From 91e625b8e49f4294cde8daaece9cc47caf0906e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 21 Mar 2017 14:49:42 +0100
Subject: [PATCH 1/3] Modify get_docker_configuration_file_args in order to handle daemon.json better, and also address missing files issue.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes #231
Closes #232

Signed-off-by: Thomas Sjögren
---
 helper_lib.sh | 2 ++
 tests/2_docker_daemon_configuration.sh | 16 +++++++------
 tests/3_docker_daemon_configuration_files.sh | 24 ++++++++++----------
 3 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/helper_lib.sh b/helper_lib.sh
index d7a4618..6dea993 100644
--- a/helper_lib.sh
+++ b/helper_lib.sh
@@ -92,6 +92,8 @@ get_docker_configuration_file_args() {
 else
 CONFIG_FILE='/dev/null'
 fi
+
+ grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",
 }

 get_systemd_service_file(){
diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh
index 23f23d0..bda5ebe 100644
--- a/tests/2_docker_daemon_configuration.sh
+++ b/tests/2_docker_daemon_configuration.sh
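Review bot: The added pipeline makes the function's exit status that of `tr`, which is 0 whether or not `grep` matched, so callers that branch on the status (`if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2` in the tests/3 hunks of this patch) always take the then-branch. Returning grep's result keeps those callers meaningful, e.g. `value=$(grep "$OPTION" "$CONFIG_FILE") || return 1` followed by `printf '%s\n' "$value" | sed 's/.*: //g' | tr -d \",`. The `sed 's/.*: //g'` step also assumes a space after the colon, so a compact `"tlscacert":"/path"` entry is passed through with its key attached; `sed 's/^[^:]*:[[:space:]]*//'` handles both spellings. The enclosing function starts outside the hunk.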
@@ -67,13 +67,15 @@ fi

 # 2.6
 check_2_6="2.6 - Configure TLS authentication for Docker daemon"
-if get_docker_configuration_file_args 'tls' | grep true >/dev/null 2>&1; then
- if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
- if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
- pass "$check_2_6"
- else
- warn "$check_2_6"
- warn " * Docker daemon currently listening on TCP with TLS, but no verification"
+if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
+ if get_docker_configuration_file_args '"tls":' | grep 'true' 2>/dev/null 1>&2; then
+ if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
+ if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
+ pass "$check_2_6"
+ else
+ warn "$check_2_6"
+ warn " * Docker daemon currently listening on TCP with TLS, but no verification"
+ fi
 fi
 else
 warn "$check_2_6"
diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh
index 60fd01a..bd823b6 100644
--- a/tests/3_docker_daemon_configuration_files.sh
+++ b/tests/3_docker_daemon_configuration_files.sh
@@ -142,8 +142,8 @@ fi

 # 3.9
 check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root"
-if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then
- tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",)
+if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then
+ tlscacert=$(get_docker_configuration_file_args 'tlscacert')
 else
 tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi
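Review bot: The `tlskey` test loses its `else` branch: the added ` fi` closes the `tlsverify` test and the context ` fi` closes the `tlskey` test, so a daemon with `tls` true but an empty `tlskey` now emits neither pass nor warn, while the context `else` and its `warn "$check_2_6"` now belong to the `"tls":` test. Put an `else` / `warn "$check_2_6"` pair back before the context ` fi` so the no-key case is reported again. Separately, `grep -i 'tcp://' "$CONFIG_FILE"` depends on `CONFIG_FILE` having been set by an earlier helper call and only sees daemon.json, so a TCP listener configured on the daemon command line skips the whole TLS check; I cannot see from the hunk whether another check covers that case. The `if` chain and its closing `fi`s continue outside the hunk.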
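Review bot: The new condition `if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then` can never be false, because the helper (helper_lib.sh hunk of this patch) ends in a `grep | sed | tr` pipeline whose status is that of `tr`; when daemon.json lacks the key, `tlscacert` becomes an empty string and the `get_docker_effective_command_line_args` fallback on the context line is dead code. Testing the output instead keeps the fallback reachable: `if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then`. The 3.10, 3.11, 3.12, 3.13 and 3.14 hunks of this patch introduce the same condition and need the same change.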
@@ -161,8 +161,8 @@ fi

 # 3.10
 check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive"
-if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then
- tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",)
+if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then
+ tlscacert=$(get_docker_configuration_file_args 'tlscacert')
 else
 tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi
@@ -181,8 +181,8 @@ fi

 # 3.11
 check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root"
-if get_docker_configuration_file_args 'tlscert' | grep -v ""; then
- tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",)
+if get_docker_configuration_file_args 'tlscert' 2>/dev/null 1>&2; then
+ tlscert=$(get_docker_configuration_file_args 'tlscert')
 else
 tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi
@@ -200,8 +200,8 @@ fi

 # 3.12
 check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive"
-if get_docker_configuration_file_args 'tlscert' | grep -v ""; then
- tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",)
+if get_docker_configuration_file_args 'tlscert' 2>/dev/null 1>&2; then
+ tlscert=$(get_docker_configuration_file_args 'tlscert')
 else
 tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi
@@ -220,8 +220,8 @@ fi

 # 3.13
 check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root"
-if get_docker_configuration_file_args 'tlskey' | grep -v ""; then
- tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",)
+if get_docker_configuration_file_args 'tlskey' 2>/dev/null 1>&2; then
+ tlskey=$(get_docker_configuration_file_args 'tlskey')
 else
 tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi
@@ -239,8 +239,8 @@ fi

 # 3.14
 check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive"
-if get_docker_configuration_file_args 'tlskey' | grep -v ""; then
- tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",)
+if get_docker_configuration_file_args 'tlskey' 2>/dev/null 1>&2; then
+ tlskey=$(get_docker_configuration_file_args 'tlskey')
 else
 tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi

From 754e0ed02bc9b7175890e7d5a7f25b6bc162314d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 21 Mar 2017 16:17:08 +0100
Subject: [PATCH 2/3] tlsverify implies tls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren
---
 tests/2_docker_daemon_configuration.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh
index bda5ebe..74e38e9 100644
--- a/tests/2_docker_daemon_configuration.sh
+++ b/tests/2_docker_daemon_configuration.sh
@@ -68,7 +68,8 @@ fi
 # 2.6
 check_2_6="2.6 - Configure TLS authentication for Docker daemon"
 if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
- if get_docker_configuration_file_args '"tls":' | grep 'true' 2>/dev/null 1>&2; then
+ if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
+ [ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then
 if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
 if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
 pass "$check_2_6"

From 6105ff664188eb9e0880090bf99b73a24da3e917 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 22 Mar 2017 15:23:04 +0100
Subject: [PATCH 3/3] use stat when checking permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren
---
 tests/3_docker_daemon_configuration_files.sh | 22 +++++++------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh
index bd823b6..4177daf 100644
--- a/tests/3_docker_daemon_configuration_files.sh
+++ b/tests/3_docker_daemon_configuration_files.sh
@@ -82,9 +82,7 @@ fi
 check_3_6="3.6 - Verify that /etc/docker directory permissions are set to 755 or more restrictive"
 directory="/etc/docker"
 if [ -d "$directory" ]; then
- if [ "$(stat -c %a $directory)" -eq 755 ]; then
- pass "$check_3_6"
- elif [ "$(stat -c %a $directory)" -eq 700 ]; then
+ if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
 pass "$check_3_6"
 else
 warn "$check_3_6"
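Review bot: `[ $(get_docker_configuration_file_args '"tls":' | grep 'true') ]` tests an unquoted substitution, which only works because the helper happens to emit one word; two matching lines or a value with whitespace expand to `[ true true ]`, which `[` reports as an error rather than as false. The grep status is the intended signal, so `if get_docker_configuration_file_args '"tls":' | grep 'true' >/dev/null 2>&1 || \` / `get_docker_configuration_file_args '"tlsverify":' | grep 'true' >/dev/null 2>&1; then` expresses it directly and matches the redirection style of the two context lines below. The second pattern `'"tlsverify'` also lacks the closing quote that `'"tls":'` has; `'"tlsverify":'` keeps the two consistent. The rest of the `if` chain is outside the hunk.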
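Review bot: The merged condition still accepts only the exact modes 755 and 700 although the check title says "755 or more restrictive", so a directory at 750 or 711 is reported as a warn. A mask test states the intent in one line, drops the deprecated `-o` operator and quotes the path: `if [ $(( 0$(stat -c %a "$directory") & 022 )) -eq 0 ]; then`. The 3.8, 3.10 and 3.12 hunks of this patch compare against 444/400 the same way and would take the corresponding mask (`& 0333` for "444 or more restrictive").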
@@ -100,10 +98,9 @@ check_3_7="3.7 - Verify that registry certificate file ownership is set to root
 directory="/etc/docker/certs.d/"
 if [ -d "$directory" ]; then
 fail=0
- owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}')
+ owners=$(find "$directory" -type f -name '*.crt')
 for p in $owners; do
- printf "%s" "$p" | grep "root" >/dev/null 2>&1
- if [ $? -ne 0 ]; then
+ if [ "$(stat -c %u $p)" -ne 0 ]; then
 fail=1
 fi
 done
@@ -123,9 +120,9 @@ check_3_8="3.8 - Verify that registry certificate file permissions are set to 4
 directory="/etc/docker/certs.d/"
 if [ -d "$directory" ]; then
 fail=0
- perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')
+ perms=$(find "$directory" -type f -name '*.crt')
 for p in $perms; do
- if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then
+ if [ "$(stat -c %a $p)" -ne 444 -a "$(stat -c %a $p)" -ne 400 ]; then
 fail=1
 fi
 done
@@ -167,8 +164,7 @@ else
 tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi
 if [ -f "$tlscacert" ]; then
- perms=$(ls -ld "$tlscacert" | awk '{print $1}')
- if [ "$perms" = "-r--r--r--" ]; then
+ if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
 pass "$check_3_10"
 else
 warn "$check_3_10"
@@ -206,8 +202,7 @@ else
 tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi
 if [ -f "$tlscert" ]; then
- perms=$(ls -ld "$tlscert" | awk '{print $1}')
- if [ "$perms" = "-r--r--r--" ]; then
+ if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
 pass "$check_3_12"
 else
 warn "$check_3_12"
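Review bot: `find "$directory" -type f -name '*.crt'` without `-L` does not match a `.crt` that is a symlink, which the replaced `ls -lL` did follow, so such an entry is now skipped silently and the check passes; `find -L "$directory" -type f -name '*.crt'` together with `stat -L -c %u` keeps the old coverage. The result is then word-split by `for p in $owners` and passed unquoted as `stat -c %u $p`, so a path with whitespace splits into two arguments, `stat` fails, and `[ "" -ne 0 ]` is a test error rather than a fail. The 3.8 hunk below has both problems with `$perms`. Quoting `"$p"` fixes the second half; letting find call stat (`find -L "$directory" -type f -name '*.crt' -exec stat -L -c %u {} +`) avoids the split altogether.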
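Review bot: `stat -c %a $tlscacert` leaves the path unquoted in both calls while the `-f` test on the context line above quotes the same variable; a path containing whitespace makes `stat` fail and the `-eq` comparison error out instead of warning. Quote it consistently, `"$(stat -c %a "$tlscacert")"`, and likewise `$tlscert` in the 3.12 hunk below. The `if`/`else` continues outside the hunk.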
@@ -245,8 +240,7 @@ else
 tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
 fi
 if [ -f "$tlskey" ]; then
- perms=$(ls -ld "$tlskey" | awk '{print $1}')
- if [ "$perms" = "-r--------" ]; then
+ if [ "$(stat -c %a $tlskey)" -eq 444 -o "$(stat -c %a $tlskey)" -eq 400 ]; then
 pass "$check_3_14"
 else
 warn "$check_3_14"
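Review bot: The new condition accepts mode 444 for the server key file although the check title says "400 or more restrictive" and the replaced line accepted only `-r--------`, so a world-readable private key changes from warn to pass with this hunk. Keep the key-specific bound, either `-eq 400` alone in the exact-value style or as a mask, `if [ $(( 0$(stat -c %a "$tlskey") & 0377 )) -eq 0 ]; then`, which also quotes the path. The `if`/`else` continues outside the hunk.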