GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Added filtering to ignore security-benchmark container

Browse source
This commit is contained in:
Diogo Monica 2015-05-13 19:22:39 -07:00
parent 1cd54124c7
commit 1c795f146e
6 changed files with 114 additions and 177 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
README.md
View file

@ -22,9 +22,9 @@ diogomonica/docker-security-benchmark
If you wish to build and run this container yourself, you can follow the following steps:
```
# git clone https://github.com/diogomonica/docker-security-benchmark.git
# cd docker-security-benchmark; docker build -t docker-security-benchmark .
# docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \
git clone https://github.com/diogomonica/docker-security-benchmark.git
cd docker-security-benchmark; docker build -t docker-security-benchmark .
docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \
docker-security-benchmark
```
@ -32,8 +32,8 @@ docker-security-benchmark
Also, this script can also be simply run from your base host by running:
```
# git clone https://github.com/diogomonica/docker-security-benchmark.git
# cd docker-security-benchmark; sh docker_security_benchmark.sh
git clone https://github.com/diogomonica/docker-security-benchmark.git
cd docker-security-benchmark; sh docker_security_benchmark.sh
```
This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform.

1
docker_security_benchmark.sh
View file

@ -81,6 +81,7 @@ main () {
done
# List all running containers except docker-security-benchmark
containers=`docker ps -q | grep -v $benchcont`
for test in tests/*.sh
do
. ./$test

1
tests/1_host_configuration.sh
View file

@ -31,6 +31,7 @@ if [ $listening_services -eq 0 ]; then
else
if [ $listening_services -gt 5 ]; then
warn "$check_1_5"
warn " * Host listening on: $listening_services ports"
else
pass "$check_1_5"
fi

13
tests/4_container_images.sh
View file

@ -11,25 +11,22 @@ if test "$containers" = ""; then
info "$check_4_1"
info " * No containers running"
else
# List all the running containers, ouput their ID and USER
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:User={{.Config.User}}' 2>/dev/null`
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
for c in $cont_inspect; do
user=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
user=`docker inspect --format 'User={{.Config.User}}' $c`
if test $user = "User=" || test $user = "User=[]" ||test $user = "User=<no value>"; then
if test $user = "User=" || test $user = "User=[]" || test $user = "User=<no value>"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_4_1"
warn " * Running as root: $container_id"
warn " * Running as root: $c"
fail=1
else
warn " * Running as root: $container_id"
warn " * Running as root: $c"
fi
fi
done

