GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 00:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

*.sh: use the new POSIX syntax $(...)

Browse source 
Also, add quotes around command substitution
This commit is contained in:
Thomas Berger 2015-05-30 11:21:15 +02:00
parent 34c784dcbf
commit 67e0fedef2
8 changed files with 54 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
docker-bench-security.sh
View file

@ -15,8 +15,8 @@
# Setup the paths # Setup the paths
this_path=$(abspath $0) ## Path of this file including filenamel this_path=$(abspath $0) ## Path of this file including filenamel
dir_name=`dirname ${this_path}` ## Dir where this file is dir_name="$(dirname ${this_path})" ## Dir where this file is
myname=`basename ${this_path}` ## file name of this script. myname="$(basename ${this_path})" ## file name of this script.
logger="${myname}.log" logger="${myname}.log"
@ -27,7 +27,7 @@ for p in $req_progs; do
done done
# Ensure we can connect to docker daemon # Ensure we can connect to docker daemon
`docker ps -q >/dev/null 2>&1` "$(docker ps -q >/dev/null 2>&1)"
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
printf "Error connecting to docker daemon (does docker ps work?)\n" printf "Error connecting to docker daemon (does docker ps work?)\n"
exit 1 exit 1
@ -50,10 +50,10 @@ yell "# ------------------------------------------------------------------------
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------" # ------------------------------------------------------------------------------"
logit "Initializing `date`\n" logit "Initializing $(date)\n"
# Warn if not root # Warn if not root
ID=`id -u` ID="$(id -u)"
if [ "x$ID" != "x0" ]; then if [ "x$ID" != "x0" ]; then
warn "Some tests might require root to run" warn "Some tests might require root to run"
sleep 3 sleep 3
@ -72,15 +72,15 @@ done
# Load all the tests from tests/ and run them # Load all the tests from tests/ and run them
main () { main () {
# List all running containers # List all running containers
containers=`docker ps -q` containers="$(docker ps -q)"
# If there is a container with label docker-bench, memorize it: # If there is a container with label docker-bench, memorize it:
benchcont="nil" benchcont="nil"
for c in $containers; do for c in $containers; do
labels=`docker inspect --format '{{ .Config.Labels }}' $c` labels="$(docker inspect --format '{{ .Config.Labels }}' $c)"
contains "$labels" "docker-bench" && benchcont="$c" contains "$labels" "docker-bench" && benchcont="$c"
done done
# List all running containers except docker-bench # List all running containers except docker-bench
containers=`docker ps -q | grep -v $benchcont` containers="$(docker ps -q | grep -v $benchcont)"
for test in tests/*.sh for test in tests/*.sh
do do

8
helper_lib.sh
View file

@ -7,10 +7,10 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es
do_version_check() { do_version_check() {
[ "$1" = "$2" ] && return 10 [ "$1" = "$2" ] && return 10
ver1front=`printf $1 | cut -d "." -f -1` ver1front="$(printf $1 | cut -d "." -f -1)"
ver1back=`printf $1 | cut -d "." -f 2-` ver1back="$(printf $1 | cut -d "." -f 2-)"
ver2front=`printf $2 | cut -d "." -f -1` ver2front="$(printf $2 | cut -d "." -f -1)"
ver2back=`printf $2 | cut -d "." -f 2-` ver2back="$(printf $2 | cut -d "." -f 2-)"
if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then
[ "$ver1front" -gt "$ver2front" ] && return 11 [ "$ver1front" -gt "$ver2front" ] && return 11

8
tests/1_host_configuration.sh
View file

@ -14,7 +14,7 @@ fi
# 1.2 # 1.2
check_1_2="1.2 - Use an updated Linux Kernel" check_1_2="1.2 - Use an updated Linux Kernel"
kernel_version=`uname -r | cut -d "-" -f 1` kernel_version="$(uname -r | cut -d "-" -f 1)"
do_version_check 3.10 $kernel_version do_version_check 3.10 $kernel_version
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
warn "$check_1_2" warn "$check_1_2"
@ -25,7 +25,7 @@ fi
# 1.5 # 1.5
check_1_5="1.5 - Remove all non-essential services from the host - Network" check_1_5="1.5 - Remove all non-essential services from the host - Network"
# Check for listening network services. # Check for listening network services.
listening_services=`netstat -na | grep -v tcp6 | grep -v unix | grep LISTEN | wc -l` listening_services="$(netstat -na | grep -v tcp6 | grep -v unix | grep LISTEN | wc -l)"
if [ $listening_services -eq 0 ]; then if [ $listening_services -eq 0 ]; then
warn "1.5 - Failed to get listening services for check: $check_1_5" warn "1.5 - Failed to get listening services for check: $check_1_5"
else else
@ -39,7 +39,7 @@ fi
# 1.6 # 1.6
check_1_6="1.6 - Keep Docker up to date" check_1_6="1.6 - Keep Docker up to date"
docker_version=`docker version | grep 'Server version' | awk '{print $3}'` docker_version="$(docker version | grep 'Server version' | awk '{print $3}')"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
warn "$check_1_6" warn "$check_1_6"
else else
@ -48,7 +48,7 @@ fi
# 1.7 # 1.7
check_1_7="1.7 - Only allow trusted users to control Docker daemon" check_1_7="1.7 - Only allow trusted users to control Docker daemon"
docker_users=`cat /etc/group | grep docker` docker_users="$(cat /etc/group | grep docker)"
info "$check_1_7" info "$check_1_7"
for u in $docker_users; do for u in $docker_users; do
info " * $u" info " * $u"

2
tests/2_docker_daemon_configuration.sh
View file

@ -60,7 +60,7 @@ fi
# 2.7 # 2.7
check_2_7="2.7 - Do not use the aufs storage driver" check_2_7="2.7 - Do not use the aufs storage driver"
storage_driver=`docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"` storage_driver="$(docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$")"
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_7" warn "$check_2_7"
else else

26
tests/3_docker_daemon_configuration_files.sh
View file

@ -247,7 +247,7 @@ fi
check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755"
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
perms=`ls -ld $directory | awk '{print $1}'` perms="$(ls -ld $directory | awk '{print $1}')"
if [ $perms = "drwxr-xr-x." ]; then if [ $perms = "drwxr-xr-x." ]; then
pass "$check_3_16" pass "$check_3_16"
elif [ $perms = "drwx------" ]; then elif [ $perms = "drwx------" ]; then
@ -266,7 +266,7 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
owners=`ls -lL $directory/* | grep .crt | awk '{print $3, $4}'` owners="$(ls -lL $directory/* | grep .crt | awk '{print $3, $4}')"
for p in $owners; do for p in $owners; do
printf "$p" | grep "root" >/dev/null 2>&1 printf "$p" | grep "root" >/dev/null 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
@ -289,7 +289,7 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
perms=`ls -lL $directory/* | grep .crt | awk '{print $1}'` perms="$(ls -lL $directory/* | grep .crt | awk '{print $1}')"
