Added filtering to ignore security-benchmark container

This commit is contained in:
Diogo Monica 2015-05-13 19:22:39 -07:00
parent 1cd54124c7
commit 1c795f146e
6 changed files with 114 additions and 177 deletions


@ -22,9 +22,9 @@ diogomonica/docker-security-benchmark
If you wish to build and run this container yourself, you can follow the following steps: If you wish to build and run this container yourself, you can follow the following steps:
``` ```
# git clone https://github.com/diogomonica/docker-security-benchmark.git git clone https://github.com/diogomonica/docker-security-benchmark.git
# cd docker-security-benchmark; docker build -t docker-security-benchmark . cd docker-security-benchmark; docker build -t docker-security-benchmark .
# docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \ -v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \
docker-security-benchmark docker-security-benchmark
``` ```
@ -32,8 +32,8 @@ docker-security-benchmark
Also, this script can also be simply run from your base host by running: Also, this script can also be simply run from your base host by running:
``` ```
# git clone https://github.com/diogomonica/docker-security-benchmark.git git clone https://github.com/diogomonica/docker-security-benchmark.git
# cd docker-security-benchmark; sh docker_security_benchmark.sh cd docker-security-benchmark; sh docker_security_benchmark.sh
``` ```
This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform. This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform.


@ -81,6 +81,7 @@ main () {
done done
# List all running containers except docker-security-benchmark # List all running containers except docker-security-benchmark
containers=`docker ps -q | grep -v $benchcont` containers=`docker ps -q | grep -v $benchcont`
for test in tests/*.sh for test in tests/*.sh
do do
. ./$test . ./$test
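Review bot: `$benchcont` on the new `containers=` line is handed to grep unquoted and as a regex, so if whatever sets it (outside this hunk) leaves it empty, `grep -v ""` drops every ID and `$containers` ends up empty, which makes every per-container check print "No containers running" and pass without auditing anything. I would quote it and only filter when it is set: `if [ -n "$benchcont" ]; then containers=\`docker ps -q | grep -v -- "$benchcont"\`; else containers=\`docker ps -q\`; fi`. Note also that `grep -v` excludes any line merely containing the pattern, so `$benchcont` has to be in the same short-ID form `docker ps -q` prints; if it is a full 64-character ID, nothing is filtered, and `grep -F -x` would make the intended exact match explicit. main() begins before this hunk and its loop body continues after it.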


@ -31,6 +31,7 @@ if [ $listening_services -eq 0 ]; then
else else
if [ $listening_services -gt 5 ]; then if [ $listening_services -gt 5 ]; then
warn "$check_1_5" warn "$check_1_5"
warn " * Host listening on: $listening_services ports"
else else
pass "$check_1_5" pass "$check_1_5"
fi fi


@ -11,25 +11,22 @@ if test "$containers" = ""; then
info "$check_4_1" info "$check_4_1"
info " * No containers running" info " * No containers running"
else else
# List all the running containers, ouput their ID and USER
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:User={{.Config.User}}' 2>/dev/null`
# We have some containers running, set failure flag to 0. Check for Users. # We have some containers running, set failure flag to 0. Check for Users.
fail=0 fail=0
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
for c in $cont_inspect; do for c in $containers; do
user=`printf "$c" | cut -d ":" -f 2` user=`docker inspect --format 'User={{.Config.User}}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $user = "User=" || test $user = "User=[]" ||test $user = "User=<no value>"; then if test $user = "User=" || test $user = "User=[]" || test $user = "User=<no value>"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_4_1" warn "$check_4_1"
warn " * Running as root: $container_id" warn " * Running as root: $c"
fail=1 fail=1
else else
warn " * Running as root: $container_id" warn " * Running as root: $c"
fi fi
fi fi
done done
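Review bot: `$user` is expanded unquoted in the new `test $user = "User=" || ...` chain, so when `docker inspect` returns nothing (a container that exited between `docker ps` and the inspect) the expression degenerates to `test = "User="` and the shell reports a test error instead of evaluating the check; `test "$user" = "User="` for each of the three comparisons, and `"$c"` on the inspect line, keep it well-formed. Separately, the condition only treats an unset user as root: a container started with `--user root` or `--user 0` yields `User=root` / `User=0` in `.Config.User` and passes this check, so I would extend it with `|| test "$user" = "User=root" || test "$user" = "User=0"`. The old xargs form discarded inspect's stderr with `2>/dev/null`; the new per-container call does not, so failures now surface in the report output. The enclosing `if test "$containers" = ""` / `else` branch and the `set -f; IFS=` pairing close outside this hunk.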


@ -13,22 +13,18 @@ else
# 5.1 # 5.1
check_5_1="5.1 - Verify AppArmor Profile, if applicable" check_5_1="5.1 - Verify AppArmor Profile, if applicable"
# List all the running containers, ouput their ID and AppArmorProfile
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:AppArmorProfile={{.AppArmorProfile }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
policy=`printf "$c" | cut -d ":" -f 2` policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $policy = "AppArmorProfile=" || test $policy = "AppArmorProfile=[]" ||test $policy = "AppArmorProfile=<no value>"; then if test $policy = "AppArmorProfile=" || test $policy = "AppArmorProfile=[]" ||test $policy = "AppArmorProfile=<no value>"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_1" warn "$check_5_1"
warn " * No AppArmorProfile Found: $container_id" warn " * No AppArmorProfile Found: $c"
fail=1 fail=1
else else
warn " * No AppArmorProfile Found: $container_id" warn " * No AppArmorProfile Found: $c"
fi fi
fi fi
done done
@ -40,22 +36,18 @@ else
# 5.2 # 5.2
check_5_2="5.2 - Verify SELinux security options, if applicable" check_5_2="5.2 - Verify SELinux security options, if applicable"
# List all the running containers, ouput their ID and SecurityOptions
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:SecurityOpt={{.HostConfig.SecurityOpt }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
policy=`printf "$c" | cut -d ":" -f 2` policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $policy = "SecurityOpt=" || test $policy = "SecurityOpt=[]" || test $policy = "SecurityOpt=<no value>"; then if test $policy = "SecurityOpt=" || test $policy = "SecurityOpt=[]" || test $policy = "SecurityOpt=<no value>"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_2" warn "$check_5_2"
warn " * No SecurityOptions Found: $container_id" warn " * No SecurityOptions Found: $c"
fail=1 fail=1
else else
warn " * No SecurityOptions Found: $container_id" warn " * No SecurityOptions Found: $c"
fi fi
fi fi
done done
@ -67,21 +59,17 @@ else
# 5.3 # 5.3
check_5_3="5.3 - Verify that containers are running only a single main process" check_5_3="5.3 - Verify that containers are running only a single main process"
# List all the running containers, ouput their Id
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $containers; do
for c in $cont_inspect; do
processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'` processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'`
if [ $processes -gt 5 ]; then if [ $processes -gt 5 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_3" warn "$check_5_3"
warn " * Too many proccesses running: $container_id" warn " * Too many proccesses running: $c"
fail=1 fail=1
else else
warn " * Too many proccesses running: $container_id" warn " * Too many proccesses running: $c"
fi fi
fi fi
done done
@ -93,22 +81,18 @@ else
# 5.4 # 5.4
check_5_4="5.4 - Restrict Linux Kernel Capabilities within containers" check_5_4="5.4 - Restrict Linux Kernel Capabilities within containers"
# List all the running containers, ouput their ID and CapAdd
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:CapAdd={{ .HostConfig.CapAdd}}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $containers; do
caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c`
for c in $cont_inspect; do
caps=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $caps != "CapAdd=" && test $caps != "CapAdd=[]" && test $caps != "CapAdd=<no value>"; then if test $caps != "CapAdd=" && test $caps != "CapAdd=[]" && test $caps != "CapAdd=<no value>"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_4" warn "$check_5_4"
warn " * Capabilities added: $caps to $container_id" warn " * Capabilities added: $caps to $c"
fail=1 fail=1
else else
warn " * Capabilities added: $caps to $container_id" warn " * Capabilities added: $caps to $c"
fi fi
fi fi
done done
@ -120,22 +104,18 @@ else
# 5.5 # 5.5
check_5_5="5.5 - Do not use privileged containers" check_5_5="5.5 - Do not use privileged containers"
# List all the running containers, ouput their ID and privileged status
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.HostConfig.Privileged }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $containers; do
privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c`
for c in $cont_inspect; do
privileged=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $privileged = "true"; then if test $privileged = "true"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_5" warn "$check_5_5"
warn " * Container running in Privileged mode: $container_id" warn " * Container running in Privileged mode: $c"
fail=1 fail=1
else else
warn " * Container running in Privileged mode: $container_id" warn " * Container running in Privileged mode: $c"
fi fi
fi fi
done done
@ -147,40 +127,33 @@ else
# 5.6 # 5.6
check_5_6="5.6 - Do not mount sensitive host system directories on containers" check_5_6="5.6 - Do not mount sensitive host system directories on containers"
# List of sensitive directories to test for. Script uses new-lines as a separator # List of sensitive directories to test for. Script uses new-lines as a separator.
# Note the lack of identation. It needs it for the substring comparison.
sensitive_dirs='/boot sensitive_dirs='/boot
/dev /dev
/etc /etc
/lib /lib
/proc /proc
/sys /sys
/usr' /usr'
# List all the running containers, ouput their ID and R/W Volumes
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{ .VolumesRW }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
volumes=`printf "$c" | cut -d ":" -f 2-` volumes=`docker inspect --format '{{ .VolumesRW }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
sensitive=0
# Go over each directory in sensitive dir and see if they exist in the volumes # Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do for v in $sensitive_dirs; do
if [ $sensitive -eq 0 ]; then sensitive=0
contains "$volumes" "$v:" && sensitive=1 contains "$volumes" "$v:" && sensitive=1
if [ $sensitive -eq 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_6"
warn " * Sensitive directory $v mounted in: $c"
fail=1
else
warn " * Sensitive directory $v mounted in: $c"
fi
fi fi
done done
if [ $sensitive -eq 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_6"
warn " * Container mounted with sensitive directory: $container_id"
fail=1
else
warn " * Container mounted with sensitive directory: $container_id"
fi
fi
done done
# We went through all the containers and found none with sensitive mounts # We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
@ -190,20 +163,18 @@ else
# 5.7 # 5.7
check_5_7="5.7 - Do not run ssh within containers" check_5_7="5.7 - Do not run ssh within containers"
# List all the running containers, ouput their Id
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'` processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'`
if [ $processes -gt 1 ]; then if [ $processes -gt 1 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_7" warn "$check_5_7"
warn " * Container running sshd: $container_id" warn " * Container running sshd: $c"
fail=1 fail=1
else else
warn " * Container running sshd: $container_id" warn " * Container running sshd: $c"
fi fi
fi fi
done done
@ -215,19 +186,18 @@ else
# 5.8 # 5.8
check_5_8="5.8 - Do not map privileged ports within containers" check_5_8="5.8 - Do not map privileged ports within containers"
# List all the running containers, ouput their listening ports
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $containers; do for c in $containers; do
port=`docker port $c | awk '{print $1}' | cut -d '/' -f1` port=`docker port $c | awk '{print $1}' | cut -d '/' -f1`
if test "$port" != "" && [ $port -lt 1025 ]; then if test "$port" != "" && [ $port -lt 1025 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_8" warn "$check_5_8"
warn " * Privileged Port in use: $port" warn " * Privileged Port in use: $port in $c"
fail=1 fail=1
else else
warn " * Privileged Port in use: $port" warn " * Privileged Port in use: $port in $c"
fi fi
fi fi
done done
@ -239,21 +209,18 @@ else
# 5.10 # 5.10
check_5_10="5.10 - Do not use host network mode on container" check_5_10="5.10 - Do not use host network mode on container"
# List all the running containers, ouput their ID and network mode
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:NetworkMode={{.HostConfig.NetworkMode }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
mode=`printf "$c" | cut -d ":" -f 2` mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode = "NetworkMode=host"; then if test $mode = "NetworkMode=host"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_10" warn "$check_5_10"
warn " * Container running with networking mode 'host': $container_id" warn " * Container running with networking mode 'host': $c"
fail=1 fail=1
else else
warn " * Container running with networking mode 'host': $container_id" warn " * Container running with networking mode 'host': $c"
fi fi
fi fi
done done
@ -265,22 +232,18 @@ else
# 5.11 # 5.11
check_5_11="5.11 - Limit memory usage for container" check_5_11="5.11 - Limit memory usage for container"
# List all the running containers, ouput their ID and memory limit
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{ .Config.Memory }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
# Make the loop separator be a new-line in POSIX compliant fashion for c in $containers; do
for c in $cont_inspect; do memory=`docker inspect --format '{{ .Config.Memory }}' $c`
memory=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $memory = "0"; then if test $memory = "0"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_11" warn "$check_5_11"
warn " * Container running without memory restrictions: $container_id" warn " * Container running without memory restrictions: $c"
fail=1 fail=1
else else
warn " * Container running without memory restrictions: $container_id" warn " * Container running without memory restrictions: $c"
fi fi
fi fi
done done
@ -292,21 +255,18 @@ else
# 5.12 # 5.12
check_5_12="5.12 - Set container CPU priority appropriately" check_5_12="5.12 - Set container CPU priority appropriately"
# List all the running containers, ouput their ID and CPU Shares
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.Config.CpuShares }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
shares=`printf "$c" | cut -d ":" -f 2` shares=`docker inspect --format '{{ .Config.CpuShares }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $shares = "0"; then if test $shares = "0"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_12" warn "$check_5_12"
warn " * Container running without CPU restrictions: $container_id" warn " * Container running without CPU restrictions: $c"
fail=1 fail=1
else else
warn " * Container running without CPU restrictions: $container_id" warn " * Container running without CPU restrictions: $c"
fi fi
fi fi
done done
@ -318,21 +278,18 @@ else
# 5.13 # 5.13
check_5_13="5.13 - Mount container's root filesystem as read only" check_5_13="5.13 - Mount container's root filesystem as read only"
# List all the running containers, ouput their ID and status of ReadonlyRootfs
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.HostConfig.ReadonlyRootfs }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
read_status=`printf "$c" | cut -d ":" -f 2` read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $read_status = "false"; then if test $read_status = "false"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_13" warn "$check_5_13"
warn " * Container running with root FS mounted R/W: $container_id" warn " * Container running with root FS mounted R/W: $c"
fail=1 fail=1
else else
warn " * Container running with root FS mounted R/W: $container_id" warn " * Container running with root FS mounted R/W: $c"
fi fi
fi fi
done done
@ -344,8 +301,6 @@ else
# 5.14 # 5.14
check_5_14="5.14 - Bind incoming container traffic to a specific host interface" check_5_14="5.14 - Bind incoming container traffic to a specific host interface"
# List all the running containers, ouput the IP where ports are being bound
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $containers; do for c in $containers; do
ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1` ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1`
@ -353,10 +308,10 @@ else
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_14" warn "$check_5_14"
warn " * Port being bound to wildcard IP: 0.0.0.0" warn " * Port being bound to wildcard IP: $ip in $c"
fail=1 fail=1
else else
warn " * Port being bound to wildcard IP: 0.0.0.0" warn " * Port being bound to wildcard IP: $ip in $c"
fi fi
fi fi
done done
@ -368,22 +323,18 @@ else
# 5.15 # 5.15
check_5_15="5.15 - Do not set the 'on-failure' container restart policy to always" check_5_15="5.15 - Do not set the 'on-failure' container restart policy to always"
# List all the running containers, ouput their ID and Restart Policy Name
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:RestartPolicyName={{.HostConfig.RestartPolicy.Name }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
policy=`printf "$c" | cut -d ":" -f 2` policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $policy = "RestartPolicyName=always"; then if test $policy = "RestartPolicyName=always"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_15" warn "$check_5_15"
warn " * Restart Policy set to always: $container_id" warn " * Restart Policy set to always: $c"
fail=1 fail=1
else else
warn " * Restart Policy set to always: $container_id" warn " * Restart Policy set to always: $c"
fi fi
fi fi
done done
@ -395,21 +346,18 @@ else
# 5.16 # 5.16
check_5_16="5.16 - Do not share the host's process namespace" check_5_16="5.16 - Do not share the host's process namespace"
# List all the running containers, ouput their ID and PidMode
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:PidMode={{.HostConfig.PidMode }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
mode=`printf "$c" | cut -d ":" -f 2` mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode = "PidMode=host"; then if test $mode = "PidMode=host"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_16" warn "$check_5_16"
warn " * Host PID namespace being shared with: $container_id" warn " * Host PID namespace being shared with: $c"
fail=1 fail=1
else else
warn " * Host PID namespace being shared with: $container_id" warn " * Host PID namespace being shared with: $c"
fi fi
fi fi
done done
@ -421,21 +369,18 @@ else
# 5.17 # 5.17
check_5_17="5.17 - Do not share the host's IPC namespace" check_5_17="5.17 - Do not share the host's IPC namespace"
# List all the running containers, ouput their ID and IpcMode
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:IpcMode={{.HostConfig.IpcMode }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
mode=`printf "$c" | cut -d ":" -f 2` mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode = "IpcMode=host"; then if test $mode = "IpcMode=host"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_17" warn "$check_5_17"
warn " * Host IPC namespace being shared with: $container_id" warn " * Host IPC namespace being shared with: $c"
fail=1 fail=1
else else
warn " * Host IPC namespace being shared with: $container_id" warn " * Host IPC namespace being shared with: $c"
fi fi
fi fi
done done
@ -447,20 +392,18 @@ else
# 5.18 # 5.18
check_5_18="5.18 - Do not directly expose host devices to containers" check_5_18="5.18 - Do not directly expose host devices to containers"
# List all the running containers, ouput their ID and host devices
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:Devices={{.HostConfig.Devices }}'`
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
mode=`printf "$c" | cut -d ":" -f 2` devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode != "Devices=" && test $mode != "Devices=[]" && test $mode != "Devices=<no value>"; then if test $devices != "Devices=" && test $devices != "Devices=[]" && test $devices != "Devices=<no value>"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_18" info "$check_5_18"
info " * Container has devices exposed directly: $container_id" info " * Container has devices exposed directly: $c"
fail=1 fail=1
else else
info " * Container has devices exposed directly: $container_id" info " * Container has devices exposed directly: $c"
fi fi
fi fi
done done
@ -473,19 +416,18 @@ else
check_5_19="5.19 - Override default ulimit at runtime only if needed" check_5_19="5.19 - Override default ulimit at runtime only if needed"
# List all the running containers, ouput their ID and host devices # List all the running containers, ouput their ID and host devices
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:Ulimits={{.HostConfig.Ulimits }}'`
fail=0 fail=0
for c in $cont_inspect; do for c in $containers; do
mode=`printf "$c" | cut -d ":" -f 2` ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode = "Ulimits=" || test $mode = "Ulimits=[]" || test $mode = "Ulimits=<no value>"; then if test $ulimits = "Ulimits=" || test $ulimits = "Ulimits=[]" || test $ulimits = "Ulimits=<no value>"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_19" info "$check_5_19"
info " * Container no default ulimit override: $container_id" info " * Container no default ulimit override: $c"
fail=1 fail=1
else else
info " * Container no default ulimit override: $container_id" info " * Container no default ulimit override: $c"
fi fi
fi fi
done done
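Review bot: In the 5.6 hunk, the new `volumes=\`docker inspect --format '{{ .VolumesRW }}' $c\`` line reads a map that, as far as I recall of the Docker 1.x inspect schema, is keyed by the container-side mount point, so `contains "$volumes" "$v:"` detects a volume mounted at `/etc` inside the container rather than the host's `/etc` being bind-mounted anywhere (`-v /etc:/host-etc` is missed, while an ordinary data volume at `/etc` is flagged). The host path is the value side of `{{ .Volumes }}`, so `volumes=\`docker inspect --format '{{ .Volumes }}' "$c"\`` with `contains "$volumes" ":$v" && sensitive=1` would test what the check title promises; worth confirming against the daemon version the script targets. The same unquoted `test $policy = ...` pattern appears on the new inspect lines of every other hunk in this file (5.1, 5.2, 5.4, 5.5, 5.10 through 5.19), where an empty inspect result produces a shell error rather than a finding, and quoting the variable fixes it throughout. Each hunk here sits inside an `else` branch whose `if` and `fi` lie outside the shown ranges.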


@ -11,24 +11,20 @@ if test "$containers" = ""; then
info "$check_6_5" info "$check_6_5"
info " * No containers running" info " * No containers running"
else else
# List all the running containers, ouput their ID and host devices
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id}}:{{ .Volumes }}'`
# We have some containers running, set failure flag to 0.
fail=0 fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
for c in $cont_inspect; do for c in $containers; do
mode=`printf "$c" | cut -d ":" -f 2` volumes=`docker inspect --format '{{ .Volumes }}' $c`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode = "map[]"; then if test $volumes = "map[]"; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_6_5" info "$check_6_5"
info " * Container has no volumes, ensure centralized logging is enabled : $container_id" info " * Container has no volumes, ensure centralized logging is enabled : $c"
fail=1 fail=1
else else
info " * Container has no volumes, ensure centralized logging is enabled : $container_id" info " * Container has no volumes, ensure centralized logging is enabled : $c"
fi fi
fi fi
done done
@ -41,7 +37,7 @@ set +f; unset IFS
# 6.6 # 6.6
check_6_6="6.6 - Avoid image sprawl" check_6_6="6.6 - Avoid image sprawl"
images=`docker images | wc -l | awk '{print $1}'` images=`docker images | wc -l | awk '{print $1}'`
if [ $images -gt 200 ]; then if [ $images -gt 100 ]; then
warn "$check_6_6" warn "$check_6_6"
warn " * There are currently: $images images" warn " * There are currently: $images images"
else else
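Review bot: `$volumes` is expanded unquoted in the new `test $volumes = "map[]"` line; `{{ .Volumes }}` prints a space-separated map (e.g. `map[/a:/x /b:/y]`) once a container has two or more volumes, so `test` sees extra arguments and aborts with an error instead of evaluating, and an empty result (inspect failing for a container that exited after `docker ps`) leaves `test = "map[]"`. `if test "$volumes" = "map[]"; then` and `"$c"` on the inspect line keep the expression well-formed for every output. The `set -f; IFS=$'` lines above it are unchanged context but worth a look on the same pass: `$'…'` is a bash quoting form, and under the `sh` the README recommends IFS appears to end up as a literal `$` plus newline, which only works because container IDs never contain `$`. The threshold drop from 200 to 100 images in the 6.6 hunk would benefit from a one-line comment naming where the number comes from. The `else` branch and the `set +f; unset IFS` closing this block lie outside the hunk.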