248
tests/5_container_runtime.sh
View file

@ -13,22 +13,18 @@ else
# 5.1
check_5_1="5.1 - Verify AppArmor Profile, if applicable"
# List all the running containers, ouput their ID and AppArmorProfile
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:AppArmorProfile={{.AppArmorProfile }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
policy=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c`
if test $policy = "AppArmorProfile=" || test $policy = "AppArmorProfile=[]" ||test $policy = "AppArmorProfile=<no value>"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_1"
warn " * No AppArmorProfile Found: $container_id"
warn " * No AppArmorProfile Found: $c"
fail=1
else
warn " * No AppArmorProfile Found: $container_id"
warn " * No AppArmorProfile Found: $c"
fi
fi
done
@ -40,22 +36,18 @@ else
# 5.2
check_5_2="5.2 - Verify SELinux security options, if applicable"
# List all the running containers, ouput their ID and SecurityOptions
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:SecurityOpt={{.HostConfig.SecurityOpt }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
policy=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c`
if test $policy = "SecurityOpt=" || test $policy = "SecurityOpt=[]" || test $policy = "SecurityOpt=<no value>"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_2"
warn " * No SecurityOptions Found: $container_id"
warn " * No SecurityOptions Found: $c"
fail=1
else
warn " * No SecurityOptions Found: $container_id"
warn " * No SecurityOptions Found: $c"
fi
fi
done
@ -67,21 +59,17 @@ else
# 5.3
check_5_3="5.3 - Verify that containers are running only a single main process"
# List all the running containers, ouput their Id
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
for c in $containers; do
processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'`
if [ $processes -gt 5 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_3"
warn " * Too many proccesses running: $container_id"
warn " * Too many proccesses running: $c"
fail=1
else
warn " * Too many proccesses running: $container_id"
warn " * Too many proccesses running: $c"
fi
fi
done
@ -93,22 +81,18 @@ else
# 5.4
check_5_4="5.4 - Restrict Linux Kernel Capabilities within containers"
# List all the running containers, ouput their ID and CapAdd
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:CapAdd={{ .HostConfig.CapAdd}}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $containers; do
caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c`
for c in $cont_inspect; do
caps=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $caps != "CapAdd=" && test $caps != "CapAdd=[]" && test $caps != "CapAdd=<no value>"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_4"
warn " * Capabilities added: $caps to $container_id"
warn " * Capabilities added: $caps to $c"
fail=1
else
warn " * Capabilities added: $caps to $container_id"
warn " * Capabilities added: $caps to $c"
fi
fi
done
@ -120,22 +104,18 @@ else
# 5.5
check_5_5="5.5 - Do not use privileged containers"
# List all the running containers, ouput their ID and privileged status
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.HostConfig.Privileged }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $containers; do
privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c`
for c in $cont_inspect; do
privileged=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $privileged = "true"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_5"
warn " * Container running in Privileged mode: $container_id"
warn " * Container running in Privileged mode: $c"
fail=1
else
warn " * Container running in Privileged mode: $container_id"
warn " * Container running in Privileged mode: $c"
fi
fi
done
@ -147,40 +127,33 @@ else
# 5.6
check_5_6="5.6 - Do not mount sensitive host system directories on containers"
# List of sensitive directories to test for. Script uses new-lines as a separator
# List of sensitive directories to test for. Script uses new-lines as a separator.
# Note the lack of identation. It needs it for the substring comparison.
sensitive_dirs='/boot
/dev
/etc
/lib
/proc
/sys
/usr'
# List all the running containers, ouput their ID and R/W Volumes
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{ .VolumesRW }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
/dev
/etc
/lib
/proc
/sys
/usr'
fail=0
for c in $cont_inspect; do
volumes=`printf "$c" | cut -d ":" -f 2-`
container_id=`printf "$c" | cut -d ":" -f 1`
sensitive=0
for c in $containers; do
volumes=`docker inspect --format '{{ .VolumesRW }}' $c`
# Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do
if [ $sensitive -eq 0 ]; then
contains "$volumes" "$v:" && sensitive=1
sensitive=0
contains "$volumes" "$v:" && sensitive=1
if [ $sensitive -eq 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_6"
warn " * Sensitive directory $v mounted in: $c"
fail=1
else
warn " * Sensitive directory $v mounted in: $c"
fi
fi
done
if [ $sensitive -eq 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_6"
warn " * Container mounted with sensitive directory: $container_id"
fail=1
else
warn " * Container mounted with sensitive directory: $container_id"
fi
fi
done
