GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #3 from wernerb/shellcheck

Browse source 
Shellcheck
This commit is contained in:
Diogo Mónica 2015-05-31 10:31:53 -07:00
commit 362c62ac6e
9 changed files with 87 additions and 87 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
docker-bench-security.sh
View file

@ -14,21 +14,20 @@
. ./helper_lib.sh . ./helper_lib.sh
# Setup the paths # Setup the paths
this_path=$(abspath $0) ## Path of this file including filenamel this_path=$(abspath "$0") ## Path of this file including filenamel
dir_name=`dirname ${this_path}` ## Dir where this file is myname=$(basename "${this_path}") ## file name of this script.
myname=`basename ${this_path}` ## file name of this script.
logger="${myname}.log"
export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/ export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
logger="${myname}.log"
# Check for required program(s) # Check for required program(s)
req_progs='docker netstat grep awk' req_progs='docker netstat grep awk'
for p in $req_progs; do for p in $req_progs; do
command -v $p >/dev/null 2>&1 || { printf "$p command not found.\n"; exit 1; } command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done done
# Ensure we can connect to docker daemon # Ensure we can connect to docker daemon
`docker ps -q >/dev/null 2>&1` docker ps -q >/dev/null 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
printf "Error connecting to docker daemon (does docker ps work?)\n" printf "Error connecting to docker daemon (does docker ps work?)\n"
exit 1 exit 1
@ -36,9 +35,9 @@ fi
usage () { usage () {
printf " printf "
usage: $myname [options] usage: %s [options]
-h optional Print this help message\n" -h optional Print this help message\n" "$myname"
exit 1 exit 1
} }
@ -51,10 +50,10 @@ yell "# ------------------------------------------------------------------------
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------" # ------------------------------------------------------------------------------"
logit "Initializing `date`\n" logit "Initializing $(date)\n"
# Warn if not root # Warn if not root
ID=`id -u` ID=$(id -u)
if [ "x$ID" != "x0" ]; then if [ "x$ID" != "x0" ]; then
warn "Some tests might require root to run" warn "Some tests might require root to run"
sleep 3 sleep 3
@ -73,19 +72,19 @@ done
# Load all the tests from tests/ and run them # Load all the tests from tests/ and run them
main () { main () {
# List all running containers # List all running containers
containers=`docker ps -q` containers=$(docker ps -q)
# If there is a container with label docker-bench, memorize it: # If there is a container with label docker-bench, memorize it:
benchcont="nil" benchcont="nil"
for c in $containers; do for c in $containers; do
labels=`docker inspect --format '{{ .Config.Labels }}' $c` labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
contains "$labels" "docker-bench" && benchcont="$c" contains "$labels" "docker-bench" && benchcont="$c"
done done
# List all running containers except docker-bench # List all running containers except docker-bench
containers=`docker ps -q | grep -v $benchcont` containers=$(docker ps -q | grep -v "$benchcont")
for test in tests/*.sh for test in tests/*.sh
do do
. ./$test . ./"$test"
done done
} }

8
helper_lib.sh
View file

@ -10,10 +10,10 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es
do_version_check() { do_version_check() {
[ "$1" = "$2" ] && return 10 [ "$1" = "$2" ] && return 10
ver1front=`printf $1 | cut -d "." -f -1` ver1front=$(printf "%s" "$1" | cut -d "." -f -1)
ver1back=`printf $1 | cut -d "." -f 2-` ver1back=$(printf "%s" "$1" | cut -d "." -f 2-)
ver2front=`printf $2 | cut -d "." -f -1` ver2front=$(printf "%s" "$2" | cut -d "." -f -1)
ver2back=`printf $2 | cut -d "." -f 2-` ver2back=$(printf "%s" "$2" | cut -d "." -f 2-)
if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then
[ "$ver1front" -gt "$ver2front" ] && return 11 [ "$ver1front" -gt "$ver2front" ] && return 11

11
output_lib.sh
View file

@ -1,3 +1,4 @@
#!/bin/sh
bldred='\033[1;31m' bldred='\033[1;31m'
bldgrn='\033[1;32m' bldgrn='\033[1;32m'
bldblu='\033[1;34m' bldblu='\033[1;34m'
@ -5,21 +6,21 @@ bldylw='\033[1;33m' # Yellow
txtrst='\033[0m' txtrst='\033[0m'
logit () { logit () {
printf "$1\n" | tee -a $logger printf "%b\n" "$1" | tee -a "$logger"
} }
info () { info () {
printf '%b' "${bldblu}[INFO]${txtrst} $1\n" | tee -a $logger printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger"
} }
pass () { pass () {
printf '%b' "${bldgrn}[PASS]${txtrst} $1\n" | tee -a $logger printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger"
} }
warn () { warn () {
printf '%b' "${bldred}[WARN]${txtrst} $1\n" | tee -a $logger printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
} }
yell () { yell () {
printf '%b' "${bldylw}$1${txtrst}\n" printf "%b\n" "${bldylw}$1${txtrst}\n"
} }

14
tests/1_host_configuration.sh
View file

@ -14,8 +14,8 @@ fi
# 1.2 # 1.2
check_1_2="1.2 - Use an updated Linux Kernel" check_1_2="1.2 - Use an updated Linux Kernel"
kernel_version=`uname -r | cut -d "-" -f 1` kernel_version=$(uname -r | cut -d "-" -f 1)
do_version_check 3.10 $kernel_version do_version_check 3.10 "$kernel_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
warn "$check_1_2" warn "$check_1_2"
else else
@ -25,11 +25,11 @@ fi
# 1.5 # 1.5
check_1_5="1.5 - Remove all non-essential services from the host - Network" check_1_5="1.5 - Remove all non-essential services from the host - Network"
# Check for listening network services. # Check for listening network services.
listening_services=`netstat -na | grep -v tcp6 | grep -v unix | grep LISTEN | wc -l` listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
if [ $listening_services -eq 0 ]; then if [ "$listening_services" -eq 0 ]; then
warn "1.5 - Failed to get listening services for check: $check_1_5" warn "1.5 - Failed to get listening services for check: $check_1_5"
else else
if [ $listening_services -gt 5 ]; then if [ "$listening_services" -gt 5 ]; then
warn "$check_1_5" warn "$check_1_5"
warn " * Host listening on: $listening_services ports" warn " * Host listening on: $listening_services ports"
else else
@ -39,8 +39,8 @@ fi
# 1.6 # 1.6
check_1_6="1.6 - Keep Docker up to date" check_1_6="1.6 - Keep Docker up to date"
docker_version=`docker version | grep 'Server version' | awk '{print $3}'`
do_version_check 1.6.2 $docker_version do_version_check 1.6.2 $docker_version
docker version | grep 'Server version' | awk '{print $3}'
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
warn "$check_1_6" warn "$check_1_6"
else else
@ -49,7 +49,7 @@ fi
# 1.7 # 1.7
check_1_7="1.7 - Only allow trusted users to control Docker daemon" check_1_7="1.7 - Only allow trusted users to control Docker daemon"
docker_users=`grep docker /etc/group` docker_users=$(grep docker /etc/group)
info "$check_1_7" info "$check_1_7"
for u in $docker_users; do for u in $docker_users; do
info " * $u" info " * $u"