for p in $perms; do for p in $perms; do
if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then
fail=1 fail=1
@ -308,7 +308,7 @@ fi
# 3.19 # 3.19
check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root"
tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1` tlscacert="$(ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)"
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -324,9 +324,9 @@ fi
# 3.20 # 3.20
check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444" check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444"
tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1` tlscacert="$(ps -ef | grep docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)"
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
perms=`ls -ld "$tlscacert" | awk '{print $1}'` perms="$(ls -ld "$tlscacert" | awk '{print $1}')"
if [ "$perms" = "-rw-r--r--" ]; then if [ "$perms" = "-rw-r--r--" ]; then
pass "$check_3_20" pass "$check_3_20"
else else
@ -340,7 +340,7 @@ fi
# 3.21 # 3.21
check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root"
tlscert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1` tlscert="$(ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)"
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -356,9 +356,9 @@ fi
# 3.22 # 3.22
check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444" check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444"
tlscacert=`ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1` tlscacert="$(ps -ef | grep docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)"
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
perms=`ls -ld "$tlscert" | awk '{print $1}'` perms="$(ls -ld "$tlscert" | awk '{print $1}')"
if [ "$perms" = "-rw-r--r--" ]; then if [ "$perms" = "-rw-r--r--" ]; then
pass "$check_3_22" pass "$check_3_22"
else else
@ -372,7 +372,7 @@ fi
# 3.23 # 3.23
check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root"
tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1` tlskey="$(ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)"
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
@ -388,9 +388,9 @@ fi
# 3.24 # 3.24
check_3_24="3.24 - Verify that Docker server key file permissions are set to 400" check_3_24="3.24 - Verify that Docker server key file permissions are set to 400"
tlskey=`ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1` tlskey="$(ps -ef | grep docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)"
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
perms=`ls -ld "$tlskey" | awk '{print $1}'` perms="$(ls -ld "$tlskey" | awk '{print $1}')"
if [ "$perms" = "-r--------" ]; then if [ "$perms" = "-r--------" ]; then
pass "$check_3_24" pass "$check_3_24"
else else
@ -422,7 +422,7 @@ fi
check_3_26="3.26 - Verify that Docker socket file permissions are set to 660" check_3_26="3.26 - Verify that Docker socket file permissions are set to 660"
file="/var/run/docker.sock" file="/var/run/docker.sock"
if [ -f "$file" ]; then if [ -f "$file" ]; then
perms=`ls -ld "$file" | awk '{print $1}'` perms="$(ls -ld "$file" | awk '{print $1}')"
if [ "$perms" = "srw-rw----" ]; then if [ "$perms" = "srw-rw----" ]; then
pass "$check_3_26" pass "$check_3_26"
else else