# We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then
@ -190,20 +163,18 @@ else
# 5.7
check_5_7="5.7 - Do not run ssh within containers"
# List all the running containers, ouput their Id
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
for c in $containers; do
processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'`
if [ $processes -gt 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_7"
warn " * Container running sshd: $container_id"
warn " * Container running sshd: $c"
fail=1
else
warn " * Container running sshd: $container_id"
warn " * Container running sshd: $c"
fi
fi
done
@ -215,19 +186,18 @@ else
# 5.8
check_5_8="5.8 - Do not map privileged ports within containers"
# List all the running containers, ouput their listening ports
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $containers; do
port=`docker port $c | awk '{print $1}' | cut -d '/' -f1`
if test "$port" != "" && [ $port -lt 1025 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_8"
warn " * Privileged Port in use: $port"
warn " * Privileged Port in use: $port in $c"
fail=1
else
warn " * Privileged Port in use: $port"
warn " * Privileged Port in use: $port in $c"
fi
fi
done
@ -239,21 +209,18 @@ else
# 5.10
check_5_10="5.10 - Do not use host network mode on container"
# List all the running containers, ouput their ID and network mode
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:NetworkMode={{.HostConfig.NetworkMode }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
mode=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c`
if test $mode = "NetworkMode=host"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_10"
warn " * Container running with networking mode 'host': $container_id"
warn " * Container running with networking mode 'host': $c"
fail=1
else
warn " * Container running with networking mode 'host': $container_id"
warn " * Container running with networking mode 'host': $c"
fi
fi
done
@ -265,22 +232,18 @@ else
# 5.11
check_5_11="5.11 - Limit memory usage for container"
# List all the running containers, ouput their ID and memory limit
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{ .Config.Memory }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
for c in $cont_inspect; do
memory=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
memory=`docker inspect --format '{{ .Config.Memory }}' $c`
if test $memory = "0"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_11"
warn " * Container running without memory restrictions: $container_id"
warn " * Container running without memory restrictions: $c"
fail=1
else
warn " * Container running without memory restrictions: $container_id"
warn " * Container running without memory restrictions: $c"
fi
fi
done
@ -292,21 +255,18 @@ else
# 5.12
check_5_12="5.12 - Set container CPU priority appropriately"
# List all the running containers, ouput their ID and CPU Shares
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.Config.CpuShares }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
shares=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
shares=`docker inspect --format '{{ .Config.CpuShares }}' $c`
if test $shares = "0"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_12"
warn " * Container running without CPU restrictions: $container_id"
warn " * Container running without CPU restrictions: $c"
fail=1
else
warn " * Container running without CPU restrictions: $container_id"
warn " * Container running without CPU restrictions: $c"
fi
fi
done
@ -318,21 +278,18 @@ else
# 5.13
check_5_13="5.13 - Mount container's root filesystem as read only"
# List all the running containers, ouput their ID and status of ReadonlyRootfs
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:{{.HostConfig.ReadonlyRootfs }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
read_status=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c`
if test $read_status = "false"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_13"
warn " * Container running with root FS mounted R/W: $container_id"
warn " * Container running with root FS mounted R/W: $c"
fail=1
else
warn " * Container running with root FS mounted R/W: $container_id"
warn " * Container running with root FS mounted R/W: $c"
fi
fi
done
@ -344,8 +301,6 @@ else
# 5.14
check_5_14="5.14 - Bind incoming container traffic to a specific host interface"
# List all the running containers, ouput the IP where ports are being bound
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $containers; do
ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1`
@ -353,10 +308,10 @@ else
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_14"
warn " * Port being bound to wildcard IP: 0.0.0.0"
warn " * Port being bound to wildcard IP: $ip in $c"
fail=1
else
warn " * Port being bound to wildcard IP: 0.0.0.0"
warn " * Port being bound to wildcard IP: $ip in $c"
fi
fi
done
@ -368,22 +323,18 @@ else
# 5.15
check_5_15="5.15 - Do not set the 'on-failure' container restart policy to always"
# List all the running containers, ouput their ID and Restart Policy Name
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:RestartPolicyName={{.HostConfig.RestartPolicy.Name }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
