diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..e933130 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,51 @@ +# Contributing to Docker Bench for Security + +Want to hack on Docker Bench? Awesome! Here are instructions to get you +started. + +The Docker Bench for Security is a part of the [Docker](https://www.docker.com) project, and follows +the same rules and principles. If you're already familiar with the way +Docker does things, you'll feel right at home. + +Otherwise, go read +[Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md). + +### Development Environment Setup + +The only thing you need to hack on Docker Bench for Security is a POSIX 2004 compliant shell. We try to keep the project compliant for maximum portability + +#### Start hacking + +You can build the container that wraps the docker-bench for security: +```sh +✗ git clone git@github.com:docker/docker-bench-security.git +✗ cd docker-bench-security +✗ docker build -t docker-bench-security . +``` + +Or you can simply run the shell script locally: + +```sh +✗ git clone git@github.com:docker/docker-bench-security.git +✗ cd docker-bench-security +✗ sh docker-bench-security.sh +``` + +The Docker Bench has the main script called `docker-bench-security.sh`. This is the main script that checks for all the dependencies, deals with command line arguments and loads all the tests. + +The tests are split in 6 different files: + +```sh +✗ tree tests/ +tests/ +├── 1_host_configuration.sh +├── 2_docker_daemon_configuration.sh +├── 3_docker_daemon_configuration_files.sh +├── 4_container_images.sh +├── 5_container_runtime.sh +└── 6_docker_security_operations.sh +``` + +To modify the Docker Bench for Security you should first clone the repository, make your changes, check your code with `shellcheck`, `checkbashisms` or similar tools, and then sign off on your commits. After that feel free to send us a pull-request with the changes. + +While this tool is inspired in the CIS Docker 1.6 Benchmark, feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions. diff --git a/Dockerfile b/Dockerfile index 5b948bc..0449c05 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,8 @@ -FROM gliderlabs/alpine:3.1 +FROM alpine:3.1 -RUN apk --update add docker +RUN apk update && \ + apk upgrade && \ + apk --update add docker RUN mkdir /docker-bench-security diff --git a/README.md b/README.md index bcedb95..ca3371f 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ ![Docker Bench for Security running](https://github.com/diogomonica/docker-bench-security/raw/master/benchmark_log.png?raw=true "Docker Bench for Security running") -The Docker Bench for Security is a script that checks for all the automatable tests included in the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post. +The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post. We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark. @@ -10,13 +10,16 @@ We are making this available as an open-source utility so the Docker community c We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host. -The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container: +The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container: -``` -docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ --v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \ -diogomonica/docker-bench-security +```sh +docker run -it --net host --pid host --cap-add audit_control \ + -v /var/lib:/var/lib \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v /usr/lib/systemd:/usr/lib/systemd \ + -v /etc:/etc --label docker-bench-security \ + diogomonica/docker-bench-security ``` Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below). @@ -27,19 +30,24 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v If you wish to build and run this container yourself, you can follow the following steps: -``` -git clone https://github.com/diogomonica/docker-bench-security.git -cd docker-bench-security; docker build -t docker-bench-security . -docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ --v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \ -docker-bench-security +```sh +git clone https://github.com/docker/docker-bench-security.git +cd docker-bench-security +docker build -t docker-bench-security . +docker run -it --net host --pid host --cap-add audit_control \ + -v /var/lib:/var/lib \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v /usr/lib/systemd:/usr/lib/systemd \ + -v /etc:/etc --label docker-bench-security \ + docker-bench-security ``` Also, this script can also be simply run from your base host by running: -``` -git clone https://github.com/diogomonica/docker-bench-security.git -cd docker-bench-security; sh docker-bench-security.sh +```sh +git clone https://github.com/docker/docker-bench-security.git +cd docker-bench-security +sh docker-bench-security.sh ``` This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform. diff --git a/distros/Dockerfile.alpine b/distros/Dockerfile.alpine new file mode 100644 index 0000000..76260c6 --- /dev/null +++ b/distros/Dockerfile.alpine @@ -0,0 +1,17 @@ +# REPOSITORY https://github.com/docker/docker-bench-security + +MAINTAINER dockerbench.com + +FROM alpine:3.1 + +RUN apk update && \ + apk upgrade && \ + apk --update add docker + +RUN mkdir /docker-bench-security + +COPY . /docker-bench-security + +WORKDIR /docker-bench-security + +ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] diff --git a/distros/README.md b/distros/README.md new file mode 100644 index 0000000..a5686e1 --- /dev/null +++ b/distros/README.md @@ -0,0 +1,18 @@ +# Distribution specific Dockerfiles + +## Requirements + +### Dockerfile name +The format should be `Dockerfile.