Merge remote-tracking branch 'upstream/master'

This commit is contained in:
Scott McCarty 2015-06-29 08:44:00 -04:00
commit 70c52ac5e8
11 changed files with 311 additions and 166 deletions

CONTRIBUTING.md Normal file

@ -0,0 +1,51 @@
# Contributing to Docker Bench for Security
Want to hack on Docker Bench? Awesome! Here are instructions to get you
started.
The Docker Bench for Security is a part of the [Docker](https://www.docker.com) project, and follows
the same rules and principles. If you're already familiar with the way
Docker does things, you'll feel right at home.
Otherwise, go read
[Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md).
### Development Environment Setup
The only thing you need to hack on Docker Bench for Security is a POSIX 2004 compliant shell. We try to keep the project compliant for maximum portability
#### Start hacking
You can build the container that wraps the docker-bench for security:
```sh
✗ git clone git@github.com:docker/docker-bench-security.git
✗ cd docker-bench-security
✗ docker build -t docker-bench-security .
```
Or you can simply run the shell script locally:
```sh
✗ git clone git@github.com:docker/docker-bench-security.git
✗ cd docker-bench-security
✗ sh docker-bench-security.sh
```
The Docker Bench has the main script called `docker-bench-security.sh`. This is the main script that checks for all the dependencies, deals with command line arguments and loads all the tests.
The tests are split in 6 different files:
```sh
✗ tree tests/
tests/
├── 1_host_configuration.sh
├── 2_docker_daemon_configuration.sh
├── 3_docker_daemon_configuration_files.sh
├── 4_container_images.sh
├── 5_container_runtime.sh
└── 6_docker_security_operations.sh
```
To modify the Docker Bench for Security you should first clone the repository, make your changes, check your code with `shellcheck`, `checkbashisms` or similar tools, and then sign off on your commits. After that feel free to send us a pull-request with the changes.
While this tool is inspired in the CIS Docker 1.6 Benchmark, feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions.
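Review bot: the clone commands in both `sh` blocks use the SSH remote `git@github.com:docker/docker-bench-security.git`, which only works for contributors who have an SSH key registered with GitHub; the README in this same commit uses `https://github.com/docker/docker-bench-security.git`, so use the HTTPS form here too (or show both). Minor wording in the same hunk: the sentence ending "for maximum portability" has no full stop, "inspired in the CIS Docker 1.6 Benchmark" should read "inspired by", and "pull-request" is normally written "pull request".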


@ -1,6 +1,8 @@
FROM gliderlabs/alpine:3.1
FROM alpine:3.1
RUN apk --update add docker
RUN apk update && \
apk upgrade && \
apk --update add docker
RUN mkdir /docker-bench-security
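Review bot: `apk --update add docker` on the last line of the new RUN is redundant once `apk update && apk upgrade` has already refreshed the index in the same layer; `apk add docker` is enough. Also, running `apk upgrade` at build time means two builds of the same Dockerfile can pull different package versions, so the image is not reproducible; if that is intended, say so in a comment, otherwise drop the upgrade and rely on the pinned `alpine:3.1` tag.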


@ -2,7 +2,7 @@
![Docker Bench for Security running](https://github.com/diogomonica/docker-bench-security/raw/master/benchmark_log.png?raw=true "Docker Bench for Security running")
The Docker Bench for Security is a script that checks for all the automatable tests included in the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are inspired by the [CIS Docker 1.6 Benchmark](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf). We are releasing this as a follow-up to our [Understanding Docker Security and Best Practices](https://blog.docker.com/2015/05/understanding-docker-security-and-best-practices/) blog post.
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and docker containers against this benchmark.
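Review bot: the screenshot link on the context line above this change still points at `diogomonica/docker-bench-security/raw/master/benchmark_log.png`, while the clone URLs later in this commit move to `docker/docker-bench-security`; update the image URL to the new repository so the README does not break if the fork goes away.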
@ -10,13 +10,16 @@ We are making this available as an open-source utility so the Docker community c
We packaged docker bench as a small container for your convenience. Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
The easiest way to run your hosts against the CIS Docker 1.6 benchmark is by running our pre-built container:
The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container:
```
docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label docker-bench-security \
diogomonica/docker-bench-security
```sh
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label docker-bench-security \
diogomonica/docker-bench-security
```
Docker bench requires Docker 1.6.2 or later in order to run, since it depends on the `--label` to exclude the current container from being inspected. If you can't upgrade to 1.6.2, I feel free to remove the `--label` flag or run the shell script locally (see below).
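Review bot: the new `-v /var/lib:/var/lib` mount exposes the whole of the host's `/var/lib` read-write to the container, while the check it serves (1.9, auditing `/var/lib/docker`) only needs that one directory; narrow it to `-v /var/lib/docker:/var/lib/docker:ro`, and consider `:ro` for `/etc` and `/usr/lib/systemd` as well, since the bench only reads them. The paragraph introducing the command lists the privileges the container is given (host filesystem, pid and network namespaces) and should now also mention `--cap-add audit_control`, which `auditctl -l` needs. Typo on the last context line: "I feel free to remove" should be "feel free to remove".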
@ -27,19 +30,24 @@ Additionally, there was a bug in Docker 1.6.0 that would not allow mounting `-v
If you wish to build and run this container yourself, you can follow the following steps:
```
git clone https://github.com/diogomonica/docker-bench-security.git
cd docker-bench-security; docker build -t docker-bench-security .
docker run -it --net host --pid host -v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd -v /etc:/etc --label security-benchmark \
docker-bench-security
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build -t docker-bench-security .
docker run -it --net host --pid host --cap-add audit_control \
-v /var/lib:/var/lib \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/lib/systemd:/usr/lib/systemd \
-v /etc:/etc --label docker-bench-security \
docker-bench-security
```
Also, this script can also be simply run from your base host by running:
```
git clone https://github.com/diogomonica/docker-bench-security.git
cd docker-bench-security; sh docker-bench-security.sh
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sh docker-bench-security.sh
```
This script was build to be POSIX 2004 compliant, so it should be portable across any Unix platform.
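Review bot: the `--label docker-bench-security` value in the `docker run` line has to match the string that `main()` in `docker-bench-security.sh` looks for (the removed lines used `security-benchmark`, which the script never matched, so the bench container would have inspected itself); it matches now, but a one-line remark in the README that this label is what excludes the bench container from its own checks would stop the next rename from silently breaking it. Two typos on context lines: "Also, this script can also be simply run" doubles "also", and "This script was build to be POSIX 2004 compliant" should read "built".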

distros/Dockerfile.alpine Normal file

@ -0,0 +1,17 @@
# REPOSITORY https://github.com/docker/docker-bench-security
MAINTAINER dockerbench.com
FROM alpine:3.1
RUN apk update && \
apk upgrade && \
apk --update add docker
RUN mkdir /docker-bench-security
COPY . /docker-bench-security
WORKDIR /docker-bench-security
ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
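Review bot: `MAINTAINER dockerbench.com` is placed before `FROM alpine:3.1`; Docker requires `FROM` to be the first instruction of a Dockerfile (only comments, and in later versions `ARG`, may precede it), so move `MAINTAINER` below `FROM`, otherwise `distros/README.md` points contributors at an example that does not follow the documented layout. This file also repeats the top-level `Dockerfile` instruction for instruction; consider making one a copy of the other at build time, or at least note in a comment that the two must be kept in sync.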

distros/README.md Normal file

@ -0,0 +1,18 @@
# Distribution specific Dockerfiles
## Requirements
### Dockerfile name
The format should be `Dockerfile.{distribution name}`.
### Keep your images up-to-date
Use the distribution package manager to keep your image up-to-date.
### REPOSITORY
Add a `REPOSITORY` comment with the URL to your GitHub repository where the Dockerfile is present.
`# REPOSITORY <GitHub repository>`
### MAINTAINER
Add the `MAINTAINER` instruction and your contact details, GitHub aliases are acceptable.
For an example Dockerfile, please refer to `Dockerfile.alpine`.
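Review bot: the Requirements list covers naming, updates, the `REPOSITORY` comment and `MAINTAINER`, but not the instructions the bench image actually needs in order to run (`COPY . /docker-bench-security`, `WORKDIR` and the `ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]` used in `Dockerfile.alpine`); a contributor following only this list would produce an image that builds but does nothing. Add a short section stating that a distribution Dockerfile must copy the repository in and keep that entrypoint.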

docker-bench-security.sh Normal file → Executable file

@ -1,10 +1,11 @@
#!/bin/sh
# ------------------------------------------------------------------------------
# CIS Docker 1.6 Benchmark v1.0.0 checker
# Docker Bench for Security v1.0.0
#
# Docker, Inc. (c) 2015
#
# Provides automated tests for the CIS Docker 1.6 Benchmark:
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
#
# ------------------------------------------------------------------------------
@ -21,7 +22,7 @@ export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/
logger="${myname}.log"
# Check for required program(s)
req_progs='docker netstat grep awk'
req_progs='awk docker grep netstat stat'
for p in $req_progs; do
command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done
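Review bot: adding `stat` to `req_progs` only proves that some `stat` binary exists, but the tests this commit adds call it as `stat -c %a` and `stat -c %u%g`, which is GNU coreutils (and BusyBox) syntax; BSD and macOS `stat` take `-f` and fail on `-c`, which contradicts the README's POSIX 2004 portability claim. Either probe for the GNU form here (for example `stat -c %a / >/dev/null 2>&1 || { printf "GNU stat required\n"; exit 1; }`) or state in the README that GNU or BusyBox `stat` is required.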
@ -42,11 +43,12 @@ usage () {
}
yell "# ------------------------------------------------------------------------------
# CIS Docker 1.6 Benchmark v1.0.0 checker
# Docker Bench for Security v1.0.0
#
# Docker, Inc. (c) 2015
#
# Provides automated tests for the CIS Docker 1.6 Benchmark:
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Inspired by the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------"
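Review bot: the same seven-line banner is now maintained twice in this file (the header comment at the top and this `yell` string), and this hunk has to edit both in lock-step; either keep a single copy that is both the file header and the printed banner, or add a comment at each site saying the two must be updated together.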
@ -73,11 +75,11 @@ done
main () {
# List all running containers
containers=$(docker ps -q)
# If there is a container with label docker-bench, memorize it:
# If there is a container with label docker-bench-security, memorize it:
benchcont="nil"
for c in $containers; do
labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
contains "$labels" "docker-bench" && benchcont="$c"
contains "$labels" "docker-bench-security" && benchcont="$c"
done
# List all running containers except docker-bench
containers=$(docker ps -q | grep -v "$benchcont")
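Review bot: `contains "$labels" "docker-bench-security"` is a substring match on the rendered `{{ .Config.Labels }}` map, so any container carrying a label key or value that merely contains that string is also treated as the bench container, and because `benchcont` is overwritten on every match only the last such container is remembered; the earlier ones are still inspected. Prefer an exact key lookup, for example `docker inspect --format '{{ index .Config.Labels "docker-bench-security" }}' "$c"`, or, if the targeted Docker version supports it, `docker ps -q --filter label=docker-bench-security`. The comment on the last context line still says `docker-bench` and should follow the rename.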


@ -40,9 +40,11 @@ fi
# 1.6
check_1_6="1.6 - Keep Docker up to date"
docker_version=$(docker version | grep 'Server version' | awk '{print $3}')
do_version_check 1.6.2 $docker_version
docker_current_version="1.7.0"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then
warn "$check_1_6"
warn " * Using $docker_version, when $docker_current_version is current."
else
pass "$check_1_6"
fi
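Review bot: `docker_current_version="1.7.0"` hardcodes the latest Docker release into the test, so check 1.6 will report stale hosts as current after the next Docker release unless someone remembers to bump it; add a comment beside the assignment saying it must be updated with each release, or move it to one place near the top of the script next to the tool's own version. Quoting `"$docker_version"` in the `do_version_check` call is a good fix: the removed line would have called the function with a missing argument whenever `docker version` failed.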
@ -71,140 +73,200 @@ fi
# 1.9
check_1_9="1.9 - Audit Docker files and directories - /var/lib/docker"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /var/lib/docker >/dev/null 2>&1
directory="/var/lib/docker"
if [ -d "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_9"
auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_9"
else
warn "$check_1_9"
fi
else
warn "$check_1_9"
warn "1.9 - Failed to inspect: auditctl command not found."
fi
else
warn "1.9 - Failed to inspect: auditctl command not found."
info "$check_1_9"
info " * Directory not found"
fi
# 1.10
check_1_10="1.10 - Audit Docker files and directories - /etc/docker"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/docker >/dev/null 2>&1
directory="/etc/docker"
if [ -d "$directory" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_10"
auditctl -l | grep $directory >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_10"
else
warn "$check_1_10"
fi
else
warn "$check_1_10"
warn "1.10 - Failed to inspect: auditctl command not found."
fi
else
warn "1.10 - Failed to inspect: auditctl command not found."
info "$check_1_10"
info " * Directory not found"
fi
# 1.11
check_1_11="1.11 - Audit Docker files and directories - docker-registry.service"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /usr/lib/systemd/system/docker-registry.service >/dev/null 2>&1
file="/usr/lib/systemd/system/docker-registry.service"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_11"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_11"
else
warn "$check_1_11"
fi
else
warn "$check_1_11"
warn "1.11 - Failed to inspect: auditctl command not found."
fi
else
warn "1.11 - Failed to inspect: auditctl command not found."
info "$check_1_11"
info " * File not found"
fi
# 1.12
check_1_12="1.12 - Audit Docker files and directories - docker.service"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /usr/lib/systemd/system/docker.service >/dev/null 2>&1
file="/usr/lib/systemd/system/docker.service"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_12"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_12"
else
warn "$check_1_12"
fi
else
warn "$check_1_12"
warn "1.12 - Failed to inspect: auditctl command not found."
fi
else
warn "1.12 - Failed to inspect: auditctl command not found."
info "$check_1_12"
info " * File not found"
fi
# 1.13
check_1_13="1.13 - Audit Docker files and directories - /var/run/docker.sock"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /var/run/docker.sock >/dev/null 2>&1
file="/var/run/docker.sock"
if [ -e "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_13"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_13"
else
warn "$check_1_13"
fi
else
warn "$check_1_13"
warn "1.13 - Failed to inspect: auditctl command not found."
fi
else
warn "1.13 - Failed to inspect: auditctl command not found."
info "$check_1_13"
info " * File not found"
fi
# 1.14
check_1_14="1.14 - Audit Docker files and directories - /etc/sysconfig/docker"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/sysconfig/docker >/dev/null 2>&1
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_14"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_14"
else
warn "$check_1_14"
fi
else
warn "$check_1_14"
warn "1.14 - Failed to inspect: auditctl command not found."
fi
else
warn "1.14 - Failed to inspect: auditctl command not found."
info "$check_1_14"
info " * File not found"
fi
# 1.15
check_1_15="1.15 - Audit Docker files and directories - /etc/sysconfig/docker-network"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/sysconfig/docker-network >/dev/null 2>&1
file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_15"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_15"
else
warn "$check_1_15"
fi
else
warn "$check_1_15"
warn "1.15 - Failed to inspect: auditctl command not found."
fi
else
warn "1.15 - Failed to inspect: auditctl command not found."
info "$check_1_15"
info " * File not found"
fi
# 1.16
check_1_16="1.16 - Audit Docker files and directories - /etc/sysconfig/docker-registry"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/sysconfig/docker-registry >/dev/null 2>&1
file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_16"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_16"
else
warn "$check_1_16"
fi
else
warn "$check_1_16"
warn "1.16 - Failed to inspect: auditctl command not found."
fi
else
warn "1.16 - Failed to inspect: auditctl command not found."
info "$check_1_16"
info " * File not found"
fi
# 1.17
check_1_17="1.17 - Audit Docker files and directories - /etc/sysconfig/docker-storage"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/sysconfig/docker-storage >/dev/null 2>&1
file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_17"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_17"
else
warn "$check_1_17"
fi
else
warn "$check_1_17"
warn "1.17 - Failed to inspect: auditctl command not found."
fi
else
warn "1.17 - Failed to inspect: auditctl command not found."
info "$check_1_17"
info " * File not found"
fi
# 1.18
check_1_18="1.18 - Audit Docker files and directories - /etc/default/docker"
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
auditctl -l | grep /etc/default/docker >/dev/null 2>&1
file="/etc/default/docker"
if [ -f "$file" ]; then
command -v auditctl >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_18"
auditctl -l | grep $file >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_1_18"
else
warn "$check_1_18"
fi
else
warn "$check_1_18"
warn "1.18 - Failed to inspect: auditctl command not found."
fi
else
warn "1.18 - Failed to inspect: auditctl command not found."
info "$check_1_18"
info " * File not found"
fi
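Review bot: check 1.9 tests `if [ -d "$file" ]`, but the variable assigned on the line above it is `directory="/var/lib/docker"`; `$file` is unset (or left over from an earlier check) at that point, so 1.9 reports "Directory not found" on every host, or tests whatever path `file` last held. It should read `if [ -d "$directory" ]`, as check 1.10 does. Two smaller points that apply to all ten checks in this hunk: `grep $directory` and `grep $file` are unquoted and unanchored, so an audit rule for `/etc/docker-foo` satisfies the `/etc/docker` check; quote the argument (`grep -F -- "$directory"`) and ideally match the whole `-w <path>` token. And the same eleven-line block is repeated ten times with only the path and number changing; a helper such as `audit_rule_present "$check_1_10" "$directory"` would make the `$file`/`$directory` mix-up impossible.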


@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration"
# 2.1
check_2_1="2.1 - Do not use lxc execution driver"
pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1
pgrep -lf docker | grep lxc >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_1"
else
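Review bot: dropping `-U root -u root` from `pgrep -lf docker` (here and in every hunk below in this file) widens the match from the root-owned daemon to any process of any user whose full command line contains "docker", which includes the bench script itself (`docker-bench-security.sh`), `docker run ...` clients and anything with "docker" in its arguments; a shell running `docker run --name lxc-test` would satisfy this check's `grep lxc` and produce a false warning. Restrict the match to the daemon's own command line (in Docker 1.x the daemon is started as `docker -d`, so `pgrep -f 'docker -d'` would do) and capture it once into a variable that the per-option greps reuse. If the user filter was removed because BusyBox `pgrep` lacks `-u`, say so in the commit message so the trade-off is recorded.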
@ -14,7 +14,7 @@ fi
# 2.2
check_2_2="2.2 - Restrict network traffic between containers"
pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1
pgrep -lf docker | grep "icc=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_2"
else
@ -23,7 +23,7 @@ fi
# 2.3
check_2_3="2.3 - Set the logging level"
pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1
pgrep -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_3"
else
@ -32,7 +32,7 @@ fi
# 2.4
check_2_4="2.4 - Allow Docker to make changes to iptables"
pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1
pgrep -lf docker | grep "iptables=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_4"
else
@ -41,7 +41,7 @@ fi
# 2.5
check_2_5="2.5 - Do not use insecure registries"
pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1
pgrep -lf docker | grep "insecure-registry" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_5"
else
@ -50,7 +50,7 @@ fi
# 2.6
check_2_6="2.6 - Setup a local registry mirror"
pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1
pgrep -lf docker | grep "registry-mirror" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_6"
else
@ -69,7 +69,7 @@ fi
# 2.8
check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket"
pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1
pgrep -lf docker | grep "\-H" >/dev/null 2>&1
if [ $? -eq 0 ]; then
info "$check_2_8"
info " * Docker daemon running with -H"
@ -79,9 +79,9 @@ fi
# 2.9
check_2_9="2.9 - Configure TLS authentication for Docker daemon"
pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1
pgrep -lf docker | grep "\-H" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
pgrep -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_9"
info " * Docker daemon currently listening on TCP"
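Review bot: the first grep in check 2.9 changed from `grep "tcp://"` to `grep "\-H"`, so the check now enters the TLS branch for any `-H` value, including `-H unix:///var/run/docker.sock` or `-H fd://`, and prints "Docker daemon currently listening on TCP" for daemons that listen on no TCP socket at all; a daemon with only a Unix socket and no `--tlsverify` would then be warned about TLS it does not need. Keep the `tcp://` match (that is what makes TLS relevant), or require both: `-H` present and its value starting with `tcp://`.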
@ -96,7 +96,7 @@ fi
# 2.10
check_2_10="2.10 - Set default ulimit as appropriate"
pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1
pgrep -lf docker | grep "default-ulimit" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_10"
else


@ -7,8 +7,7 @@ info "3 - Docker Daemon Configuration Files"
check_3_1="3.1 - Verify that docker.service file ownership is set to root:root"
file="/usr/lib/systemd/system/docker.service"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1"
else
warn "$check_3_1"
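Review bot: `[ "$(stat -c %u%g $file)" -eq 00 ]` concatenates the numeric uid and gid into one string and compares it as a number; it works for root:root ("00" equals 0), but it is not obvious to a reader, `[` errors out with "integer expression expected" if `stat` fails (`$file` is also unquoted here), and the same idiom is copied into check 3.25 below where the expected owner is root:docker, not root:root. Compare the two fields explicitly, for example `[ "$(stat -c %U:%G "$file")" = "root:root" ]`, which reads like the check title and extends to `root:docker` without a trick.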
@ -23,8 +22,7 @@ fi
check_3_2="3.2 - Verify that docker.service file permissions are set to 644"
file="/usr/lib/systemd/system/docker.service"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_2"
else
warn "$check_3_2"
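Review bot: `-eq 644` warns on modes that are stricter than the benchmark asks for (600, 640, 444), while check 3.16 below deliberately accepts 700 alongside 755; decide which behaviour is wanted and apply it consistently, listing the accepted modes explicitly if tighter ones should pass. `$file` should be quoted inside the `$(...)` as it is on the `-f` test above it.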
@ -39,8 +37,7 @@ fi
check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root"
file="/usr/lib/systemd/system/docker-registry.service"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3"
else
warn "$check_3_3"
@ -55,8 +52,7 @@ fi
check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644"
file="/usr/lib/systemd/system/docker-registry.service"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_4"
else
warn "$check_3_4"
@ -71,8 +67,7 @@ fi
check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root"
file="/usr/lib/systemd/system/docker.socket"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_5"
else
warn "$check_3_5"
@ -87,8 +82,7 @@ fi
check_3_6="3.6 - Verify that docker.socket file permissions are set to 644"
file="/usr/lib/systemd/system/docker.socket"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_6"
else
warn "$check_3_6"
@ -103,8 +97,7 @@ fi
check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root "
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_7"
else
warn "$check_3_7"
@ -119,8 +112,7 @@ fi
check_3_8="3.8 - Verify that Docker environment file permissions are set to 644"
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_8"
else
warn "$check_3_8"
@ -135,8 +127,7 @@ fi
check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root"
file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_9"
else
warn "$check_3_9"
@ -151,8 +142,7 @@ fi
check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644"
file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_10"
else
warn "$check_3_10"
@ -167,8 +157,7 @@ fi
check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root"
file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_11"
else
warn "$check_3_11"
@ -183,8 +172,7 @@ fi
check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644"
file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_12"
else
warn "$check_3_12"
@ -199,8 +187,7 @@ fi
check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root"
file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_13"
else
warn "$check_3_13"
@ -215,8 +202,7 @@ fi
check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644"
file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $1}' | grep "rw-r--r--" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_14"
else
warn "$check_3_14"
@ -231,8 +217,7 @@ fi
check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root"
directory="/etc/docker"
if [ -d "$directory" ]; then
ls -ld "$directory" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_15"
else
warn "$check_3_15"
@ -247,10 +232,9 @@ fi
check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755"
directory="/etc/docker"
if [ -d "$directory" ]; then
perms=$(ls -ld $directory | awk '{print $1}')
if [ "$perms" = "drwxr-xr-x." ]; then
if [ "$(stat -c %a $directory)" -eq 755 ]; then
pass "$check_3_16"
elif [ "$perms" = "drwx------" ]; then
elif [ "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_16"
else
warn "$check_3_16"
@ -266,7 +250,7 @@ check_3_17="3.17 - Verify that registry certificate file ownership is set to roo
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
owners=$(ls -lL "$directory"/*.crt | awk '{print "$3", "$4"}')
owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}')
for p in $owners; do
printf "%s" "$p" | grep "root" >/dev/null 2>&1
if [ $? -ne 0 ]; then
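Review bot: `ls -lL $directory | grep ".crt"` uses an unescaped, unanchored pattern, so any entry whose name contains "crt" preceded by any character (`my-crt-notes`, `foo.crt.bak`) is included, and `$directory` is unquoted here although it is quoted on the line above; use `grep '\.crt$'` and quote the variable. Note also that when the directory contains no `.crt` files `owners` is empty, the loop never runs and `fail` stays 0, so the check passes vacuously; an `info` line for that case would be clearer.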
@ -289,9 +273,9 @@ check_3_18="3.18 - Verify that registry certificate file permissions are set to
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
perms=$(ls -lL "$directory"/*.crt | awk '{print $1}')
perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')
for p in $perms; do
if [ "$p" != "-rw-r--r--." -a "$p" = "-rw-------." ]; then
if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then
fail=1
fi
done
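Review bot: the condition `[ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]` is only true when the mode string is exactly `-r--------.` (the first clause is then automatically true), so this check fails a certificate that is more restrictive than 444 and passes every other mode, world-writable ones included; the removed line had the same inverted shape with different modes. The trailing `.` also only appears on SELinux-labelled files, so on other hosts nothing ever matches. Use the numeric form the rest of this commit introduces, for example iterating over `"$directory"/*.crt` and setting `fail=1` when `[ "$(stat -c %a "$f")" -ne 444 ]`, instead of parsing `ls`.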
@ -310,8 +294,7 @@ fi
check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root"
tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then
ls -ld "$tlscacert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_19"
else
warn "$check_3_19"
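Review bot: check 3.19 now runs `stat -c %u%g $file`, but the path under test is `$tlscacert` (set two lines above); `$file` at this point still holds the last value assigned in check 3.14, so the CA certificate's ownership is never examined. Use `"$tlscacert"` here; checks 3.21 and 3.23 below carry the same copy-and-paste substitution.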
@ -327,7 +310,7 @@ check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 44
tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then
perms=$(ls -ld "$tlscacert" | awk '{print $1}')
if [ "$perms" = "-rw-r--r--" ]; then
if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_20"
else
warn "$check_3_20"
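Review bot: 3.20 still parses `ls -ld` for the mode string while the neighbouring checks moved to `stat -c %a`; on SELinux hosts `ls` appends a `.` (as the patterns in 3.18 show), so `"$perms" = "-r--r--r--"` never matches there. `[ "$(stat -c %a "$tlscacert")" -eq 444 ]` would be both consistent with the rest of the file and correct on those hosts.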
@ -342,8 +325,7 @@ fi
check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root"
tlscert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then
ls -ld "$tlscert" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_21"
else
warn "$check_3_21"
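Review bot: same substitution error as in 3.19: the `stat` call uses `$file` rather than `$tlscert`, so the server certificate's ownership is not what is being checked.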
@ -359,7 +341,7 @@ check_3_22="3.22 - Verify that Docker server certificate file permissions are se
tlscacert=$(pgrep -lf docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then
perms=$(ls -ld "$tlscert" | awk '{print $1}')
if [ "$perms" = "-rw-r--r--" ]; then
if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_22"
else
warn "$check_3_22"
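Review bot: the context line above this hunk assigns `tlscacert=$(... tlscert=...)` but the check then tests `$tlscert`, so 3.22 examines whatever `tlscert` was set to by 3.21 (or nothing) and clobbers the CA path variable; rename the assignment to `tlscert`. The `ls`-based mode compare has the SELinux trailing-dot problem noted for 3.20; `stat -c %a` would be consistent with the rest of the file.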
@ -374,8 +356,7 @@ fi
check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root"
tlskey=$(pgrep -lf docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then
ls -ld "$tlskey" | awk '{print $3, $4}' | grep "root root" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_23"
else
warn "$check_3_23"
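Review bot: same as 3.19 and 3.21: `stat -c %u%g $file` should be `"$tlskey"`; as written the check reports on an unrelated file while the key itself is never inspected.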
@ -406,8 +387,7 @@ fi
check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker"
file="/var/run/docker.sock"
if [ -f "$file" ]; then
ls -ld "$file" | awk '{print $3, $4}' | grep "root docker" >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_25"
else
warn "$check_3_25"
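Review bot: the title says the socket should be `root:docker`, but the new test `-eq 00` passes only for uid 0 and gid 0, so a correctly configured socket (gid of the `docker` group) is flagged and a root:root socket passes; compare names instead, `[ "$(stat -c %U:%G "$file")" = "root:docker" ]`. In addition, `[ -f "$file" ]` is false for a Unix socket (check 1.13 in this commit correctly uses `-e`), so on most hosts this branch is never reached at all.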


@ -180,7 +180,7 @@ else
fi
processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}')
if [ $processes -gt 1 ]; then
if [ "$processes" -ge 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_7"
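Review bot: `-ge 1` is the right threshold (one sshd inside a container is already what 5.7 forbids), but `grep -c sshd | awk '{print $1}'` is a no-op pipeline stage that can be dropped, and `$fail` on the next context line should be quoted the way `$processes` now is.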
@ -201,18 +201,22 @@ else
fail=0
for c in $containers; do
port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1)
# Port format is private port -> ip: public port
ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2)
if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_8"
warn " * Privileged Port in use: $port in $c"
fail=1
else
warn " * Privileged Port in use: $port in $c"
# iterate through port range (line delimited)
for port in $ports; do
if [ ! -z "$port" ] && [ "0$port" -lt 1024 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_8"
warn " * Privileged Port in use: $port in $c"
fail=1
else
warn " * Privileged Port in use: $port in $c"
fi
fi
fi
done
done
# We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then
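Review bot: `awk '{print $0}'` in the new `ports=` line does nothing and can be removed. The `"0$port" -lt 1024` prefix exists so that an empty or non-numeric value does not make `[` fail, but it makes the `! -z "$port"` guard on the same line redundant and the intent is not obvious; add a comment or drop the guard. The `-lt 1025` to `-lt 1024` change is a correct off-by-one fix (privileged ports are 0 to 1023), and looping over every published port rather than only the first is the real fix here and deserves a mention in the commit message. `cut -d ':' -f2` assumes an IPv4 `ip:port` host address; an IPv6 `[::]:8080` would yield `]` and the comparison would then print an "integer expression expected" error instead of a warning.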
@ -316,17 +320,18 @@ else
fail=0
for c in $containers; do
ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1)
if [ "$ip" = "0.0.0.0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_14"
warn " * Port being bound to wildcard IP: $ip in $c"
fail=1
else
warn " * Port being bound to wildcard IP: $ip in $c"
for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do
if [ "$ip" = "0.0.0.0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_14"
warn " * Port being bound to wildcard IP: $ip in $c"
fail=1
else
warn " * Port being bound to wildcard IP: $ip in $c"
fi
fi
fi
done
done
# We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then


@ -40,8 +40,8 @@ images=$(docker images -q | wc -l | awk '{print $1}')
active_images=0
for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
if [[ $(docker images --no-trunc -a | grep $c) ]]; then
((active_images++))
if docker images --no-trunc -a | grep "$c" > /dev/null ; then
active_images=$(( active_images += 1 ))
fi
done
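Review bot: `active_images=$(( active_images += 1 ))` assigns twice; `active_images=$((active_images + 1))` is the plain POSIX form and avoids readers wondering whether `+=` inside `$(( ))` is portable. Replacing `[[ $(...) ]]` with `if ... | grep "$c" > /dev/null` is the right portability fix for a `#!/bin/sh` script. Two pre-existing issues worth fixing while here: `docker inspect -f "{{.Image}}" $(docker ps -qa)` prints a usage error to stderr when there are no containers, and the loop variable `c` holds an image ID rather than a container, which the name suggests.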
@ -53,7 +53,7 @@ else
info " * There are currently: $images images"
fi
if [[ "$active_images" -lt "$((images / 2))" ]]; then
if [ "$active_images" -lt "$((images / 2))" ]; then
warn " * Only $active_images out of $images are in use"
fi
@ -61,7 +61,7 @@ fi
check_6_7="6.7 - Avoid container sprawl"
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
running_containers=$(docker ps -q | wc -l | awk '{print $1}')
diff="$(($total_containers - $running_containers))"
diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then
warn "$check_6_7"
warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"