22
tests/2_docker_daemon_configuration.sh
View file

@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration"
# 2.1 # 2.1
check_2_1="2.1 - Do not use lxc execution driver" check_2_1="2.1 - Do not use lxc execution driver"
$ps_command $ps_args | grep docker | grep lxc >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_1" warn "$check_2_1"
else else
@ -14,7 +14,7 @@ fi
# 2.2 # 2.2
check_2_2="2.2 - Restrict network traffic between containers" check_2_2="2.2 - Restrict network traffic between containers"
$ps_command $ps_args | grep docker | grep "icc=false" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_2" pass "$check_2_2"
else else
@ -23,7 +23,7 @@ fi
# 2.3 # 2.3
check_2_3="2.3 - Set the logging level" check_2_3="2.3 - Set the logging level"
$ps_command $ps_args | grep docker | grep "log-level=\"debug\"" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_3" warn "$check_2_3"
else else
@ -32,7 +32,7 @@ fi
# 2.4 # 2.4
check_2_4="2.4 - Allow Docker to make changes to iptables" check_2_4="2.4 - Allow Docker to make changes to iptables"
$ps_command $ps_args | grep docker | grep "iptables=false" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_4" warn "$check_2_4"
else else
@ -41,7 +41,7 @@ fi
# 2.5 # 2.5
check_2_5="2.5 - Do not use insecure registries" check_2_5="2.5 - Do not use insecure registries"
$ps_command $ps_args | grep docker | grep "insecure-registry" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_5" warn "$check_2_5"
else else
@ -50,7 +50,7 @@ fi
# 2.6 # 2.6
check_2_6="2.6 - Setup a local registry mirror" check_2_6="2.6 - Setup a local registry mirror"
$ps_command $ps_args | grep docker | grep "registry-mirror" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_6" pass "$check_2_6"
else else
@ -60,7 +60,7 @@ fi
# 2.7 # 2.7
check_2_7="2.7 - Do not use the aufs storage driver" check_2_7="2.7 - Do not use the aufs storage driver"
storage_driver=`docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"` docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_7" warn "$check_2_7"
else else
@ -69,7 +69,7 @@ fi
# 2.8 # 2.8
check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket" check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket"
$ps_command $ps_args | grep docker | grep "\-H" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
info "$check_2_8" info "$check_2_8"
info " * Docker daemon running with -H" info " * Docker daemon running with -H"
@ -79,9 +79,9 @@ fi
# 2.9 # 2.9
check_2_9="2.9 - Configure TLS authentication for Docker daemon" check_2_9="2.9 - Configure TLS authentication for Docker daemon"
$ps_command $ps_args | grep docker | grep "tcp://" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
$ps_command $ps_args | grep docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_9" pass "$check_2_9"
info " * Docker daemon currently listening on TCP" info " * Docker daemon currently listening on TCP"
@ -96,7 +96,7 @@ fi
# 2.10 # 2.10
check_2_10="2.10 - Set default ulimit as appropriate" check_2_10="2.10 - Set default ulimit as appropriate"
$ps_command $ps_args | grep docker | grep "default-ulimit" >/dev/null 2>&1 pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_10" pass "$check_2_10"
else else