{distribution name}`. + +### Keep your images up-to-date +Use the distribution package manager to keep your image up-to-date. + +### REPOSITORY +Add a `REPOSITORY` comment with the URL to your GitHub repository where the Dockerfile is present. +`# REPOSITORY ` + +### MAINTAINER +Add the `MAINTAINER` instruction and your contact details, GitHub aliases are acceptable. + +For an example Dockerfile, please refer to `Dockerfile.alpine`. diff --git a/docker-bench-security.sh b/docker-bench-security.sh old mode 100644 new mode 100755 index d2cb12c..e1e6503 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -1,10 +1,11 @@ #!/bin/sh # ------------------------------------------------------------------------------ -# CIS Docker 1.6 Benchmark v1.0.0 checker +# Docker Bench for Security v1.0.0 # # Docker, Inc. (c) 2015 # -# Provides automated tests for the CIS Docker 1.6 Benchmark: +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Inspired by the CIS Docker 1.6 Benchmark: # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # # ------------------------------------------------------------------------------ @@ -21,7 +22,7 @@ export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/ logger="${myname}.log" # Check for required program(s) -req_progs='docker netstat grep awk' +req_progs='awk docker grep netstat stat' for p in $req_progs; do command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; } done @@ -42,11 +43,12 @@ usage () { } yell "# ------------------------------------------------------------------------------ -# CIS Docker 1.6 Benchmark v1.0.0 checker +# Docker Bench for Security v1.0.0 # # Docker, Inc. (c) 2015 # -# Provides automated tests for the CIS Docker 1.6 Benchmark: +# Checks for dozens of common best-practices around deploying Docker containers in production. +# Inspired by the CIS Docker 1.6 Benchmark: # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # ------------------------------------------------------------------------------" @@ -73,11 +75,11 @@ done main () { # List all running containers containers=$(docker ps -q) - # If there is a container with label docker-bench, memorize it: + # If there is a container with label docker-bench-security, memorize it: benchcont="nil" for c in $containers; do labels=$(docker inspect --format '{{ .Config.Labels }}' "$c") - contains "$labels" "docker-bench" && benchcont="$c" + contains "$labels" "docker-bench-security" && benchcont="$c" done # List all running containers except docker-bench containers=$(docker ps -q | grep -v "$benchcont") diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index 6e2b66d..9d0b72d 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -40,9 +40,11 @@ fi # 1.6 check_1_6="1.6 - Keep Docker up to date" docker_version=$(docker version | grep 'Server version' | awk '{print $3}') -do_version_check 1.6.2 $docker_version +docker_current_version="1.7.0" +do_version_check "$docker_current_version" "$docker_version" if [ $? -eq 11 ]; then warn "$check_1_6" + warn " * Using $docker_version, when $docker_current_version is current." else pass "$check_1_6" fi @@ -71,140 +73,200 @@ fi # 1.9 check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /var/lib/docker >/dev/null 2>&1 +directory="/var/lib/docker" +if [ -d "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_9" + auditctl -l | grep $directory >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_9" + else + warn "$check_1_9" + fi else - warn "$check_1_9" + warn "1.9 - Failed to inspect: auditctl command not found." fi else - warn "1.9 - Failed to inspect: auditctl command not found." + info "$check_1_9" + info " * Directory not found" fi # 1.10 check_1_10="1.10 - Audit Docker files and directories - /etc/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/docker >/dev/null 2>&1 +directory="/etc/docker" +if [ -d "$directory" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_10" + auditctl -l | grep $directory >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_10" + else + warn "$check_1_10" + fi else - warn "$check_1_10" + warn "1.10 - Failed to inspect: auditctl command not found." fi else - warn "1.10 - Failed to inspect: auditctl command not found." + info "$check_1_10" + info " * Directory not found" fi # 1.11 check_1_11="1.11 - Audit Docker files and directories - docker-registry.service" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /usr/lib/systemd/system/docker-registry.service >/dev/null 2>&1 +file="/usr/lib/systemd/system/docker-registry.service" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_11" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_11" + else + warn "$check_1_11" + fi else - warn "$check_1_11" + warn "1.11 - Failed to inspect: auditctl command not found." fi else - warn "1.11 - Failed to inspect: auditctl command not found." + info "$check_1_11" + info " * File not found" fi # 1.12 check_1_12="1.12 - Audit Docker files and directories - docker.service" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /usr/lib/systemd/system/docker.service >/dev/null 2>&1 +file="/usr/lib/systemd/system/docker.service" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_12" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_12" + else + warn "$check_1_12" + fi else - warn "$check_1_12" + warn "1.12 - Failed to inspect: auditctl command not found." fi else - warn "1.12 - Failed to inspect: auditctl command not found." + info "$check_1_12" + info " * File not found" fi # 1.13 check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /var/run/docker.sock >/dev/null 2>&1 +file="/var/run/docker.sock" +if [ -e "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_13" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_13" + else + warn "$check_1_13" + fi else - warn "$check_1_13" + warn "1.13 - Failed to inspect: auditctl command not found." fi else - warn "1.13 - Failed to inspect: auditctl command not found." + info "$check_1_13" + info " * File not found" fi # 1.14 check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/sysconfig/docker >/dev/null 2>&1 +file="/etc/sysconfig/docker" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_14" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_14" + else + warn "$check_1_14" + fi else - warn "$check_1_14" + warn "1.14 - Failed to inspect: auditctl command not found." fi else - warn "1.14 - Failed to inspect: auditctl command not found." + info "$check_1_14" + info " * File not found" fi # 1.15 check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/sysconfig/docker-network >/dev/null 2>&1 +file="/etc/sysconfig/docker-network" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_15" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_15" + else + warn "$check_1_15" + fi else - warn "$check_1_15" + warn "1.15 - Failed to inspect: auditctl command not found." fi else - warn "1.15 - Failed to inspect: auditctl command not found." + info "$check_1_15" + info " * File not found" fi # 1.16 check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/sysconfig/docker-registry >/dev/null 2>&1 +file="/etc/sysconfig/docker-registry" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_16" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_16" + else + warn "$check_1_16" + fi else - warn "$check_1_16" + warn "1.16 - Failed to inspect: auditctl command not found." fi else - warn "1.16 - Failed to inspect: auditctl command not found." + info "$check_1_16" + info " * File not found" fi # 1.17 check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/sysconfig/docker-storage >/dev/null 2>&1 +file="/etc/sysconfig/docker-storage" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_17" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_17" + else + warn "$check_1_17" + fi else - warn "$check_1_17" + warn "1.17 - Failed to inspect: auditctl command not found." fi else - warn "1.17 - Failed to inspect: auditctl command not found." + info "$check_1_17" + info " * File not found" fi # 1.18 check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep /etc/default/docker >/dev/null 2>&1 +file="/etc/default/docker" +if [ -f "$file" ]; then + command -v auditctl >/dev/null 2>&1 if [ $? -eq 0 ]; then - pass "$check_1_18" + auditctl -l | grep $file >/dev/null 2>&1 + if [ $? -eq 0 ]; then + pass "$check_1_18" + else + warn "$check_1_18" + fi else - warn "$check_1_18" + warn "1.18 - Failed to inspect: auditctl command not found." fi else - warn "1.18 - Failed to inspect: auditctl command not found." + info "$check_1_18" + info " * File not found" fi diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 8561f52..af443ca 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration" # 2.1 check_2_1="2.1 - Do not use lxc execution driver" -pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1 +pgrep -lf docker | grep lxc >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_1" else @@ -14,7 +14,7 @@ fi # 2.2 check_2_2="2.2 - Restrict network traffic between containers" -pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1 +pgrep -lf docker | grep "icc=false" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_2" else @@ -23,7 +23,7 @@ fi # 2.3 check_2_3="2.3 - Set the logging level" -pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1 +pgrep -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_3" else @@ -32,7 +32,7 @@ fi # 2.4 check_2_4="2.4 - Allow Docker to make changes to iptables" -pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1 +pgrep -lf docker | grep "iptables=false" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_4" else @@ -41,7 +41,7 @@ fi # 2.5 check_2_5="2.5 - Do not use insecure registries" -pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1 +pgrep -lf docker | grep "insecure-registry" >/dev/null 2>&1 if [ $? -eq 0 ]; then warn "$check_2_5" else @@ -50,7 +50,7 @@ fi # 2.6 check_2_6="2.6 - Setup a local registry mirror" -pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1 +pgrep -lf docker | grep "registry-mirror" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_6" else @@ -69,7 +69,7 @@ fi # 2.8 check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket" -pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1 +pgrep -lf docker | grep "\-H" >/dev/null 2>&1 if [ $? -eq 0 ]; then info "$check_2_8" info " * Docker daemon running with -H" @@ -79,9 +79,9 @@ fi # 2.9 check_2_9="2.9 - Configure TLS authentication for Docker daemon" -pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1 +pgrep -lf docker | grep "\-H" >/dev/null 2>&1 if [ $? -eq 0 ]; then - pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 + pgrep -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_9" info " * Docker daemon currently listening on TCP" @@ -96,7 +96,7 @@ fi # 2.10 check_2_10="2.10 - Set default ulimit as appropriate" -pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1 +pgrep -lf docker | grep "default-ulimit" >/dev/null 2>&1 if [ $? -eq 0 ]; then pass "$check_2_10" else diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 36e49ab..1f9cfe9 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -7,8 +7,7 @@ info "3 - Docker Daemon Configuration Files" check_3_1="3.1 - Verify that docker.service file ownership is set to root:root" file="/usr/lib/systemd/system/docker.service" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_1" else warn "$check_3_1" @@ -23,8 +22,7 @@ fi check_3_2="3.2 - Verify that docker.service file permissions are set to 644" file="/usr/lib/systemd/system/docker.service" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_2" else warn "$check_3_2" @@ -39,8 +37,7 @@ fi check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root" file="/usr/lib/systemd/system/docker-registry.service" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_3" else warn "$check_3_3" @@ -55,8 +52,7 @@ fi check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644" file="/usr/lib/systemd/system/docker-registry.service" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_4" else warn "$check_3_4" @@ -71,8 +67,7 @@ fi check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root" file="/usr/lib/systemd/system/docker.socket" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_5" else warn "$check_3_5" @@ -87,8 +82,7 @@ fi check_3_6="3.6 - Verify that docker.socket file permissions are set to 644" file="/usr/lib/systemd/system/docker.socket" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_6" else warn "$check_3_6" @@ -103,8 +97,7 @@ fi check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root " file="/etc/sysconfig/docker" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_7" else warn "$check_3_7" @@ -119,8 +112,7 @@ fi check_3_8="3.8 - Verify that Docker environment file permissions are set to 644" file="/etc/sysconfig/docker" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_8" else warn "$check_3_8" @@ -135,8 +127,7 @@ fi check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root" file="/etc/sysconfig/docker-network" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_9" else warn "$check_3_9" @@ -151,8 +142,7 @@ fi check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644" file="/etc/sysconfig/docker-network" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_10" else warn "$check_3_10" @@ -167,8 +157,7 @@ fi check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root" file="/etc/sysconfig/docker-registry" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_11" else warn "$check_3_11" @@ -183,8 +172,7 @@ fi check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644" file="/etc/sysconfig/docker-registry" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_12" else warn "$check_3_12" @@ -199,8 +187,7 @@ fi check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root" file="/etc/sysconfig/docker-storage" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_13" else warn "$check_3_13" @@ -215,8 +202,7 @@ fi check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644" file="/etc/sysconfig/docker-storage" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %a $file)" -eq 644 ]; then pass "$check_3_14" else warn "$check_3_14" @@ -231,8 +217,7 @@ fi check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root" directory="/etc/docker" if [ -d "$directory" ]; then - ls -ld "$directory" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $directory)" -eq 00 ]; then pass "$check_3_15" else warn "$check_3_15" @@ -247,10 +232,9 @@ fi check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" directory="/etc/docker" if [ -d "$directory" ]; then - perms=$(ls -ld $directory | awk '{print $1}') - if [ "$perms" = "drwxr-xr-x." ]; then + if [ "$(stat -c %a $directory)" -eq 755 ]; then pass "$check_3_16" - elif [ "$perms" = "drwx------" ]; then + elif [ "$(stat -c %a $directory)" -eq 700 ]; then pass "$check_3_16" else warn "$check_3_16" @@ -266,7 +250,7 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - owners=$(ls -lL "$directory"/*.crt | awk '{print "$3", "$4"}') + owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}') for p in $owners; do printf "%s" "$p" | grep "root" >/dev/null 2>&1 if [ $? -ne 0 ]; then @@ -289,9 +273,9 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - perms=$(ls -lL "$directory"/*.crt | awk '{print $1}') + perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}') for p in $perms; do - if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then + if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then fail=1 fi done @@ -310,8 +294,7 @@ fi check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscacert" ]; then - ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_19" else warn "$check_3_19" @@ -327,7 +310,7 @@ check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 44 tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscacert" ]; then perms=$(ls -ld "$tlscacert" | awk '{print $1}') - if [ "$perms" = "-rw-r--r--" ]; then + if [ "$perms" = "-r--r--r--" ]; then pass "$check_3_20" else warn "$check_3_20" @@ -342,8 +325,7 @@ fi check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscert" ]; then - ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_21" else warn "$check_3_21" @@ -359,7 +341,7 @@ check_3_22="3.22 - Verify that Docker server certificate file permissions are se tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlscert" ]; then perms=$(ls -ld "$tlscert" | awk '{print $1}') - if [ "$perms" = "-rw-r--r--" ]; then + if [ "$perms" = "-r--r--r--" ]; then pass "$check_3_22" else warn "$check_3_22" @@ -374,8 +356,7 @@ fi check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1) if [ -f "$tlskey" ]; then - ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_23" else warn "$check_3_23" @@ -406,8 +387,7 @@ fi check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker" file="/var/run/docker.sock" if [ -f "$file" ]; then - ls -ld "$file" | awk '{print $3, $4}' | grep "root docker" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_25" else warn "$check_3_25" diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 11e14df..c6e6f66 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -180,7 +180,7 @@ else fi processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}') - if [ $processes -gt 1 ]; then + if [ "$processes" -ge 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_7" @@ -201,18 +201,22 @@ else fail=0 for c in $containers; do - port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1) + # Port format is private port -> ip: public port + ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2) - if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn "$check_5_8" - warn " * Privileged Port in use: $port in $c" - fail=1 - else - warn " * Privileged Port in use: $port in $c" + # iterate through port range (line delimited) + for port in $ports; do + if [ ! -z "$port" ] && [ "0$port" -lt 1024 ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_8" + warn " * Privileged Port in use: $port in $c" + fail=1 + else + warn " * Privileged Port in use: $port in $c" + fi fi - fi + done done # We went through all the containers and found no privileged ports if [ $fail -eq 0 ]; then @@ -316,17 +320,18 @@ else fail=0 for c in $containers; do - ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1) - if [ "$ip" = "0.0.0.0" ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn "$check_5_14" - warn " * Port being bound to wildcard IP: $ip in $c" - fail=1 - else - warn " * Port being bound to wildcard IP: $ip in $c" + for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do + if [ "$ip" = "0.0.0.0" ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_14" + warn " * Port being bound to wildcard IP: $ip in $c" + fail=1 + else + warn " * Port being bound to wildcard IP: $ip in $c" + fi fi - fi + done done # We went through all the containers and found no ports bound to 0.0.0.0 if [ $fail -eq 0 ]; then diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index f5b1f01..28d6916 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -40,8 +40,8 @@ images=$(docker images -q | wc -l | awk '{print $1}') active_images=0 for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do - if [[ $(docker images --no-trunc -a | grep $c) ]]; then - ((active_images++)) + if docker images --no-trunc -a | grep "$c" > /dev/null ; then + active_images=$(( active_images += 1 )) fi done @@ -53,7 +53,7 @@ else info " * There are currently: $images images" fi -if [[ "$active_images" -lt "$((images / 2))" ]]; then +if [ "$active_images" -lt "$((images / 2))" ]; then warn " * Only $active_images out of $images are in use" fi @@ -61,7 +61,7 @@ fi check_6_7="6.7 - Avoid container sprawl" total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') running_containers=$(docker ps -q | wc -l | awk '{print $1}') -diff="$(($total_containers - $running_containers))" +diff="$((total_containers - running_containers))" if [ "$diff" -gt 25 ]; then warn "$check_6_7" warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"