Merge remote-tracking branch 'upstream/master'

This commit is contained in:
Scott McCarty 2015-06-29 08:44:00 -04:00
commit 70c52ac5e8
11 changed files with 311 additions and 166 deletions

CONTRIBUTING.md Normal file

@ -0,0 +1,51 @@
# Contributing to Docker Bench for Security
Want to hack on Docker Bench? Awesome! Here are instructions to get you
started.
The Docker Bench for Security is a part of the [Docker](https://www.docker.com) project, and follows
the same rules and principles. If you're already familiar with the way
Docker does things, you'll feel right at home.
Otherwise, go read
[Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md).
### Development Environment Setup
The only thing you need to hack on Docker Bench for Security is a POSIX 2004 compliant shell. We try to keep the project compliant for maximum portability
#### Start hacking
You can build the container that wraps the docker-bench for security:
```sh
✗ git clone git@github.com:docker/docker-bench-security.git
✗ cd docker-bench-security
✗ docker build -t docker-bench-security .
```
Or you can simply run the shell script locally:
```sh
✗ git clone git@github.com:docker/docker-bench-security.git
✗ cd docker-bench-security
✗ sh docker-bench-security.sh
```
The Docker Bench has the main script called `docker-bench-security.sh`. This is the main script that checks for all the dependencies, deals with command line arguments and loads all the tests.
The tests are split in 6 different files:
```sh
✗ tree tests/
tests/
├── 1_host_configuration.sh
├── 2_docker_daemon_configuration.sh
├── 3_docker_daemon_configuration_files.sh
├── 4_container_images.sh
├── 5_container_runtime.sh
└── 6_docker_security_operations.sh
```
To modify the Docker Bench for Security you should first clone the repository, make your changes, check your code with `shellcheck`, `checkbashisms` or similar tools, and then sign off on your commits. After that feel free to send us a pull-request with the changes.
While this tool is inspired in the CIS Docker 1.6 Benchmark, feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions.
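Review bot: the `✗` prompt glyph inside the three `sh` fences (`✗ git clone ...`, `✗ tree tests/`) gets copied along with the commands, so drop it or use a plain `$`. Two wording fixes in the same file: "We try to keep the project compliant for maximum portability" lacks a full stop, and "inspired in the CIS Docker 1.6 Benchmark" should read "inspired by". It would also help to say how a new test file is picked up: the text states that the main script "loads all the tests", but not whether a seventh file dropped into `tests/` is sourced automatically or has to be registered somewhere.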

View file

@ -1,6 +1,8 @@
FROM gliderlabs/alpine:3.1 FROM alpine:3.1
RUN apk --update add docker RUN apk update && \
apk upgrade && \
apk --update add docker
RUN mkdir /docker-bench-security RUN mkdir /docker-bench-security
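Review bot: `apk --update add docker` re-fetches the package index that the preceding `apk update` just fetched, so one of the two is redundant; keep a single `apk update && apk upgrade && apk add docker` and remove the cached index afterwards (`rm -rf /var/cache/apk/*`) so it is not baked into the image layer. Moving from `gliderlabs/alpine:3.1` to the official `alpine:3.1` image is a sound supply-chain change, but `apk upgrade` at build time makes the image content depend on the build date, so a comment saying that a rebuild is what picks up fixes would help.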

View file

@ -2,7 +2,7 @@
![Docker Bench for Security running](https://github.com/diogomonica/docker-bench-security/raw/master/benchmark_log.png?raw=true "Docker Bench for Security running") ![Docker Bench for Security running](https://github.com/diogomonica/docker-bench-security/raw/master/benchmark_log.png?raw=true "Docker Bench for Security running")
The Docker Bench for Security is a script that checks for all the automatable tests included in the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post. The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark. We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
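Review bot: the unchanged second paragraph still says users can self-assess "against this benchmark", but the rewritten first paragraph no longer presents the script as covering the CIS benchmark's automatable tests, only as "inspired by" it; adjust the second sentence (for example "against these best-practices") so the two paragraphs agree on what the tool claims to check.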
@ -10,13 +10,16 @@ We are making this available as an open-source utility so the Docker community c
We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host. We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container: The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
``` ```sh
docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ docker run -it --net host --pid host --cap-add audit_control \
-v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \ -v /var/lib:/var/lib \
diogomonica/docker-bench-security -v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label docker-bench-security \
diogomonica/docker-bench-security
``` ```
Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below). Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below).
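Review bot: the new `--cap-add audit_control` and `-v /var/lib:/var/lib` noticeably widen what the container can do on the host, yet the privilege-warning sentence just above ("sharing the host's filesystem, pid and network namespaces") is left unchanged; list the capability and the new mount there and say why they are needed (the `auditctl -l` checks need CAP_AUDIT_CONTROL, and the `/var/lib/docker` checks need the mount). Since the checks only read those paths, `/var/lib`, `/etc` and `/usr/lib/systemd` could be mounted with `:ro`, leaving only `docker.sock` writable. Also, the unchanged sentence "I feel free to remove the `--label` flag" should read "feel free".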
@ -27,19 +30,24 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v
If you wish to build and run this container yourself, you can follow the following steps: If you wish to build and run this container yourself, you can follow the following steps:
``` ```sh
git clone https://github.com/diogomonica/docker-bench-security.git git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security; docker build -t docker-bench-security . cd docker-bench-security
docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \ docker build -t docker-bench-security .
-v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \ docker run -it --net host --pid host --cap-add audit_control \
docker-bench-security -v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label docker-bench-security \
docker-bench-security
``` ```
Also, this script can also be simply run from your base host by running: Also, this script can also be simply run from your base host by running:
``` ```sh
git clone https://github.com/diogomonica/docker-bench-security.git git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security; sh docker-bench-security.sh cd docker-bench-security
sh docker-bench-security.sh
``` ```
This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform. This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform.
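Review bot: the `docker run` command line is now duplicated verbatim between the "pre-built container" section and this one, so `--cap-add audit_control` and the `/var/lib` mount had to be added in two places and will drift the next time; consider keeping one copy and pointing the build section at it. Changing `--label security-benchmark` to `docker-bench-security` is the important fix here: main() in `docker-bench-security.sh` only excludes the container carrying that label, so the old value meant the benchmark inspected itself. Two typos in the unchanged context: "Also, this script can also be simply run" doubles "also", and "was build to be POSIX 2004 compliant" should be "built".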

distros/Dockerfile.alpine Normal file

@ -0,0 +1,17 @@
# REPOSITORY https://github.com/docker/docker-bench-security
MAINTAINER dockerbench.com
FROM alpine:3.1
RUN apk update && \
apk upgrade && \
apk --update add docker
RUN mkdir /docker-bench-security
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
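Review bot: `MAINTAINER` appears before `FROM`; the builder requires `FROM` to be the first instruction, so `docker build -f distros/Dockerfile.alpine .` fails before it reaches the `RUN` lines. Move `MAINTAINER dockerbench.com` below `FROM alpine:3.1`. Since `distros/README.md` in this same commit points at this file as the reference example, the ordering has to be right here. The `apk update` followed by `apk --update add` redundancy from the root Dockerfile is repeated as well.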

distros/README.md Normal file

@ -0,0 +1,18 @@
# Distribution specific Dockerfiles
## Requirements
### Dockerfile name
The format should be `Dockerfile.{distribution name}`.
### Keep your images up-to-date
Use the distribution package manager to keep your image up-to-date.
### REPOSITORY
Add a `REPOSITORY` comment with the URL to your GitHub repository where the Dockerfile is present.
`# REPOSITORY <GitHub repository>`
### MAINTAINER
Add the `MAINTAINER` instruction and your contact details, GitHub aliases are acceptable.
For an example Dockerfile, please refer to `Dockerfile.alpine`.
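Review bot: the README never says how one of these files is built; a `Dockerfile.{distribution name}` is not picked up by a bare `docker build .`, so add the command (`docker build -f distros/Dockerfile.alpine -t docker-bench-security .`, run from the repository root, since the Dockerfile's `COPY . /docker-bench-security` expects the repository as build context). "Keep your images up-to-date" should also say what that means concretely, for example running the distribution's upgrade step (`apk upgrade` in the Alpine example). Minor: "Add the `MAINTAINER` instruction and your contact details, GitHub aliases are acceptable." is a comma splice; make the second clause its own sentence.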

docker-bench-security.sh Normal file → Executable file

@ -1,10 +1,11 @@
#!/bin/sh #!/bin/sh
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# CIS Docker 1.6 Benchmark v1.0.0 checker # Docker Bench for Security v1.0.0
# #
# Docker, Inc. (c) 2015 # Docker, Inc. (c) 2015
# #
# Provides automated tests for the CIS Docker 1.6 Benchmark: # Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# #
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
@ -21,7 +22,7 @@ export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
logger="${myname}.log" logger="${myname}.log"
# Check for required program(s) # Check for required program(s)
req_progs='docker netstat grep awk' req_progs='awk docker grep netstat stat'
for p in $req_progs; do for p in $req_progs; do
command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; } command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done done
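Review bot: adding `stat` to `req_progs` only proves that a `stat` binary exists, not that it accepts the GNU/BusyBox `-c FORMAT` syntax the new test files rely on (`stat -c %u%g`, `stat -c %a` in `3_docker_daemon_configuration_files.sh`); BSD and macOS `stat` use `-f` instead, so on those platforms the checks error out after this pre-flight passes, which sits badly with the README's "portable across any Unix platform" claim. Either probe `stat -c %a /` here and fail with a clear message, or document the GNU coreutils/BusyBox requirement.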
@ -42,11 +43,12 @@ usage () {
} }
yell "# ------------------------------------------------------------------------------ yell "# ------------------------------------------------------------------------------
# CIS Docker 1.6 Benchmark v1.0.0 checker # Docker Bench for Security v1.0.0
# #
# Docker, Inc. (c) 2015 # Docker, Inc. (c) 2015
# #
# Provides automated tests for the CIS Docker 1.6 Benchmark: # Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf # https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------" # ------------------------------------------------------------------------------"
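Review bot: this banner now repeats the header comment at the top of the script word for word, including the `v1.0.0` version string and the CIS URL; keep the version in one variable near the top and interpolate it here, so the next rename or version bump only has to happen in one place.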
@ -73,11 +75,11 @@ done
main () { main () {
# List all running containers # List all running containers
containers=$(docker ps -q) containers=$(docker ps -q)
# If there is a container with label docker-bench, memorize it: # If there is a container with label docker-bench-security, memorize it:
benchcont="nil" benchcont="nil"
for c in $containers; do for c in $containers; do
labels=$(docker inspect --format '{{ .Config.Labels }}' "$c") labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
contains "$labels" "docker-bench" && benchcont="$c" contains "$labels" "docker-bench-security" && benchcont="$c"
done done
# List all running containers except docker-bench # List all running containers except docker-bench
containers=$(docker ps -q | grep -v "$benchcont") containers=$(docker ps -q | grep -v "$benchcont")
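Review bot: `benchcont` is overwritten on every match, so if more than one running container carries the `docker-bench-security` label (two concurrent runs, or a stale container left over from a previous run) only the last one is excluded and the others are inspected as if they were workloads. Accumulate the matches and hand them to `grep -v` as a pattern list, or filter by label in `docker ps` directly. Also, `contains "$labels" "docker-bench-security"` is a substring test on the printed Labels map, so a label such as `docker-bench-security-target` would match too, and the unchanged comment "List all running containers except docker-bench" is now stale.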

View file

@ -40,9 +40,11 @@ fi
# 1.6 # 1.6
check_1_6="1.6 - Keep Docker up to date" check_1_6="1.6 - Keep Docker up to date"
docker_version=$(docker version | grep 'Server version' | awk '{print $3}') docker_version=$(docker version | grep 'Server version' | awk '{print $3}')
do_version_check 1.6.2 $docker_version docker_current_version="1.7.0"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
warn "$check_1_6" warn "$check_1_6"
warn " * Using $docker_version, when $docker_current_version is current."
else else
pass "$check_1_6" pass "$check_1_6"
fi fi
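Review bot: `docker_current_version="1.7.0"` hardcodes what "current" means, so as soon as Docker ships a newer release this check passes on an out-of-date daemon, which is the opposite of what 1.6 is meant to catch. At minimum add a comment next to the assignment saying it must be bumped on each Docker release, and consider moving it near the top of the file where it is visible; the added `warn " * Using $docker_version, when $docker_current_version is current."` line is a good addition either way.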
@ -71,140 +73,200 @@ fi
# 1.9 # 1.9
check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker" check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker"
command -v auditctl >/dev/null 2>&1 directory="/var/lib/docker"
if [ $? -eq 0 ]; then if [ -d "$file" ]; then
auditctl -l | grep /var/lib/docker >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_9" auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_9"
else
warn "$check_1_9"
fi
else else
warn "$check_1_9" warn "1.9 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.9 - Failed to inspect: auditctl command not found." info "$check_1_9"
info " * Directory not found"
fi fi
# 1.10 # 1.10
check_1_10="1.10 - Audit Docker files and directories - /etc/docker" check_1_10="1.10 - Audit Docker files and directories - /etc/docker"
command -v auditctl >/dev/null 2>&1 directory="/etc/docker"
if [ $? -eq 0 ]; then if [ -d "$directory" ]; then
auditctl -l | grep /etc/docker >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_10" auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_10"
else
warn "$check_1_10"
fi
else else
warn "$check_1_10" warn "1.10 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.10 - Failed to inspect: auditctl command not found." info "$check_1_10"
info " * Directory not found"
fi fi
# 1.11 # 1.11
check_1_11="1.11 - Audit Docker files and directories - docker-registry.service" check_1_11="1.11 - Audit Docker files and directories - docker-registry.service"
command -v auditctl >/dev/null 2>&1 file="/usr/lib/systemd/system/docker-registry.service"
if [ $? -eq 0 ]; then if [ -f "$file" ]; then
auditctl -l | grep /usr/lib/systemd/system/docker-registry.service >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_11" auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_11"
else
warn "$check_1_11"
fi
else else
warn "$check_1_11" warn "1.11 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.11 - Failed to inspect: auditctl command not found." info "$check_1_11"
info " * File not found"
fi fi
# 1.12 # 1.12
check_1_12="1.12 - Audit Docker files and directories - docker.service" check_1_12="1.12 - Audit Docker files and directories - docker.service"
command -v auditctl >/dev/null 2>&1 file="/usr/lib/systemd/system/docker.service"
if [ $? -eq 0 ]; then if [ -f "$file" ]; then
auditctl -l | grep /usr/lib/systemd/system/docker.service >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_12" auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_12"
else
warn "$check_1_12"
fi
else else
warn "$check_1_12" warn "1.12 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.12 - Failed to inspect: auditctl command not found." info "$check_1_12"
info " * File not found"
fi fi
# 1.13 # 1.13
check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock" check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock"
command -v auditctl >/dev/null 2>&1 file="/var/run/docker.sock"
if [ $? -eq 0 ]; then if [ -e "$file" ]; then
auditctl -l | grep /var/run/docker.sock >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_13" auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_13"
else
warn "$check_1_13"
fi
else else
warn "$check_1_13" warn "1.13 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.13 - Failed to inspect: auditctl command not found." info "$check_1_13"
info " * File not found"
fi fi
# 1.14 # 1.14
check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker" check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker"
command -v auditctl >/dev/null 2>&1 file="/etc/sysconfig/docker"
if [ $? -eq 0 ]; then if [ -f "$file" ]; then
auditctl -l | grep /etc/sysconfig/docker >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_14" auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_14"
else
warn "$check_1_14"
fi
else else
warn "$check_1_14" warn "1.14 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.14 - Failed to inspect: auditctl command not found." info "$check_1_14"
info " * File not found"
fi fi
# 1.15 # 1.15
check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network" check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network"
command -v auditctl >/dev/null 2>&1 file="/etc/sysconfig/docker-network"
if [ $? -eq 0 ]; then if [ -f "$file" ]; then
auditctl -l | grep /etc/sysconfig/docker-network >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_15" auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_15"
else
warn "$check_1_15"
fi
else else
warn "$check_1_15" warn "1.15 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.15 - Failed to inspect: auditctl command not found." info "$check_1_15"
info " * File not found"
fi fi
# 1.16 # 1.16
check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry" check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry"
command -v auditctl >/dev/null 2>&1 file="/etc/sysconfig/docker-registry"
if [ $? -eq 0 ]; then if [ -f "$file" ]; then
auditctl -l | grep /etc/sysconfig/docker-registry >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_16" auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_16"
else
warn "$check_1_16"
fi
else else
warn "$check_1_16" warn "1.16 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.16 - Failed to inspect: auditctl command not found." info "$check_1_16"
info " * File not found"
fi fi
# 1.17 # 1.17
check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage" check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage"
command -v auditctl >/dev/null 2>&1 file="/etc/sysconfig/docker-storage"
if [ $? -eq 0 ]; then if [ -f "$file" ]; then
auditctl -l | grep /etc/sysconfig/docker-storage >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_17" auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_17"
else
warn "$check_1_17"
fi
else else
warn "$check_1_17" warn "1.17 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.17 - Failed to inspect: auditctl command not found." info "$check_1_17"
info " * File not found"
fi fi
# 1.18 # 1.18
check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker" check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker"
command -v auditctl >/dev/null 2>&1 file="/etc/default/docker"
if [ $? -eq 0 ]; then if [ -f "$file" ]; then
auditctl -l | grep /etc/default/docker >/dev/null 2>&1 command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_1_18" auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_18"
else
warn "$check_1_18"
fi
else else
warn "$check_1_18" warn "1.18 - Failed to inspect: auditctl command not found."
fi fi
else else
warn "1.18 - Failed to inspect: auditctl command not found." info "$check_1_18"
info " * File not found"
fi fi
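Review bot: check 1.9 sets `directory="/var/lib/docker"` but then tests `if [ -d "$file" ]`, so it looks at whatever `$file` last held (nothing at this point in the hunk) and always reports "Directory not found" even on hosts that do have `/var/lib/docker`; it should read `if [ -d "$directory" ]` as 1.10 does. Two smaller points that apply to all ten checks: `grep $directory` / `grep $file` is unquoted and unanchored, so an audit rule on `/var/lib/docker-registry` satisfies the 1.9 search for `/var/lib/docker`, and anchoring on the whole path token (path followed by a space or end of line) avoids that; and 1.9 through 1.18 are now the same fifteen lines with a path and an id substituted, which is exactly the shape a `check_audit_rule "$check_1_9" "$directory"` helper would collapse, removing the copy-paste surface that produced the `$file` slip.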

View file

@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration"
# 2.1 # 2.1
check_2_1="2.1 - Do not use lxc execution driver" check_2_1="2.1 - Do not use lxc execution driver"
pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1 pgrep -lf docker | grep lxc >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_1" warn "$check_2_1"
else else
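Review bot: dropping `-U root -u root` from `pgrep -lf docker` means the pattern now matches every process whose command line contains "docker", not just the root-owned daemon: the benchmark itself (`sh docker-bench-security.sh`), a user editing a `docker-compose.yml`, or a `docker run` client invocation with `lxc` somewhere in its arguments would all satisfy `| grep lxc` and turn 2.1 into a warn. The same substitution is made in 2.2 through 2.10 below, where the strings searched for (`-H`, `tlsverify`, `insecure-registry`) are even more likely to show up on client command lines. Match the daemon process specifically, for example by the way it is launched in the 1.6/1.7 series (`docker -d`) or by resolving the daemon's pid first and reading its `/proc/<pid>/cmdline`.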
@ -14,7 +14,7 @@ fi
# 2.2 # 2.2
check_2_2="2.2 - Restrict network traffic between containers" check_2_2="2.2 - Restrict network traffic between containers"
pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1 pgrep -lf docker | grep "icc=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_2" pass "$check_2_2"
else else
@ -23,7 +23,7 @@ fi
# 2.3 # 2.3
check_2_3="2.3 - Set the logging level" check_2_3="2.3 - Set the logging level"
pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1 pgrep -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_3" warn "$check_2_3"
else else
@ -32,7 +32,7 @@ fi
# 2.4 # 2.4
check_2_4="2.4 - Allow Docker to make changes to iptables" check_2_4="2.4 - Allow Docker to make changes to iptables"
pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1 pgrep -lf docker | grep "iptables=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_4" warn "$check_2_4"
else else
@ -41,7 +41,7 @@ fi
# 2.5 # 2.5
check_2_5="2.5 - Do not use insecure registries" check_2_5="2.5 - Do not use insecure registries"
pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1 pgrep -lf docker | grep "insecure-registry" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_5" warn "$check_2_5"
else else
@ -50,7 +50,7 @@ fi
# 2.6 # 2.6
check_2_6="2.6 - Setup a local registry mirror" check_2_6="2.6 - Setup a local registry mirror"
pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1 pgrep -lf docker | grep "registry-mirror" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_6" pass "$check_2_6"
else else
@ -69,7 +69,7 @@ fi
# 2.8 # 2.8
check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket" check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket"
pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1 pgrep -lf docker | grep "\-H" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
info "$check_2_8" info "$check_2_8"
info " * Docker daemon running with -H" info " * Docker daemon running with -H"
@ -79,9 +79,9 @@ fi
# 2.9 # 2.9
check_2_9="2.9 - Configure TLS authentication for Docker daemon" check_2_9="2.9 - Configure TLS authentication for Docker daemon"
pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1 pgrep -lf docker | grep "\-H" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 pgrep -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_9" pass "$check_2_9"
info " * Docker daemon currently listening on TCP" info " * Docker daemon currently listening on TCP"
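Review bot: switching the outer test from `grep "tcp://"` to `grep "\-H"` changes the meaning of 2.9: `-H` also selects unix sockets (`-H unix:///var/run/docker.sock`) and `-H fd://` under systemd socket activation, so a daemon bound only to a local socket now falls into the TLS branch and, lacking `tlsverify`, is reported as a TLS failure, while the unchanged `info " * Docker daemon currently listening on TCP"` message becomes wrong. Keep the `tcp://` test here (2.8 is the check that cares about any `-H`), or require both `-H` and `tcp://`.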
@ -96,7 +96,7 @@ fi
# 2.10 # 2.10
check_2_10="2.10 - Set default ulimit as appropriate" check_2_10="2.10 - Set default ulimit as appropriate"
pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1 pgrep -lf docker | grep "default-ulimit" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_10" pass "$check_2_10"
else else

View file

@ -7,8 +7,7 @@ info "3 - Docker Daemon Configuration Files"
check_3_1="3.1 - Verify that docker.service file ownership is set to root:root" check_3_1="3.1 - Verify that docker.service file ownership is set to root:root"
file="/usr/lib/systemd/system/docker.service" file="/usr/lib/systemd/system/docker.service"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_1" pass "$check_3_1"
else else
warn "$check_3_1" warn "$check_3_1"
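Review bot: `[ "$(stat -c %u%g $file)" -eq 00 ]` works only because the concatenated uid and gid string evaluates to zero solely when both are 0, which is not obvious to the next reader, and it makes `[` error out with a syntax message if `stat` prints nothing. `[ "$(stat -c %u:%g "$file")" = "0:0" ]` says the same thing plainly and tolerates an empty result; `$file` should be quoted either way. The same pattern is repeated in 3.3, 3.5, 3.7, 3.9, 3.11, 3.13, 3.15 and 3.19.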
@ -23,8 +22,7 @@ fi
check_3_2="3.2 - Verify that docker.service file permissions are set to 644" check_3_2="3.2 - Verify that docker.service file permissions are set to 644"
file="/usr/lib/systemd/system/docker.service" file="/usr/lib/systemd/system/docker.service"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 if [ "$(stat -c %a $file)" -eq 644 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_2" pass "$check_3_2"
else else
warn "$check_3_2" warn "$check_3_2"
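Review bot: `[ "$(stat -c %a $file)" -eq 644 ]` still demands exactly 644, so a unit file deliberately tightened to 640 or 600 is reported as a warn just like a group-writable one; if the intent of 3.2 (and the matching 3.4, 3.6, 3.8, 3.10, 3.12 and 3.14 below) is "644 or more restrictive", test that no bit outside 644 is set, which in POSIX sh arithmetic is `[ $(( 0$(stat -c %a "$file") & 07133 )) -eq 0 ]` (the mask also catches setuid, setgid and sticky bits, which `-eq 644` silently accepts when `%a` prints four digits).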
@ -39,8 +37,7 @@ fi
check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root" check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root"
file="/usr/lib/systemd/system/docker-registry.service" file="/usr/lib/systemd/system/docker-registry.service"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_3" pass "$check_3_3"
else else
warn "$check_3_3" warn "$check_3_3"
@ -55,8 +52,7 @@ fi
check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644" check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644"
file="/usr/lib/systemd/system/docker-registry.service" file="/usr/lib/systemd/system/docker-registry.service"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 if [ "$(stat -c %a $file)" -eq 644 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_4" pass "$check_3_4"
else else
warn "$check_3_4" warn "$check_3_4"
@ -71,8 +67,7 @@ fi
check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root" check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root"
file="/usr/lib/systemd/system/docker.socket" file="/usr/lib/systemd/system/docker.socket"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_5" pass "$check_3_5"
else else
warn "$check_3_5" warn "$check_3_5"
@ -87,8 +82,7 @@ fi
check_3_6="3.6 - Verify that docker.socket file permissions are set to 644" check_3_6="3.6 - Verify that docker.socket file permissions are set to 644"
file="/usr/lib/systemd/system/docker.socket" file="/usr/lib/systemd/system/docker.socket"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 if [ "$(stat -c %a $file)" -eq 644 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_6" pass "$check_3_6"
else else
warn "$check_3_6" warn "$check_3_6"
@ -103,8 +97,7 @@ fi
check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root " check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root "
file="/etc/sysconfig/docker" file="/etc/sysconfig/docker"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_7" pass "$check_3_7"
else else
warn "$check_3_7" warn "$check_3_7"
@ -119,8 +112,7 @@ fi
check_3_8="3.8 - Verify that Docker environment file permissions are set to 644" check_3_8="3.8 - Verify that Docker environment file permissions are set to 644"
file="/etc/sysconfig/docker" file="/etc/sysconfig/docker"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 if [ "$(stat -c %a $file)" -eq 644 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_8" pass "$check_3_8"
else else
warn "$check_3_8" warn "$check_3_8"
@ -135,8 +127,7 @@ fi
check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root" check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root"
file="/etc/sysconfig/docker-network" file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_9" pass "$check_3_9"
else else
warn "$check_3_9" warn "$check_3_9"
@ -151,8 +142,7 @@ fi
check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644" check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644"
file="/etc/sysconfig/docker-network" file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 if [ "$(stat -c %a $file)" -eq 644 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_10" pass "$check_3_10"
else else
warn "$check_3_10" warn "$check_3_10"
@ -167,8 +157,7 @@ fi
check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root" check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root"
file="/etc/sysconfig/docker-registry" file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_11" pass "$check_3_11"
else else
warn "$check_3_11" warn "$check_3_11"
@ -183,8 +172,7 @@ fi
check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644" check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644"
file="/etc/sysconfig/docker-registry" file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 if [ "$(stat -c %a $file)" -eq 644 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_12" pass "$check_3_12"
else else
warn "$check_3_12" warn "$check_3_12"
@ -199,8 +187,7 @@ fi
check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root" check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root"
file="/etc/sysconfig/docker-storage" file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_13" pass "$check_3_13"
else else
warn "$check_3_13" warn "$check_3_13"
@ -215,8 +202,7 @@ fi
check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644" check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644"
file="/etc/sysconfig/docker-storage" file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1 if [ "$(stat -c %a $file)" -eq 644 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_14" pass "$check_3_14"
else else
warn "$check_3_14" warn "$check_3_14"
@ -231,8 +217,7 @@ fi
check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root" check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root"
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
ls -ld "$directory" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_15" pass "$check_3_15"
else else
warn "$check_3_15" warn "$check_3_15"
@ -247,10 +232,9 @@ fi
check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755"
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
perms=$(ls -ld $directory | awk '{print $1}') if [ "$(stat -c %a $directory)" -eq 755 ]; then
if [ "$perms" = "drwxr-xr-x." ]; then
pass "$check_3_16" pass "$check_3_16"
elif [ "$perms" = "drwx------" ]; then elif [ "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_16" pass "$check_3_16"
else else
warn "$check_3_16" warn "$check_3_16"
@ -266,7 +250,7 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
owners=$(ls -lL "$directory"/*.crt | awk '{print "$3", "$4"}') owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}')
for p in $owners; do for p in $owners; do
printf "%s" "$p" | grep "root" >/dev/null 2>&1 printf "%s" "$p" | grep "root" >/dev/null 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
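Review bot: `owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}')` has three problems: the unescaped dot in `grep ".crt"` matches any character before `crt`, `ls -lL` on the directory only lists its immediate entries so certificates in subdirectories are never inspected, and `$directory` is unquoted. The replaced line's `"$directory"/*.crt` glob had the correct quoting and was only broken by the `"$3", "$4"` quoting inside the awk program; fixing the awk quotes there (`'{print $3, $4}'`) is a smaller change than this rewrite. Separately, the loop's `grep "root"` is a substring match, so an owner such as `notroot` would also pass.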
@ -289,9 +273,9 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
perms=$(ls -lL "$directory"/*.crt | awk '{print $1}') perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')
for p in $perms; do for p in $perms; do
if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then
fail=1 fail=1
fi fi
done done
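Review bot: the condition `if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then fail=1` is logically just `[ "$p" = "-r--------." ]`, so a certificate with mode 400 is flagged as a failure while any other mode, including 644 or 666, passes. The intent is to fail when the mode is neither 444 nor 400, which needs `!=` on both sides (`-a "$p" != "-r--------."`). The replaced line had the same inverted shape, so the hunk only changed the mode strings and carried the bug forward. Note also that the trailing `.` is the SELinux label marker in `ls -l` output; on hosts without SELinux neither string will ever match, so the comparison should tolerate its absence.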
@ -310,8 +294,7 @@ fi
check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root"
tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1) tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_19" pass "$check_3_19"
else else
warn "$check_3_19" warn "$check_3_19"
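Review bot: `if [ "$(stat -c %u%g $file)" -eq 00 ]; then` tests the wrong path. The file found by the preceding `-f` check is `$tlscacert`, while `$file` still holds the value assigned for 3.14 (`/etc/sysconfig/docker-storage`), so this check reports on the storage config's ownership instead of the CA certificate's. It should read `stat -c %u%g "$tlscacert"`; the same copy-paste appears in 3.21 and 3.23.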
@ -327,7 +310,7 @@ check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 44
tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1) tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
perms=$(ls -ld "$tlscacert" | awk '{print $1}') perms=$(ls -ld "$tlscacert" | awk '{print $1}')
if [ "$perms" = "-rw-r--r--" ]; then if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_20" pass "$check_3_20"
else else
warn "$check_3_20" warn "$check_3_20"
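Review bot: `if [ "$perms" = "-r--r--r--" ]; then` compares the `ls -ld` mode string without the trailing `.` that 3.18 expects, so the two checks disagree about SELinux-labelled hosts: on a labelled system this check can never pass, on an unlabelled one 3.18 can never pass. Since the rest of this patch moved to `stat -c %a`, using `[ "$(stat -c %a "$tlscacert")" -eq 444 ]` here would remove the label dependency and match the other checks.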
@ -342,8 +325,7 @@ fi
check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root"
tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1) tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_21" pass "$check_3_21"
else else
warn "$check_3_21" warn "$check_3_21"
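Review bot: same stale variable as in 3.19: `if [ "$(stat -c %u%g $file)" -eq 00 ]; then` should reference `"$tlscert"`, the path that the `-f` test just validated, not `$file`.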
@ -359,7 +341,7 @@ check_3_22="3.22 - Verify that Docker server certificate file permissions are se
tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1) tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
perms=$(ls -ld "$tlscert" | awk '{print $1}') perms=$(ls -ld "$tlscert" | awk '{print $1}')
if [ "$perms" = "-rw-r--r--" ]; then if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_22" pass "$check_3_22"
else else
warn "$check_3_22" warn "$check_3_22"
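Review bot: in the unchanged context line `tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)` the result of the `tlscert=` lookup is assigned to `tlscacert`, yet the `-f` test and `ls -ld` below use `$tlscert`, which still holds the value from 3.21; the variable name should be `tlscert=` so this check stands on its own. While touching the mode string on the changed line, the `-r--r--r--` versus `-r--r--r--.` inconsistency noted for 3.20 applies here too.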
@ -374,8 +356,7 @@ fi
check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root"
tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1) tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_23" pass "$check_3_23"
else else
warn "$check_3_23" warn "$check_3_23"
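Review bot: same stale variable as in 3.19 and 3.21: `if [ "$(stat -c %u%g $file)" -eq 00 ]; then` must use `"$tlskey"`; as written, the server key's ownership is never examined.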
@ -406,8 +387,7 @@ fi
check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker" check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker"
file="/var/run/docker.sock" file="/var/run/docker.sock"
if [ -f "$file" ]; then if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root docker" >/dev/null 2>&1 if [ "$(stat -c %u%g $file)" -eq 00 ]; then
if [ $? -eq 0 ]; then
pass "$check_3_25" pass "$check_3_25"
else else
warn "$check_3_25" warn "$check_3_25"
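Review bot: `if [ "$(stat -c %u%g $file)" -eq 00 ]; then` asserts uid 0 and gid 0, i.e. root:root, but the check title and the replaced `grep "root docker"` require root:docker; the docker group does not have gid 0, so a correctly configured socket will now always produce a warn. Compare names instead: `[ "$(stat -c %U:%G "$file")" = "root:docker" ]`. Also worth noting from the context line: `/var/run/docker.sock` is a socket, for which `[ -f "$file" ]` is false, so the whole block is currently skipped; `-S` is the appropriate test.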

View file

@ -180,7 +180,7 @@ else
fi fi
processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}') processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}')
if [ $processes -gt 1 ]; then if [ "$processes" -ge 1 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_7" warn "$check_5_7"
@ -201,18 +201,22 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1) # Port format is private port -> ip: public port
ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2)
if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then # iterate through port range (line delimited)
# If it's the first container, fail the test for port in $ports; do
if [ $fail -eq 0 ]; then if [ ! -z "$port" ] && [ "0$port" -lt 1024 ]; then
warn "$check_5_8" # If it's the first container, fail the test
warn " * Privileged Port in use: $port in $c" if [ $fail -eq 0 ]; then
fail=1 warn "$check_5_8"
else warn " * Privileged Port in use: $port in $c"
warn " * Privileged Port in use: $port in $c" fail=1
else
warn " * Privileged Port in use: $port in $c"
fi
fi fi
fi done
done done
# We went through all the containers and found no privileged ports # We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
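Review bot: `ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2)` only extracts the host port for IPv4 bindings. `awk '{print $0}'` is a no-op, and `cut -d ':' -f2` takes the text after the first colon, which for an IPv6 mapping such as `80/tcp -> [::]:8080` is empty, so the privileged-port check silently skips every IPv6 binding. Take the last colon-separated field instead, e.g. `awk -F: '{print $NF}'` or `sed 's/.*://'`. The `"0$port"` prefix in `[ ! -z "$port" ] && [ "0$port" -lt 1024 ]` is redundant given the `! -z` guard, and a non-numeric remainder would still make `[` error out.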
@ -316,17 +320,18 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1) for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do
if [ "$ip" = "0.0.0.0" ]; then if [ "$ip" = "0.0.0.0" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_14" warn "$check_5_14"
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
fail=1 fail=1
else else
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
fi
fi fi
fi done
done done
# We went through all the containers and found no ports bound to 0.0.0.0 # We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
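Review bot: `for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do` correctly iterates over every mapping now, but the `cut -d ':' -f1` on an IPv6 address like `[::]:8080` yields `[`, so a wildcard bind to `[::]` is never matched against `"0.0.0.0"` and goes unreported. Strip only the trailing `:port` (e.g. `addr=${line%:*}` on the third field) and treat both `0.0.0.0` and `[::]` as wildcards. The loop also prints the same `* Port being bound to wildcard IP` line once per mapping of the same container, which is noisier than the per-container message the replaced code produced.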

View file

@ -40,8 +40,8 @@ images=$(docker images -q | wc -l | awk '{print $1}')
active_images=0 active_images=0
for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
if [[ $(docker images --no-trunc -a | grep $c) ]]; then if docker images --no-trunc -a | grep "$c" > /dev/null ; then
((active_images++)) active_images=$(( active_images += 1 ))
fi fi
done done
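Review bot: `active_images=$(( active_images += 1 ))` assigns twice, once via `+=` inside the arithmetic expansion and once via the outer assignment; the idiomatic POSIX form is `active_images=$((active_images + 1))`. The change from `[[ $(...) ]]` to `if docker images --no-trunc -a | grep "$c" > /dev/null` is a good portability fix; consider `grep -q` to stop at the first match rather than redirecting output.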
@ -53,7 +53,7 @@ else
info " * There are currently: $images images" info " * There are currently: $images images"
fi fi
if [[ "$active_images" -lt "$((images / 2))" ]]; then if [ "$active_images" -lt "$((images / 2))" ]; then
warn " * Only $active_images out of $images are in use" warn " * Only $active_images out of $images are in use"
fi fi
@ -61,7 +61,7 @@ fi
check_6_7="6.7 - Avoid container sprawl" check_6_7="6.7 - Avoid container sprawl"
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
running_containers=$(docker ps -q | wc -l | awk '{print $1}') running_containers=$(docker ps -q | wc -l | awk '{print $1}')
diff="$(($total_containers - $running_containers))" diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then if [ "$diff" -gt 25 ]; then
warn "$check_6_7" warn "$check_6_7"
warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"