
file="/var/run/docker.sock" check_3_26="3.26 - Verify that Docker socket file permissions are set to 660"
if [ -S "$file" ]; then file="/var/run/docker.sock"
if [ -S "$file" ]; then
perms=$(ls -ld "$file" | awk '{print $1}') perms=$(ls -ld "$file" | awk '{print $1}')
if [ "$perms" = "srw-rw----" ]; then if [ "$perms" = "srw-rw----" ]; then
pass "$check_3_26" pass "$check_3_26"
@ -409,7 +462,8 @@ if [ -S "$file" ]; then
warn "$check_3_26" warn "$check_3_26"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_26" info "$check_3_26"
info " * File not found" info " * File not found"
fi fi
}

24
tests/4_container_images.sh
View file

@ -1,21 +1,24 @@
#!/bin/sh #!/bin/sh
logit "\n" check_4() {
info "4 - Container Images and Build Files" logit "\n"
info "4 - Container Images and Build Files"
}
# 4.1 # 4.1
check_4_1="4.1 - Create a user for the container" check_4_1() {
check_4_1="4.1 - Create a user for the container"
# If container_users is empty, there are no running containers # If container_users is empty, there are no running containers
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info "$check_4_1" info "$check_4_1"
info " * No containers running" info " * No containers running"
else else
# We have some containers running, set failure flag to 0. Check for Users. # We have some containers running, set failure flag to 0. Check for Users.
fail=0 fail=0
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
for c in $containers; do for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c") user=$(docker inspect --format 'User={{.Config.User}}' "$c")
@ -34,6 +37,7 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_1" pass "$check_4_1"
fi fi
fi fi
# Make the loop separator go back to space # Make the loop separator go back to space
set +f; unset IFS set +f; unset IFS
}

161
tests/5_container_runtime.sh
View file

@ -1,16 +1,29 @@
#!/bin/sh #!/bin/sh
check_5() {
logit "\n" logit "\n"
info "5 - Container Runtime" info "5 - Container Runtime"
}
# If containers is empty, there are no running containers check_running_containers() {
if [ -z "$containers" ]; then # If containers is empty, there are no running containers
if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5" info " * No containers running, skipping Section 5"
else running_containers=0
else
running_containers=1
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
# 5.1 fi
}
# 5.1
check_5_1() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_1="5.1 - Verify AppArmor Profile, if applicable" check_5_1="5.1 - Verify AppArmor Profile, if applicable"
fail=0 fail=0
@ -32,8 +45,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_1" pass "$check_5_1"
fi fi
}
# 5.2
check_5_2() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.2
check_5_2="5.2 - Verify SELinux security options, if applicable" check_5_2="5.2 - Verify SELinux security options, if applicable"
fail=0 fail=0
@ -55,8 +74,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_2" pass "$check_5_2"
fi fi
}
# 5.3
check_5_3() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.3
check_5_3="5.3 - Verify that containers are running only a single main process" check_5_3="5.3 - Verify that containers are running only a single main process"
fail=0 fail=0
@ -90,8 +115,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_3" pass "$check_5_3"
fi fi
}
# 5.4
check_5_4() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.4
check_5_4="5.4 - Restrict Linux Kernel Capabilities within containers" check_5_4="5.4 - Restrict Linux Kernel Capabilities within containers"
fail=0 fail=0
@ -113,8 +144,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_4" pass "$check_5_4"
fi fi
}
# 5.5
check_5_5() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.5
check_5_5="5.5 - Do not use privileged containers" check_5_5="5.5 - Do not use privileged containers"
fail=0 fail=0
@ -136,8 +173,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_5" pass "$check_5_5"
fi fi
}
# 5.6
check_5_6() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.6
check_5_6="5.6 - Do not mount sensitive host system directories on containers" check_5_6="5.6 - Do not mount sensitive host system directories on containers"
# List of sensitive directories to test for. Script uses new-lines as a separator. # List of sensitive directories to test for. Script uses new-lines as a separator.
@ -178,8 +221,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_6" pass "$check_5_6"
fi fi
}
# 5.7
check_5_8() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.7
check_5_7="5.7 - Do not run ssh within containers" check_5_7="5.7 - Do not run ssh within containers"
fail=0 fail=0
@ -214,8 +263,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_7" pass "$check_5_7"
fi fi
}
# 5.8
check_5_8() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.8
check_5_8="5.8 - Do not map privileged ports within containers" check_5_8="5.8 - Do not map privileged ports within containers"
fail=0 fail=0
@ -241,8 +296,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_8" pass "$check_5_8"
fi fi
}
# 5.10
check_5_10() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.10
check_5_10="5.10 - Do not use host network mode on container" check_5_10="5.10 - Do not use host network mode on container"
fail=0 fail=0
@ -264,8 +325,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_10" pass "$check_5_10"
fi fi
}
# 5.11
check_5_11() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.11
check_5_11="5.11 - Limit memory usage for container" check_5_11="5.11 - Limit memory usage for container"
fail=0 fail=0
@ -293,8 +360,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_11" pass "$check_5_11"
fi fi
}
# 5.12
check_5_12() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.12
check_5_12="5.12 - Set container CPU priority appropriately" check_5_12="5.12 - Set container CPU priority appropriately"
fail=0 fail=0
@ -322,8 +395,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_12" pass "$check_5_12"
fi fi
}
# 5.13
check_5_12(){
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.13
check_5_13="5.13 - Mount container's root filesystem as read only" check_5_13="5.13 - Mount container's root filesystem as read only"
fail=0 fail=0
@ -345,8 +424,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_13" pass "$check_5_13"
fi fi
}
# 5.14
check_5_14() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.14
check_5_14="5.14 - Bind incoming container traffic to a specific host interface" check_5_14="5.14 - Bind incoming container traffic to a specific host interface"
fail=0 fail=0
@ -368,8 +453,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_14" pass "$check_5_14"
fi fi
}
# 5.15
check_5_15() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.15
check_5_15="5.15 - Do not set the 'on-failure' container restart policy to always" check_5_15="5.15 - Do not set the 'on-failure' container restart policy to always"
fail=0 fail=0
@ -391,8 +482,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_15" pass "$check_5_15"
fi fi
}
# 5.16
check_5_16() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.16
check_5_16="5.16 - Do not share the host's process namespace" check_5_16="5.16 - Do not share the host's process namespace"
fail=0 fail=0
@ -414,8 +511,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_16" pass "$check_5_16"
fi fi
}
# 5.17
check_5_17() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.17
check_5_17="5.17 - Do not share the host's IPC namespace" check_5_17="5.17 - Do not share the host's IPC namespace"
fail=0 fail=0
@ -437,8 +540,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_17" pass "$check_5_17"
fi fi
}
# 5.18
check_5_18() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.18
check_5_18="5.18 - Do not directly expose host devices to containers" check_5_18="5.18 - Do not directly expose host devices to containers"
fail=0 fail=0
@ -460,8 +569,14 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_18" pass "$check_5_18"
fi fi
}
# 5.19
check_5_19() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.19
check_5_19="5.19 - Override default ulimit at runtime only if needed" check_5_19="5.19 - Override default ulimit at runtime only if needed"
# List all the running containers, ouput their ID and host devices # List all the running containers, ouput their ID and host devices
@ -484,4 +599,4 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_19" pass "$check_5_19"
fi fi
fi }

