From 1c795f146eac8851020551b70416d75198ae931d Mon Sep 17 00:00:00 2001 From: Diogo Monica Date: Wed, 13 May 2015 19:22:39 -0700 Subject: [PATCH] Added filtering to ignore security-benchmark container --- README.md | 10 +- docker_security_benchmark.sh | 1 + tests/1_host_configuration.sh | 1 + tests/4_container_images.sh | 13 +- tests/5_container_runtime.sh | 248 ++++++++++---------------- tests/6_docker_security_operations.sh | 18 +- 6 files changed, 114 insertions(+), 177 deletions(-) diff --git a/README.md b/README.md index bf7966f..b844e68 100644 --- a/README.md +++ b/README.md @@ -22,9 +22,9 @@ diogomonica/docker-security-benchmark If you wish to build and run this container yourself, you can follow the following steps: ``` -# git clone https://github.com/diogomonica/docker-security-benchmark.git -# cd docker-security-benchmark; docker build -t docker-security-benchmark . -# docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ +git clone https://github.com/diogomonica/docker-security-benchmark.git +cd docker-security-benchmark; docker build -t docker-security-benchmark . +docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \ docker-security-benchmark ``` @@ -32,8 +32,8 @@ docker-security-benchmark Also, this script can also be simply run from your base host by running: ``` -# git clone https://github.com/diogomonica/docker-security-benchmark.git -# cd docker-security-benchmark; sh docker_security_benchmark.sh +git clone https://github.com/diogomonica/docker-security-benchmark.git +cd docker-security-benchmark; sh docker_security_benchmark.sh ``` This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform. diff --git a/docker_security_benchmark.sh b/docker_security_benchmark.sh index b852a54..a4a9b6c 100644 --- a/docker_security_benchmark.sh +++ b/docker_security_benchmark.sh 
@@ -81,6 +81,7 @@ main () { done # List all running containers except docker-security-benchmark containers=`docker ps -q | grep -v $benchcont` + for test in tests/*.sh do . ./$test diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index c103f9c..49af272 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -31,6 +31,7 @@ if [ $listening_services -eq 0 ]; then else if [ $listening_services -gt 5 ]; then warn "$check_1_5" + warn " * Host listening on: $listening_services ports" else pass "$check_1_5" fi diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index 554ff98..04c824a 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh @@ -11,25 +11,22 @@ if test "$containers" = ""; then info "$check_4_1" info " * No containers running" else - # List all the running containers, ouput their ID and USER - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:User={{.Config.User}}' 2>/dev/null` # We have some containers running, set failure flag to 0. Check for Users. fail=0 # Make the loop separator be a new-line in POSIX compliant fashion set -f; IFS=$' ' - for c in $cont_inspect; do - user=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + user=`docker inspect --format 'User={{.Config.User}}' $c` - if test $user = "User=" || test $user = "User=[]" ||test $user = "User="; then + if test $user = "User=" || test $user = "User=[]" || test $user = "User="; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_4_1" - warn " * Running as root: $container_id" + warn " * Running as root: $c" fail=1 else - warn " * Running as root: $container_id" + warn " * Running as root: $c" fi fi done diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 32b6a6d..98ae497 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh 
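Review bot: The root check in the 4_container_images.sh hunk only catches an unset user, so a container started with an explicit `--user root` or `--user 0` reports `User=root` / `User=0` and passes. Extending the condition to `if test "$user" = "User=" || test "$user" = "User=[]" || test "$user" = "User=root" || test "$user" = "User=0"; then` would flag those too (the third comparison on the current line merely repeats the first). `$user` should be quoted as well: the removed batch `docker inspect` had `2>/dev/null` and the new per-container call does not, so if it fails `$user` is empty and the unquoted `test` raises an argument error instead of reporting the container. Every other `test $var = ...` line this commit rewrites has the same unquoted expansion.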
@@ -13,22 +13,18 @@ else # 5.1 check_5_1="5.1 - Verify AppArmor Profile, if applicable" - # List all the running containers, ouput their ID and AppArmorProfile - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:AppArmorProfile={{.AppArmorProfile }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do - policy=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c` if test $policy = "AppArmorProfile=" || test $policy = "AppArmorProfile=[]" ||test $policy = "AppArmorProfile="; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_1" - warn " * No AppArmorProfile Found: $container_id" + warn " * No AppArmorProfile Found: $c" fail=1 else - warn " * No AppArmorProfile Found: $container_id" + warn " * No AppArmorProfile Found: $c" fi fi done 
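Review bot: A container explicitly run with AppArmor disabled is not caught by 5.1, because `.AppArmorProfile` then reads `unconfined` (as I recall), which is neither empty nor `[]` and therefore passes. Adding `|| test "$policy" = "AppArmorProfile=unconfined"` to the condition, and dropping the duplicate `AppArmorProfile=` comparison, would close that gap. The `||test` on the condition line is unchanged context, but it is the only operator in the file without a following space and is worth fixing while the line is being touched.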
@@ -40,22 +36,18 @@ else # 5.2 check_5_2="5.2 - Verify SELinux security options, if applicable" - # List all the running containers, ouput their ID and SecurityOptions - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:SecurityOpt={{.HostConfig.SecurityOpt }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do - policy=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c` if test $policy = "SecurityOpt=" || test $policy = "SecurityOpt=[]" || test $policy = "SecurityOpt="; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_2" - warn " * No SecurityOptions Found: $container_id" + warn " * No SecurityOptions Found: $c" fail=1 else - warn " * No SecurityOptions Found: $container_id" + warn " * No SecurityOptions Found: $c" fi fi done @@ -67,21 +59,17 @@ else # 5.3 check_5_3="5.3 - Verify that containers are running only a single main process" - # List all the running containers, ouput their Id - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - - for c in $cont_inspect; do + for c in $containers; do processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'` if [ $processes -gt 5 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_3" - warn " * Too many proccesses running: $container_id" + warn " * Too many proccesses running: $c" fail=1 else - warn " * Too many proccesses running: $container_id" + warn " * Too many proccesses running: $c" fi fi done 
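Review bot: `test $policy = "SecurityOpt="` breaks as soon as a container has more than one security option, because `.HostConfig.SecurityOpt` prints a Go slice (constructed example: `[label:disable seccomp:unconfined]`) and the unquoted expansion splits into several words, so `test` reports an argument error instead of evaluating the check. Quoting the expansion, `if test "$policy" = "SecurityOpt=" || test "$policy" = "SecurityOpt=[]"; then`, fixes it; the same unquoted list comparison is in the 5.4 (`CapAdd`), 5.18 (`Devices`), 5.19 (`Ulimits`) and 6.5 (`Volumes`) hunks, and in 5.4 and 5.18 a non-empty list is exactly the condition being looked for, so those checks can never report a hit. Separately, an explicit `label:disable` option is a non-empty value and passes this SELinux check; consider flagging it at info level.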
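Review bot: In 5.3 a container image without `ps`, or one where `docker exec` fails, produces zero lines because stderr is discarded, so `$processes` is 0 and the container silently passes rather than being reported as unchecked. Testing the exec separately before counting, `if ! docker exec $c true 2>/dev/null; then info " * Could not enumerate processes in: $c"; continue; fi`, keeps the check honest. The count also includes the `ps -el` header line and the `ps` process itself, so the `-gt 5` threshold is lower than it looks; a comment stating the intended number of application processes would help. The enclosing `else` block starts before this hunk.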
@@ -93,22 +81,18 @@ else # 5.4 check_5_4="5.4 - Restrict Linux Kernel Capabilities within containers" - # List all the running containers, ouput their ID and CapAdd - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:CapAdd={{ .HostConfig.CapAdd}}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 + for c in $containers; do + caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c` - for c in $cont_inspect; do - caps=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` if test $caps != "CapAdd=" && test $caps != "CapAdd=[]" && test $caps != "CapAdd="; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_4" - warn " * Capabilities added: $caps to $container_id" + warn " * Capabilities added: $caps to $c" fail=1 else - warn " * Capabilities added: $caps to $container_id" + warn " * Capabilities added: $caps to $c" fi fi done @@ -120,22 +104,18 @@ else # 5.5 check_5_5="5.5 - Do not use privileged containers" - # List all the running containers, ouput their ID and privileged status - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.HostConfig.Privileged }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 + for c in $containers; do + privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c` - for c in $cont_inspect; do - privileged=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` if test $privileged = "true"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_5" - warn " * Container running in Privileged mode: $container_id" + warn " * Container running in Privileged mode: $c" fail=1 else - warn " * Container running in Privileged mode: $container_id" + warn " * Container running in Privileged mode: $c" fi fi done 
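Review bot: The 5.4 check only reports capabilities granted with `--cap-add`; a container running with the daemon's default capability set and no `--cap-drop` passes without comment, which is narrower than the "Restrict Linux Kernel Capabilities" title suggests. A comment above the loop, `# Only flags capabilities added beyond the default set; CapDrop is not evaluated`, would make the scope clear, and `{{ .HostConfig.CapDrop }}` could be reported alongside at info level so operators can see which containers dropped nothing.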
@@ -147,40 +127,33 @@ else # 5.6 check_5_6="5.6 - Do not mount sensitive host system directories on containers" - # List of sensitive directories to test for. Script uses new-lines as a separator + # List of sensitive directories to test for. Script uses new-lines as a separator. + # Note the lack of identation. It needs it for the substring comparison. sensitive_dirs='/boot - /dev - /etc - /lib - /proc - /sys - /usr' - # List all the running containers, ouput their ID and R/W Volumes - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{ .VolumesRW }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 +/dev +/etc +/lib +/proc +/sys +/usr' fail=0 - for c in $cont_inspect; do - volumes=`printf "$c" | cut -d ":" -f 2-` - container_id=`printf "$c" | cut -d ":" -f 1` - sensitive=0 - + for c in $containers; do + volumes=`docker inspect --format '{{ .VolumesRW }}' $c` # Go over each directory in sensitive dir and see if they exist in the volumes for v in $sensitive_dirs; do - if [ $sensitive -eq 0 ]; then - contains "$volumes" "$v:" && sensitive=1 + sensitive=0 + contains "$volumes" "$v:" && sensitive=1 + if [ $sensitive -eq 1 ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_6" + warn " * Sensitive directory $v mounted in: $c" + fail=1 + else + warn " * Sensitive directory $v mounted in: $c" + fi fi done - - if [ $sensitive -eq 1 ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn "$check_5_6" - warn " * Container mounted with sensitive directory: $container_id" - fail=1 - else - warn " * Container mounted with sensitive directory: $container_id" - fi - fi done # We went through all the containers and found none with sensitive mounts if [ $fail -eq 0 ]; then 
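Review bot: The substring match in 5.6 appears to test the wrong side of the mount: as far as I recall `.VolumesRW` is keyed by the path inside the container, so a host `/etc` bound at, say, `/host/etc` contains no `/etc:` and is not reported, while a container-side `/usr/lib` volume matches `/lib:` spuriously. `.HostConfig.Binds` lists each bind as `host:container[:mode]`, so `volumes=\`docker inspect --format '{{ .HostConfig.Binds }}' $c\`` with a match on `$v:` (and on `$v/` to catch sub-paths such as `/etc/passwd`) would test the host path, which is what the control is about. The added comment also misspells "indentation".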
@@ -190,20 +163,18 @@ else # 5.7 check_5_7="5.7 - Do not run ssh within containers" - # List all the running containers, ouput their Id - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do + for c in $containers; do processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'` + if [ $processes -gt 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_7" - warn " * Container running sshd: $container_id" + warn " * Container running sshd: $c" fail=1 else - warn " * Container running sshd: $container_id" + warn " * Container running sshd: $c" fi fi done @@ -215,19 +186,18 @@ else # 5.8 check_5_8="5.8 - Do not map privileged ports within containers" - # List all the running containers, ouput their listening ports - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 for c in $containers; do port=`docker port $c | awk '{print $1}' | cut -d '/' -f1` + if test "$port" != "" && [ $port -lt 1025 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_8" - warn " * Privileged Port in use: $port" + warn " * Privileged Port in use: $port in $c" fail=1 else - warn " * Privileged Port in use: $port" + warn " * Privileged Port in use: $port in $c" fi fi done 
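Review bot: The sshd check in 5.7 never fires for the normal case: a single `sshd` daemon yields one matching line, and `[ $processes -gt 1 ]` requires two. Since the `grep` runs on the host and cannot match itself, the threshold should be `if [ $processes -gt 0 ]; then`, or more simply `if docker exec $c ps -el 2>/dev/null | grep -q sshd; then`. As in 5.3, an image without `ps` returns zero lines and passes silently. The comparison is context here, but the loop that feeds it is new in this commit.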
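Review bot: 5.8 inspects the container-side port rather than the host port: `docker port` prints lines of the form `80/tcp -> 0.0.0.0:8080`, and `awk '{print $1}' | cut -d '/' -f1` yields 80, so a container mapped to host port 8080 is flagged while one whose container port 8080 is mapped to host port 22 is not. Taking the host side, `port=\`docker port $c | awk '{print $3}' | cut -d ':' -f2\``, checks the privileged range where it matters (5.14 already reads field 3 for the same reason). When a container publishes several ports `$port` becomes multi-line and the unquoted `[ $port -lt 1025 ]` errors, so the `docker port` output should be looped over line by line rather than compared once.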
@@ -239,21 +209,18 @@ else # 5.10 check_5_10="5.10 - Do not use host network mode on container" - # List all the running containers, ouput their ID and network mode - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:NetworkMode={{.HostConfig.NetworkMode }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do - mode=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c` + if test $mode = "NetworkMode=host"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_10" - warn " * Container running with networking mode 'host': $container_id" + warn " * Container running with networking mode 'host': $c" fail=1 else - warn " * Container running with networking mode 'host': $container_id" + warn " * Container running with networking mode 'host': $c" fi fi done 
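Review bot: Only `NetworkMode=host` is flagged in 5.10; a container started with `--net container:<id>` reports `NetworkMode=container:<id>` and shares another container's network namespace, which deserves at least an info line. A one-line addition after the existing `if`, `case "$mode" in NetworkMode=container:*) info " * Container shares another container's network namespace: $c" ;; esac`, covers it without changing the host-mode warning. Quote `$mode` in the comparison as well.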
@@ -265,22 +232,18 @@ else # 5.11 check_5_11="5.11 - Limit memory usage for container" - # List all the running containers, ouput their ID and memory limit - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{ .Config.Memory }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - # Make the loop separator be a new-line in POSIX compliant fashion - for c in $cont_inspect; do - memory=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + memory=`docker inspect --format '{{ .Config.Memory }}' $c` + if test $memory = "0"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_11" - warn " * Container running without memory restrictions: $container_id" + warn " * Container running without memory restrictions: $c" fail=1 else - warn " * Container running without memory restrictions: $container_id" + warn " * Container running without memory restrictions: $c" fi fi done @@ -292,21 +255,18 @@ else # 5.12 check_5_12="5.12 - Set container CPU priority appropriately" - # List all the running containers, ouput their ID and CPU Shares - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.Config.CpuShares }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do - shares=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + shares=`docker inspect --format '{{ .Config.CpuShares }}' $c` + if test $shares = "0"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_12" - warn " * Container running without CPU restrictions: $container_id" + warn " * Container running without CPU restrictions: $c" fail=1 else - warn " * Container running without CPU restrictions: $container_id" + warn " * Container running without CPU restrictions: $c" fi fi done 
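Review bot: `{{ .Config.Memory }}` in 5.11 and `{{ .Config.CpuShares }}` in 5.12 read the container config, but on daemons where these limits live under `HostConfig` (they moved there around Docker 1.6, as I recall) the template prints `<no value>`, which is not `0` and additionally splits into two words in the unquoted `test`, so neither check reports anything. Reading `{{ .HostConfig.Memory }}` / `{{ .HostConfig.CpuShares }}` and quoting the expansions, `if test "$memory" = "0"; then`, keeps the checks working; if older daemons still matter, fall back to the `Config` field when the `HostConfig` one is empty.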
@@ -318,21 +278,18 @@ else # 5.13 check_5_13="5.13 - Mount container's root filesystem as read only" - # List all the running containers, ouput their ID and status of ReadonlyRootfs - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.HostConfig.ReadonlyRootfs }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do - read_status=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c` + if test $read_status = "false"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_13" - warn " * Container running with root FS mounted R/W: $container_id" + warn " * Container running with root FS mounted R/W: $c" fail=1 else - warn " * Container running with root FS mounted R/W: $container_id" + warn " * Container running with root FS mounted R/W: $c" fi fi done @@ -344,8 +301,6 @@ else # 5.14 check_5_14="5.14 - Bind incoming container traffic to a specific host interface" - # List all the running containers, ouput the IP where ports are being bound - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 for c in $containers; do ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1` @@ -353,10 +308,10 @@ else # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_14" - warn " * Port being bound to wildcard IP: 0.0.0.0" + warn " * Port being bound to wildcard IP: $ip in $c" fail=1 else - warn " * Port being bound to wildcard IP: 0.0.0.0" + warn " * Port being bound to wildcard IP: $ip in $c" fi fi done 
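Review bot: The new 5.14 message prints `$ip`, but `docker port` emits one line per published port, so for a container with more than one mapping `$ip` holds several values and the warning (and the comparison that precedes this hunk) sees them joined together. Iterating over the lines, `docker port $c | awk '{print $3}' | cut -d ':' -f1 | while read -r ip; do ... done`, reports each binding on its own. The condition that decides the warning starts before this hunk.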
@@ -368,22 +323,18 @@ else # 5.15 check_5_15="5.15 - Do not set the 'on-failure' container restart policy to always" - # List all the running containers, ouput their ID and Restart Policy Name - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:RestartPolicyName={{.HostConfig.RestartPolicy.Name }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do - policy=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c` if test $policy = "RestartPolicyName=always"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_15" - warn " * Restart Policy set to always: $container_id" + warn " * Restart Policy set to always: $c" fail=1 else - warn " * Restart Policy set to always: $container_id" + warn " * Restart Policy set to always: $c" fi fi done @@ -395,21 +346,18 @@ else # 5.16 check_5_16="5.16 - Do not share the host's process namespace" - # List all the running containers, ouput their ID and PidMode - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:PidMode={{.HostConfig.PidMode }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do - mode=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c` + if test $mode = "PidMode=host"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_16" - warn " * Host PID namespace being shared with: $container_id" + warn " * Host PID namespace being shared with: $c" fail=1 else - warn " * Host PID namespace being shared with: $container_id" + warn " * Host PID namespace being shared with: $c" fi fi done 
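Review bot: 5.15 flags `always` but says nothing about `on-failure` without a retry cap, which the control title implies should also be bounded; `{{ .HostConfig.RestartPolicy.MaximumRetryCount }}` is available from the same inspect call. A follow-up such as `retries=\`docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' $c\`` with `if test "$policy" = "RestartPolicyName=on-failure" && test "$retries" = "0"; then info " * on-failure restart policy without retry limit: $c"; fi` would cover it. Quote `$policy` in the existing comparison as well.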
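Review bot: The template spacing in 5.16 (`{{.HostConfig.PidMode }}`) and 5.17 (`{{.HostConfig.IpcMode }}`) differs from every other inspect line this commit writes, which use `{{ .Field }}`; `mode=\`docker inspect --format 'PidMode={{ .HostConfig.PidMode }}' $c\`` keeps them consistent. Likewise the blank line after the assignment is present in some rewritten loops (5.4, 5.5, 5.7, 5.8, 5.10–5.13, 5.16–5.19, 6.5) and absent in others (5.1–5.3, 5.6, 5.15); pick one form for all of them.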
@@ -421,21 +369,18 @@ else # 5.17 check_5_17="5.17 - Do not share the host's IPC namespace" - # List all the running containers, ouput their ID and IpcMode - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:IpcMode={{.HostConfig.IpcMode }}'` - # We have some containers running, set failure flag to 0, set failure flag to 0 fail=0 - for c in $cont_inspect; do - mode=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` + for c in $containers; do + mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c` + if test $mode = "IpcMode=host"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_17" - warn " * Host IPC namespace being shared with: $container_id" + warn " * Host IPC namespace being shared with: $c" fail=1 else - warn " * Host IPC namespace being shared with: $container_id" + warn " * Host IPC namespace being shared with: $c" fi fi done 
@@ -447,20 +392,18 @@ else # 5.18 check_5_18="5.18 - Do not directly expose host devices to containers" - # List all the running containers, ouput their ID and host devices - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:Devices={{.HostConfig.Devices }}'` fail=0 - for c in $cont_inspect; do - mode=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` - if test $mode != "Devices=" && test $mode != "Devices=[]" && test $mode != "Devices="; then + for c in $containers; do + devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c` + + if test $devices != "Devices=" && test $devices != "Devices=[]" && test $devices != "Devices="; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then info "$check_5_18" - info " * Container has devices exposed directly: $container_id" + info " * Container has devices exposed directly: $c" fail=1 else - info " * Container has devices exposed directly: $container_id" + info " * Container has devices exposed directly: $c" fi fi done 
@@ -473,19 +416,18 @@ else check_5_19="5.19 - Override default ulimit at runtime only if needed" # List all the running containers, ouput their ID and host devices - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:Ulimits={{.HostConfig.Ulimits }}'` fail=0 - for c in $cont_inspect; do - mode=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` - if test $mode = "Ulimits=" || test $mode = "Ulimits=[]" || test $mode = "Ulimits="; then + for c in $containers; do + ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c` + + if test $ulimits = "Ulimits=" || test $ulimits = "Ulimits=[]" || test $ulimits = "Ulimits="; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then info "$check_5_19" - info " * Container no default ulimit override: $container_id" + info " * Container no default ulimit override: $c" fail=1 else - info " * Container no default ulimit override: $container_id" + info " * Container no default ulimit override: $c" fi fi done diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index c4c701c..9ad6b3c 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh 
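Review bot: The comment above the 5.19 loop, `# List all the running containers, ouput their ID and host devices`, is copied from 5.18 and describes the `cont_inspect` line this commit removes, so it now misleads. Replacing it with `# Report containers that run with the default ulimits (no --ulimit override)` matches what the loop does. The enclosing `else` block starts before this hunk.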
@@ -11,24 +11,20 @@ if test "$containers" = ""; then info "$check_6_5" info " * No containers running" else - # List all the running containers, ouput their ID and host devices - cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id}}:{{ .Volumes }}'` - # We have some containers running, set failure flag to 0. fail=0 - # Make the loop separator be a new-line in POSIX compliant fashion set -f; IFS=$' ' - for c in $cont_inspect; do - mode=`printf "$c" | cut -d ":" -f 2` - container_id=`printf "$c" | cut -d ":" -f 1` - if test $mode = "map[]"; then + for c in $containers; do + volumes=`docker inspect --format '{{ .Volumes }}' $c` + + if test $volumes = "map[]"; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then info "$check_6_5" - info " * Container has no volumes, ensure centralized logging is enabled : $container_id" + info " * Container has no volumes, ensure centralized logging is enabled : $c" fail=1 else - info " * Container has no volumes, ensure centralized logging is enabled : $container_id" + info " * Container has no volumes, ensure centralized logging is enabled : $c" fi fi done @@ -41,7 +37,7 @@ set +f; unset IFS # 6.6 check_6_6="6.6 - Avoid image sprawl" images=`docker images | wc -l | awk '{print $1}'` -if [ $images -gt 200 ]; then +if [ $images -gt 100 ]; then warn "$check_6_6" warn " * There are currently: $images images" else
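Review bot: `docker images | wc -l` counts the header row, so `$images` is one more than the number of image lines and the new `-gt 100` threshold trips at 100 images rather than 101; `images=\`docker images -q | wc -l | awk '{print $1}'\`` counts only IDs. The 200→100 change carries no rationale; a comment such as `# Image-sprawl warning threshold; adjust to site policy` above the `if` would record it for the next person who changes the number.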