From f4aab9c8c556246d0ee73d68bea097617e26c768 Mon Sep 17 00:00:00 2001 From: Werner Buck Date: Fri, 29 May 2015 13:42:34 +0200 Subject: [PATCH] Double quote to prevent globbing and word splitting. Do not use legacy backticks. Proper use of printf Do not use wc -l with grep, instead use grep -c Use pgrep Signed-off-by: Werner Buck --- docker-bench-security.sh | 27 ++++++------ helper_lib.sh | 8 ++-- output_lib.sh | 11 ++--- tests/1_host_configuration.sh | 14 +++---- tests/2_docker_daemon_configuration.sh | 22 +++++----- tests/3_docker_daemon_configuration_files.sh | 32 +++++++------- tests/4_container_images.sh | 2 +- tests/5_container_runtime.sh | 44 ++++++++++---------- tests/6_docker_security_operations.sh | 14 +++---- 9 files changed, 87 insertions(+), 87 deletions(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index a18b852..d2cb12c 100644 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -14,21 +14,20 @@ . ./helper_lib.sh # Setup the paths -this_path=$(abspath $0) ## Path of this file including filenamel -dir_name=`dirname ${this_path}` ## Dir where this file is -myname=`basename ${this_path}` ## file name of this script. -logger="${myname}.log" +this_path=$(abspath "$0") ## Path of this file including filenamel +myname=$(basename "${this_path}") ## file name of this script. export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/ +logger="${myname}.log" # Check for required program(s) req_progs='docker netstat grep awk' for p in $req_progs; do - command -v $p >/dev/null 2>&1 || { printf "$p command not found.\n"; exit 1; } + command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; } done # Ensure we can connect to docker daemon -`docker ps -q >/dev/null 2>&1` +docker ps -q >/dev/null 2>&1 if [ $? -ne 0 ]; then printf "Error connecting to docker daemon (does docker ps work?)\n" exit 1 
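Review bot: The daemon connectivity check still tests `$?` on a separate line after `docker ps -q >/dev/null 2>&1`; with the backticks gone the status can be tested directly, `if ! docker ps -q >/dev/null 2>&1; then`, which also keeps working if `set -e` is ever enabled in this script. The comment kept on the rewritten `this_path=` line still reads `filenamel`. The `if` opened at the end of this hunk closes outside it.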
@@ -36,9 +35,9 @@ fi usage () { printf " - usage: $myname [options] + usage: %s [options] - -h optional Print this help message\n" + -h optional Print this help message\n" "$myname" exit 1 } @@ -51,10 +50,10 @@ yell "# ------------------------------------------------------------------------ # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # ------------------------------------------------------------------------------" -logit "Initializing `date`\n" +logit "Initializing $(date)\n" # Warn if not root -ID=`id -u` +ID=$(id -u) if [ "x$ID" != "x0" ]; then warn "Some tests might require root to run" sleep 3 @@ -73,19 +72,19 @@ done # Load all the tests from tests/ and run them main () { # List all running containers - containers=`docker ps -q` + containers=$(docker ps -q) # If there is a container with label docker-bench, memorize it: benchcont="nil" for c in $containers; do - labels=`docker inspect --format '{{ .Config.Labels }}' $c` + labels=$(docker inspect --format '{{ .Config.Labels }}' "$c") contains "$labels" "docker-bench" && benchcont="$c" done # List all running containers except docker-bench - containers=`docker ps -q | grep -v $benchcont` + containers=$(docker ps -q | grep -v "$benchcont") for test in tests/*.sh do - . ./$test + . ./"$test" done } diff --git a/helper_lib.sh b/helper_lib.sh index 8c6cfbb..8dd98ce 100644 --- a/helper_lib.sh +++ b/helper_lib.sh 
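Review bot: In main, `grep -v "$benchcont"` treats the container id as an unanchored regular expression rather than a literal id, so a fixed whole-line match states the intent more precisely and is safe against any future id format: `containers=$(docker ps -q | grep -v -x -F -- "$benchcont")`. When no bench container is found `benchcont` stays `nil`, which with `-x -F` still excludes nothing, so the fallback behaviour is unchanged. main's body is complete within the hunk.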
@@ -10,10 +10,10 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es do_version_check() { [ "$1" = "$2" ] && return 10 - ver1front=`printf $1 | cut -d "." -f -1` - ver1back=`printf $1 | cut -d "." -f 2-` - ver2front=`printf $2 | cut -d "." -f -1` - ver2back=`printf $2 | cut -d "." -f 2-` + ver1front=$(printf "%s" "$1" | cut -d "." -f -1) + ver1back=$(printf "%s" "$1" | cut -d "." -f 2-) + ver2front=$(printf "%s" "$2" | cut -d "." -f -1) + ver2back=$(printf "%s" "$2" | cut -d "." -f 2-) if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then [ "$ver1front" -gt "$ver2front" ] && return 11 diff --git a/output_lib.sh b/output_lib.sh index 1a5c423..f4f61bc 100644 --- a/output_lib.sh +++ b/output_lib.sh @@ -1,3 +1,4 @@ +#!/bin/sh bldred='\033[1;31m' bldgrn='\033[1;32m' bldblu='\033[1;34m' @@ -5,21 +6,21 @@ bldylw='\033[1;33m' # Yellow txtrst='\033[0m' logit () { - printf "$1\n" | tee -a $logger + printf "%b\n" "$1" | tee -a "$logger" } info () { - printf '%b' "${bldblu}[INFO]${txtrst} $1\n" | tee -a $logger + printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger" } pass () { - printf '%b' "${bldgrn}[PASS]${txtrst} $1\n" | tee -a $logger + printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger" } warn () { - printf '%b' "${bldred}[WARN]${txtrst} $1\n" | tee -a $logger + printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger" } yell () { - printf '%b' "${bldylw}$1${txtrst}\n" + printf "%b\n" "${bldylw}$1${txtrst}\n" } diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index 5265036..42ca105 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -14,8 +14,8 @@ fi # 1.2 check_1_2="1.2 - Use an updated Linux Kernel" -kernel_version=`uname -r | cut -d "-" -f 1` -do_version_check 3.10 $kernel_version +kernel_version=$(uname -r | cut -d "-" -f 1) +do_version_check 3.10 "$kernel_version" if [ $? -eq 11 ]; then warn "$check_1_2" else 
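Review bot: `yell` now prints two newlines per call: the format string is `"%b\n"` and the argument still ends in `\n`, which `%b` also expands, so every banner is followed by a blank line that the old `'%b'` form did not emit. Drop the trailing escape from the argument, `printf "%b\n" "${bldylw}$1${txtrst}"`, so it matches `info`/`pass`/`warn` in the same hunk. Note that `%b` still interprets backslash sequences inside `$1` for all of these helpers, which is unchanged from before but worth a comment on `logit`, e.g. `# %b expands backslash escapes in the message (colour codes rely on this)`.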
@@ -25,11 +25,11 @@ fi # 1.5 check_1_5="1.5 - Remove all non-essential services from the host - Network" # Check for listening network services. -listening_services=`netstat -na | grep -v tcp6 | grep -v unix | grep LISTEN | wc -l` -if [ $listening_services -eq 0 ]; then +listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN) +if [ "$listening_services" -eq 0 ]; then warn "1.5 - Failed to get listening services for check: $check_1_5" else - if [ $listening_services -gt 5 ]; then + if [ "$listening_services" -gt 5 ]; then warn "$check_1_5" warn " * Host listening on: $listening_services ports" else @@ -39,8 +39,8 @@ fi # 1.6 check_1_6="1.6 - Keep Docker up to date" -docker_version=`docker version | grep 'Server version' | awk '{print $3}'` do_version_check 1.6.2 $docker_version +docker version | grep 'Server version' | awk '{print $3}' if [ $? -eq 11 ]; then warn "$check_1_6" else @@ -49,7 +49,7 @@ fi # 1.7 check_1_7="1.7 - Only allow trusted users to control Docker daemon" -docker_users=`grep docker /etc/group` +docker_users=$(grep docker /etc/group) info "$check_1_7" for u in $docker_users; do info " * $u" diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 46d8307..cde2345 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration" # 2.1 check_2_1="2.1 - Do not use lxc execution driver" -$ps_command $ps_args | grep docker | grep lxc >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_1" else @@ -14,7 +14,7 @@ fi # 2.2 check_2_2="2.2 - Restrict network traffic between containers" -$ps_command $ps_args | grep docker | grep "icc=false" >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_2" else 
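Review bot: Check 1.6 no longer works after this hunk: the `docker_version=` assignment was removed, so `do_version_check 1.6.2 $docker_version` is called with an empty second argument, and the bare `docker version | grep 'Server version' | awk '{print $3}'` pipeline that replaced it runs afterwards, prints the version to stdout, and is what the following `[ $? -eq 11 ]` actually tests. Restore the assignment before the call, `docker_version=$(docker version | grep 'Server version' | awk '{print $3}')` followed by `do_version_check 1.6.2 "$docker_version"`, and delete the bare pipeline line. The 1.5 hunk above is fine; `grep -c` prints `0` when nothing matches, so the `-eq 0` branch still behaves as before.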
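Review bot: The new `pgrep -U root -u root -lf docker` pipeline in 2.1 (repeated in the 2.2–2.10 hunks, and without the user filter in the 3.19–3.24 hunks) relies on `-l` printing the full command line so the later `grep` can see daemon flags; as far as I recall, on procps-ng `-l` lists only the process name even with `-f` and `-a` is the option that prints the full command line, so on such hosts every one of these checks would see only `docker` and report the flag as absent. The pattern `docker` also matches any root process whose command line contains that word, not just the daemon, so a flag on an unrelated process could satisfy or fail a check; anchoring the pattern to the daemon invocation would make the checks more reliable. Since the same pipeline is copied into every check, a single helper in helper_lib.sh, e.g. `get_docker_daemon_cmdline()`, would keep both fixes in one place.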
@@ -23,7 +23,7 @@ fi # 2.3 check_2_3="2.3 - Set the logging level" -$ps_command $ps_args | grep docker | grep "log-level=\"debug\"" >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_3" else @@ -32,7 +32,7 @@ fi # 2.4 check_2_4="2.4 - Allow Docker to make changes to iptables" -$ps_command $ps_args | grep docker | grep "iptables=false" >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_4" else @@ -41,7 +41,7 @@ fi # 2.5 check_2_5="2.5 - Do not use insecure registries" -$ps_command $ps_args | grep docker | grep "insecure-registry" >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_5" else @@ -50,7 +50,7 @@ fi # 2.6 check_2_6="2.6 - Setup a local registry mirror" -$ps_command $ps_args | grep docker | grep "registry-mirror" >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_6" else @@ -60,7 +60,7 @@ fi # 2.7 check_2_7="2.7 - Do not use the aufs storage driver" -storage_driver=`docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"` +docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$" if [ $? -eq 0 ]; then warn "$check_2_7" else @@ -69,7 +69,7 @@ fi # 2.8 check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket" -$ps_command $ps_args | grep docker | grep "\-H" >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1 if [ $? -eq 0 ]; then info "$check_2_8" info " * Docker daemon running with -H" 
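Review bot: Check 2.7 now leaks its match onto stdout: `docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"` is no longer captured into a variable, so on an aufs host the raw `Storage Driver: aufs` line is printed before the warning. Use `grep -q -e "^Storage Driver:\s*aufs\s*$"` (or redirect to `/dev/null` as the pgrep checks in the neighbouring hunks do) so only the exit status is consumed. `\s` is also a GNU extension in basic regular expressions; `[[:space:]]` is the portable spelling.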
@@ -79,9 +79,9 @@ fi # 2.9 check_2_9="2.9 - Configure TLS authentication for Docker daemon" -$ps_command $ps_args | grep docker | grep "tcp://" >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1 if [ $? -eq 0 ]; then - $ps_command $ps_args | grep docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 + pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_9" info " * Docker daemon currently listening on TCP" @@ -96,7 +96,7 @@ fi # 2.10 check_2_10="2.10 - Set default ulimit as appropriate" -$ps_command $ps_args | grep docker | grep "default-ulimit" >/dev/null 2>&1 +pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_10" else diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 60207de..36e49ab 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -247,10 +247,10 @@ fi check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" directory="/etc/docker" if [ -d "$directory" ]; then - perms=`ls -ld $directory | awk '{print $1}'` - if [ $perms = "drwxr-xr-x." ]; then + perms=$(ls -ld $directory | awk '{print $1}') + if [ "$perms" = "drwxr-xr-x." ]; then pass "$check_3_16" - elif [ $perms = "drwx------" ]; then + elif [ "$perms" = "drwx------" ]; then pass "$check_3_16" else warn "$check_3_16" @@ -266,9 +266,9 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - owners=`ls -lL $directory/* | grep .crt | awk '{print $3, $4}'` + owners=$(ls -lL "$directory"/*.crt | awk '{print "$3", "$4"}') for p in $owners; do - printf "$p" | grep "root" >/dev/null 2>&1 + printf "%s" "$p" | grep "root" >/dev/null 2>&1 if [ $? -ne 0 ]; then fail=1 fi 
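Review bot: Check 3.17 is broken by the rewritten awk program: `'{print "$3", "$4"}'` turns the field references into string literals, so awk prints the text `$3 $4` for every file instead of owner and group, `grep "root"` never matches, and the check always sets `fail=1`. It should read `owners=$(ls -lL "$directory"/*.crt | awk '{print $3, $4}')`, as the 3.18 hunk in the next section still does. Separately, the old `ls -lL $directory/* | grep .crt` also listed the contents of the per-registry subdirectories under `/etc/docker/certs.d/`, whereas the new glob only matches `.crt` files directly under it; if the certificates live one level down (the usual layout) both 3.17 and 3.18 now iterate over nothing and `ls` prints a "No such file" error for the unmatched literal pattern — worth confirming against a real host. The `if` block continues outside the hunk.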
@@ -289,7 +289,7 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - perms=`ls -lL $directory/* | grep .crt | awk '{print $1}'` + perms=$(ls -lL "$directory"/*.crt | awk '{print $1}') for p in $perms; do if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then fail=1 @@ -308,7 +308,7 @@ fi # 3.19 check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" -tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1` +tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscacert" ]; then ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -324,9 +324,9 @@ fi # 3.20 check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444" -tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1` +tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscacert" ]; then - perms=`ls -ld "$tlscacert" | awk '{print $1}'` + perms=$(ls -ld "$tlscacert" | awk '{print $1}') if [ "$perms" = "-rw-r--r--" ]; then pass "$check_3_20" else @@ -340,7 +340,7 @@ fi # 3.21 check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" -tlscert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1` +tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscert" ]; then ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ $? -eq 0 ]; then 
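Review bot: The extraction kept in 3.19–3.21 (and 3.22–3.24 in the next hunks), `sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1`, captures a single character that is not `s`, which looks like a typo for a non-space class; it only works because `cut` then takes the first space-separated token, and it yields an empty path when the option is written as `--tlscacert /path` with a space or when the path itself contains spaces. The `pgrep -lf docker` here also omits the `-U root -u root` filter used by the daemon checks, so the first matching command line of any user is parsed. If the daemon command line is parsed in six places, extracting it once into a helper and matching with `sed -n 's/.*tlscacert=\([^ ]*\).*/\1/p'` would be more robust. Each `if` block continues outside its hunk.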
@@ -356,9 +356,9 @@ fi # 3.22 check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444" -tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1` +tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscert" ]; then - perms=`ls -ld "$tlscert" | awk '{print $1}'` + perms=$(ls -ld "$tlscert" | awk '{print $1}') if [ "$perms" = "-rw-r--r--" ]; then pass "$check_3_22" else @@ -372,7 +372,7 @@ fi # 3.23 check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" -tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1` +tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlskey" ]; then ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -388,9 +388,9 @@ fi # 3.24 check_3_24="3.24 - Verify that Docker server key file permissions are set to 400" -tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1` +tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlskey" ]; then - perms=`ls -ld "$tlskey" | awk '{print $1}'` + perms=$(ls -ld "$tlskey" | awk '{print $1}') if [ "$perms" = "-r--------" ]; then pass "$check_3_24" else @@ -422,7 +422,7 @@ fi check_3_26="3.26 - Verify that Docker socket file permissions are set to 660" file="/var/run/docker.sock" if [ -f "$file" ]; then - perms=`ls -ld "$file" | awk '{print $1}'` + perms=$(ls -ld "$file" | awk '{print $1}') if [ "$perms" = "srw-rw----" ]; then pass "$check_3_26" else diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index eb50c7a..6cf9f66 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh 
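Review bot: Check 3.22 assigns the extracted path to `tlscacert` but then tests and inspects `$tlscert`, so the line this hunk rewrites computes nothing the check uses, and the check only works because 3.21 left `tlscert` set. The variable name should be `tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)`; it is the only one of the 3.19–3.24 group whose assignment and test disagree. The `if` block continues outside the hunk.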
@@ -17,7 +17,7 @@ else set -f; IFS=$' ' for c in $containers; do - user=`docker inspect --format 'User={{.Config.User}}' $c` + user=$(docker inspect --format 'User={{.Config.User}}' "$c") if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=" ]; then # If it's the first container, fail the test diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 7ec7e4d..a9ff634 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -15,7 +15,7 @@ else fail=0 for c in $containers; do - policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c` + policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c") if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=" ]; then # If it's the first container, fail the test @@ -38,7 +38,7 @@ else fail=0 for c in $containers; do - policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c` + policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "$c") if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=" ]; then # If it's the first container, fail the test @@ -61,15 +61,15 @@ else fail=0 for c in $containers; do - exec_check=`docker exec $c ps -el 2>/dev/null` + exec_check=$(docker exec "$c" ps -el 2>/dev/null) if [ $? -eq 255 ]; then warn "$check_5_3" warn " * Docker exec fails: $c" fail=1 fi - processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'` - if [ $processes -gt 5 ]; then + processes=$(docker exec "$c" ps -el 2>/dev/null | wc -l | awk '{print $1}') + if [ "$processes" -gt 5 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_3" 
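Review bot: In the 5.3 hunk `exec_check=$(docker exec "$c" ps -el 2>/dev/null)` is assigned and never read, and the same `docker exec` is run a second time to count processes; the 5.7 hunk in the next section drops the equivalent assignment, so the two checks now differ in style for no reason. Either drop the assignment here too, with stdout redirected so the listing is not printed, `docker exec "$c" ps -el >/dev/null 2>&1`, or reuse `$exec_check` for the count so each container is exec'd only once per check. The `for` loop continues outside the hunk.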
@@ -90,7 +90,7 @@ else fail=0 for c in $containers; do - caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c` + caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c") if [ "$caps" != "CapAdd=" -a "$caps" != "CapAdd=[]" -a "$caps" != "CapAdd=" ]; then # If it's the first container, fail the test @@ -113,7 +113,7 @@ else fail=0 for c in $containers; do - privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c` + privileged=$(docker inspect --format '{{ .HostConfig.Privileged }}' "$c") if [ "$privileged" = "true" ]; then # If it's the first container, fail the test @@ -145,7 +145,7 @@ else /usr' fail=0 for c in $containers; do - volumes=`docker inspect --format '{{ .VolumesRW }}' $c` + volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c") # Go over each directory in sensitive dir and see if they exist in the volumes for v in $sensitive_dirs; do sensitive=0 @@ -172,14 +172,14 @@ else fail=0 for c in $containers; do - exec_check=`docker exec $c ps -el 2>/dev/null` + docker exec "$c" ps -el 2>/dev/null if [ $? -eq 255 ]; then warn "$check_5_7" warn " * Docker exec failed: $c" fail=1 fi - processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'` + processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}') if [ $processes -gt 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then @@ -201,7 +201,7 @@ else fail=0 for c in $containers; do - port=`docker port $c | awk '{print $1}' | cut -d '/' -f1` + port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1) if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then # If it's the first container, fail the test @@ -224,7 +224,7 @@ else fail=0 for c in $containers; do - mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c` + mode=$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' "$c") if [ "$mode" = "NetworkMode=host" ]; then # If it's the first container, fail the test 
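Review bot: The 5.7 hunk now runs `docker exec "$c" ps -el 2>/dev/null` with stdout unredirected, so the full process list of every container is printed to the terminal where the old assignment swallowed it; it should be `docker exec "$c" ps -el >/dev/null 2>&1`. On the count line `awk '{print $1}'` is redundant after `grep -c sshd`, which already prints a single number, and `$processes` is still unquoted in `[ $processes -gt 1 ]` while the 5.3 hunk quotes it: `if [ "$processes" -gt 1 ]; then`. The `for` loop continues outside the hunk.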
@@ -247,9 +247,9 @@ else fail=0 for c in $containers; do - memory=`docker inspect --format '{{ .Config.Memory }}' $c` + memory=$(docker inspect --format '{{ .Config.Memory }}' "$c") - if [ $memory = "0" ]; then + if [ "$memory" = "0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_11" @@ -270,7 +270,7 @@ else fail=0 for c in $containers; do - shares=`docker inspect --format '{{ .Config.CpuShares }}' $c` + shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c") if [ "$shares" = "0" ]; then # If it's the first container, fail the test @@ -293,7 +293,7 @@ else fail=0 for c in $containers; do - read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c` + read_status=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$c") if [ "$read_status" = "false" ]; then # If it's the first container, fail the test @@ -316,7 +316,7 @@ else fail=0 for c in $containers; do - ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1` + ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1) if [ "$ip" = "0.0.0.0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then @@ -338,7 +338,7 @@ else fail=0 for c in $containers; do - policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c` + policy=$(docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' "$c") if [ "$policy" = "RestartPolicyName=always" ]; then # If it's the first container, fail the test @@ -361,7 +361,7 @@ else fail=0 for c in $containers; do - mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c` + mode=$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' "$c") if [ "$mode" = "PidMode=host" ]; then # If it's the first container, fail the test 
@@ -384,7 +384,7 @@ else fail=0 for c in $containers; do - mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c` + mode=$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' "$c") if [ "$mode" = "IpcMode=host" ]; then # If it's the first container, fail the test @@ -407,7 +407,7 @@ else fail=0 for c in $containers; do - devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c` + devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "$c") if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=" ]; then # If it's the first container, fail the test @@ -431,7 +431,7 @@ else # List all the running containers, ouput their ID and host devices fail=0 for c in $containers; do - ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c` + ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c") if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=" ]; then # If it's the first container, fail the test diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index 8c300ce..d1191b5 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -15,7 +15,7 @@ else set -f; IFS=$' ' for c in $containers; do - volumes=`docker inspect --format '{{ .Volumes }}' $c` + volumes=$(docker inspect --format '{{ .Volumes }}' "$c") if [ "$volumes" = "map[]" ]; then # If it's the first container, fail the test @@ -36,8 +36,8 @@ set +f; unset IFS # 6.6 check_6_6="6.6 - Avoid image sprawl" -images=`docker images | wc -l | awk '{print $1}'` -if [ $images -gt 100 ]; then +images=$(docker images | wc -l | awk '{print $1}') +if [ "$images" -gt 100 ]; then warn "$check_6_6" warn " * There are currently: $images images" else 
@@ -47,10 +47,10 @@ fi # 6.7 check_6_7="6.7 - Avoid container sprawl" -total_containers=`docker info 2>/dev/null | grep "Containers" | awk '{print $2}'` -running_containers=`docker ps -q | wc -l | awk '{print $1}'` -diff=`expr "$total_containers" - "$running_containers"` -if [ $diff -gt 25 ]; then +total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') +running_containers=$(docker ps -q | wc -l | awk '{print $1}') +diff="$(($total_containers - $running_containers))" +if [ "$diff" -gt 25 ]; then warn "$check_6_7" warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" else
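Review bot: `diff="$(($total_containers - $running_containers))"` assumes both operands are numbers; if `docker info` fails or prints no `Containers` line, `total_containers` is empty and the expansion yields a negative number (or a syntax error when both are empty) where the old `expr` call would have failed loudly, and the `-gt 25` test then passes silently. Guard the inputs before the arithmetic, e.g. `: "${total_containers:=0}"` and `: "${running_containers:=0}"`, and drop the unnecessary `$` inside the expansion: `diff=$((total_containers - running_containers))`. The `if` block continues outside the hunk.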