From 6f574b07c1a9a8f4c1381801e9f8c5ccaf5075c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 25 May 2021 20:49:45 +0200
Subject: [PATCH] initial commit of tests/3_docker_daemon_configuration_files.sh v1.3.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 tests/3_docker_daemon_configuration_files.sh | 212 ++++++++++++-------
 1 file changed, 131 insertions(+), 81 deletions(-)
diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh
index 6d8c984..ea7b759 100644
--- a/tests/3_docker_daemon_configuration_files.sh
+++ b/tests/3_docker_daemon_configuration_files.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 check_3() {
   logit ""
@@ -11,15 +11,15 @@ check_3() {
 check_3_1() {
   local id="3.1"
-  local desc="Ensure that the docker.service file ownership is set to root:root (Scored)"
+  local desc="Ensure that the docker.service file ownership is set to root:root (Automated)"
   local remediation="Find out the file location: systemctl show -p FragmentPath docker.service. If the file does not exist, this recommendation is not applicable. If the file does exist, you should run the command chown root:root , in order to set the ownership and group ownership for the file to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
-  file="$(get_service_file docker.service)"
+  file=$(get_service_file docker.service)
   if [ -f "$file" ]; then
-    if [ "$(stat -c %u%g $file)" -eq 00 ]; then
+    if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
       pass -s "$check"
       logcheckresult "PASS"
       return
@@ -36,15 +36,15 @@ check_3_1() {
 check_3_2() {
   local id="3.2"
-  local desc="Ensure that docker.service file permissions are appropriately set (Scored)"
+  local desc="Ensure that docker.service file permissions are appropriately set (Automated)"
   local remediation="Find out the file location: systemctl show -p FragmentPath docker.service. If the file does not exist, this recommendation is not applicable. If the file exists, run the command chmod 644 to set the file permissions to 644."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
-  file="$(get_service_file docker.service)"
+  file=$(get_service_file docker.service)
   if [ -f "$file" ]; then
-    if [ "$(stat -c %a $file)" -le 644 ]; then
+    if [ "$(stat -c %a "$file")" -le 644 ]; then
       pass -s "$check"
       logcheckresult "PASS"
       return
@@ -61,15 +61,15 @@ check_3_2() {
 check_3_3() {
   local id="3.3"
-  local desc="Ensure that docker.socket file ownership is set to root:root (Scored)"
+  local desc="Ensure that docker.socket file ownership is set to root:root (Automated)"
   local remediation="Find out the file location: systemctl show -p FragmentPath docker.socket. If the file does not exist, this recommendation is not applicable. If the file exists, run the command chown root:root to set the ownership and group ownership for the file to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
-  file="$(get_service_file docker.socket)"
+  file=$(get_service_file docker.socket)
   if [ -f "$file" ]; then
-    if [ "$(stat -c %u%g $file)" -eq 00 ]; then
+    if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
       pass -s "$check"
       logcheckresult "PASS"
       return
@@ -86,15 +86,15 @@ check_3_3() {
 check_3_4() {
   local id="3.4"
-  local desc="Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)"
+  local desc="Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)"
   local remediation="Find out the file location: systemctl show -p FragmentPath docker.socket. If the file does not exist, this recommendation is not applicable. If the file does exist, you should run the command chmod 644 to set the file permissions to 644."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
-  file="$(get_service_file docker.socket)"
+  file=$(get_service_file docker.socket)
   if [ -f "$file" ]; then
-    if [ "$(stat -c %a $file)" -le 644 ]; then
+    if [ "$(stat -c %a "$file")" -le 644 ]; then
       pass -s "$check"
       logcheckresult "PASS"
       return
@@ -111,10 +111,10 @@ check_3_4() {
 check_3_5() {
   local id="3.5"
-  local desc="Ensure that the /etc/docker directory ownership is set to root:root (Scored)"
+  local desc="Ensure that the /etc/docker directory ownership is set to root:root (Automated)"
   local remediation="You should run the following command: chown root:root /etc/docker. This sets the ownership and group ownership for the directory to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   directory="/etc/docker"
@@ -136,10 +136,10 @@ check_3_5() {
 check_3_6() {
   local id="3.6"
-  local desc="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)"
+  local desc="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)"
   local remediation="You should run the following command: chmod 755 /etc/docker. This sets the permissions for the directory to 755."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   directory="/etc/docker"
@@ -161,10 +161,10 @@ check_3_6() {
 check_3_7() {
   local id="3.7"
-  local desc="Ensure that registry certificate file ownership is set to root:root (Scored)"
+  local desc="Ensure that registry certificate file ownership is set to root:root (Automated)"
   local remediation="You should run the following command: chown root:root /etc/docker/certs.d//*. This would set the individual ownership and group ownership for the registry certificate files to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   directory="/etc/docker/certs.d/"
@@ -172,7 +172,7 @@ check_3_7() {
     fail=0
     owners=$(find "$directory" -type f -name '*.crt')
     for p in $owners; do
-      if [ "$(stat -c %u $p)" -ne 0 ]; then
+      if [ "$(stat -c %u "$p")" -ne 0 ]; then
         fail=1
       fi
     done
@@ -193,10 +193,10 @@ check_3_7() {
 check_3_8() {
   local id="3.8"
-  local desc="Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)"
+  local desc="Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)"
   local remediation="You should run the following command: chmod 444 /etc/docker/certs.d//*. This would set the permissions for the registry certificate files to 444."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   directory="/etc/docker/certs.d/"
@@ -204,7 +204,7 @@ check_3_8() {
     fail=0
     perms=$(find "$directory" -type f -name '*.crt')
     for p in $perms; do
-      if [ "$(stat -c %a $p)" -gt 444 ]; then
+      if [ "$(stat -c %a "$p")" -gt 444 ]; then
         fail=1
       fi
     done
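Review bot: Quoting `"$p"` in the stat calls of hunks @@ -172 and @@ -204 does not make these loops safe for certificate paths containing whitespace, because `for p in $owners` / `for p in $perms` already word-splits the unquoted `find` output on the line above; such a path arrives in two fragments, `stat` fails on each, and the `[ "" -ne 0 ]` / `[ "" -gt 444 ]` test then errors out as false, so `fail` is never set and the file is effectively skipped. Now that the file runs under bash, iterate the find output line by line instead: `while IFS= read -r p; do` … `done < <(find "$directory" -type f -name '*.crt')`. check_3_7 and check_3_8 both start before and end after their respective loop hunks.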
@@ -225,10 +225,10 @@ check_3_8() {
 check_3_9() {
   local id="3.9"
-  local desc="Ensure that TLS CA certificate file ownership is set to root:root (Scored)"
+  local desc="Ensure that TLS CA certificate file ownership is set to root:root (Automated)"
   local remediation="You should run the following command: chown root:root . This sets the individual ownership and group ownership for the TLS CA certificate file to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
@@ -253,10 +253,10 @@ check_3_9() {
 check_3_10() {
   local id="3.10"
-  local desc="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)"
+  local desc="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)"
   local remediation="You should run the following command: chmod 444 . This sets the file permissions on the TLS CA file to 444."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
@@ -264,7 +264,7 @@ check_3_10() {
     tlscacert=$(get_docker_configuration_file_args 'tlscacert')
   fi
   if [ -f "$tlscacert" ]; then
-    if [ "$(stat -c %a $tlscacert)" -le 444 ]; then
+    if [ "$(stat -c %a "$tlscacert")" -le 444 ]; then
       pass -s "$check"
       logcheckresult "PASS"
       return
@@ -281,10 +281,10 @@ check_3_10() {
 check_3_11() {
   local id="3.11"
-  local desc="Ensure that Docker server certificate file ownership is set to root:root (Scored)"
+  local desc="Ensure that Docker server certificate file ownership is set to root:root (Automated)"
   local remediation="You should run the following command: chown root:root . This sets the individual ownership and the group ownership for the Docker server certificate file to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
@@ -309,10 +309,10 @@ check_3_11() {
 check_3_12() {
   local id="3.12"
-  local desc="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)"
+  local desc="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)"
   local remediation="You should run the following command: chmod 444 . This sets the file permissions of the Docker server certificate file to 444."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
@@ -320,7 +320,7 @@ check_3_12() {
     tlscert=$(get_docker_configuration_file_args 'tlscert')
   fi
   if [ -f "$tlscert" ]; then
-    if [ "$(stat -c %a $tlscert)" -le 444 ]; then
+    if [ "$(stat -c %a "$tlscert")" -le 444 ]; then
       pass -s "$check"
       logcheckresult "PASS"
       return
@@ -337,10 +337,10 @@ check_3_12() {
 check_3_13() {
   local id="3.13"
-  local desc="Ensure that the Docker server certificate key file ownership is set to root:root (Scored)"
+  local desc="Ensure that the Docker server certificate key file ownership is set to root:root (Automated)"
   local remediation="You should run the following command: chown root:root . This sets the individual ownership and group ownership for the Docker server certificate key file to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
@@ -365,10 +365,10 @@ check_3_13() {
 check_3_14() {
   local id="3.14"
-  local desc="Ensure that the Docker server certificate key file permissions are set to 400 (Scored)"
+  local desc="Ensure that the Docker server certificate key file permissions are set to 400 (Automated)"
   local remediation="You should run the following command: chmod 400 . This sets the Docker server certificate key file permissions to 400."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
@@ -376,7 +376,7 @@ check_3_14() {
     tlskey=$(get_docker_configuration_file_args 'tlskey')
   fi
   if [ -f "$tlskey" ]; then
-    if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
+    if [ "$(stat -c %a "$tlskey")" -eq 400 ]; then
       pass -s "$check"
       logcheckresult "PASS"
       return
@@ -393,10 +393,10 @@ check_3_14() {
 check_3_15() {
   local id="3.15"
-  local desc="Ensure that the Docker socket file ownership is set to root:docker (Scored)"
+  local desc="Ensure that the Docker socket file ownership is set to root:docker (Automated)"
   local remediation="You should run the following command: chown root:docker /var/run/docker.sock. This sets the ownership to root and group ownership to docker for the default Docker socket file."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   file="/var/run/docker.sock"
@@ -418,10 +418,10 @@ check_3_15() {
 check_3_16() {
   local id="3.16"
-  local desc="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)"
+  local desc="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)"
   local remediation="You should run the following command: chmod 660 /var/run/docker.sock. This sets the file permissions of the Docker socket file to 660."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   file="/var/run/docker.sock"
@@ -443,10 +443,10 @@ check_3_16() {
 check_3_17() {
   local id="3.17"
-  local desc="Ensure that the daemon.json file ownership is set to root:root (Scored)"
+  local desc="Ensure that the daemon.json file ownership is set to root:root (Automated)"
   local remediation="You should run the following command: chown root:root /etc/docker/daemon.json. This sets the ownership and group ownership for the file to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   file="/etc/docker/daemon.json"
@@ -468,10 +468,10 @@ check_3_17() {
 check_3_18() {
   local id="3.18"
-  local desc="Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)"
+  local desc="Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)"
   local remediation="You should run the following command: chmod 644 /etc/docker/daemon.json. This sets the file permissions for this file to 644."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   file="/etc/docker/daemon.json"
@@ -493,10 +493,10 @@ check_3_18() {
 check_3_19() {
   local id="3.19"
-  local desc="Ensure that the /etc/default/docker file ownership is set to root:root (Scored)"
+  local desc="Ensure that the /etc/default/docker file ownership is set to root:root (Automated)"
   local remediation="You should run the following command: chown root:root /etc/default/docker. This sets the ownership and group ownership of the file to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   file="/etc/default/docker"
@@ -518,10 +518,35 @@ check_3_19() {
 check_3_20() {
   local id="3.20"
-  local desc="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)"
+  local desc="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)"
+  local remediation="You should run the following command: chmod 644 /etc/sysconfig/docker. This sets the file permissions for this file to 644."
+  local remediationImpact="None."
+  local check="$id - $desc"
+  starttestjson "$id" "$desc"
+
+  file="/etc/sysconfig/docker"
+  if [ -f "$file" ]; then
+    if [ "$(stat -c %a $file)" -le 644 ]; then
+      pass -s "$check"
+      logcheckresult "PASS"
+      return
+    fi
+    warn -s "$check"
+    warn " * Wrong permissions for $file"
+    logcheckresult "WARN" "Wrong permissions for $file"
+    return
+  fi
+  info -c "$check"
+  info " * File not found"
+  logcheckresult "INFO" "File not found"
+}
+
+check_3_21() {
+  local id="3.21"
+  local desc="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)"
   local remediation="You should run the following command: chown root:root /etc/sysconfig/docker. This sets the ownership and group ownership for the file to root."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   file="/etc/sysconfig/docker"
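Review bot: The relocated body of check_3_20 keeps the unquoted `$file` in `stat -c %a $file`, which contradicts the quoting this same commit adds to every other stat call; the new check_3_23 and check_3_24 at the end of the file carry the same unquoted form. It is harmless while the path is the literal `/etc/sysconfig/docker`, but the file should be uniform: `if [ "$(stat -c %a "$file")" -le 644 ]; then`. Note also that the decimal `-le 644` comparison only approximates "644 or more restrictive": modes such as 606 or 611 pass it although they grant world read or execute, and since the file now runs under bash an exact bit test is available, `if [ $(( 8#$(stat -c %a "$file") & 8#133 )) -eq 0 ]; then`. The new check_3_21 continues past the end of this hunk.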
@@ -541,37 +566,12 @@ check_3_20() {
   logcheckresult "INFO" "File not found"
 }
-check_3_21() {
-  local id="3.21"
-  local desc="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)"
-  local remediation="You should run the following command: chmod 644 /etc/sysconfig/docker. This sets the file permissions for this file to 644."
-  local remediationImpact="None."
-  local check="$id - $desc"
-  starttestjson "$id" "$desc"
-
-  file="/etc/sysconfig/docker"
-  if [ -f "$file" ]; then
-    if [ "$(stat -c %a $file)" -le 644 ]; then
-      pass -s "$check"
-      logcheckresult "PASS"
-      return
-    fi
-    warn -s "$check"
-    warn " * Wrong permissions for $file"
-    logcheckresult "WARN" "Wrong permissions for $file"
-    return
-  fi
-  info -c "$check"
-  info " * File not found"
-  logcheckresult "INFO" "File not found"
-}
-
 check_3_22() {
   local id="3.22"
-  local desc="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)"
+  local desc="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)"
   local remediation="You should run the following command: chmod 644 /etc/default/docker. This sets the file permissions for this file to 644."
   local remediationImpact="None."
-  local check="$id - $desc"
+  local check="$id - $desc"
   starttestjson "$id" "$desc"
   file="/etc/default/docker"
@@ -591,6 +591,56 @@ check_3_22() {
   logcheckresult "INFO" "File not found"
 }
+check_3_23() {
+  local id="3.23"
+  local desc="Ensure that the Containerd socket file ownership is set to root:root (Automated)"
+  local remediation="You should run the following command: chown root:root /run/containerd/containerd.sock. This sets the ownership and group ownership for the file to root."
+  local remediationImpact="None."
+  local check="$id - $desc"
+  starttestjson "$id" "$desc"
+
+  file="/run/containerd/containerd.sock"
+  if [ -f "$file" ]; then
+    if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
+      pass -s "$check"
+      logcheckresult "PASS"
+      return
+    fi
+    warn -s "$check"
+    warn " * Wrong ownership for $file"
+    logcheckresult "WARN" "Wrong ownership for $file"
+    return
+  fi
+  info -c "$check"
+  info " * File not found"
+  logcheckresult "INFO" "File not found"
+}
+
+check_3_24() {
+  local id="3.24"
+  local desc="Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)"
+  local remediation="You should run the following command: chmod 660 /run/containerd/containerd.sock. This sets the file permissions for this file to 660."
+  local remediationImpact="None."
+  local check="$id - $desc"
+  starttestjson "$id" "$desc"
+
+  file="/run/containerd/containerd.sock"
+  if [ -f "$file" ]; then
+    if [ "$(stat -c %a $file)" -le 660 ]; then
+      pass -s "$check"
+      logcheckresult "PASS"
+      return
+    fi
+    warn -s "$check"
+    warn " * Wrong permissions for $file"
+    logcheckresult "WARN" "Wrong permissions for $file"
+    return
+  fi
+  info -c "$check"
+  info " * File not found"
+  logcheckresult "INFO" "File not found"
+}
+
 check_3_end() {
   endsectionjson
 }
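Review bot: `[ -f "$file" ]` in the new check_3_23 and check_3_24 is false for a Unix domain socket, because `-f` matches only regular files, so on a host where `/run/containerd/containerd.sock` exists both checks skip the ownership and permission tests and log `INFO "File not found"` instead of evaluating the socket. The existence test should be the socket predicate in both functions: `if [ -S "$file" ]; then`. As in the other new check bodies, `$file` inside the stat calls should be quoted, `stat -c %U:%G "$file"` and `stat -c %a "$file"`, to match the rest of the commit. The `-le 660` comparison also admits modes such as 606 that grant world read/write, which the decimal comparison does not detect.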