32
tests/3_docker_daemon_configuration_files.sh
View file

@ -247,10 +247,10 @@ fi
check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755"
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
perms=`ls -ld $directory | awk '{print $1}'` perms=$(ls -ld $directory | awk '{print $1}')
if [ $perms = "drwxr-xr-x." ]; then if [ "$perms" = "drwxr-xr-x." ]; then
pass "$check_3_16" pass "$check_3_16"
elif [ $perms = "drwx------" ]; then elif [ "$perms" = "drwx------" ]; then
pass "$check_3_16" pass "$check_3_16"
else else
warn "$check_3_16" warn "$check_3_16"
@ -266,9 +266,9 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
owners=`ls -lL $directory/* | grep .crt | awk '{print $3, $4}'` owners=$(ls -lL "$directory"/*.crt | awk '{print "$3", "$4"}')
for p in $owners; do for p in $owners; do
printf "$p" | grep "root" >/dev/null 2>&1 printf "%s" "$p" | grep "root" >/dev/null 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
fail=1 fail=1
fi fi
@ -289,7 +289,7 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
perms=`ls -lL $directory/* | grep .crt | awk '{print $1}'` perms=$(ls -lL "$directory"/*.crt | awk '{print $1}')
for p in $perms; do for p in $perms; do
if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then
fail=1 fail=1
@ -308,7 +308,7 @@ fi
# 3.19 # 3.19
check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root"
tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1` tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -324,9 +324,9 @@ fi
# 3.20 # 3.20
check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444" check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444"
tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1` tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
perms=`ls -ld "$tlscacert" | awk '{print $1}'` perms=$(ls -ld "$tlscacert" | awk '{print $1}')
if [ "$perms" = "-rw-r--r--" ]; then if [ "$perms" = "-rw-r--r--" ]; then
pass "$check_3_20" pass "$check_3_20"
else else
@ -340,7 +340,7 @@ fi
# 3.21 # 3.21
check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root"
tlscert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1` tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -356,9 +356,9 @@ fi
# 3.22 # 3.22
check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444" check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444"
tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1` tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
perms=`ls -ld "$tlscert" | awk '{print $1}'` perms=$(ls -ld "$tlscert" | awk '{print $1}')
if [ "$perms" = "-rw-r--r--" ]; then if [ "$perms" = "-rw-r--r--" ]; then
pass "$check_3_22" pass "$check_3_22"
else else
@ -372,7 +372,7 @@ fi
# 3.23 # 3.23
check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root"
tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1` tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -388,9 +388,9 @@ fi
# 3.24 # 3.24
check_3_24="3.24 - Verify that Docker server key file permissions are set to 400" check_3_24="3.24 - Verify that Docker server key file permissions are set to 400"
tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1` tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
perms=`ls -ld "$tlskey" | awk '{print $1}'` perms=$(ls -ld "$tlskey" | awk '{print $1}')
if [ "$perms" = "-r--------" ]; then if [ "$perms" = "-r--------" ]; then
pass "$check_3_24" pass "$check_3_24"
else else
@ -422,7 +422,7 @@ fi
check_3_26="3.26 - Verify that Docker socket file permissions are set to 660" check_3_26="3.26 - Verify that Docker socket file permissions are set to 660"
file="/var/run/docker.sock" file="/var/run/docker.sock"
if [ -f "$file" ]; then if [ -f "$file" ]; then
perms=`ls -ld "$file" | awk '{print $1}'` perms=$(ls -ld "$file" | awk '{print $1}')
if [ "$perms" = "srw-rw----" ]; then if [ "$perms" = "srw-rw----" ]; then
pass "$check_3_26" pass "$check_3_26"
else else

2
tests/4_container_images.sh
View file

@ -17,7 +17,7 @@ else
set -f; IFS=$' set -f; IFS=$'
' '
for c in $containers; do for c in $containers; do
user=`docker inspect --format 'User={{.Config.User}}' $c` user=$(docker inspect --format 'User={{.Config.User}}' "$c")
if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test

