From 67e0fedef26f34fd3e392a9f268d183803bda687 Mon Sep 17 00:00:00 2001 From: Thomas Berger Date: Sat, 30 May 2015 11:21:15 +0200 Subject: [PATCH] *.sh: use the new POSIX syntax $(...) Also, add quotes around command substitution --- docker-bench-security.sh | 16 ++++----- helper_lib.sh | 8 ++--- tests/1_host_configuration.sh | 8 ++--- tests/2_docker_daemon_configuration.sh | 2 +- tests/3_docker_daemon_configuration_files.sh | 26 +++++++------- tests/4_container_images.sh | 2 +- tests/5_container_runtime.sh | 36 ++++++++++---------- tests/6_docker_security_operations.sh | 10 +++--- 8 files changed, 54 insertions(+), 54 deletions(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 6ebe45b..71a6a66 100644 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -15,8 +15,8 @@ # Setup the paths this_path=$(abspath $0) ## Path of this file including filenamel -dir_name=`dirname ${this_path}` ## Dir where this file is -myname=`basename ${this_path}` ## file name of this script. +dir_name="$(dirname ${this_path})" ## Dir where this file is +myname="$(basename ${this_path})" ## file name of this script. logger="${myname}.log" @@ -27,7 +27,7 @@ for p in $req_progs; do done # Ensure we can connect to docker daemon -`docker ps -q >/dev/null 2>&1` +"$(docker ps -q >/dev/null 2>&1)" if [ $? -ne 0 ]; then printf "Error connecting to docker daemon (does docker ps work?)\n" exit 1 @@ -50,10 +50,10 @@ yell "# ------------------------------------------------------------------------ # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # ------------------------------------------------------------------------------" -logit "Initializing `date`\n" +logit "Initializing $(date)\n" # Warn if not root -ID=`id -u` +ID="$(id -u)" if [ "x$ID" != "x0" ]; then warn "Some tests might require root to run" sleep 3 @@ -72,15 +72,15 @@ done # Load all the tests from tests/ and run them main () { # List all running containers - containers=`docker ps -q` + containers="$(docker ps -q)" # If there is a container with label docker-bench, memorize it: benchcont="nil" for c in $containers; do - labels=`docker inspect --format '{{ .Config.Labels }}' $c` + labels="$(docker inspect --format '{{ .Config.Labels }}' $c)" contains "$labels" "docker-bench" && benchcont="$c" done # List all running containers except docker-bench - containers=`docker ps -q | grep -v $benchcont` + containers="$(docker ps -q | grep -v $benchcont)" for test in tests/*.sh do diff --git a/helper_lib.sh b/helper_lib.sh index e692deb..e3593b1 100644 --- a/helper_lib.sh +++ b/helper_lib.sh @@ -7,10 +7,10 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es do_version_check() { [ "$1" = "$2" ] && return 10 - ver1front=`printf $1 | cut -d "." -f -1` - ver1back=`printf $1 | cut -d "." -f 2-` - ver2front=`printf $2 | cut -d "." -f -1` - ver2back=`printf $2 | cut -d "." -f 2-` + ver1front="$(printf $1 | cut -d "." -f -1)" + ver1back="$(printf $1 | cut -d "." -f 2-)" + ver2front="$(printf $2 | cut -d "." -f -1)" + ver2back="$(printf $2 | cut -d "." -f 2-)" if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then [ "$ver1front" -gt "$ver2front" ] && return 11 diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index 49af272..6716f11 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -14,7 +14,7 @@ fi # 1.2 check_1_2="1.2 - Use an updated Linux Kernel" -kernel_version=`uname -r | cut -d "-" -f 1` +kernel_version="$(uname -r | cut -d "-" -f 1)" do_version_check 3.10 $kernel_version if [ $? -eq 11 ]; then warn "$check_1_2" @@ -25,7 +25,7 @@ fi # 1.5 check_1_5="1.5 - Remove all non-essential services from the host - Network" # Check for listening network services. -listening_services=`netstat -na | grep -v tcp6 | grep -v unix | grep LISTEN | wc -l` +listening_services="$(netstat -na | grep -v tcp6 | grep -v unix | grep LISTEN | wc -l)" if [ $listening_services -eq 0 ]; then warn "1.5 - Failed to get listening services for check: $check_1_5" else @@ -39,7 +39,7 @@ fi # 1.6 check_1_6="1.6 - Keep Docker up to date" -docker_version=`docker version | grep 'Server version' | awk '{print $3}'` +docker_version="$(docker version | grep 'Server version' | awk '{print $3}')" if [ $? -eq 11 ]; then warn "$check_1_6" else @@ -48,7 +48,7 @@ fi # 1.7 check_1_7="1.7 - Only allow trusted users to control Docker daemon" -docker_users=`cat /etc/group | grep docker` +docker_users="$(cat /etc/group | grep docker)" info "$check_1_7" for u in $docker_users; do info " * $u" diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 11a0ea9..865d3ca 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -60,7 +60,7 @@ fi # 2.7 check_2_7="2.7 - Do not use the aufs storage driver" -storage_driver=`docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"` +storage_driver="$(docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$")" if [ $? -eq 0 ]; then warn "$check_2_7" else diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 60207de..fa28fbc 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -247,7 +247,7 @@ fi check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" directory="/etc/docker" if [ -d "$directory" ]; then - perms=`ls -ld $directory | awk '{print $1}'` + perms="$(ls -ld $directory | awk '{print $1}')" if [ $perms = "drwxr-xr-x." ]; then pass "$check_3_16" elif [ $perms = "drwx------" ]; then @@ -266,7 +266,7 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - owners=`ls -lL $directory/* | grep .crt | awk '{print $3, $4}'` + owners="$(ls -lL $directory/* | grep .crt | awk '{print $3, $4}')" for p in $owners; do printf "$p" | grep "root" >/dev/null 2>&1 if [ $? -ne 0 ]; then @@ -289,7 +289,7 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - perms=`ls -lL $directory/* | grep .crt | awk '{print $1}'` + perms="$(ls -lL $directory/* | grep .crt | awk '{print $1}')" for p in $perms; do if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then fail=1 @@ -308,7 +308,7 @@ fi # 3.19 check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" -tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1` +tlscacert="$(ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)" if [ -f "$tlscacert" ]; then ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -324,9 +324,9 @@ fi # 3.20 check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444" -tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1` +tlscacert="$(ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)" if [ -f "$tlscacert" ]; then - perms=`ls -ld "$tlscacert" | awk '{print $1}'` + perms="$(ls -ld "$tlscacert" | awk '{print $1}')" if [ "$perms" = "-rw-r--r--" ]; then pass "$check_3_20" else @@ -340,7 +340,7 @@ fi # 3.21 check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" -tlscert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1` +tlscert="$(ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)" if [ -f "$tlscert" ]; then ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -356,9 +356,9 @@ fi # 3.22 check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444" -tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1` +tlscacert="$(ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)" if [ -f "$tlscert" ]; then - perms=`ls -ld "$tlscert" | awk '{print $1}'` + perms="$(ls -ld "$tlscert" | awk '{print $1}')" if [ "$perms" = "-rw-r--r--" ]; then pass "$check_3_22" else @@ -372,7 +372,7 @@ fi # 3.23 check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" -tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1` +tlskey="$(ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)" if [ -f "$tlskey" ]; then ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ $? -eq 0 ]; then @@ -388,9 +388,9 @@ fi # 3.24 check_3_24="3.24 - Verify that Docker server key file permissions are set to 400" -tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1` +tlskey="$(ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)" if [ -f "$tlskey" ]; then - perms=`ls -ld "$tlskey" | awk '{print $1}'` + perms="$(ls -ld "$tlskey" | awk '{print $1}')" if [ "$perms" = "-r--------" ]; then pass "$check_3_24" else @@ -422,7 +422,7 @@ fi check_3_26="3.26 - Verify that Docker socket file permissions are set to 660" file="/var/run/docker.sock" if [ -f "$file" ]; then - perms=`ls -ld "$file" | awk '{print $1}'` + perms="$(ls -ld "$file" | awk '{print $1}')" if [ "$perms" = "srw-rw----" ]; then pass "$check_3_26" else diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index eb50c7a..3597620 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh @@ -17,7 +17,7 @@ else set -f; IFS=$' ' for c in $containers; do - user=`docker inspect --format 'User={{.Config.User}}' $c` + user="$(docker inspect --format 'User={{.Config.User}}' $c)" if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=" ]; then # If it's the first container, fail the test diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 3cd9495..12a511c 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -15,7 +15,7 @@ else fail=0 for c in $containers; do - policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c` + policy="$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c)" if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=" ]; then # If it's the first container, fail the test @@ -38,7 +38,7 @@ else fail=0 for c in $containers; do - policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c` + policy="$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c)" if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=" ]; then # If it's the first container, fail the test @@ -61,7 +61,7 @@ else fail=0 for c in $containers; do - processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'` + processes="$(docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}')" if [ $processes -gt 5 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then @@ -83,7 +83,7 @@ else fail=0 for c in $containers; do - caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c` + caps="$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c)" if [ "$caps" != "CapAdd=" -a "$caps" != "CapAdd=[]" -a "$caps" != "CapAdd=" ]; then # If it's the first container, fail the test @@ -106,7 +106,7 @@ else fail=0 for c in $containers; do - privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c` + privileged="$(docker inspect --format '{{ .HostConfig.Privileged }}' $c)" if [ "$privileged" = "true" ]; then # If it's the first container, fail the test @@ -138,7 +138,7 @@ else /usr' fail=0 for c in $containers; do - volumes=`docker inspect --format '{{ .VolumesRW }}' $c` + volumes="$(docker inspect --format '{{ .VolumesRW }}' $c)" # Go over each directory in sensitive dir and see if they exist in the volumes for v in $sensitive_dirs; do sensitive=0 @@ -165,7 +165,7 @@ else fail=0 for c in $containers; do - processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'` + processes="$(docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}')" if [ $processes -gt 1 ]; then # If it's the first container, fail the test @@ -188,7 +188,7 @@ else fail=0 for c in $containers; do - port=`docker port $c | awk '{print $1}' | cut -d '/' -f1` + port="$(docker port $c | awk '{print $1}' | cut -d '/' -f1)" if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then # If it's the first container, fail the test @@ -211,7 +211,7 @@ else fail=0 for c in $containers; do - mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c` + mode="$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c)" if [ "$mode" = "NetworkMode=host" ]; then # If it's the first container, fail the test @@ -234,7 +234,7 @@ else fail=0 for c in $containers; do - memory=`docker inspect --format '{{ .Config.Memory }}' $c` + memory="$(docker inspect --format '{{ .Config.Memory }}' $c)" if [ $memory = "0" ]; then # If it's the first container, fail the test @@ -257,7 +257,7 @@ else fail=0 for c in $containers; do - shares=`docker inspect --format '{{ .Config.CpuShares }}' $c` + shares="$(docker inspect --format '{{ .Config.CpuShares }}' $c)" if [ "$shares" = "0" ]; then # If it's the first container, fail the test @@ -280,7 +280,7 @@ else fail=0 for c in $containers; do - read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c` + read_status="$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c)" if [ "$read_status" = "false" ]; then # If it's the first container, fail the test @@ -303,7 +303,7 @@ else fail=0 for c in $containers; do - ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1` + ip="$(docker port $c | awk '{print $3}' | cut -d ':' -f1)" if [ "$ip" = "0.0.0.0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then @@ -325,7 +325,7 @@ else fail=0 for c in $containers; do - policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c` + policy="$(docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c)" if [ "$policy" = "RestartPolicyName=always" ]; then # If it's the first container, fail the test @@ -348,7 +348,7 @@ else fail=0 for c in $containers; do - mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c` + mode="$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c)" if [ "$mode" = "PidMode=host" ]; then # If it's the first container, fail the test @@ -371,7 +371,7 @@ else fail=0 for c in $containers; do - mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c` + mode="$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c)" if [ "$mode" = "IpcMode=host" ]; then # If it's the first container, fail the test @@ -394,7 +394,7 @@ else fail=0 for c in $containers; do - devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c` + devices="$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c)" if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=" ]; then # If it's the first container, fail the test @@ -418,7 +418,7 @@ else # List all the running containers, ouput their ID and host devices fail=0 for c in $containers; do - ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c` + ulimits="$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c)" if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=" ]; then # If it's the first container, fail the test diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index 8c300ce..ae6edef 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -15,7 +15,7 @@ else set -f; IFS=$' ' for c in $containers; do - volumes=`docker inspect --format '{{ .Volumes }}' $c` + volumes="$(docker inspect --format '{{ .Volumes }}' $c)" if [ "$volumes" = "map[]" ]; then # If it's the first container, fail the test @@ -36,7 +36,7 @@ set +f; unset IFS # 6.6 check_6_6="6.6 - Avoid image sprawl" -images=`docker images | wc -l | awk '{print $1}'` +images="$(docker images | wc -l | awk '{print $1}')" if [ $images -gt 100 ]; then warn "$check_6_6" warn " * There are currently: $images images" @@ -47,9 +47,9 @@ fi # 6.7 check_6_7="6.7 - Avoid container sprawl" -total_containers=`docker info 2>/dev/null | grep "Containers" | awk '{print $2}'` -running_containers=`docker ps -q | wc -l | awk '{print $1}'` -diff=`expr "$total_containers" - "$running_containers"` +total_containers="$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')" +running_containers="$(docker ps -q | wc -l | awk '{print $1}')" +diff="$(expr "$total_containers" - "$running_containers")" if [ $diff -gt 25 ]; then warn "$check_6_7" warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"