policy=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c`
if test $policy = "RestartPolicyName=always"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_15"
warn " * Restart Policy set to always: $container_id"
warn " * Restart Policy set to always: $c"
fail=1
else
warn " * Restart Policy set to always: $container_id"
warn " * Restart Policy set to always: $c"
fi
fi
done
@ -395,21 +346,18 @@ else
# 5.16
check_5_16="5.16 - Do not share the host's process namespace"
# List all the running containers, ouput their ID and PidMode
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:PidMode={{.HostConfig.PidMode }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
mode=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c`
if test $mode = "PidMode=host"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_16"
warn " * Host PID namespace being shared with: $container_id"
warn " * Host PID namespace being shared with: $c"
fail=1
else
warn " * Host PID namespace being shared with: $container_id"
warn " * Host PID namespace being shared with: $c"
fi
fi
done
@ -421,21 +369,18 @@ else
# 5.17
check_5_17="5.17 - Do not share the host's IPC namespace"
# List all the running containers, ouput their ID and IpcMode
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:IpcMode={{.HostConfig.IpcMode }}'`
# We have some containers running, set failure flag to 0, set failure flag to 0
fail=0
for c in $cont_inspect; do
mode=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
for c in $containers; do
mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c`
if test $mode = "IpcMode=host"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_17"
warn " * Host IPC namespace being shared with: $container_id"
warn " * Host IPC namespace being shared with: $c"
fail=1
else
warn " * Host IPC namespace being shared with: $container_id"
warn " * Host IPC namespace being shared with: $c"
fi
fi
done
@ -447,20 +392,18 @@ else
# 5.18
check_5_18="5.18 - Do not directly expose host devices to containers"
# List all the running containers, ouput their ID and host devices
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:Devices={{.HostConfig.Devices }}'`
fail=0
for c in $cont_inspect; do
mode=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode != "Devices=" && test $mode != "Devices=[]" && test $mode != "Devices=<no value>"; then
for c in $containers; do
devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c`
if test $devices != "Devices=" && test $devices != "Devices=[]" && test $devices != "Devices=<no value>"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
info "$check_5_18"
info " * Container has devices exposed directly: $container_id"
info " * Container has devices exposed directly: $c"
fail=1
else
info " * Container has devices exposed directly: $container_id"
info " * Container has devices exposed directly: $c"
fi
fi
done
@ -473,19 +416,18 @@ else
check_5_19="5.19 - Override default ulimit at runtime only if needed"
# List all the running containers, ouput their ID and host devices
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:Ulimits={{.HostConfig.Ulimits }}'`
fail=0
for c in $cont_inspect; do
mode=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode = "Ulimits=" || test $mode = "Ulimits=[]" || test $mode = "Ulimits=<no value>"; then
for c in $containers; do
ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c`
if test $ulimits = "Ulimits=" || test $ulimits = "Ulimits=[]" || test $ulimits = "Ulimits=<no value>"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
info "$check_5_19"
info " * Container no default ulimit override: $container_id"
info " * Container no default ulimit override: $c"
fail=1
else
info " * Container no default ulimit override: $container_id"
info " * Container no default ulimit override: $c"
fi
fi
done

18
tests/6_docker_security_operations.sh
View file

@ -11,24 +11,20 @@ if test "$containers" = ""; then
info "$check_6_5"
info " * No containers running"
else
# List all the running containers, ouput their ID and host devices
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id}}:{{ .Volumes }}'`
# We have some containers running, set failure flag to 0.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
for c in $cont_inspect; do
mode=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $mode = "map[]"; then
for c in $containers; do
volumes=`docker inspect --format '{{ .Volumes }}' $c`
if test $volumes = "map[]"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
info "$check_6_5"
info " * Container has no volumes, ensure centralized logging is enabled : $container_id"
info " * Container has no volumes, ensure centralized logging is enabled : $c"
fail=1
else
info " * Container has no volumes, ensure centralized logging is enabled : $container_id"
info " * Container has no volumes, ensure centralized logging is enabled : $c"
fi
fi
done
@ -41,7 +37,7 @@ set +f; unset IFS
# 6.6
check_6_6="6.6 - Avoid image sprawl"
images=`docker images | wc -l | awk '{print $1}'`
if [ $images -gt 200 ]; then
if [ $images -gt 100 ]; then
warn "$check_6_6"
warn " * There are currently: $images images"
else