initial commit of tests/7_docker_swarm_configuration.sh v1.3.1
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
parent
3a9deae328
commit
4e379bbaf9
1 changed files with 25 additions and 25 deletions
|
@ -1,4 +1,4 @@
|
||||||
#!/bin/sh
|
#!/bin/bash
|
||||||
|
|
||||||
check_7() {
|
check_7() {
|
||||||
logit ""
|
logit ""
|
||||||
|
@ -11,10 +11,10 @@ check_7() {
|
||||||
|
|
||||||
check_7_1() {
|
check_7_1() {
|
||||||
local id="7.1"
|
local id="7.1"
|
||||||
local desc="Ensure swarm mode is not Enabled, if not needed (Scored)"
|
local desc="Ensure swarm mode is not Enabled, if not needed (Automated)"
|
||||||
local remediation="If swarm mode has been enabled on a system in error, you should run the command: docker swarm leave"
|
local remediation="If swarm mode has been enabled on a system in error, you should run the command: docker swarm leave"
|
||||||
local remediationImpact="Disabling swarm mode will impact the operation of Docker Enterprise components if these are in use."
|
local remediationImpact="Disabling swarm mode will impact the operation of Docker Enterprise components if these are in use."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
|
||||||
|
@ -28,10 +28,10 @@ check_7_1() {
|
||||||
|
|
||||||
check_7_2() {
|
check_7_2() {
|
||||||
local id="7.2"
|
local id="7.2"
|
||||||
local desc="Ensure that the minimum number of manager nodes have been created in a swarm (Scored)"
|
local desc="Ensure that the minimum number of manager nodes have been created in a swarm (Automated)"
|
||||||
local remediation="If an excessive number of managers is configured, the excess nodes can be demoted to workers using command: docker node demote <manager node ID to be demoted>"
|
local remediation="If an excessive number of managers is configured, the excess nodes can be demoted to workers using command: docker node demote <manager node ID to be demoted>"
|
||||||
local remediationImpact="None."
|
local remediationImpact="None."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||||
|
@ -51,17 +51,17 @@ check_7_2() {
|
||||||
|
|
||||||
check_7_3() {
|
check_7_3() {
|
||||||
local id="7.3"
|
local id="7.3"
|
||||||
local desc="Ensure that swarm services are bound to a specific host interface (Scored)"
|
local desc="Ensure that swarm services are bound to a specific host interface (Automated)"
|
||||||
local remediation="Resolving this issues requires re-initialization of the swarm, specifying a specific interface for the --listen-addr parameter."
|
local remediation="Resolving this issues requires re-initialization of the swarm, specifying a specific interface for the --listen-addr parameter."
|
||||||
local remediationImpact="None."
|
local remediationImpact="None."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||||
$netbin -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
|
$netbin -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
|
||||||
if [ $? -eq 1 ]; then
|
if [ $? -eq 1 ]; then
|
||||||
pass -s "$check"
|
pass -s "$check"
|
||||||
logcheckresult "PASS"
|
logcheckresult "PASS"
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
warn -s "$check"
|
warn -s "$check"
|
||||||
|
@ -69,15 +69,15 @@ check_7_3() {
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
pass -s "$check (Swarm mode not enabled)"
|
pass -s "$check (Swarm mode not enabled)"
|
||||||
logcheckresult "PASS"
|
logcheckresult "PASS"
|
||||||
}
|
}
|
||||||
|
|
||||||
check_7_4() {
|
check_7_4() {
|
||||||
local id="7.4"
|
local id="7.4"
|
||||||
local desc="Ensure that all Docker swarm overlay networks are encrypted (Scored)"
|
local desc="Ensure that all Docker swarm overlay networks are encrypted (Automated)"
|
||||||
local remediation="You should create overlay networks the with --opt encrypted flag."
|
local remediation="You should create overlay networks the with --opt encrypted flag."
|
||||||
local remediationImpact="None."
|
local remediationImpact="None."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
|
@ -97,7 +97,7 @@ check_7_4() {
|
||||||
# We went through all the networks and found none that are unencrypted
|
# We went through all the networks and found none that are unencrypted
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
pass -s "$check"
|
pass -s "$check"
|
||||||
logcheckresult "PASS"
|
logcheckresult "PASS"
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
|
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
|
||||||
|
@ -105,10 +105,10 @@ check_7_4() {
|
||||||
|
|
||||||
check_7_5() {
|
check_7_5() {
|
||||||
local id="7.5"
|
local id="7.5"
|
||||||
local desc="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Not Scored)"
|
local desc="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)"
|
||||||
local remediation="You should follow the docker secret documentation and use it to manage secrets effectively."
|
local remediation="You should follow the docker secret documentation and use it to manage secrets effectively."
|
||||||
local remediationImpact="None."
|
local remediationImpact="None."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||||
|
@ -127,10 +127,10 @@ check_7_5() {
|
||||||
|
|
||||||
check_7_6() {
|
check_7_6() {
|
||||||
local id="7.6"
|
local id="7.6"
|
||||||
local desc="Ensure that swarm manager is run in auto-lock mode (Scored)"
|
local desc="Ensure that swarm manager is run in auto-lock mode (Automated)"
|
||||||
local remediation="If you are initializing a swarm, use the command: docker swarm init --autolock. If you want to set --autolock on an existing swarm manager node, use the command: docker swarm update --autolock."
|
local remediation="If you are initializing a swarm, use the command: docker swarm init --autolock. If you want to set --autolock on an existing swarm manager node, use the command: docker swarm update --autolock."
|
||||||
local remediationImpact="A swarm in auto-lock mode will not recover from a restart without manual intervention from an administrator to enter the unlock key. This may not always be desirable, and should be reviewed at a policy level."
|
local remediationImpact="A swarm in auto-lock mode will not recover from a restart without manual intervention from an administrator to enter the unlock key. This may not always be desirable, and should be reviewed at a policy level."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||||
|
@ -144,15 +144,15 @@ check_7_6() {
|
||||||
return
|
return
|
||||||
fi
|
fi
|
||||||
pass -s "$check (Swarm mode not enabled)"
|
pass -s "$check (Swarm mode not enabled)"
|
||||||
logcheckresult "PASS"
|
logcheckresult "PASS"
|
||||||
}
|
}
|
||||||
|
|
||||||
check_7_7() {
|
check_7_7() {
|
||||||
local id="7.7"
|
local id="7.7"
|
||||||
local desc="Ensure that the swarm manager auto-lock key is rotated periodically (Not Scored)"
|
local desc="Ensure that the swarm manager auto-lock key is rotated periodically (Manual)"
|
||||||
local remediation="You should run the command docker swarm unlock-key --rotate to rotate the keys. To facilitate auditing of this recommendation, you should maintain key rotation records and ensure that you establish a pre-defined frequency for key rotation."
|
local remediation="You should run the command docker swarm unlock-key --rotate to rotate the keys. To facilitate auditing of this recommendation, you should maintain key rotation records and ensure that you establish a pre-defined frequency for key rotation."
|
||||||
local remediationImpact="None."
|
local remediationImpact="None."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||||
|
@ -166,10 +166,10 @@ check_7_7() {
|
||||||
|
|
||||||
check_7_8() {
|
check_7_8() {
|
||||||
local id="7.8"
|
local id="7.8"
|
||||||
local desc="Ensure that node certificates are rotated as appropriate (Not Scored)"
|
local desc="Ensure that node certificates are rotated as appropriate (Manual)"
|
||||||
local remediation="You should run the command docker swarm update --cert-expiry 48h to set the desired expiry time on the node certificate."
|
local remediation="You should run the command docker swarm update --cert-expiry 48h to set the desired expiry time on the node certificate."
|
||||||
local remediationImpact="None."
|
local remediationImpact="None."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||||
|
@ -188,10 +188,10 @@ check_7_8() {
|
||||||
|
|
||||||
check_7_9() {
|
check_7_9() {
|
||||||
local id="7.9"
|
local id="7.9"
|
||||||
local desc="Ensure that CA certificates are rotated as appropriate (Not Scored)"
|
local desc="Ensure that CA certificates are rotated as appropriate (Manual)"
|
||||||
local remediation="You should run the command docker swarm ca --rotate to rotate a certificate."
|
local remediation="You should run the command docker swarm ca --rotate to rotate a certificate."
|
||||||
local remediationImpact="None."
|
local remediationImpact="None."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||||
|
@ -205,10 +205,10 @@ check_7_9() {
|
||||||
|
|
||||||
check_7_10() {
|
check_7_10() {
|
||||||
local id="7.10"
|
local id="7.10"
|
||||||
local desc="Ensure that management plane traffic is separated from data plane traffic (Not Scored)"
|
local desc="Ensure that management plane traffic is separated from data plane traffic (Manual)"
|
||||||
local remediation="You should initialize the swarm with dedicated interfaces for management and data planes respectively. Example: docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3"
|
local remediation="You should initialize the swarm with dedicated interfaces for management and data planes respectively. Example: docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3"
|
||||||
local remediationImpact="This requires two network interfaces per node."
|
local remediationImpact="This requires two network interfaces per node."
|
||||||
local check="$id - $desc"
|
local check="$id - $desc"
|
||||||
starttestjson "$id" "$desc"
|
starttestjson "$id" "$desc"
|
||||||
|
|
||||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||||
|
|
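Review bot: In check_7_3 (hunk `@ -51,17`) the `$netbin -lnt | grep …` pipeline followed by `if [ $? -eq 1 ]` reports PASS whenever grep finds no match, and that includes the case where `$netbin` is missing or exits non-zero and produces no output, so a host on which the socket lister is unavailable is marked as having port 2377 bound to a specific interface. Only grep's status is examined because `$?` after a pipeline is the last stage's; with the shebang now `#!/bin/bash` the lister's own status can be captured first and the check made fail-closed, as sketched below. A smaller consistency point: 7.1–7.3 match `"Swarm:*\s(in)active\s*"` (any number of colons, exactly one whitespace character) while 7.5–7.10 use `"Swarm:\s*active\s*"`, and the latter form is the one to standardise on. check_7_3 continues into the next hunk (`@ -69,15`) and the lines between the two hunks are not shown here.
```shell
  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    local listening
    # Fail closed: a missing or failing socket lister must not turn into a PASS.
    if ! listening=$($netbin -lnt 2>/dev/null); then
      warn -s "$check (unable to list listening sockets with $netbin)"
      logcheckresult "WARN"
      return
    fi
    if ! printf '%s\n' "$listening" | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1; then
      pass -s "$check"
      logcheckresult "PASS"
      return
    fi
    warn -s "$check"
    # … unchanged: remainder of check_7_3 …
```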