From 6c586b4e08f7a81f3510a9fb2cd4b7c1b113997d Mon Sep 17 00:00:00 2001
From: Razvan Stoica
Date: Wed, 10 Mar 2021 21:47:52 +0200
Subject: [PATCH] Print remediation measures at the end of the logs
---
 docker-bench-security.sh | 10 +-
 output_lib.sh | 50 ++++++++-
 tests/1_host_configuration.sh | 110 ++++++++----------
 tests/2_docker_daemon_configuration.sh | 9 +-
 tests/3_docker_daemon_configuration_files.sh | 6 +-
 tests/4_container_images.sh | 9 +-
 tests/5_container_runtime.sh | 6 +-
 tests/6_docker_security_operations.sh | 6 +-
 tests/7_docker_swarm_configuration.sh | 6 +-
 tests/8_docker_enterprise_configuration.sh | 7 +-
 tests/99_community_checks.sh | 6 +-
 11 files changed, 128 insertions(+), 97 deletions(-)
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 1773d88..f8849ba 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -109,6 +109,9 @@ beginjson "$version" "$(date +%s)"
 # Load all the tests from tests/ and run them
 main () {
+ logit "\n${bldylw}Section A - Checks result${txtrsr}"
+ globalRemediation=""
+
 # Get configuration location
 get_docker_configuration_file
@@ -193,9 +196,12 @@ main () {
 fi
 done
- printf "\n"
+ logit "\n\n${bldylw}Section B - Remediation measures${txtrst}"
+ logit "${globalRemediation}"
+
+ logit "\n\n${bldylw}Section C - Score${txtrst}\n"
 info "Checks: $totalChecks"
- info "Score: $currentScore"
+ info "Score: $currentScore\n"
 endjson "$totalChecks" "$currentScore" "$(date +%s)"
 }
diff --git a/output_lib.sh b/output_lib.sh
index 0e4c6a0..29083ba 100644
--- a/output_lib.sh
+++ b/output_lib.sh
@@ -7,10 +7,10 @@ if [ -n "$nocolor" ] && [ "$nocolor" = "nocolor" ]; then
 bldylw=''
 txtrst=''
 else
- bldred='\033[1;31m'
- bldgrn='\033[1;32m'
- bldblu='\033[1;34m'
- bldylw='\033[1;33m' # Yellow
+ bldred='\033[1;31m' # Bold Red
+ bldgrn='\033[1;32m' # Bold Green
+ bldblu='\033[1;34m' # Bold Blue
+ bldylw='\033[1;33m' # Bold Yellow
 txtrst='\033[0m'
 fi
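Review bot: The Section A header on the first added line of main() expands `${txtrsr}`, which neither this patch nor output_lib.sh defines (output_lib.sh defines `txtrst`), so no reset sequence is emitted and the bold-yellow attribute set by `${bldylw}` stays active on everything logged after it until some later reset. It is a one-character typo: `logit "\n${bldylw}Section A - Checks result${txtrst}"`. The body of main() continues outside this hunk.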
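Review bot: Section B is printed unconditionally, so a run with no WARN results logs the header followed by an empty line, and when there are results the first line under the header is blank because every entry saveRemediation builds starts with `\n`. Wrapping the two calls in `if [ -n "${globalRemediation}" ]; then … fi`, with a one-line "no remediation measures" message in the else branch, keeps the section meaningful in both cases. This assumes logit interprets `\n` escapes, which the `logit "\n"` calls removed elsewhere in this patch suggest it does. The start of main() is outside this hunk.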
@@ -111,3 +111,45 @@ resulttestjson() {
 fi
 printf "}" | tee -a "$logger.json" 2>/dev/null 1>&2
 }
+
+saveRemediation() {
+ local id remediation remediationImpact
+ while [ "${1}" ]; do
+ case "${1}" in
+ --id)
+ id="${2}"
+ shift
+ ;;
+ --rem)
+ remediation="${2}"
+ shift
+ ;;
+ --imp)
+ remediationImpact="${2}"
+ shift
+ ;;
+ *)
+ echo "Unknown parameter: ${1}" >&2
+ return 1
+ esac
+ if ! shift; then
+ echo 'Missing parameter argument.' >&2
+ return 1
+ fi
+ done
+
+ if [ -n "${remediation}" ]; then
+ if [ -n "${checkHeader}" ]; then
+ if [ -n "${addSpaceHeader}" ]; then
+ globalRemediation="${globalRemediation}\n"
+ fi
+ globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${checkHeader}"
+ checkHeader=""
+ addSpaceHeader="1"
+ fi
+ globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${id} - ${remediation}"
+ if [ -n "${remediationImpact}" ]; then
+ globalRemediation="${globalRemediation} Impact: ${remediationImpact}"
+ fi
+ fi
+}
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index b2aa611..9069d33 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -4,13 +4,12 @@ check_1() {
 logit ""
 local id="1"
 local desc="Host Configuration"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }
 check_1_1() {
- logit ""
 local id="1.1"
 local desc="General Configuration"
 local check="$id - $desc"
@@ -58,7 +57,6 @@ check_1_1_2() {
 }
 check_1_2() {
- logit ""
 local id="1.2"
 local desc="Linux Hosts Specific Configuration"
 local check="$id - $desc"
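Review bot: saveRemediation carries no header comment, yet it is the only writer of `globalRemediation` and the consumer of `checkHeader` and `addSpaceHeader`, all globals shared with main() and with every section function in tests/*.sh; a reader of output_lib.sh cannot recover that contract from the code. A short header would do: `# saveRemediation --id ID --rem TEXT [--imp TEXT]`, `# Appends one remediation line to globalRemediation (printed by main() as Section B);`, `# emits the pending checkHeader once per section and uses addSpaceHeader to separate sections.`. Two points of style: the `*)` arm falls straight into `esac` without the `;;` the other arms use, and `while [ "${1}" ]` reads more clearly as `while [ $# -gt 0 ]; do`, which tests the argument count rather than the value of the next word.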
@@ -69,7 +67,7 @@ check_1_2() {
 check_1_2_1() {
 local id="1.2.1"
 local desc="Ensure a separate partition for containers has been created (Scored)"
- local remediation="For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition."
+ local remediation="For new installations, you should create a separate partition for the \"/var/lib/docker\" mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -85,7 +83,7 @@ check_1_2_1() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
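Review bot: The second hunk passes `--imp "${remediationImpact}"` from check_1_2_1, but the first hunk shows the function declaring only `remediation`; the call works today only because the variable is unset in this caller, and since every other check in the file declares it `local`, a future non-local assignment anywhere in the run would leak a stale impact text into this entry. Either add `local remediationImpact=""` next to the `remediation` declaration or drop the `--imp` argument here, since saveRemediation already skips an empty impact. Both hunks are fragments of check_1_2_1, whose body continues outside them.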
@@ -116,8 +114,8 @@ check_1_2_2() {
 check_1_2_3() {
 local id="1.2.3"
 local desc="Ensure auditing is configured for the Docker daemon (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /usr/bin/dockerd -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w /usr/bin/dockerd -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -130,8 +128,7 @@ check_1_2_3() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -141,8 +138,7 @@ check_1_2_3() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -152,8 +148,8 @@ check_1_2_3() {
 check_1_2_4() {
 local id="1.2.4"
 local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /var/lib/docker -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w /var/lib/docker -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -167,8 +163,7 @@ check_1_2_4() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -178,8 +173,7 @@ check_1_2_4() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -195,8 +189,8 @@ check_1_2_4() {
 check_1_2_5() {
 local id="1.2.5"
 local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /etc/docker -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w /etc/docker -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -210,8 +204,7 @@ check_1_2_5() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -221,8 +214,7 @@ check_1_2_5() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -238,8 +230,8 @@ fi
 check_1_2_6() {
 local id="1.2.6"
 local desc="Ensure auditing is configured for Docker files and directories - docker.service (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w $(systemctl show -p FragmentPath docker.service | sed 's/.*=//') -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w $(systemctl show -p FragmentPath docker.service | sed 's/.*=//') -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -253,8 +245,7 @@ check_1_2_6() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -264,8 +255,7 @@ check_1_2_6() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -281,8 +271,8 @@ check_1_2_6() {
 check_1_2_7() {
 local id="1.2.7"
 local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w $(systemctl show -p FragmentPath docker.socket | sed 's/.*=//') -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w $(systemctl show -p FragmentPath docker.socket | sed 's/.*=//') -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -296,8 +286,7 @@ check_1_2_7() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -307,8 +296,7 @@ check_1_2_7() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -324,8 +312,8 @@ check_1_2_7() {
 check_1_2_8() {
 local id="1.2.8"
 local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /etc/default/docker -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w /etc/default/docker -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -339,8 +327,7 @@ check_1_2_8() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -350,8 +337,7 @@ check_1_2_8() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -367,8 +353,8 @@ check_1_2_8() {
 check_1_2_9() {
 local id="1.2.9"
 local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /etc/sysconfig/docker -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w /etc/sysconfig/docker -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -382,8 +368,7 @@ check_1_2_9() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -393,8 +378,7 @@ check_1_2_9() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -410,8 +394,8 @@ check_1_2_9() {
 check_1_2_10() {
 local id="1.2.10"
 local desc="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /etc/docker/daemon.json -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w /etc/docker/daemon.json -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -425,8 +409,7 @@ check_1_2_10() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -436,8 +419,7 @@ check_1_2_10() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -453,8 +435,8 @@ check_1_2_10() {
 check_1_2_11() {
 local id="1.2.11"
 local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /usr/bin/containerd -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w /usr/bin/containerd -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -468,8 +450,7 @@ check_1_2_11() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -479,8 +460,7 @@ check_1_2_11() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -496,8 +476,8 @@ check_1_2_11() {
 check_1_2_12() {
 local id="1.2.12"
 local desc="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)"
- local remediation="Install and configure auditd using the following command: sudo apt-get install auditd. Add the following line to the /etc/audit/rules.d/audit.rules file: -w /usr/sbin/runc -k docker. Then restart the audit daemon using the following command: service auditd restart."
- local remediationImpact="Because the audit can generate large log files, you need to make sure that they are rotated and archived periodically. It is a good idea to create a separate partition for audit logs to avoid filling up other critical partitions."
+ local remediation="Install and configure auditd using command \"sudo apt-get install auditd\". Add \"-w /usr/sbin/runc -k docker\" to the \"/etc/audit/rules.d/audit.rules\" file. Then restart the audit daemon using command \"service auditd restart\"."
+ local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -511,8 +491,7 @@ check_1_2_12() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
@@ -522,8 +501,7 @@ check_1_2_12() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
- info " * Remediation: $remediation"
- info " * Remediation impact: $remediationImpact"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh
index 3f27d5d..7836002 100644
--- a/tests/2_docker_daemon_configuration.sh
+++ b/tests/2_docker_daemon_configuration.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 check_2() {
- logit "\n"
+ logit ""
 local id="2"
 local desc="Docker daemon configuration"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }
@@ -13,6 +13,8 @@ check_2() {
 check_2_1() {
 local id="2.1"
 local desc="Ensure network traffic is restricted between containers on the default bridge (Scored)"
+ local remediation="Edit the Docker daemon configuration file to ensure that inter-container communication is disabled: \"icc\": false"
+ local remediationImpact="Inter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -27,6 +29,7 @@ check_2_1() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh
index 850948b..f5ea624 100644
--- a/tests/3_docker_daemon_configuration_files.sh
+++ b/tests/3_docker_daemon_configuration_files.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 check_3() {
- logit "\n"
+ logit ""
 local id="3"
 local desc="Docker daemon configuration files"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }
diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh
index 32deeca..beb4418 100644
--- a/tests/4_container_images.sh
+++ b/tests/4_container_images.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 check_4() {
- logit "\n"
+ logit ""
 local id="4"
 local desc="Container Images and Build File"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }
@@ -104,6 +104,8 @@ check_4_4() {
 check_4_5() {
 local id="4.5"
 local desc="Ensure Content trust for Docker is Enabled (Scored)"
+ local remediation="Add \"DOCKER_CONTENT_TRUST\" variable to the \"/etc/environment\" file using command \"echo \"DOCKER_CONTENT_TRUST=1\" | sudo tee -a /etc/environment\"."
+ local remediationImpact="This prevents users from working with tagged images unless they contain a signature."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -114,6 +116,7 @@ check_4_5() {
 currentScore=$((currentScore + 1))
 else
 warn "$check"
+ saveRemediation --id "${id}" --rem "${remediation}" --imp "${remediationImpact}"
 resulttestjson "WARN"
 currentScore=$((currentScore - 1))
 fi
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index acf0ab5..6b7955d 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 check_5() {
- logit "\n"
+ logit ""
 local id="5"
 local desc="Container Runtime"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }
diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh
index 5dbfd20..35f4f03 100644
--- a/tests/6_docker_security_operations.sh
+++ b/tests/6_docker_security_operations.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 check_6() {
- logit "\n"
+ logit ""
 local id="6"
 local desc="Docker Security Operations"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }
diff --git a/tests/7_docker_swarm_configuration.sh b/tests/7_docker_swarm_configuration.sh
index fcc987f..63b65ab 100644
--- a/tests/7_docker_swarm_configuration.sh
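Review bot: The check_4_5 remediation string in the second hunk nests double quotes inside double quotes, so the logged text reads `command "echo "DOCKER_CONTENT_TRUST=1" | sudo tee -a /etc/environment".` and a reader cannot see where the quoted command ends. Using single quotes for the inner value gives a command that can be copied as-is: `... using command \"echo 'DOCKER_CONTENT_TRUST=1' | sudo tee -a /etc/environment\"."`. The body of check_4_5 continues outside the hunk.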
+++ b/tests/7_docker_swarm_configuration.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 check_7() {
- logit "\n"
+ logit ""
 local id="7"
 local desc="Docker Swarm Configuration"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }
diff --git a/tests/8_docker_enterprise_configuration.sh b/tests/8_docker_enterprise_configuration.sh
index bb95a7d..a1d2e65 100644
--- a/tests/8_docker_enterprise_configuration.sh
+++ b/tests/8_docker_enterprise_configuration.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 check_8() {
- logit "\n"
+ logit ""
 local id="8"
 local desc="Docker Enterprise Configuration"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }
@@ -153,7 +153,6 @@ check_8_2() {
 return
 fi
- logit "\n"
 local id="8.2"
 local desc="Docker Trusted Registry Configuration"
 local check="$id - $desc"
diff --git a/tests/99_community_checks.sh b/tests/99_community_checks.sh
index e0da5e0..3a14619 100644
--- a/tests/99_community_checks.sh
+++ b/tests/99_community_checks.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 check_c() {
- logit "\n"
+ logit ""
 local id="99"
 local desc="Community contributed checks"
- local check="$id - $desc"
- info "$check"
+ checkHeader="$id - $desc"
+ info "$checkHeader"
 startsectionjson "$id" "$desc"
 }