Merge pull request #234 from konstruktoid/configuration_file_args

Modify get_docker_configuration_file_args
Thomas Sjögren 2017-03-23 11:11:14 +01:00 committed by GitHub
commit 3ba6138958
3 changed files with 32 additions and 33 deletions


@ -92,6 +92,8 @@ get_docker_configuration_file_args() {
else else
CONFIG_FILE='/dev/null' CONFIG_FILE='/dev/null'
fi fi
grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",
} }
get_systemd_service_file(){ get_systemd_service_file(){
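Review bot: The pipeline on the new `grep … | sed … | tr` line makes the function's exit status that of `tr`, which is 0 even when grep matched nothing, so callers in this same commit that branch on `get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2` can never reach their command-line fallback unless the shell runs with pipefail, which a `/bin/sh` script cannot rely on. Capture the value and return non-zero when it is empty: `value=$(grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",)` / `[ -n "$value" ] || return 1` / `printf '%s\n' "$value"`. Note also that `grep "$OPTION"` is an unanchored substring match, so a pattern like `tls` also hits `tlsverify` and `tlscacert`, and `sed 's/.*: //g'` assumes one `"key": value` pair per line separated by exactly `: `; a comment stating those assumptions, e.g. `# expects one "key": value pair per line; pass a pattern specific enough not to match sibling keys`, would save the next caller from the same trap. The function's opening lines and the assignment of CONFIG_FILE's source are outside the hunk.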


@ -67,7 +67,9 @@ fi
# 2.6 # 2.6
check_2_6="2.6 - Configure TLS authentication for Docker daemon" check_2_6="2.6 - Configure TLS authentication for Docker daemon"
if get_docker_configuration_file_args 'tls' | grep true >/dev/null 2>&1; then if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then
if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
pass "$check_2_6" pass "$check_2_6"
@ -75,6 +77,7 @@ if get_docker_configuration_file_args 'tls' | grep true >/dev/null 2>&1; then
warn "$check_2_6" warn "$check_2_6"
warn " * Docker daemon currently listening on TCP with TLS, but no verification" warn " * Docker daemon currently listening on TCP with TLS, but no verification"
fi fi
fi
else else
warn "$check_2_6" warn "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS" warn " * Docker daemon currently listening on TCP without TLS"
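Review bot: The `fi` added just before the `else` closes the `tlskey` test, so that `else` now belongs to the new `"tls":`/`"tlsverify` condition and a daemon with TLS enabled but an empty `tlskey` produces neither pass nor warn, whereas before this change that case fell into the "listening on TCP without TLS" branch. Add an else branch ahead of the new `fi`: `else` / `warn "$check_2_6"` / `warn " * Docker daemon currently listening on TCP with TLS, but no key file configured"`. The `[ $(get_docker_configuration_file_args '"tls":' | grep 'true') ]` form also relies on an unquoted command substitution (SC2046) and fails with "too many arguments" if grep ever prints more than one word; `if get_docker_configuration_file_args '"tls":' | grep -q true || get_docker_configuration_file_args '"tlsverify' | grep -q true; then` expresses the same test safely. The outer `grep -i 'tcp://' "$CONFIG_FILE"` depends on `CONFIG_FILE` having been set as a side effect of an earlier helper call, which this hunk does not show. The closing `fi` and else branch of that outer tcp:// test are outside the hunk.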


@ -82,9 +82,7 @@ fi
check_3_6="3.6 - Verify that /etc/docker directory permissions are set to 755 or more restrictive" check_3_6="3.6 - Verify that /etc/docker directory permissions are set to 755 or more restrictive"
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -eq 755 ]; then if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_6"
elif [ "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_6" pass "$check_3_6"
else else
warn "$check_3_6" warn "$check_3_6"
@ -100,10 +98,9 @@ check_3_7="3.7 - Verify that registry certificate file ownership is set to root
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}') owners=$(find "$directory" -type f -name '*.crt')
for p in $owners; do for p in $owners; do
printf "%s" "$p" | grep "root" >/dev/null 2>&1 if [ "$(stat -c %u $p)" -ne 0 ]; then
if [ $? -ne 0 ]; then
fail=1 fail=1
fi fi
done done
@ -123,9 +120,9 @@ check_3_8="3.8 - Verify that registry certificate file permissions are set to 4
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}') perms=$(find "$directory" -type f -name '*.crt')
for p in $perms; do for p in $perms; do
if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then if [ "$(stat -c %a $p)" -ne 444 -a "$(stat -c %a $p)" -ne 400 ]; then
fail=1 fail=1
fi fi
done done
@ -142,8 +139,8 @@ fi
# 3.9 # 3.9
check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root" check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root"
if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",) tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
@ -161,14 +158,13 @@ fi
# 3.10 # 3.10
check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive" check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive"
if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",) tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
perms=$(ls -ld "$tlscacert" | awk '{print $1}') if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_10" pass "$check_3_10"
else else
warn "$check_3_10" warn "$check_3_10"
@ -181,8 +177,8 @@ fi
# 3.11 # 3.11
check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root" check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root"
if get_docker_configuration_file_args 'tlscert' | grep -v ""; then if get_docker_configuration_file_args 'tlscert' 2>/dev/null 1>&2; then
tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",) tlscert=$(get_docker_configuration_file_args 'tlscert')
else else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
@ -200,14 +196,13 @@ fi
# 3.12 # 3.12
check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive" check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive"
if get_docker_configuration_file_args 'tlscert' | grep -v ""; then if get_docker_configuration_file_args 'tlscert' 2>/dev/null 1>&2; then
tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",) tlscert=$(get_docker_configuration_file_args 'tlscert')
else else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
perms=$(ls -ld "$tlscert" | awk '{print $1}') if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_12" pass "$check_3_12"
else else
warn "$check_3_12" warn "$check_3_12"
@ -220,8 +215,8 @@ fi
# 3.13 # 3.13
check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root" check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root"
if get_docker_configuration_file_args 'tlskey' | grep -v ""; then if get_docker_configuration_file_args 'tlskey' 2>/dev/null 1>&2; then
tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",) tlskey=$(get_docker_configuration_file_args 'tlskey')
else else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
@ -239,14 +234,13 @@ fi
# 3.14 # 3.14
check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive" check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive"
if get_docker_configuration_file_args 'tlskey' | grep -v ""; then if get_docker_configuration_file_args 'tlskey' 2>/dev/null 1>&2; then
tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",) tlskey=$(get_docker_configuration_file_args 'tlskey')
else else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
perms=$(ls -ld "$tlskey" | awk '{print $1}') if [ "$(stat -c %a $tlskey)" -eq 444 -o "$(stat -c %a $tlskey)" -eq 400 ]; then
if [ "$perms" = "-r--------" ]; then
pass "$check_3_14" pass "$check_3_14"
else else
warn "$check_3_14" warn "$check_3_14"
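Review bot: The rewritten 3.14 test accepts 444 for the Docker server key file (`-eq 444 -o … -eq 400`), while the check text on the line above demands 400 or more restrictive and the removed `-r--------` comparison enforced exactly that, so a world-readable TLS private key now passes this check. Drop 444 here: `if [ "$(stat -c %a "$tlskey")" -eq 400 ]; then`. Across 3.8/3.10/3.12/3.14 the `-eq` against two literal modes also rejects files that are more restrictive than the stated maximum (440 for a certificate, for instance), and `$tlskey`, `$tlscacert`, `$tlscert` and `$p` inside `$(stat -c %a …)` are unquoted (SC2086). `stat -c` is GNU-specific where the replaced `ls -ld` was portable, which deserves a comment if the suite is meant to be Linux-only.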