diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh
index f3800a7..3bdd440 100644
--- a/tests/2_docker_daemon_configuration.sh
+++ b/tests/2_docker_daemon_configuration.sh
@@ -141,3 +141,48 @@ if [ $? -eq 0 ]; then
 else
 warn "$check_2_13"
 fi
+
+# 2.14
+check_2_14="2.14 - Enable live restore"
+get_docker_effective_command_line_args '--live-restore' 2>/dev/null | grep "live-restore" >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+ pass "$check_2_14"
+else
+ warn "$check_2_14"
+fi
+
+# 2.15
+check_2_15="2.15 - Do not enable swarm mode, if not needed"
+docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1
+if [ $? -eq 1 ]; then
+ pass "$check_2_15"
+else
+ warn "$check_2_15"
+fi
+
+# 2.16
+check_2_16="2.16 - Control the number of manager nodes in a swarm"
+docker node ls 2>/dev/null | grep "Leader" >/dev/null 2>&1
+if [ $? -eq 1 ]; then
+ pass "$check_2_16"
+else
+ warn "$check_2_16"
+fi
+
+# 2.17
+check_2_17="2.17 - Bind swarm services to a specific host interface"
+netstat -lt 2>/dev/null | grep -i 2377 >/dev/null 2>&1
+if [ $? -eq 1 ]; then
+ pass "$check_2_17"
+else
+ warn "$check_2_17"
+fi
+
+# 2.18
+check_2_18="2.18 - Disable Userland Proxy"
+get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+ pass "$check_2_18"
+else
+ warn "$check_2_18"
+fi
diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh
index 6439c31..1e52dba 100644
--- a/tests/4_container_images.sh
+++ b/tests/4_container_images.sh
@@ -38,6 +38,8 @@ fi
 # Make the loop separator go back to space
 set +f; unset IFS
 
+images=$(docker images -q)
+
 # 4.5
 check_4_5="4.5 - Enable Content trust for Docker"
 if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
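Review bot: Check 2.17 reports a pass on any host where netstat is not installed: `netstat -lt 2>/dev/null | grep -i 2377` throws the "command not found" error away, grep reads empty input and exits 1, and `if [ $? -eq 1 ]` takes the pass branch, so a minimal or iproute2-only host is never actually inspected. Guard the tool first (`command -v netstat >/dev/null 2>&1`) and report the check as not run when it is missing, rather than letting the absence of the tool look like compliance. The match itself is also loose, since `grep -i 2377` hits those digits anywhere on the line (another port such as 12377, or part of an address); `netstat -lnt 2>/dev/null | grep ':2377 ' >/dev/null 2>&1` pins it to the local port column. In 2.15, `\s` inside a basic regex is a GNU grep extension and may not match on busybox or BSD grep, so `Swarm:[[:space:]]*active` is the portable spelling.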
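Review bot: `docker images -q` prints one line per repository tag, so an image that carries several tags appears several times in `$images` and every loop that consumes the variable will inspect and report that image once per tag; `images=$(docker images -q | sort -u)` keeps one ID per image. The call is also the only docker invocation in this file without a stderr redirect, so a daemon that is unreachable prints its error into the report output instead of being silenced like the neighbouring checks (`docker images -q 2>/dev/null`).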
@@ -45,3 +47,57 @@ if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
 else
 warn "$check_4_5"
 fi
+
+# 4.6
+check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
+fail=0
+for img in $images; do
+ docker inspect --format='{{.Config.Healthcheck}}' $img 2>/dev/null | grep -e "" >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ if [ $fail -eq 0 ]; then
+ fail=1
+ warn "$check_4_6"
+ fi
+ imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
+ warn " No Healthcheck found : $imgName"
+ fi
+done
+if [ $fail -eq 0 ]; then
+ pass "$check_4_6"
+fi
+
+# 4.7
+check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
+fail=0
+for img in $images; do
+ docker history $img 2>/dev/null | grep -e "update" >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ if [ $fail -eq 0 ]; then
+ fail=1
+ info "$check_4_7"
+ fi
+ imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
+ info " update instruction found in history of $imgName"
+ fi
+done
+if [ $fail -eq 0 ]; then
+ pass "$check_4_7"
+fi
+
+# 4.9
+check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
+fail=0
+for img in $images; do
+ docker history $img 2> /dev/null | grep 'ADD' >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ if [ $fail -eq 0 ]; then
+ fail=1
+ info "$check_4_9"
+ fi
+ imgName=`docker inspect --format='{{.RepoTags}}' $img 2>/dev/null`
+ info " found ADD in docker history of $imgName"
+ fi
+done
+if [ $fail -eq 0 ]; then
+ pass "$check_4_9"
+fi
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index 9d46c6a..fb4c79a 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -514,7 +514,7 @@ else
 fi
 fi
 done
- # We went through all the containers and found none with UTSMode as host
+ # We went through all the containers and found none with default secomp profile disabled
 if [ $fail -eq 0 ]; then
 pass "$check_5_21"
 fi
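Review bot: As this hunk renders, the 4.6 pipeline ends in `grep -e ""`, and an empty pattern matches every line, so every image whose inspect output is non-empty is reported as having no HEALTHCHECK and the check can never pass on a populated host; if a literal was dropped when this page was rendered, disregard this, otherwise the pattern has to be the text the Go template prints for a nil Healthcheck (`<nil>`) for the test to discriminate. The history greps in 4.7 and 4.9 look intact but are loose: `grep -e "update"` matches an `apt-get update && apt-get install …` layer, which is the compliant form the benchmark asks for, and `grep 'ADD'` matches the `ADD file:… in /` layer that images inherit from a base built from a root filesystem tarball, so both checks are likely to flag most images on the host. Anchoring the ADD match to the instruction column and excluding the `ADD file:` base-layer form would remove the bulk of those false positives. The `imgName` lookups also use backticks while the same file's new `images=$(docker images -q)` line uses `$(…)`; one form throughout would read better.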
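Review bot: The replacement comment spells the feature `secomp`; the kernel facility and the Docker option are both `seccomp`, so `# We went through all the containers and found none with default seccomp profile disabled`. The loop the comment summarises starts outside the hunk.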
@@ -561,8 +561,123 @@ else
 fi
 fi
 done
- # We went through all the containers and found none with UTSMode as host
+ # We went through all the containers and found none with capability to acquire additional privileges
 if [ $fail -eq 0 ]; then
 pass "$check_5_25"
 fi
+
+ # 5.26
+ check_5_26="5.26 - Check container health at runtime"
+
+ fail=0
+ for c in $containers; do
+ docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2
+ if [ $? -ne 0 ]; then
+ if [ $fail -eq 0 ]; then
+ warn "$check_5_26"
+ warn " * Health check not set for $c"
+ fail=1
+ else
+ warn " * Health check not set for $c"
+ fi
+ fi
+ done
+ if [ $fail -eq 0 ]; then
+ pass "$check_5_26"
+ fi
+
+ # 5.28
+ check_5_28="5.28 - Use PIDs cgroup limit"
+
+ fail=0
+ for c in $containers; do
+ pidslimit=`docker inspect --format '{{.HostConfig.PidsLimit }}' "$c"`
+
+ if [ $pidslimit -le 0 ]; then
+ # If it's the first container, fail the test
+ if [ $fail -eq 0 ]; then
+ warn "$check_5_28"
+ warn " * pidslimit not set: $c"
+ fail=1
+ else
+ warn " * pidslimit not set: $c"
+ fi
+ fi
+ done
+ # We went through all the containers and found all with PIDs limit
+ if [ $fail -eq 0 ]; then
+ pass "$check_5_28"
+ fi
+
+ # 5.29
+ check_5_29="5.29 - Do not use Docker's default bridge docker0"
+
+ fail=0
+ networks=`docker network ls -q 2>/dev/null`
+ for net in $networks; do
+ docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1
+
+ if [ $? -eq 0 ]; then
+ docker0Containers=`docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null`
+ if [ -n "$docker0Containers" ]; then
+ if [ $fail -eq 0 ]; then
+ warn "$check_5_29"
+ fail=1
+ fi
+ for c in $docker0Containers; do
+ warn " * container in docker0 network: $c"
+ done
+ fi
+ fi
+ done
+ # We went through all the containers and found none in docker0 network
+ if [ $fail -eq 0 ]; then
+ pass "$check_5_29"
+ fi
+
+ # 5.30
+ check_5_30="5.30 - Do not share the host's user namespaces"
+
+ fail=0
+ for c in $containers; do
+ docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1
+
+ if [ $? -eq 0 ]; then
+ # If it's the first container, fail the test
+ if [ $fail -eq 0 ]; then
+ warn "$check_5_30"
+ warn " * Namespace shared: $c"
+ fail=1
+ else
+ warn " * Namespace shared: $c"
+ fi
+ fi
+ done
+ # We went through all the containers and found none with host's user namespace shared
+ if [ $fail -eq 0 ]; then
+ pass "$check_5_30"
+ fi
+
+ # 5.31
+ check_5_31="5.31 - Do not mount the Docker socket inside any containers"
+
+ fail=0
+ for c in $containers; do
+ docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1
+
+ if [ $? -eq 0 ]; then
+ # If it's the first container, fail the test
+ if [ $fail -eq 0 ]; then
+ warn "$check_5_31"
+ warn " * Docker sock shared: $c"
+ fail=1
+ else
+ warn " * Docekr sock shared: $c"
+ fi
+ fi
+ done
+ # We went through all the containers and found none with docker.sock shared
+ if [ $fail -eq 0 ]; then
+ pass "$check_5_31"
+ fi
 fi
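Review bot: In 5.28 the test `if [ $pidslimit -le 0 ]` aborts with a `[` error instead of warning whenever the value is not a plain integer: the inspect call is the only one in this hunk without `2>/dev/null`, so a container that disappears between listing and inspection leaves `pidslimit` empty and `[` complains about a missing operand, and on daemons where `.HostConfig.PidsLimit` is a nullable field the template prints `<nil>` (which depends on the API version in use). Normalising before the comparison, `case "$pidslimit" in ''|*[!0-9]*) pidslimit=0 ;; esac`, turns both cases into the "not set" warning the check intends, and quoting `"$pidslimit"` alone is not enough since a non-numeric value still errors. The second warn in 5.31 reads `Docekr sock shared` where the first branch says `Docker sock shared`; the two strings should match. The `if` block these checks live in is closed by the final context `fi` of the hunk but opens outside it.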