Merge pull request #218 from konstruktoid/issue_157

Check configuration file settings

helper_lib.sh

@@ -77,7 +77,21 @@ get_docker_cumulative_command_line_args() {
 # Does not account for option default or implicit options.
 get_docker_effective_command_line_args() {
     OPTION="$1"
-    get_docker_cumulative_command_line_args $OPTION | tail -n1
+    get_docker_cumulative_command_line_args "$OPTION" | tail -n1
+}
+
+get_docker_configuration_file_args() {
+    OPTION="$1"
+    FILE="$(get_docker_effective_command_line_args '--config-file' | \
+        sed 's/.*=//g')"
+
+    if [ -f "$FILE" ]; then
+      CONFIG_FILE="$FILE"
+    elif [ -f '/etc/docker/daemon.json' ]; then
+      CONFIG_FILE='/etc/docker/daemon.json'
+    else
+      CONFIG_FILE='/dev/null'
+    fi
 }
 
 get_systemd_service_file(){

tests/2_docker_daemon_configuration.sh

@@ -5,7 +5,9 @@ info "2 - Docker Daemon Configuration"
 
 # 2.1
 check_2_1="2.1  - Restrict network traffic between containers"
-if get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1; then
+if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
+  pass "$check_2_1"
+elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
   pass "$check_2_1"
 else
   warn "$check_2_1"
@@ -13,7 +15,15 @@ fi
 
 # 2.2
 check_2_2="2.2  - Set the logging level"
-if get_docker_effective_command_line_args '-l' >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
+  if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
+    pass "$check_2_2"
+  elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
+    pass "$check_2_2"
+  else
+    warn "$check_2_2"
+  fi
+elif get_docker_effective_command_line_args '-l'; then
   if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
     pass "$check_2_2"
   else
@@ -27,6 +37,8 @@ fi
 check_2_3="2.3  - Allow Docker to make changes to iptables"
 if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
   warn "$check_2_3"
+elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
+  warn "$check_2_3"
 else
   pass "$check_2_3"
 fi
@@ -35,6 +47,12 @@ fi
 check_2_4="2.4  - Do not use insecure registries"
 if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
   warn "$check_2_4"
+elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
+  if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
+    pass "$check_2_4"
+  else
+    warn "$check_2_4"
+  fi
 else
   pass "$check_2_4"
 fi
@@ -49,7 +67,19 @@ fi
 
 # 2.6
 check_2_6="2.6  - Configure TLS authentication for Docker daemon"
-if get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'tls' | grep true >/dev/null 2>&1; then
+  if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
+    if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
+      pass "$check_2_6"
+    else
+      warn "$check_2_6"
+      warn "     * Docker daemon currently listening on TCP with TLS, but no verification"
+    fi
+  else
+    warn "$check_2_6"
+    warn "     * Docker daemon currently listening on TCP without TLS"
+  fi
+elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
   if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
     if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
       pass "$check_2_6"
@@ -69,7 +99,9 @@ fi
 
 # 2.7
 check_2_7="2.7  - Set default ulimit as appropriate"
-if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
+  pass "$check_2_7"
+elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
   pass "$check_2_7"
 else
   info "$check_2_7"
@@ -78,7 +110,9 @@ fi
 
 # 2.8
 check_2_8="2.8  - Enable user namespace support"
-if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
+  pass "$check_2_8"
+elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
   pass "$check_2_8"
 else
   warn "$check_2_8"
@@ -86,7 +120,10 @@ fi
 
 # 2.9
 check_2_9="2.9  - Confirm default cgroup usage"
-if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
+  warn "$check_2_9"
+  info "     * Confirm cgroup usage"
+elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
   warn "$check_2_9"
   info "     * Confirm cgroup usage"
 else
@@ -95,7 +132,9 @@ fi
 
 # 2.10
 check_2_10="2.10 - Do not change base device size until needed"
-if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
+  warn "$check_2_10"
+elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
   warn "$check_2_10"
 else
   pass "$check_2_10"
@@ -103,7 +142,9 @@ fi
 
 # 2.11
 check_2_11="2.11 - Use authorization plugin"
-if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
+  pass "$check_2_11"
+elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
   pass "$check_2_11"
 else
   warn "$check_2_11"
@@ -111,15 +152,17 @@ fi
 
 # 2.12
 check_2_12="2.12 - Configure centralized and remote logging"
-if get_docker_effective_command_line_args '--log-driver' | grep "log-driver" >/dev/null 2>&1; then
-  pass "$check_2_12"
-else
+if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
   warn "$check_2_12"
+else
+  pass "$check_2_12"
 fi
 
 # 2.13
 check_2_13="2.13 - Disable operations on legacy registry (v1)"
-if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
+  pass "$check_2_13"
+elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
   pass "$check_2_13"
 else
   warn "$check_2_13"
@@ -173,7 +216,9 @@ fi
 
 # 2.18
 check_2_18="2.18 - Disable Userland Proxy"
-if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
+  pass "$check_2_18"
+elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
   pass "$check_2_18"
 else
   warn "$check_2_18"

tests/3_docker_daemon_configuration_files.sh

@@ -142,7 +142,11 @@ fi
 
 # 3.9
 check_3_9="3.9  - Verify that TLS CA certificate file ownership is set to root:root"
-tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then
+  tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",)
+else
+  tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlscacert" ]; then
   if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
     pass "$check_3_9"
@@ -157,7 +161,11 @@ fi
 
 # 3.10
 check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive"
-tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then
+  tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",)
+else
+  tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlscacert" ]; then
   perms=$(ls -ld "$tlscacert" | awk '{print $1}')
   if [ "$perms" = "-r--r--r--" ]; then
@@ -173,7 +181,11 @@ fi
 
 # 3.11
 check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root"
-tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlscert' | grep -v ""; then
+  tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",)
+else
+  tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlscert" ]; then
   if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
     pass "$check_3_11"
@@ -188,7 +200,11 @@ fi
 
 # 3.12
 check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive"
-tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlscert' | grep -v ""; then
+  tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",)
+else
+  tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlscert" ]; then
   perms=$(ls -ld "$tlscert" | awk '{print $1}')
   if [ "$perms" = "-r--r--r--" ]; then
@@ -204,7 +220,11 @@ fi
 
 # 3.13
 check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root"
-tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlskey' | grep -v ""; then
+  tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",)
+else
+  tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlskey" ]; then
   if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
     pass "$check_3_13"
@@ -219,7 +239,11 @@ fi
 
 # 3.14
 check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive"
-tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlskey' | grep -v ""; then
+  tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",)
+else
+  tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlskey" ]; then
   perms=$(ls -ld "$tlskey" | awk '{print $1}')
   if [ "$perms" = "-r--------" ]; then