44
tests/5_container_runtime.sh
View file

@ -15,7 +15,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c` policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c")
if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=<no value>" ]; then if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -38,7 +38,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c` policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "$c")
if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=<no value>" ]; then if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -61,15 +61,15 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
exec_check=`docker exec $c ps -el 2>/dev/null` exec_check=$(docker exec "$c" ps -el 2>/dev/null)
if [ $? -eq 255 ]; then if [ $? -eq 255 ]; then
warn "$check_5_3" warn "$check_5_3"
warn " * Docker exec fails: $c" warn " * Docker exec fails: $c"
fail=1 fail=1
fi fi
processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'` processes=$(docker exec "$c" ps -el 2>/dev/null | wc -l | awk '{print $1}')
if [ $processes -gt 5 ]; then if [ "$processes" -gt 5 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_3" warn "$check_5_3"
@ -90,7 +90,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c` caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c")
if [ "$caps" != "CapAdd=" -a "$caps" != "CapAdd=[]" -a "$caps" != "CapAdd=<no value>" ]; then if [ "$caps" != "CapAdd=" -a "$caps" != "CapAdd=[]" -a "$caps" != "CapAdd=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -113,7 +113,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c` privileged=$(docker inspect --format '{{ .HostConfig.Privileged }}' "$c")
if [ "$privileged" = "true" ]; then if [ "$privileged" = "true" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -145,7 +145,7 @@ else
/usr' /usr'
fail=0 fail=0
for c in $containers; do for c in $containers; do
volumes=`docker inspect --format '{{ .VolumesRW }}' $c` volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
# Go over each directory in sensitive dir and see if they exist in the volumes # Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do for v in $sensitive_dirs; do
sensitive=0 sensitive=0
@ -172,14 +172,14 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
exec_check=`docker exec $c ps -el 2>/dev/null` docker exec "$c" ps -el 2>/dev/null
if [ $? -eq 255 ]; then if [ $? -eq 255 ]; then
warn "$check_5_7" warn "$check_5_7"
warn " * Docker exec failed: $c" warn " * Docker exec failed: $c"
fail=1 fail=1
fi fi
processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'` processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}')
if [ $processes -gt 1 ]; then if [ $processes -gt 1 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
@ -201,7 +201,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
port=`docker port $c | awk '{print $1}' | cut -d '/' -f1` port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1)
if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -224,7 +224,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c` mode=$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' "$c")
if [ "$mode" = "NetworkMode=host" ]; then if [ "$mode" = "NetworkMode=host" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -247,9 +247,9 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
memory=`docker inspect --format '{{ .Config.Memory }}' $c` memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")
if [ $memory = "0" ]; then if [ "$memory" = "0" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_11" warn "$check_5_11"
@ -270,7 +270,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
shares=`docker inspect --format '{{ .Config.CpuShares }}' $c` shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
if [ "$shares" = "0" ]; then if [ "$shares" = "0" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -293,7 +293,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c` read_status=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$c")
if [ "$read_status" = "false" ]; then if [ "$read_status" = "false" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -316,7 +316,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1` ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1)
if [ "$ip" = "0.0.0.0" ]; then if [ "$ip" = "0.0.0.0" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
@ -338,7 +338,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c` policy=$(docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' "$c")
if [ "$policy" = "RestartPolicyName=always" ]; then if [ "$policy" = "RestartPolicyName=always" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -361,7 +361,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c` mode=$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' "$c")
if [ "$mode" = "PidMode=host" ]; then if [ "$mode" = "PidMode=host" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -384,7 +384,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c` mode=$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' "$c")
if [ "$mode" = "IpcMode=host" ]; then if [ "$mode" = "IpcMode=host" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -407,7 +407,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c` devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "$c")
if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=<no value>" ]; then if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -431,7 +431,7 @@ else
# List all the running containers, ouput their ID and host devices # List all the running containers, ouput their ID and host devices
fail=0 fail=0
for c in $containers; do for c in $containers; do
ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c` ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=<no value>" ]; then if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test

14
tests/6_docker_security_operations.sh
View file

@ -15,7 +15,7 @@ else
set -f; IFS=$' set -f; IFS=$'
' '
for c in $containers; do for c in $containers; do
volumes=`docker inspect --format '{{ .Volumes }}' $c` volumes=$(docker inspect --format '{{ .Volumes }}' "$c")
if [ "$volumes" = "map[]" ]; then if [ "$volumes" = "map[]" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -36,8 +36,8 @@ set +f; unset IFS
# 6.6 # 6.6
check_6_6="6.6 - Avoid image sprawl" check_6_6="6.6 - Avoid image sprawl"
images=`docker images | wc -l | awk '{print $1}'` images=$(docker images | wc -l | awk '{print $1}')
if [ $images -gt 100 ]; then if [ "$images" -gt 100 ]; then
warn "$check_6_6" warn "$check_6_6"
warn " * There are currently: $images images" warn " * There are currently: $images images"
else else
@ -47,10 +47,10 @@ fi
# 6.7 # 6.7
check_6_7="6.7 - Avoid container sprawl" check_6_7="6.7 - Avoid container sprawl"
total_containers=`docker info 2>/dev/null | grep "Containers" | awk '{print $2}'` total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
running_containers=`docker ps -q | wc -l | awk '{print $1}'` running_containers=$(docker ps -q | wc -l | awk '{print $1}')
diff=`expr "$total_containers" - "$running_containers"` diff="$(($total_containers - $running_containers))"
if [ $diff -gt 25 ]; then if [ "$diff" -gt 25 ]; then
warn "$check_6_7" warn "$check_6_7"
warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
else else