62
tests/6_docker_security_operations.sh
View file

@ -1,19 +1,22 @@
#!/bin/sh #!/bin/sh
logit "\n" check_6() {
info "6 - Docker Security Operations" logit "\n"
info "6 - Docker Security Operations"
}
# 6.5 # 6.5
check_6_5="6.5 - Use a centralized and remote log collection service" check_6_5() {
check_6_5="6.5 - Use a centralized and remote log collection service"
# If containers is empty, there are no running containers # If containers is empty, there are no running containers
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info "$check_6_5" info "$check_6_5"
info " * No containers running" info " * No containers running"
else else
fail=0 fail=0
set -f; IFS=$' set -f; IFS=$'
' '
for c in $containers; do for c in $containers; do
docker inspect --format '{{ .Volumes }}' "$c" 2>/dev/null 1>&2 docker inspect --format '{{ .Volumes }}' "$c" 2>/dev/null 1>&2
@ -36,42 +39,47 @@ else
done done
# Only alert if there are no volumes. If there are volumes, can't know if they # Only alert if there are no volumes. If there are volumes, can't know if they
# are used for logs # are used for logs
fi fi
# Make the loop separator go back to space # Make the loop separator go back to space
set +f; unset IFS set +f; unset IFS
}
# 6.6 # 6.6
check_6_6="6.6 - Avoid image sprawl" check_6_6() {
images=$(docker images -q | sort -u | wc -l | awk '{print $1}') check_6_6="6.6 - Avoid image sprawl"
active_images=0 images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
active_images=0
for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
if docker images --no-trunc -a | grep "$c" > /dev/null ; then if docker images --no-trunc -a | grep "$c" > /dev/null ; then
active_images=$(( active_images += 1 )) active_images=$(( active_images += 1 ))
fi fi
done done
if [ "$images" -gt 100 ]; then if [ "$images" -gt 100 ]; then
warn "$check_6_6" warn "$check_6_6"
warn " * There are currently: $images images" warn " * There are currently: $images images"
else else
info "$check_6_6" info "$check_6_6"
info " * There are currently: $images images" info " * There are currently: $images images"
fi fi
if [ "$active_images" -lt "$((images / 2))" ]; then if [ "$active_images" -lt "$((images / 2))" ]; then
warn " * Only $active_images out of $images are in use" warn " * Only $active_images out of $images are in use"
fi fi
}
# 6.7 # 6.7
check_6_7="6.7 - Avoid container sprawl" check_6_7() {
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') check_6_7="6.7 - Avoid container sprawl"
running_containers=$(docker ps -q | wc -l | awk '{print $1}') total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
diff="$((total_containers - running_containers))" running_containers=$(docker ps -q | wc -l | awk '{print $1}')
if [ "$diff" -gt 25 ]; then diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then
warn "$check_6_7" warn "$check_6_7"
warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
else else
info "$check_6_7" info "$check_6_7"
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
fi fi
}

12
tests/X_community_tests.sh Normal file
View file

@ -0,0 +1,12 @@
#!/bin/sh
check_community() {
logit "\n"
info "X - Community contributed tests"
}
check_community_1() {
check_community_1="X.1 - Placeholder"
echo "This is just a placeholder."
}