Merge pull request #300 from konstruktoid/lint

Lint and yell function
This commit is contained in:
Thomas Sjögren 2018-05-10 15:43:30 +02:00 committed by GitHub
commit 6829756643
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 86 additions and 79 deletions


@ -1,22 +1,27 @@
#!/bin/sh #!/bin/sh
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Docker Bench for Security v1.3.4 # Docker Bench for Security
# #
# Docker, Inc. (c) 2015- # Docker, Inc. (c) 2015-
# #
# Checks for dozens of common best-practices around deploying Docker containers in production. # Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
version='1.3.4'
# Load dependencies # Load dependencies
. ./functions_lib.sh . ./functions_lib.sh
. ./helper_lib.sh . ./helper_lib.sh
. ./output_lib.sh . ./output_lib.sh
# Setup the paths # Setup the paths
this_path=$(abspath "$0") ## Path of this file including filenamel this_path=$(abspath "$0") ## Path of this file including filename
myname=$(basename "${this_path}") ## file name of this script. myname=$(basename "${this_path}") ## file name of this script.
readonly version
readonly this_path
readonly myname
export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/ export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
# Check for required program(s) # Check for required program(s)
@ -62,20 +67,13 @@ if [ -z "$logger" ]; then
logger="${myname}.log" logger="${myname}.log"
fi fi
yell "# ------------------------------------------------------------------------------ yell_info
# Docker Bench for Security v1.3.4
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------"
# Warn if not root # Warn if not root
ID=$(id -u) ID=$(id -u)
if [ "x$ID" != "x0" ]; then if [ "x$ID" != "x0" ]; then
warn "Some tests might require root to run" warn "Some tests might require root to run"
sleep 3 sleep 3
fi fi
# Total Score # Total Score
@ -85,7 +83,7 @@ totalChecks=0
currentScore=0 currentScore=0
logit "Initializing $(date)\n" logit "Initializing $(date)\n"
beginjson "1.3.4" "$(date +%s)" beginjson "$version" "$(date +%s)"
# Load all the tests from tests/ and run them # Load all the tests from tests/ and run them
main () { main () {
@ -118,15 +116,14 @@ main () {
running_containers=1 running_containers=1
fi fi
for test in tests/*.sh for test in tests/*.sh; do
do . ./"$test"
. ./"$test"
done done
if [ -z "$check" ] && [ ! "$checkexclude" ] ; then if [ -z "$check" ] && [ ! "$checkexclude" ]; then
cis cis
elif [ -z "$check" ] && [ "$checkexclude" ]; then elif [ -z "$check" ] && [ "$checkexclude" ]; then
checkexcluded="$(echo $checkexclude | sed 's/,/|/g')" checkexcluded="$(echo "$checkexclude" | sed 's/,/|/g')"
for c in $(grep 'check_[0-9]_' functions_lib.sh | grep -vE "$checkexcluded"); do for c in $(grep 'check_[0-9]_' functions_lib.sh | grep -vE "$checkexcluded"); do
"$c" "$c"
done done
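Review bot: The now-quoted `"$checkexclude"` on the checkexcluded line is still consumed as an unanchored extended regex by `grep -vE` two lines below it, so excluding `check_1` also drops `check_1_1`, `check_1_2` and every other check whose name contains that substring, and a value containing regex metacharacters such as `.` silently excludes everything. If the option (presumably user-supplied, parsed earlier in the file) is meant to take exact check names, whole-word matching narrows it without changing the comma-to-pipe conversion: `for c in $(grep 'check_[0-9]_' functions_lib.sh | grep -vwE "$checkexcluded"); do`. A run whose filtered list ends up empty currently produces no diagnostic, so a `warn "No checks selected after applying exclusions"` in that case would make an over-broad exclusion visible in the log. main() begins and ends outside this hunk, and what the grep on functions_lib.sh actually yields per line is not visible in the diff.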


@ -8,34 +8,33 @@ auditrules="/etc/audit/audit.rules"
# Compares versions of software of the format X.Y.Z # Compares versions of software of the format X.Y.Z
do_version_check() { do_version_check() {
[ "$1" = "$2" ] && return 10 [ "$1" = "$2" ] && return 10
ver1front=$(printf "%s" "$1" | cut -d "." -f -1) ver1front=$(printf "%s" "$1" | cut -d "." -f -1)
ver1back=$(printf "%s" "$1" | cut -d "." -f 2-) ver1back=$(printf "%s" "$1" | cut -d "." -f 2-)
ver2front=$(printf "%s" "$2" | cut -d "." -f -1) ver2front=$(printf "%s" "$2" | cut -d "." -f -1)
ver2back=$(printf "%s" "$2" | cut -d "." -f 2-) ver2back=$(printf "%s" "$2" | cut -d "." -f 2-)
if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then
[ "$ver1front" -gt "$ver2front" ] && return 11 [ "$ver1front" -gt "$ver2front" ] && return 11
[ "$ver1front" -lt "$ver2front" ] && return 9 [ "$ver1front" -lt "$ver2front" ] && return 9
[ "$ver1front" = "$1" ] || [ -z "$ver1back" ] && ver1back=0 [ "$ver1front" = "$1" ] || [ -z "$ver1back" ] && ver1back=0
[ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0 [ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0
do_version_check "$ver1back" "$ver2back" do_version_check "$ver1back" "$ver2back"
return $? return $?
else else
[ "$1" -gt "$2" ] && return 11 || return 9 [ "$1" -gt "$2" ] && return 11 || return 9
fi fi
} }
# Extracts commandline args from the newest running processes named like the first parameter # Extracts commandline args from the newest running processes named like the first parameter
get_command_line_args() { get_command_line_args() {
PROC="$1" PROC="$1"
for PID in $(pgrep -f -n "$PROC") for PID in $(pgrep -f -n "$PROC"); do
do tr "\0" " " < /proc/"$PID"/cmdline
tr "\0" " " < /proc/"$PID"/cmdline done
done
} }
# Extract the cumulative command line arguments for the docker daemon # Extract the cumulative command line arguments for the docker daemon
@ -44,33 +43,33 @@ get_command_line_args() {
# Accounts for long and short variants, call with short option. # Accounts for long and short variants, call with short option.
# Does not account for option defaults or implicit options. # Does not account for option defaults or implicit options.
get_docker_cumulative_command_line_args() { get_docker_cumulative_command_line_args() {
OPTION="$1" OPTION="$1"
if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then
line_arg="docker daemon" line_arg="docker daemon"
else else
line_arg="dockerd" line_arg="dockerd"
fi fi
get_command_line_args "$line_arg" | get_command_line_args "$line_arg" |
# normalize known long options to their short versions # normalize known long options to their short versions
sed \ sed \
-e 's/\-\-debug/-D/g' \ -e 's/\-\-debug/-D/g' \
-e 's/\-\-host/-H/g' \ -e 's/\-\-host/-H/g' \
-e 's/\-\-log-level/-l/g' \ -e 's/\-\-log-level/-l/g' \
-e 's/\-\-version/-v/g' \ -e 's/\-\-version/-v/g' \
| |
# normalize parameters separated by space(s) to -O=VALUE # normalize parameters separated by space(s) to -O=VALUE
sed \ sed \
-e 's/\-\([DHlv]\)[= ]\([^- ][^ ]\)/-\1=\2/g' \ -e 's/\-\([DHlv]\)[= ]\([^- ][^ ]\)/-\1=\2/g' \
| |
# get the last interesting option # get the last interesting option
tr ' ' "\n" | tr ' ' "\n" |
grep "^${OPTION}" | grep "^${OPTION}" |
# normalize quoting of values # normalize quoting of values
sed \ sed \
-e 's/"//g' \ -e 's/"//g' \
-e "s/'//g" -e "s/'//g"
} }
# Extract the effective command line arguments for the docker daemon # Extract the effective command line arguments for the docker daemon
@ -79,34 +78,45 @@ get_docker_cumulative_command_line_args() {
# Accounts for long and short variants, call with short option # Accounts for long and short variants, call with short option
# Does not account for option default or implicit options. # Does not account for option default or implicit options.
get_docker_effective_command_line_args() { get_docker_effective_command_line_args() {
OPTION="$1" OPTION="$1"
get_docker_cumulative_command_line_args "$OPTION" | tail -n1 get_docker_cumulative_command_line_args "$OPTION" | tail -n1
} }
get_docker_configuration_file_args() { get_docker_configuration_file_args() {
OPTION="$1" OPTION="$1"
FILE="$(get_docker_effective_command_line_args '--config-file' | \ FILE="$(get_docker_effective_command_line_args '--config-file' | \
sed 's/.*=//g')" sed 's/.*=//g')"
if [ -f "$FILE" ]; then if [ -f "$FILE" ]; then
CONFIG_FILE="$FILE" CONFIG_FILE="$FILE"
elif [ -f '/etc/docker/daemon.json' ]; then elif [ -f '/etc/docker/daemon.json' ]; then
CONFIG_FILE='/etc/docker/daemon.json' CONFIG_FILE='/etc/docker/daemon.json'
else else
CONFIG_FILE='/dev/null' CONFIG_FILE='/dev/null'
fi fi
grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \", grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",
} }
get_systemd_service_file(){ get_systemd_service_file() {
SERVICE="$1" SERVICE="$1"
if [ -f "/etc/systemd/system/$SERVICE" ]; then if [ -f "/etc/systemd/system/$SERVICE" ]; then
echo "/etc/systemd/system/$SERVICE" echo "/etc/systemd/system/$SERVICE"
elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//' systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
else else
echo "/usr/lib/systemd/system/$SERVICE" echo "/usr/lib/systemd/system/$SERVICE"
fi fi
}
yell_info() {
yell "# ------------------------------------------------------------------------------
# Docker Bench for Security v$version
#
# Docker, Inc. (c) 2015-
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
# ------------------------------------------------------------------------------"
} }
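Review bot: `yell_info` in the last hunk reads `$version`, a global this library never sets; it works only because docker-bench-security.sh assigns `version` before sourcing helper_lib.sh, and any other caller that sources this file on its own would print a banner ending in a bare `v`. A header comment above the function would record that contract, e.g. `# Prints the program banner. Requires $version, which docker-bench-security.sh sets before sourcing this library; yell comes from output_lib.sh` (the output_lib.sh attribution is my inference, since yell's definition is not in this diff). Adding `: "${version:?version must be set before calling yell_info}"` as the function's first line turns a missing value into an explicit error rather than a banner with no version. The function is complete within the hunk.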