2
tests/4_container_images.sh
View file

@ -17,7 +17,7 @@ else
set -f; IFS=$' set -f; IFS=$'
' '
for c in $containers; do for c in $containers; do
user=`docker inspect --format 'User={{.Config.User}}' $c` user="$(docker inspect --format 'User={{.Config.User}}' $c)"
if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test

36
tests/5_container_runtime.sh
View file

@ -15,7 +15,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
policy=`docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c` policy="$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' $c)"
if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=<no value>" ]; then if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -38,7 +38,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
policy=`docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c` policy="$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' $c)"
if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=<no value>" ]; then if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -61,7 +61,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
processes=`docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}'` processes="$(docker exec $c ps -el 2>/dev/null | wc -l | awk '{print $1}')"
if [ $processes -gt 5 ]; then if [ $processes -gt 5 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
@ -83,7 +83,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
caps=`docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c` caps="$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' $c)"
if [ "$caps" != "CapAdd=" -a "$caps" != "CapAdd=[]" -a "$caps" != "CapAdd=<no value>" ]; then if [ "$caps" != "CapAdd=" -a "$caps" != "CapAdd=[]" -a "$caps" != "CapAdd=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -106,7 +106,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
privileged=`docker inspect --format '{{ .HostConfig.Privileged }}' $c` privileged="$(docker inspect --format '{{ .HostConfig.Privileged }}' $c)"
if [ "$privileged" = "true" ]; then if [ "$privileged" = "true" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -138,7 +138,7 @@ else
/usr' /usr'
fail=0 fail=0
for c in $containers; do for c in $containers; do
volumes=`docker inspect --format '{{ .VolumesRW }}' $c` volumes="$(docker inspect --format '{{ .VolumesRW }}' $c)"
# Go over each directory in sensitive dir and see if they exist in the volumes # Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do for v in $sensitive_dirs; do
sensitive=0 sensitive=0
@ -165,7 +165,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
processes=`docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}'` processes="$(docker exec $c ps -el 2>/dev/null | grep sshd | wc -l | awk '{print $1}')"
if [ $processes -gt 1 ]; then if [ $processes -gt 1 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -188,7 +188,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
port=`docker port $c | awk '{print $1}' | cut -d '/' -f1` port="$(docker port $c | awk '{print $1}' | cut -d '/' -f1)"
if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -211,7 +211,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
mode=`docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c` mode="$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' $c)"
if [ "$mode" = "NetworkMode=host" ]; then if [ "$mode" = "NetworkMode=host" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -234,7 +234,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
memory=`docker inspect --format '{{ .Config.Memory }}' $c` memory="$(docker inspect --format '{{ .Config.Memory }}' $c)"
if [ $memory = "0" ]; then if [ $memory = "0" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -257,7 +257,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
shares=`docker inspect --format '{{ .Config.CpuShares }}' $c` shares="$(docker inspect --format '{{ .Config.CpuShares }}' $c)"
if [ "$shares" = "0" ]; then if [ "$shares" = "0" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -280,7 +280,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
read_status=`docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c` read_status="$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' $c)"
if [ "$read_status" = "false" ]; then if [ "$read_status" = "false" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -303,7 +303,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
ip=`docker port $c | awk '{print $3}' | cut -d ':' -f1` ip="$(docker port $c | awk '{print $3}' | cut -d ':' -f1)"
if [ "$ip" = "0.0.0.0" ]; then if [ "$ip" = "0.0.0.0" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
@ -325,7 +325,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
policy=`docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c` policy="$(docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' $c)"
if [ "$policy" = "RestartPolicyName=always" ]; then if [ "$policy" = "RestartPolicyName=always" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -348,7 +348,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
mode=`docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c` mode="$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' $c)"
if [ "$mode" = "PidMode=host" ]; then if [ "$mode" = "PidMode=host" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -371,7 +371,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
mode=`docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c` mode="$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' $c)"
if [ "$mode" = "IpcMode=host" ]; then if [ "$mode" = "IpcMode=host" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -394,7 +394,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
devices=`docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c` devices="$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' $c)"
if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=<no value>" ]; then if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -418,7 +418,7 @@ else
# List all the running containers, ouput their ID and host devices # List all the running containers, ouput their ID and host devices
fail=0 fail=0
for c in $containers; do for c in $containers; do
ulimits=`docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c` ulimits="$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' $c)"
if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=<no value>" ]; then if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=<no value>" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test

10
tests/6_docker_security_operations.sh
View file

@ -15,7 +15,7 @@ else
set -f; IFS=$' set -f; IFS=$'
' '
for c in $containers; do for c in $containers; do
volumes=`docker inspect --format '{{ .Volumes }}' $c` volumes="$(docker inspect --format '{{ .Volumes }}' $c)"
if [ "$volumes" = "map[]" ]; then if [ "$volumes" = "map[]" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
@ -36,7 +36,7 @@ set +f; unset IFS
# 6.6 # 6.6
check_6_6="6.6 - Avoid image sprawl" check_6_6="6.6 - Avoid image sprawl"
images=`docker images | wc -l | awk '{print $1}'` images="$(docker images | wc -l | awk '{print $1}')"
if [ $images -gt 100 ]; then if [ $images -gt 100 ]; then
warn "$check_6_6" warn "$check_6_6"
warn " * There are currently: $images images" warn " * There are currently: $images images"
@ -47,9 +47,9 @@ fi
# 6.7 # 6.7
check_6_7="6.7 - Avoid container sprawl" check_6_7="6.7 - Avoid container sprawl"
total_containers=`docker info 2>/dev/null | grep "Containers" | awk '{print $2}'` total_containers="$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')"
running_containers=`docker ps -q | wc -l | awk '{print $1}'` running_containers="$(docker ps -q | wc -l | awk '{print $1}')"
diff=`expr "$total_containers" - "$running_containers"` diff="$(expr "$total_containers" - "$running_containers")"
if [ $diff -gt 25 ]; then if [ $diff -gt 25 ]; then
warn "$check_6_7" warn "$check_6_7"
warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"