mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-19 00:32:34 +01:00
Thomas Sjögren
GitHub
commit
6829756643
2 changed files with 86 additions and 79 deletions
|
|
@ -1,22 +1,27 @@
|
|||
#!/bin/sh
|
||||
# ------------------------------------------------------------------------------
|
||||
# Docker Bench for Security v1.3.4
|
||||
# Docker Bench for Security
|
||||
#
|
||||
# Docker, Inc. (c) 2015-
|
||||
#
|
||||
# Checks for dozens of common best-practices around deploying Docker containers in production.
|
||||
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
|
||||
# ------------------------------------------------------------------------------
|
||||
|
||||
version='1.3.4'
|
||||
|
||||
# Load dependencies
|
||||
. ./functions_lib.sh
|
||||
. ./helper_lib.sh
|
||||
. ./output_lib.sh
|
||||
|
||||
# Setup the paths
|
||||
this_path=$(abspath "$0") ## Path of this file including filenamel
|
||||
this_path=$(abspath "$0") ## Path of this file including filename
|
||||
myname=$(basename "${this_path}") ## file name of this script.
|
||||
|
||||
readonly version
|
||||
readonly this_path
|
||||
readonly myname
|
||||
|
||||
export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
|
||||
|
||||
# Check for required program(s)
|
||||
|
|
@ -62,14 +67,7 @@ if [ -z "$logger" ]; then
|
|||
logger="${myname}.log"
|
||||
fi
|
||||
|
||||
yell "# ------------------------------------------------------------------------------
|
||||
# Docker Bench for Security v1.3.4
|
||||
#
|
||||
# Docker, Inc. (c) 2015-
|
||||
#
|
||||
# Checks for dozens of common best-practices around deploying Docker containers in production.
|
||||
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
|
||||
# ------------------------------------------------------------------------------"
|
||||
yell_info
|
||||
|
||||
# Warn if not root
|
||||
ID=$(id -u)
|
||||
|
|
@ -85,7 +83,7 @@ totalChecks=0
|
|||
currentScore=0
|
||||
|
||||
logit "Initializing $(date)\n"
|
||||
beginjson "1.3.4" "$(date +%s)"
|
||||
beginjson "$version" "$(date +%s)"
|
||||
|
||||
# Load all the tests from tests/ and run them
|
||||
main () {
|
||||
|
|
@ -118,15 +116,14 @@ main () {
|
|||
running_containers=1
|
||||
fi
|
||||
|
||||
for test in tests/*.sh
|
||||
do
|
||||
for test in tests/*.sh; do
|
||||
. ./"$test"
|
||||
done
|
||||
|
||||
if [ -z "$check" ] && [ ! "$checkexclude" ] ; then
|
||||
if [ -z "$check" ] && [ ! "$checkexclude" ]; then
|
||||
cis
|
||||
elif [ -z "$check" ] && [ "$checkexclude" ]; then
|
||||
checkexcluded="$(echo $checkexclude | sed 's/,/|/g')"
|
||||
checkexcluded="$(echo "$checkexclude" | sed 's/,/|/g')"
|
||||
for c in $(grep 'check_[0-9]_' functions_lib.sh | grep -vE "$checkexcluded"); do
|
||||
"$c"
|
||||
done
|
||||
|
|
|
|||
|
|
@ -32,8 +32,7 @@ do_version_check() {
|
|||
get_command_line_args() {
|
||||
PROC="$1"
|
||||
|
||||
for PID in $(pgrep -f -n "$PROC")
|
||||
do
|
||||
for PID in $(pgrep -f -n "$PROC"); do
|
||||
tr "\0" " " < /proc/"$PID"/cmdline
|
||||
done
|
||||
}
|
||||
|
|
@ -99,7 +98,7 @@ get_docker_configuration_file_args() {
|
|||
grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",
|
||||
}
|
||||
|
||||
get_systemd_service_file(){
|
||||
get_systemd_service_file() {
|
||||
SERVICE="$1"
|
||||
|
||||
if [ -f "/etc/systemd/system/$SERVICE" ]; then
|
||||
|
|
@ -110,3 +109,14 @@ get_systemd_service_file(){
|
|||
echo "/usr/lib/systemd/system/$SERVICE"
|
||||
fi
|
||||
}
|
||||
|
||||
yell_info() {
|
||||
yell "# ------------------------------------------------------------------------------
|
||||
# Docker Bench for Security v$version
|
||||
#
|
||||
# Docker, Inc. (c) 2015-
|
||||
#
|
||||
# Checks for dozens of common best-practices around deploying Docker containers in production.
|
||||
# Inspired by the CIS Docker Community Edition Benchmark v1.1.0.
|
||||
# ------------------------------------------------------------------------------"
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue