Merge pull request #389 from konstruktoid/CDB120

Cdb120
This commit is contained in:
Thomas Sjögren 2019-08-28 13:12:05 +02:00 committed by GitHub
commit 5a829f9e8c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 639 additions and 326 deletions


@ -47,7 +47,9 @@ tests/
├── 4_container_images.sh ├── 4_container_images.sh
├── 5_container_runtime.sh ├── 5_container_runtime.sh
├── 6_docker_security_operations.sh ├── 6_docker_security_operations.sh
└── 7_docker_swarm_configuration.sh ├── 7_docker_swarm_configuration.sh
├── 8_docker_enterprise_configuration.sh
└── 99_community_checks.sh
``` ```
To modify the Docker Bench for Security you should first clone the repository, To modify the Docker Bench for Security you should first clone the repository,
@ -55,7 +57,7 @@ make your changes, check your code with `shellcheck`, `checkbashisms` or similar
tools, and then sign off on your commits. After that feel free to send us a tools, and then sign off on your commits. After that feel free to send us a
pull request with the changes. pull request with the changes.
While this tool was inspired by the [CIS Docker 1.11.0 benchmark](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docker16.110) While this tool was inspired by the [CIS Docker 1.11.0 benchmark](https://www.cisecurity.org/benchmark/docker/)
and its successors, feel free to add new tests. We will try to turn and its successors, feel free to add new tests. We will try to turn
[dockerbench.com](https://dockerbench.com) into a list of good community [dockerbench.com](https://dockerbench.com) into a list of good community
benchmarks for both security and performance, and we would love community benchmarks for both security and performance, and we would love community


@ -14,6 +14,7 @@ The following people, listed in alphabetical order, have contributed to docker-b
* Ernst de Haan <ernst@ernstdehaan.com> * Ernst de Haan <ernst@ernstdehaan.com>
* HuKeping <hukeping@huawei.com> * HuKeping <hukeping@huawei.com>
* Ivan Angelov <iangelov@users.noreply.github.com> * Ivan Angelov <iangelov@users.noreply.github.com>
* J0WI <J0WI@users.noreply.github.com>
* Jessica Frazelle <princess@docker.com> * Jessica Frazelle <princess@docker.com>
* Joachim Lusiardi <jlusiardi@users.noreply.github.com> * Joachim Lusiardi <jlusiardi@users.noreply.github.com>
* Joachim Lusiardi <joachim@lusiardi.de> * Joachim Lusiardi <joachim@lusiardi.de>
@ -52,4 +53,4 @@ The following people, listed in alphabetical order, have contributed to docker-b
* will Farrell <willfarrell@users.noreply.github.com> * will Farrell <willfarrell@users.noreply.github.com>
* Zvi "Viz" Effron <zeffron@riotgames.com> * Zvi "Viz" Effron <zeffron@riotgames.com>
This list was generated Sun May 5 20:30:13 UTC 2019. This list was generated Wed Aug 28 10:19:31 UTC 2019.


@ -4,9 +4,7 @@
The Docker Bench for Security is a script that checks for dozens of common The Docker Bench for Security is a script that checks for dozens of common
best-practices around deploying Docker containers in production. The tests are best-practices around deploying Docker containers in production. The tests are
all automated, and are inspired by the [CIS Docker Community Edition Benchmark v1.1.0](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_Community_Edition_Benchmark_v1.1.0.pdf). all automated, and are inspired by the [CIS Docker Benchmark v1.2.0](https://www.cisecurity.org/benchmark/docker/).
We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/)
blog post.
We are making this available as an open-source utility so the Docker community We are making this available as an open-source utility so the Docker community
can have an easy way to self-assess their hosts and docker containers against can have an easy way to self-assess their hosts and docker containers against


@ -1,4 +1,4 @@
FROM alpine:3.9 FROM alpine:3.10
LABEL \ LABEL \
org.label-schema.name="docker-bench-security" \ org.label-schema.name="docker-bench-security" \


@ -7,7 +7,7 @@
# Checks for dozens of common best-practices around deploying Docker containers in production. # Checks for dozens of common best-practices around deploying Docker containers in production.
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
version='1.3.4' version='1.3.5'
# Load dependencies # Load dependencies
. ./functions_lib.sh . ./functions_lib.sh


@ -3,18 +3,21 @@
host_configuration() { host_configuration() {
check_1 check_1
check_1_1 check_1_1
check_1_1_1
check_1_1_2
check_1_2 check_1_2
check_1_3 check_1_2_1
check_1_4 check_1_2_2
check_1_5 check_1_2_3
check_1_6 check_1_2_4
check_1_7 check_1_2_5
check_1_8 check_1_2_6
check_1_9 check_1_2_7
check_1_10 check_1_2_8
check_1_11 check_1_2_9
check_1_12 check_1_2_10
check_1_13 check_1_2_11
check_1_2_12
check_1_end check_1_end
} }
@ -37,7 +40,6 @@ docker_daemon_configuration() {
check_2_15 check_2_15
check_2_16 check_2_16
check_2_17 check_2_17
check_2_18
check_2_end check_2_end
} }
@ -63,6 +65,8 @@ docker_daemon_files() {
check_3_18 check_3_18
check_3_19 check_3_19
check_3_20 check_3_20
check_3_21
check_3_22
check_3_end check_3_end
} }
@ -141,9 +145,26 @@ docker_swarm_configuration() {
check_7_end check_7_end
} }
docker_enterprise_configuration() {
check_8
check_product_license
check_8_1
check_8_1_1
check_8_1_2
check_8_1_3
check_8_1_4
check_8_1_5
check_8_1_6
check_8_1_7
check_8_2
check_8_2_1
check_8_end
}
community_checks() { community_checks() {
check_c check_c
check_c_1 check_c_1
check_c_2
check_c_end check_c_end
} }
@ -156,6 +177,7 @@ cis() {
container_runtime container_runtime
docker_security_operations docker_security_operations
docker_swarm_configuration docker_swarm_configuration
docker_enterprise_configuration
} }
# Community contributed # Community contributed


@ -117,6 +117,6 @@ yell "# ------------------------------------------------------------------------
# Docker, Inc. (c) 2015- # Docker, Inc. (c) 2015-
# #
# Checks for dozens of common best-practices around deploying Docker containers in production. # Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0. # Inspired by the CIS Docker Benchmark v1.2.0.
# ------------------------------------------------------------------------------" # ------------------------------------------------------------------------------"
} }


@ -9,45 +9,33 @@ check_1() {
startsectionjson "$id_1" "$desc_1" startsectionjson "$id_1" "$desc_1"
} }
# 1.1
check_1_1() { check_1_1() {
logit ""
id_1_1="1.1" id_1_1="1.1"
desc_1_1="Ensure a separate partition for containers has been created" desc_1_1="General Configuration"
check_1_1="$id_1_1 - $desc_1_1" check_1_1="$id_1_1 - $desc_1_1"
starttestjson "$id_1_1" "$desc_1_1" info "$check_1_1"
totalChecks=$((totalChecks + 1))
if mountpoint -q -- "$(docker info -f '{{ .DockerRootDir }}')" >/dev/null 2>&1; then
pass "$check_1_1"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_1"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
} }
# 1.2 # 1.1.1
check_1_2() { check_1_1_1() {
id_1_2="1.2" id_1_1_1="1.1.1"
desc_1_2="Ensure the container host has been Hardened" desc_1_1_1="Ensure the container host has been Hardened"
check_1_2="$id_1_2 - $desc_1_2" check_1_1_1="$id_1_1_1 - $desc_1_1_1"
starttestjson "$id_1_2" "$desc_1_2" starttestjson "$id_1_1_1" "$desc_1_1_1"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_1_2" note "$check_1_1_1"
resulttestjson "INFO" resulttestjson "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
} }
# 1.3 # 1.1.2
check_1_3() { check_1_1_2() {
id_1_3="1.3" id_1_1_2="1.1.2"
desc_1_3="Ensure Docker is up to date" desc_1_1_2="Ensure Docker is up to date"
check_1_3="$id_1_3 - $desc_1_3" check_1_1_2="$id_1_1_2 - $desc_1_1_2"
starttestjson "$id_1_3" "$desc_1_3" starttestjson "$id_1_1_2" "$desc_1_1_2"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
@ -55,358 +43,423 @@ check_1_3() {
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version" do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
info "$check_1_3" info "$check_1_1_2"
info " * Using $docker_version, verify is it up to date as deemed necessary" info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker" info " * Your operating system vendor may provide support and security maintenance for Docker"
resulttestjson "INFO" "Using $docker_version" resulttestjson "INFO" "Using $docker_version"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
else else
pass "$check_1_3" pass "$check_1_1_2"
info " * Using $docker_version which is current" info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker" info " * Check with your operating system vendor for support and security maintenance for Docker"
resulttestjson "PASS" "Using $docker_version" resulttestjson "PASS" "Using $docker_version"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
# 1.4 check_1_2() {
check_1_4() { logit ""
id_1_4="1.4" id_1_2="1.2"
desc_1_4="Ensure only trusted users are allowed to control Docker daemon" desc_1_2="Linux Hosts Specific Configuration"
check_1_4="$id_1_4 - $desc_1_4" check_1_2="$id_1_2 - $desc_1_2"
starttestjson "$id_1_4" "$desc_1_4" info "$check_1_2"
totalChecks=$((totalChecks + 1))
docker_users=$(getent group docker)
info "$check_1_4"
for u in $docker_users; do
info " * $u"
done
resulttestjson "INFO" "users" "$docker_users"
currentScore=$((currentScore + 0))
} }
# 1.5 # 1.2.1
check_1_5() { check_1_2_1() {
id_1_5="1.5" id_1_2_1="1.2.1"
desc_1_5="Ensure auditing is configured for the Docker daemon" desc_1_2_1="Ensure a separate partition for containers has been created"
check_1_5="$id_1_5 - $desc_1_5" check_1_2_1="$id_1_2_1 - $desc_1_2_1"
starttestjson "$id_1_5" "$desc_1_5" starttestjson "$id_1_2_1" "$desc_1_2_1"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/usr/bin/docker "
if command -v auditctl >/dev/null 2>&1; then if mountpoint -q -- "$(docker info -f '{{ .DockerRootDir }}')" >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then pass "$check_1_2_1"
pass "$check_1_5"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_5"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_5"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_5" warn "$check_1_2_1"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
# 1.6 # 1.2.2
check_1_6() { check_1_2_2() {
id_1_6="1.6" id_1_2_2="1.2.2"
desc_1_6="Ensure auditing is configured for Docker files and directories - /var/lib/docker" desc_1_2_2="Ensure only trusted users are allowed to control Docker daemon"
check_1_6="$id_1_6 - $desc_1_6" check_1_2_2="$id_1_2_2 - $desc_1_2_2"
starttestjson "$id_1_6" "$desc_1_6" starttestjson "$id_1_2_2" "$desc_1_2_2"
totalChecks=$((totalChecks + 1))
docker_users=$(getent group docker)
info "$check_1_2_2"
for u in $docker_users; do
info " * $u"
done
resulttestjson "INFO" "users" "$docker_users"
currentScore=$((currentScore + 0))
}
# 1.2.3
check_1_2_3() {
id_1_2_3="1.2.3"
desc_1_2_3="Ensure auditing is configured for the Docker daemon"
check_1_2_3="$id_1_2_3 - $desc_1_2_3"
starttestjson "$id_1_2_3" "$desc_1_2_3"
totalChecks=$((totalChecks + 1))
file="/usr/bin/dockerd"
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_2_3"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_3"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_3"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_3"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 1.2.4
check_1_2_4() {
id_1_2_4="1.2.4"
desc_1_2_4="Ensure auditing is configured for Docker files and directories - /var/lib/docker"
check_1_2_4="$id_1_2_4 - $desc_1_2_4"
starttestjson "$id_1_2_4" "$desc_1_2_4"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
directory="/var/lib/docker" directory="/var/lib/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_6" pass "$check_1_2_4"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_6" warn "$check_1_2_4"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_6" pass "$check_1_2_4"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_6" warn "$check_1_2_4"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_6" info "$check_1_2_4"
info " * Directory not found" info " * Directory not found"
resulttestjson "INFO" "Directory not found" resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
# 1.7 # 1.2.5
check_1_7() { check_1_2_5() {
id_1_7="1.7" id_1_2_5="1.2.5"
desc_1_7="Ensure auditing is configured for Docker files and directories - /etc/docker" desc_1_2_5="Ensure auditing is configured for Docker files and directories - /etc/docker"
check_1_7="$id_1_7 - $desc_1_7" check_1_2_5="$id_1_2_5 - $desc_1_2_5"
starttestjson "$id_1_7" "$desc_1_7" starttestjson "$id_1_2_5" "$desc_1_2_5"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_7" pass "$check_1_2_5"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_7" warn "$check_1_2_5"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_7" pass "$check_1_2_5"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_7" warn "$check_1_2_5"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_7" info "$check_1_2_5"
info " * Directory not found" info " * Directory not found"
resulttestjson "INFO" "Directory not found" resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
# 1.8 # 1.2.6
check_1_8() { check_1_2_6() {
id_1_8="1.8" id_1_2_6="1.2.6"
desc_1_8="Ensure auditing is configured for Docker files and directories - docker.service" desc_1_2_6="Ensure auditing is configured for Docker files and directories - docker.service"
check_1_8="$id_1_8 - $desc_1_8" check_1_2_6="$id_1_2_6 - $desc_1_2_6"
starttestjson "$id_1_8" "$desc_1_8" starttestjson "$id_1_2_6" "$desc_1_2_6"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)" file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_8" pass "$check_1_2_6"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_8" warn "$check_1_2_6"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_8" pass "$check_1_2_6"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_8" warn "$check_1_2_6"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_8" info "$check_1_2_6"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
# 1.9 # 1.2.7
check_1_9() { check_1_2_7() {
id_1_9="1.9" id_1_2_7="1.2.7"
desc_1_9="Ensure auditing is configured for Docker files and directories - docker.socket" desc_1_2_7="Ensure auditing is configured for Docker files and directories - docker.socket"
check_1_9="$id_1_9 - $desc_1_9" check_1_2_7="$id_1_2_7 - $desc_1_2_7"
starttestjson "$id_1_9" "$desc_1_9" starttestjson "$id_1_2_7" "$desc_1_2_7"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)" file="$(get_systemd_service_file docker.socket)"
if [ -e "$file" ]; then if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_9" pass "$check_1_2_7"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_9" warn "$check_1_2_7"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_9" pass "$check_1_2_7"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_9" warn "$check_1_2_7"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_9" info "$check_1_2_7"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
# 1.10 # 1.2.8
check_1_10() { check_1_2_8() {
id_1_10="1.10" id_1_2_8="1.2.8"
desc_1_10="Ensure auditing is configured for Docker files and directories - /etc/default/docker" desc_1_2_8="Ensure auditing is configured for Docker files and directories - /etc/default/docker"
check_1_10="$id_1_10 - $desc_1_10" check_1_2_8="$id_1_2_8 - $desc_1_2_8"
starttestjson "$id_1_10" "$desc_1_10" starttestjson "$id_1_2_8" "$desc_1_2_8"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/default/docker" file="/etc/default/docker"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_10" pass "$check_1_2_8"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_10" warn "$check_1_2_8"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_10" pass "$check_1_2_8"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_10" warn "$check_1_2_8"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_10" info "$check_1_2_8"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
# 1.11 # 1.2.9
check_1_11() { check_1_2_9() {
id_1_11="1.11" id_1_2_9="1.2.9"
desc_1_11="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json" desc_1_2_9="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker"
check_1_11="$id_1_11 - $desc_1_11" check_1_2_9="$id_1_2_9 - $desc_1_2_9"
starttestjson "$id_1_11" "$desc_1_11" starttestjson "$id_1_2_9" "$desc_1_2_9"
totalChecks=$((totalChecks + 1))
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_2_9"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_9"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_9"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_9"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_9"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.2.10
check_1_2_10() {
id_1_2_10="1.2.10"
desc_1_2_10="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
check_1_2_10="$id_1_2_10 - $desc_1_2_10"
starttestjson "$id_1_2_10" "$desc_1_2_10"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json" file="/etc/docker/daemon.json"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_11" pass "$check_1_2_10"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_11" warn "$check_1_2_10"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_11" pass "$check_1_2_10"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_11" warn "$check_1_2_10"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_11" info "$check_1_2_10"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
# 1.12 # 1.2.11
check_1_12() { check_1_2_11() {
id_1_12="1.12" id_1_2_11="1.2.11"
desc_1_12="Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd" desc_1_2_11="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd"
check_1_12="$id_1_12 - $desc_1_12" check_1_2_11="$id_1_2_11 - $desc_1_2_11"
starttestjson "$id_1_12" "$desc_1_12" starttestjson "$id_1_2_11" "$desc_1_2_11"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-containerd" file="/usr/bin/containerd"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_12" pass "$check_1_2_11"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_12" warn "$check_1_2_11"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_12" pass "$check_1_2_11"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_12" warn "$check_1_2_11"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_12" info "$check_1_2_11"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
# 1.13 # 1.2.12
check_1_13() { check_1_2_12() {
id_1_13="1.13" id_1_2_12="1.2.12"
desc_1_13="Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc" desc_1_2_12="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc"
check_1_13="$id_1_13 - $desc_1_13" check_1_2_12="$id_1_2_12 - $desc_1_2_12"
starttestjson "$id_1_13" "$desc_1_13" starttestjson "$id_1_2_12" "$desc_1_2_12"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-runc" file="/usr/sbin/runc"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_13" pass "$check_1_2_12"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_13" warn "$check_1_2_12"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_13" pass "$check_1_2_12"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_13" warn "$check_1_2_12"
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_13" info "$check_1_2_12"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -415,4 +468,3 @@ check_1_13() {
check_1_end() { check_1_end() {
endsectionjson endsectionjson
} }
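Review bot: In the large hunk of this section the new audit checks check_1_2_3, check_1_2_11 and check_1_2_12 hard-code the binary locations `/usr/bin/dockerd`, `/usr/bin/containerd` and `/usr/sbin/runc`, so on a host whose packages install the binary elsewhere (runc lives at `/usr/bin/runc` on some distributions) check_1_2_11 and check_1_2_12 degrade to an INFO "File not found" instead of testing the audit rule, and check_1_2_3, which has no existence test at all, reports WARN even when a rule for the real dockerd path exists. Resolving the path first keeps the benchmark default as the fallback while covering those hosts, e.g. in check_1_2_12 `file="$(command -v runc 2>/dev/null || printf '%s' /usr/sbin/runc)"`, with the same pattern using `command -v dockerd` and `command -v containerd` in the other two. The new check_1_2_9 also passes `$file` to grep unquoted on the auditctl branch (`grep $file`); harmless for a fixed path, but quoting it as check_1_2_3 does keeps the checks consistent. check_1_2_12 closes outside that hunk.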


@ -316,21 +316,22 @@ check_2_12() {
# 2.13 # 2.13
check_2_13() { check_2_13() {
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
totalChecks=$((totalChecks + 1))
id_2_13="2.13" id_2_13="2.13"
desc_2_13="Ensure operations on legacy registry (v1) are Disabled" desc_2_13="Ensure live restore is Enabled"
check_2_13="$id_2_13 - $desc_2_13" check_2_13="$id_2_13 - $desc_2_13"
starttestjson "$id_2_13" "$desc_2_13" starttestjson "$id_2_13" "$desc_2_13"
if [ "$docker_version" -lt 1712 ]; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass "$check_2_13" pass "$check_2_13"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass "$check_2_13 (Incompatible with swarm mode)"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass "$check_2_13" pass "$check_2_13"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -339,94 +340,83 @@ check_2_13() {
resulttestjson "WARN" resulttestjson "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else
desc_2_13="$desc_2_13 (Deprecated)"
check_2_13="$id_2_13 - $desc_2_13"
info "$check_2_13"
resulttestjson "INFO"
fi fi
} }
# 2.14 # 2.14
check_2_14() { check_2_14() {
id_2_14="2.14" id_2_14="2.14"
desc_2_14="Ensure live restore is Enabled" desc_2_14="Ensure Userland Proxy is Disabled"
check_2_14="$id_2_14 - $desc_2_14" check_2_14="$id_2_14 - $desc_2_14"
starttestjson "$id_2_14" "$desc_2_14" starttestjson "$id_2_14" "$desc_2_14"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass "$check_2_14"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass "$check_2_14" pass "$check_2_14"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then warn "$check_2_14"
pass "$check_2_14 (Incompatible with swarm mode)" resulttestjson "WARN"
resulttestjson "PASS" currentScore=$((currentScore - 1))
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass "$check_2_14"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_14"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
fi fi
} }
# 2.15 # 2.15
check_2_15() { check_2_15() {
id_2_15="2.15" id_2_15="2.15"
desc_2_15="Ensure Userland Proxy is Disabled" desc_2_15="Ensure that a daemon-wide custom seccomp profile is applied if appropriate"
check_2_15="$id_2_15 - $desc_2_15" check_2_15="$id_2_15 - $desc_2_15"
starttestjson "$id_2_15" "$desc_2_15" starttestjson "$id_2_15" "$desc_2_15"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass "$check_2_15"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass "$check_2_15" pass "$check_2_15"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_15" info "$check_2_15"
resulttestjson "WARN" resulttestjson "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
} }
# 2.16 # 2.16
check_2_16() { check_2_16() {
id_2_16="2.16" id_2_16="2.16"
desc_2_16="Ensure daemon-wide custom seccomp profile is applied, if needed" desc_2_16="Ensure that experimental features are not implemented in production"
check_2_16="$id_2_16 - $desc_2_16" check_2_16="$id_2_16 - $desc_2_16"
starttestjson "$id_2_16" "$desc_2_16" starttestjson "$id_2_16" "$desc_2_16"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass "$check_2_16" pass "$check_2_16"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
info "$check_2_16" warn "$check_2_16"
resulttestjson "INFO" resulttestjson "WARN"
currentScore=$((currentScore + 0)) currentScore=$((currentScore - 1))
fi fi
} }
# 2.17 # 2.17
check_2_17() { check_2_17() {
id_2_17="2.17" id_2_17="2.17"
desc_2_17="Ensure experimental features are avoided in production" desc_2_17="Ensure containers are restricted from acquiring new privileges"
check_2_17="$id_2_17 - $desc_2_17" check_2_17="$id_2_17 - $desc_2_17"
starttestjson "$id_2_17" "$desc_2_17" starttestjson "$id_2_17" "$desc_2_17"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass "$check_2_17"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass "$check_2_17" pass "$check_2_17"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -437,29 +427,6 @@ check_2_17() {
fi fi
} }
# 2.18
check_2_18() {
id_2_18="2.18"
desc_2_18="Ensure containers are restricted from acquiring new privileges"
check_2_18="$id_2_18 - $desc_2_18"
starttestjson "$id_2_18" "$desc_2_18"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass "$check_2_18"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass "$check_2_18"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_18"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
check_2_end() { check_2_end() {
endsectionjson endsectionjson
} }


@ -40,7 +40,7 @@ check_3_1() {
# 3.2 # 3.2
check_3_2() { check_3_2() {
id_3_2="3.2" id_3_2="3.2"
desc_3_2="Ensure that docker.service file permissions are set to 644 or more restrictive" desc_3_2="Ensure that docker.service file permissions are appropriately set"
check_3_2="$id_3_2 - $desc_3_2" check_3_2="$id_3_2 - $desc_3_2"
starttestjson "$id_3_2" "$desc_3_2" starttestjson "$id_3_2" "$desc_3_2"
@ -299,13 +299,13 @@ check_3_10() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_10" warn "$check_3_10"
warn " * Wrong permissions for $tlscacert" warn " * Wrong permissions for $tlscacert"
resulttestjson "WARN" "Wrong permissions for $tlscacert" resulttestjson "WARN" "Wrong permissions for $tlscacert"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_10" info "$check_3_10"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
resulttestjson "INFO" "No TLS CA certificate found" resulttestjson "INFO" "No TLS CA certificate found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -331,13 +331,13 @@ check_3_11() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_11" warn "$check_3_11"
warn " * Wrong ownership for $tlscert" warn " * Wrong ownership for $tlscert"
resulttestjson "WARN" "Wrong ownership for $tlscert" resulttestjson "WARN" "Wrong ownership for $tlscert"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_11" info "$check_3_11"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
resulttestjson "INFO" "No TLS Server certificate found" resulttestjson "INFO" "No TLS Server certificate found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -363,13 +363,13 @@ check_3_12() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_12" warn "$check_3_12"
warn " * Wrong permissions for $tlscert" warn " * Wrong permissions for $tlscert"
resulttestjson "WARN" "Wrong permissions for $tlscert" resulttestjson "WARN" "Wrong permissions for $tlscert"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_12" info "$check_3_12"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
resulttestjson "INFO" "No TLS Server certificate found" resulttestjson "INFO" "No TLS Server certificate found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -395,13 +395,13 @@ check_3_13() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_13" warn "$check_3_13"
warn " * Wrong ownership for $tlskey" warn " * Wrong ownership for $tlskey"
resulttestjson "WARN" "Wrong ownership for $tlskey" resulttestjson "WARN" "Wrong ownership for $tlskey"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_13" info "$check_3_13"
info " * No TLS Key found" info " * No TLS Key found"
resulttestjson "INFO" "No TLS Key found" resulttestjson "INFO" "No TLS Key found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -427,13 +427,13 @@ check_3_14() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_14" warn "$check_3_14"
warn " * Wrong permissions for $tlskey" warn " * Wrong permissions for $tlskey"
resulttestjson "WARN" "Wrong permissions for $tlskey" resulttestjson "WARN" "Wrong permissions for $tlskey"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_14" info "$check_3_14"
info " * No TLS Key found" info " * No TLS Key found"
resulttestjson "INFO" "No TLS Key found" resulttestjson "INFO" "No TLS Key found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -455,13 +455,13 @@ check_3_15() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_15" warn "$check_3_15"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_15" info "$check_3_15"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -483,13 +483,13 @@ check_3_16() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_16" warn "$check_3_16"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_16" info "$check_3_16"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -511,13 +511,13 @@ check_3_17() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_17" warn "$check_3_17"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_17" info "$check_3_17"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -539,13 +539,13 @@ check_3_18() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_18" warn "$check_3_18"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_18" info "$check_3_18"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -567,13 +567,13 @@ check_3_19() {
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_19" warn "$check_3_19"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_19" info "$check_3_19"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -582,26 +582,82 @@ check_3_19() {
# 3.20 # 3.20
check_3_20() { check_3_20() {
id_3_20="3.20" id_3_20="3.20"
desc_3_20="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive" desc_3_20="Ensure that the /etc/sysconfig/docker file ownership is set to root:root"
check_3_20="$id_3_20 - $desc_3_20" check_3_20="$id_3_20 - $desc_3_20"
starttestjson "$id_3_20" "$desc_3_20" starttestjson "$id_3_20" "$desc_3_20"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/default/docker" file="/etc/sysconfig/docker"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_20" pass "$check_3_20"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_3_20" warn "$check_3_20"
warn " * Wrong permissions for $file" warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong permissions for $file" resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_20" info "$check_3_20"
info " * File not found" info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.21
check_3_21() {
id_3_21="3.21"
desc_3_21="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
check_3_21="$id_3_21 - $desc_3_21"
starttestjson "$id_3_21" "$desc_3_21"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_21"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_21"
warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_21"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.22
check_3_22() {
id_3_22="3.22"
desc_3_22="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
check_3_22="$id_3_22 - $desc_3_22"
starttestjson "$id_3_22" "$desc_3_22"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_22"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_22"
warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_22"
info " * File not found"
resulttestjson "INFO" "File not found" resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
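Review bot: check_3_21 and check_3_22 are the same test: both descriptions name /etc/default/docker permissions and both set `file="/etc/default/docker"`, so that file is scored twice while nothing checks the permissions of /etc/sysconfig/docker, the file whose ownership the new check_3_20 covers. Presumably check_3_21 was meant to be the sysconfig counterpart, which needs two lines changed: `desc_3_21="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictive"` and `file="/etc/sysconfig/docker"`. Both new functions also call `stat -c %a $file` unquoted; `"$file"` is the safe form even though these paths contain no spaces. check_3_22's closing brace lies outside the hunk.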


@ -79,7 +79,7 @@ check_4_1() {
# 4.2 # 4.2
check_4_2() { check_4_2() {
id_4_2="4.2" id_4_2="4.2"
desc_4_2="Ensure that containers use trusted base images" desc_4_2="Ensure that containers use only trusted base images"
check_4_2="$id_4_2 - $desc_4_2" check_4_2="$id_4_2 - $desc_4_2"
starttestjson "$id_4_2" "$desc_4_2" starttestjson "$id_4_2" "$desc_4_2"
@ -92,7 +92,7 @@ check_4_2() {
# 4.3 # 4.3
check_4_3() { check_4_3() {
id_4_3="4.3" id_4_3="4.3"
desc_4_3="Ensure unnecessary packages are not installed in the container" desc_4_3="Ensure that unnecessary packages are not installed in the container"
check_4_3="$id_4_3 - $desc_4_3" check_4_3="$id_4_3 - $desc_4_3"
starttestjson "$id_4_3" "$desc_4_3" starttestjson "$id_4_3" "$desc_4_3"
@ -137,7 +137,7 @@ check_4_5() {
# 4.6 # 4.6
check_4_6() { check_4_6() {
id_4_6="4.6" id_4_6="4.6"
desc_4_6="Ensure HEALTHCHECK instructions have been added to the container image" desc_4_6="Ensure that HEALTHCHECK instructions have been added to container images"
check_4_6="$id_4_6 - $desc_4_6" check_4_6="$id_4_6 - $desc_4_6"
starttestjson "$id_4_6" "$desc_4_6" starttestjson "$id_4_6" "$desc_4_6"
@ -203,7 +203,7 @@ check_4_7() {
# 4.8 # 4.8
check_4_8() { check_4_8() {
id_4_8="4.8" id_4_8="4.8"
desc_4_8="Ensure setuid and setgid permissions are removed in the images" desc_4_8="Ensure setuid and setgid permissions are removed"
check_4_8="$id_4_8 - $desc_4_8" check_4_8="$id_4_8 - $desc_4_8"
starttestjson "$id_4_8" "$desc_4_8" starttestjson "$id_4_8" "$desc_4_8"
@ -216,7 +216,7 @@ check_4_8() {
# 4.9 # 4.9
check_4_9() { check_4_9() {
id_4_9="4.9" id_4_9="4.9"
desc_4_9="Ensure COPY is used instead of ADD in Dockerfile" desc_4_9="Ensure that COPY is used instead of ADD in Dockerfiles"
check_4_9="$id_4_9 - $desc_4_9" check_4_9="$id_4_9 - $desc_4_9"
starttestjson "$id_4_9" "$desc_4_9" starttestjson "$id_4_9" "$desc_4_9"
@ -263,7 +263,7 @@ check_4_10() {
# 4.11 # 4.11
check_4_11() { check_4_11() {
id_4_11="4.11" id_4_11="4.11"
desc_4_11="Ensure verified packages are only Installed" desc_4_11="Ensure only verified packages are installed"
check_4_11="$id_4_11 - $desc_4_11" check_4_11="$id_4_11 - $desc_4_11"
starttestjson "$id_4_11" "$desc_4_11" starttestjson "$id_4_11" "$desc_4_11"


@ -12,7 +12,7 @@ check_5() {
check_running_containers() { check_running_containers() {
# If containers is empty, there are no running containers # If containers is empty, there are no running containers
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5" info " * No containers running, skipping Section 5"
running_containers=0 running_containers=0
else else
running_containers=1 running_containers=1
@ -29,7 +29,7 @@ check_5_1() {
fi fi
id_5_1="5.1" id_5_1="5.1"
desc_5_1="Ensure AppArmor Profile is Enabled" desc_5_1="Ensure that, if applicable, an AppArmor Profile is enabled "
check_5_1="$id_5_1 - $desc_5_1" check_5_1="$id_5_1 - $desc_5_1"
starttestjson "$id_5_1" "$desc_5_1" starttestjson "$id_5_1" "$desc_5_1"
@ -71,7 +71,7 @@ check_5_2() {
fi fi
id_5_2="5.2" id_5_2="5.2"
desc_5_2="Ensure SELinux security options are set, if applicable" desc_5_2="Ensure that, if applicable, SELinux security options are set"
check_5_2="$id_5_2 - $desc_5_2" check_5_2="$id_5_2 - $desc_5_2"
starttestjson "$id_5_2" "$desc_5_2" starttestjson "$id_5_2" "$desc_5_2"
@ -158,7 +158,7 @@ check_5_4() {
fi fi
id_5_4="5.4" id_5_4="5.4"
desc_5_4="Ensure privileged containers are not used" desc_5_4="Ensure that privileged containers are not used"
check_5_4="$id_5_4 - $desc_5_4" check_5_4="$id_5_4 - $desc_5_4"
starttestjson "$id_5_4" "$desc_5_4" starttestjson "$id_5_4" "$desc_5_4"
@ -262,7 +262,7 @@ check_5_6() {
fi fi
id_5_6="5.6" id_5_6="5.6"
desc_5_6="Ensure ssh is not run within containers" desc_5_6="Ensure sshd is not run within containers"
check_5_6="$id_5_6 - $desc_5_6" check_5_6="$id_5_6 - $desc_5_6"
starttestjson "$id_5_6" "$desc_5_6" starttestjson "$id_5_6" "$desc_5_6"
@ -364,7 +364,7 @@ check_5_8() {
fi fi
id_5_8="5.8" id_5_8="5.8"
desc_5_8="Ensure only needed ports are open on the container" desc_5_8="Ensure that only needed ports are open on the container"
check_5_8="$id_5_8 - $desc_5_8" check_5_8="$id_5_8 - $desc_5_8"
starttestjson "$id_5_8" "$desc_5_8" starttestjson "$id_5_8" "$desc_5_8"
@ -423,7 +423,7 @@ check_5_10() {
fi fi
id_5_10="5.10" id_5_10="5.10"
desc_5_10="Ensure memory usage for container is limited" desc_5_10="Ensure that the memory usage for containers is limited"
check_5_10="$id_5_10 - $desc_5_10" check_5_10="$id_5_10 - $desc_5_10"
starttestjson "$id_5_10" "$desc_5_10" starttestjson "$id_5_10" "$desc_5_10"
@ -515,7 +515,7 @@ check_5_12() {
fi fi
id_5_12="5.12" id_5_12="5.12"
desc_5_12="Ensure the container's root filesystem is mounted as read only" desc_5_12="Ensure that the container's root filesystem is mounted as read only"
check_5_12="$id_5_12 - $desc_5_12" check_5_12="$id_5_12 - $desc_5_12"
starttestjson "$id_5_12" "$desc_5_12" starttestjson "$id_5_12" "$desc_5_12"
@ -557,7 +557,7 @@ check_5_13() {
fi fi
id_5_13="5.13" id_5_13="5.13"
desc_5_13="Ensure incoming container traffic is binded to a specific host interface" desc_5_13="Ensure that incoming container traffic is bound to a specific host interface"
check_5_13="$id_5_13 - $desc_5_13" check_5_13="$id_5_13 - $desc_5_13"
starttestjson "$id_5_13" "$desc_5_13" starttestjson "$id_5_13" "$desc_5_13"
@ -599,7 +599,7 @@ check_5_14() {
fi fi
id_5_14="5.14" id_5_14="5.14"
desc_5_14="Ensure 'on-failure' container restart policy is set to '5'" desc_5_14="Ensure that the 'on-failure' container restart policy is set to '5'"
check_5_14="$id_5_14 - $desc_5_14" check_5_14="$id_5_14 - $desc_5_14"
starttestjson "$id_5_14" "$desc_5_14" starttestjson "$id_5_14" "$desc_5_14"
@ -725,7 +725,7 @@ check_5_17() {
fi fi
id_5_17="5.17" id_5_17="5.17"
desc_5_17="Ensure host devices are not directly exposed to containers" desc_5_17="Ensure that host devices are not directly exposed to containers"
check_5_17="$id_5_17 - $desc_5_17" check_5_17="$id_5_17 - $desc_5_17"
starttestjson "$id_5_17" "$desc_5_17" starttestjson "$id_5_17" "$desc_5_17"
@ -767,7 +767,7 @@ check_5_18() {
fi fi
id_5_18="5.18" id_5_18="5.18"
desc_5_18="Ensure the default ulimit is overwritten at runtime, only if needed" desc_5_18="Ensure that the default ulimit is overwritten at runtime if needed"
check_5_18="$id_5_18 - $desc_5_18" check_5_18="$id_5_18 - $desc_5_18"
starttestjson "$id_5_18" "$desc_5_18" starttestjson "$id_5_18" "$desc_5_18"
@ -950,7 +950,7 @@ check_5_23() {
fi fi
id_5_23="5.23" id_5_23="5.23"
desc_5_23="Ensure docker exec commands are not used with user option" desc_5_23="Ensure that docker exec commands are not used with the user=root option"
check_5_23="$id_5_23 - $desc_5_23" check_5_23="$id_5_23 - $desc_5_23"
starttestjson "$id_5_23" "$desc_5_23" starttestjson "$id_5_23" "$desc_5_23"
@ -967,7 +967,7 @@ check_5_24() {
fi fi
id_5_24="5.24" id_5_24="5.24"
desc_5_24="Ensure cgroup usage is confirmed" desc_5_24="Ensure that cgroup usage is confirmed"
check_5_24="$id_5_24 - $desc_5_24" check_5_24="$id_5_24 - $desc_5_24"
starttestjson "$id_5_24" "$desc_5_24" starttestjson "$id_5_24" "$desc_5_24"
@ -1008,7 +1008,7 @@ check_5_25() {
return return
fi fi
id_5_25="5.25" id_5_25="5.25"
desc_5_25="Ensure the container is restricted from acquiring additional privileges" desc_5_25="Ensure that the container is restricted from acquiring additional privileges"
check_5_25="$id_5_25 - $desc_5_25" check_5_25="$id_5_25 - $desc_5_25"
starttestjson "$id_5_25" "$desc_5_25" starttestjson "$id_5_25" "$desc_5_25"
@ -1048,7 +1048,7 @@ check_5_26() {
fi fi
id_5_26="5.26" id_5_26="5.26"
desc_5_26="Ensure container health is checked at runtime" desc_5_26="Ensure that container health is checked at runtime"
check_5_26="$id_5_26 - $desc_5_26" check_5_26="$id_5_26 - $desc_5_26"
starttestjson "$id_5_26" "$desc_5_26" starttestjson "$id_5_26" "$desc_5_26"
@ -1086,7 +1086,7 @@ check_5_27() {
fi fi
id_5_27="5.27" id_5_27="5.27"
desc_5_27="Ensure docker commands always get the latest version of the image" desc_5_27="Ensure that Docker commands always make use of the latest version of their image"
check_5_27="$id_5_27 - $desc_5_27" check_5_27="$id_5_27 - $desc_5_27"
starttestjson "$id_5_27" "$desc_5_27" starttestjson "$id_5_27" "$desc_5_27"
@ -1103,7 +1103,7 @@ check_5_28() {
fi fi
id_5_28="5.28" id_5_28="5.28"
desc_5_28="Ensure PIDs cgroup limit is used" desc_5_28="Ensure that the PIDs cgroup limit is used"
check_5_28="$id_5_28 - $desc_5_28" check_5_28="$id_5_28 - $desc_5_28"
starttestjson "$id_5_28" "$desc_5_28" starttestjson "$id_5_28" "$desc_5_28"
@ -1112,9 +1112,9 @@ check_5_28() {
fail=0 fail=0
nopids_limit_containers="" nopids_limit_containers=""
for c in $containers; do for c in $containers; do
pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c") pidslimit="$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")"
if [ "$pidslimit" -le 0 ]; then if [ "$pidslimit" = "0" ] || [ "$pidslimit" = "<nil>" ] || [ "$pidslimit" = "-1" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_28" warn "$check_5_28"
@ -1145,7 +1145,7 @@ check_5_29() {
fi fi
id_5_29="5.29" id_5_29="5.29"
desc_5_29="Ensure Docker's default bridge docker0 is not used" desc_5_29="Ensure that Docker's default bridge 'docker0' is not used"
check_5_29="$id_5_29 - $desc_5_29" check_5_29="$id_5_29 - $desc_5_29"
starttestjson "$id_5_29" "$desc_5_29" starttestjson "$id_5_29" "$desc_5_29"
@ -1198,7 +1198,7 @@ check_5_30() {
fi fi
id_5_30="5.30" id_5_30="5.30"
desc_5_30="Ensure the host's user namespaces is not shared" desc_5_30="Ensure that the host's user namespaces are not shared"
check_5_30="$id_5_30 - $desc_5_30" check_5_30="$id_5_30 - $desc_5_30"
starttestjson "$id_5_30" "$desc_5_30" starttestjson "$id_5_30" "$desc_5_30"
@ -1238,7 +1238,7 @@ check_5_31() {
fi fi
id_5_31="5.31" id_5_31="5.31"
desc_5_31="Ensure the Docker socket is not mounted inside any containers" desc_5_31="Ensure that the Docker socket is not mounted inside any containers"
check_5_31="$id_5_31 - $desc_5_31" check_5_31="$id_5_31 - $desc_5_31"
starttestjson "$id_5_31" "$desc_5_31" starttestjson "$id_5_31" "$desc_5_31"
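Review bot: The new condition in check_5_28 treats any value other than `0`, `<nil>` or `-1` as a configured limit, so an empty `$pidslimit` — for instance when `docker inspect` fails because the container stopped between listing and inspection — is silently counted as compliant rather than reported. Appending `|| [ -z "$pidslimit" ]` to the condition keeps that case on the warning path; whether the inspect error itself should be surfaced can follow the script's existing conventions. The rest of check_5_28's loop body lies outside the hunk.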


@ -12,7 +12,7 @@ check_6() {
# 6.1 # 6.1
check_6_1() { check_6_1() {
id_6_1="6.1" id_6_1="6.1"
desc_6_1="Avoid image sprawl" desc_6_1="Ensure that image sprawl is avoided"
check_6_1="$id_6_1 - $desc_6_1" check_6_1="$id_6_1 - $desc_6_1"
starttestjson "$id_6_1" "$desc_6_1" starttestjson "$id_6_1" "$desc_6_1"
@ -39,7 +39,7 @@ check_6_1() {
# 6.2 # 6.2
check_6_2() { check_6_2() {
id_6_2="6.2" id_6_2="6.2"
desc_6_2="Avoid container sprawl" desc_6_2="Ensure that container sprawl is avoided"
check_6_2="$id_6_2 - $desc_6_2" check_6_2="$id_6_2 - $desc_6_2"
starttestjson "$id_6_2" "$desc_6_2" starttestjson "$id_6_2" "$desc_6_2"


@ -31,14 +31,14 @@ check_7_1() {
# 7.2 # 7.2
check_7_2() { check_7_2() {
id_7_2="7.2" id_7_2="7.2"
desc_7_2="Ensure the minimum number of manager nodes have been created in a swarm" desc_7_2="Ensure that the minimum number of manager nodes have been created in a swarm"
check_7_2="$id_7_2 - $desc_7_2" check_7_2="$id_7_2 - $desc_7_2"
starttestjson "$id_7_2" "$desc_7_2" starttestjson "$id_7_2" "$desc_7_2"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader") managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -le 1 ]; then if [ "$managernodes" -eq 1 ]; then
pass "$check_7_2" pass "$check_7_2"
resulttestjson "PASS" resulttestjson "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -57,7 +57,7 @@ check_7_2() {
# 7.3 # 7.3
check_7_3() { check_7_3() {
id_7_3="7.3" id_7_3="7.3"
desc_7_3="Ensure swarm services are binded to a specific host interface" desc_7_3="Ensure that swarm services are bound to a specific host interface"
check_7_3="$id_7_3 - $desc_7_3" check_7_3="$id_7_3 - $desc_7_3"
starttestjson "$id_7_3" "$desc_7_3" starttestjson "$id_7_3" "$desc_7_3"
@ -83,7 +83,7 @@ check_7_3() {
# 7.4 # 7.4
check_7_4() { check_7_4() {
id_7_4="7.4" id_7_4="7.4"
desc_7_4="Ensure data exchanged between containers are encrypted on different nodes on the overlay network" desc_7_4="Ensure that all Docker swarm overlay networks are encrypted"
check_7_4="$id_7_4 - $desc_7_4" check_7_4="$id_7_4 - $desc_7_4"
starttestjson "$id_7_4" "$desc_7_4" starttestjson "$id_7_4" "$desc_7_4"
@ -116,7 +116,7 @@ check_7_4() {
# 7.5 # 7.5
check_7_5() { check_7_5() {
id_7_5="7.5" id_7_5="7.5"
desc_7_5="Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster" desc_7_5="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster"
check_7_5="$id_7_5 - $desc_7_5" check_7_5="$id_7_5 - $desc_7_5"
starttestjson "$id_7_5" "$desc_7_5" starttestjson "$id_7_5" "$desc_7_5"
@ -141,7 +141,7 @@ check_7_5() {
# 7.6 # 7.6
check_7_6() { check_7_6() {
id_7_6="7.6" id_7_6="7.6"
desc_7_6="Ensure swarm manager is run in auto-lock mode" desc_7_6="Ensure that swarm manager is run in auto-lock mode"
check_7_6="$id_7_6 - $desc_7_6" check_7_6="$id_7_6 - $desc_7_6"
starttestjson "$id_7_6" "$desc_7_6" starttestjson "$id_7_6" "$desc_7_6"
@ -166,7 +166,7 @@ check_7_6() {
# 7.7 # 7.7
check_7_7() { check_7_7() {
id_7_7="7.7" id_7_7="7.7"
desc_7_7="Ensure swarm manager auto-lock key is rotated periodically" desc_7_7="Ensure that the swarm manager auto-lock key is rotated periodically"
check_7_7="$id_7_7 - $desc_7_7" check_7_7="$id_7_7 - $desc_7_7"
starttestjson "$id_7_7" "$desc_7_7" starttestjson "$id_7_7" "$desc_7_7"
@ -185,7 +185,7 @@ check_7_7() {
# 7.8 # 7.8
check_7_8() { check_7_8() {
id_7_8="7.8" id_7_8="7.8"
desc_7_8="Ensure node certificates are rotated as appropriate" desc_7_8="Ensure that node certificates are rotated as appropriate"
check_7_8="$id_7_8 - $desc_7_8" check_7_8="$id_7_8 - $desc_7_8"
starttestjson "$id_7_8" "$desc_7_8" starttestjson "$id_7_8" "$desc_7_8"
@ -210,7 +210,7 @@ check_7_8() {
# 7.9 # 7.9
check_7_9() { check_7_9() {
id_7_9="7.9" id_7_9="7.9"
desc_7_9="Ensure CA certificates are rotated as appropriate" desc_7_9="Ensure that CA certificates are rotated as appropriate"
check_7_9="$id_7_9 - $desc_7_9" check_7_9="$id_7_9 - $desc_7_9"
starttestjson "$id_7_9" "$desc_7_9" starttestjson "$id_7_9" "$desc_7_9"
@ -229,7 +229,7 @@ check_7_9() {
# 7.10 # 7.10
check_7_10() { check_7_10() {
id_7_10="7.10" id_7_10="7.10"
desc_7_10="Ensure management plane traffic has been separated from data plane traffic" desc_7_10="Ensure that management plane traffic is separated from data plane traffic"
check_7_10="$id_7_10 - $desc_7_10" check_7_10="$id_7_10 - $desc_7_10"
starttestjson "$id_7_10" "$desc_7_10" starttestjson "$id_7_10" "$desc_7_10"
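Review bot: check_7_2 still derives `managernodes` from `docker node ls | grep -c "Leader"`, which counts only the Raft leader; a functioning swarm has exactly one leader however many managers exist, so the tightened `-eq 1` comparison passes for any manager count and the check does not measure what its description states. Counting every manager, e.g. `managernodes=$(docker info --format '{{ .Swarm.Managers }}')`, gives the figure to compare, with the acceptable count (one, or an odd number per local policy) left to the maintainers. The remainder of check_7_2 lies outside the hunk.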


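--- /dev/null
+++ b/tests/8_docker_enterprise_configuration.sh
@@ -0,0 +1,182 @@
+#!/bin/sh
+check_8() {
+logit "\n"
+id_8="8"
+desc_8="Docker Enterprise Configuration"
+check_8="$id_8 - $desc_8"
+info "$check_8"
+startsectionjson "$id_8" "$desc_8"
+}
+check_product_license() {
+if docker version | grep -qi '^Client.*Community$'; then
+info " * Community Engine license, skipping section 8"
+enterprise_license=0
+else
+enterprise_license=1
+fi
+}
+check_8_1() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+logit "\n"
+id_8_1="8.1"
+desc_8_1="Universal Control Plane Configuration"
+check_8_1="$id_8_1 - $desc_8_1"
+info "$check_8_1"
+}
+# 8.1.1
+check_8_1_1() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+id_8_1_1="8.1.1"
+desc_8_1_1="Configure the LDAP authentication service"
+check_8_1_1="$id_8_1_1 - $desc_8_1_1"
+starttestjson "$id_8_1_1" "$desc_8_1_1"
+totalChecks=$((totalChecks + 1))
+note "$check_8_1_1"
+resulttestjson "INFO"
+currentScore=$((currentScore + 0))
+}
+# 8.1.2
+check_8_1_2() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+id_8_1_2="8.1.2"
+desc_8_1_2="Use external certificates"
+check_8_1_2="$id_8_1_2 - $desc_8_1_2"
+starttestjson "$id_8_1_2" "$desc_8_1_2"
+totalChecks=$((totalChecks + 1))
+note "$check_8_1_2"
+resulttestjson "INFO"
+currentScore=$((currentScore + 0))
+}
+# 8.1.3
+check_8_1_3() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+id_8_1_3="8.1.3"
+desc_8_1_3="Enforce the use of client certificate bundles for unprivileged users"
+check_8_1_3="$id_8_1_3 - $desc_8_1_3"
+starttestjson "$id_8_1_3" "$desc_8_1_3"
+totalChecks=$((totalChecks + 1))
+note "$check_8_1_3"
+resulttestjson "INFO"
+currentScore=$((currentScore + 0))
+}
+# 8.1.4
+check_8_1_4() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+id_8_1_4="8.1.4"
+desc_8_1_4="Configure applicable cluster role-based access control policies"
+check_8_1_4="$id_8_1_4 - $desc_8_1_4"
+starttestjson "$id_8_1_4" "$desc_8_1_4"
+totalChecks=$((totalChecks + 1))
+note "$check_8_1_4"
+resulttestjson "INFO"
+currentScore=$((currentScore + 0))
+}
+# 8.1.5
+check_8_1_5() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+id_8_1_5="8.1.5"
+desc_8_1_5="Enable signed image enforcement"
+check_8_1_5="$id_8_1_5 - $desc_8_1_5"
+starttestjson "$id_8_1_5" "$desc_8_1_5"
+totalChecks=$((totalChecks + 1))
+note "$check_8_1_5"
+resulttestjson "INFO"
+currentScore=$((currentScore + 0))
+}
+# 8.1.6
+check_8_1_6() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+id_8_1_6="8.1.6"
+desc_8_1_6="Set the Per-User Session Limit to a value of '3' or lower"
+check_8_1_6="$id_8_1_6 - $desc_8_1_6"
+starttestjson "$id_8_1_6" "$desc_8_1_6"
+totalChecks=$((totalChecks + 1))
+note "$check_8_1_6"
+resulttestjson "INFO"
+currentScore=$((currentScore + 0))
+}
+# 8.1.7
+check_8_1_7() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+id_8_1_7="8.1.7"
+desc_8_1_7="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively"
+check_8_1_7="$id_8_1_7 - $desc_8_1_7"
+starttestjson "$id_8_1_7" "$desc_8_1_7"
+totalChecks=$((totalChecks + 1))
+note "$check_8_1_7"
+resulttestjson "INFO"
+currentScore=$((currentScore + 0))
+}
+check_8_2() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+logit "\n"
+id_8_2="8.2"
+desc_8_2="Docker Trusted Registry Configuration"
+check_8_2="$id_8_2 - $desc_8_2"
+info "$check_8_2"
+}
+check_8_2_1() {
+if [ "$enterprise_license" -ne 1 ]; then
+return
+fi
+id_8_2_1="8.2.1"
+desc_8_2_1="Enable image vulnerability scanning"
+check_8_2_1="$id_8_2_1 - $desc_8_2_1"
+starttestjson "$id_8_2_1" "$desc_8_2_1"
+totalChecks=$((totalChecks + 1))
+note "$check_8_2_1"
+resulttestjson "INFO"
+currentScore=$((currentScore + 0))
+}
+check_8_end() {
+endsectionjson
+}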
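Review bot: `check_product_license` fails open: `enterprise_license=1` is the fallback for any `docker version` output that does not match `^Client.*Community$`, so an unreachable daemon, a permission error or a changed client banner makes the whole of section 8 run as if an Enterprise licence were present. Default to `enterprise_license=0` and set it to 1 only on a positive Enterprise match (the exact banner text for an Enterprise client should be confirmed on an EE install before choosing the pattern), and send the `docker version` stderr somewhere visible rather than letting a failure look like a licence decision. Relatedly, every `check_8_*` function guards with `[ "$enterprise_license" -ne 1 ]` and no default; if a caller runs these checks without `check_product_license` first (the caller is outside this file) the `[` test errors in sh instead of skipping, so `[ "${enterprise_license:-0}" -ne 1 ]` would keep the guard safe in either ordering.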


@ -21,6 +21,39 @@ check_c_1() {
fi fi
} }
# check_c_2
check_c_2() {
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
totalChecks=$((totalChecks + 1))
id_c_2="C.2"
desc_c_2="Ensure operations on legacy registry (v1) are Disabled"
check_c_2="$id_c_2 - $desc_c_2"
starttestjson "$id_c_2" "$desc_c_2"
if [ "$docker_version" -lt 1712 ]; then
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass "$check_c_2"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass "$check_c_2"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_c_2"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
desc_c_2="$desc_c_2 (Deprecated)"
check_c_2="$id_c_2 - $desc_c_2"
info "$check_c_2"
resulttestjson "INFO"
fi
}
check_c_end() { check_c_end() {
endsectionjson endsectionjson
} }
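Review bot: `docker_version` at the top of `check_c_2` is compared with `[ "$docker_version" -lt 1712 ]` without being checked for emptiness, so when `docker version` fails (daemon unreachable, insufficient permission) the test prints an integer-expression error and the check drops into the else branch, reporting the legacy-registry setting as Deprecated/INFO although nothing was verified. Guard before the comparison, e.g. `if [ -z "$docker_version" ]; then warn "$check_c_2"; resulttestjson "WARN"; currentScore=$((currentScore - 1)); return; fi`, so an undeterminable state is surfaced rather than scored as informational. The function also overwrites the global `docker_version` (sh has no `local`); if another check in the run reads that variable after this one, it now sees the truncated four-digit form, which is worth confirming against the rest of the script.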