mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-18 16:22:33 +01:00
update info messages, not scored
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
parent
ceb516fc29
commit
77617321df
5 changed files with 73 additions and 23 deletions
|
@ -22,16 +22,20 @@ else
|
|||
pass "$check_1_2"
|
||||
fi
|
||||
|
||||
# 1.3
|
||||
check_1_3="1.3 - Harden the container host"
|
||||
info "$check_1_3"
|
||||
|
||||
# 1.4
|
||||
check_1_4="1.4 - Remove all non-essential services from the host - Network"
|
||||
# Check for listening network services.
|
||||
listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
|
||||
if [ "$listening_services" -eq 0 ]; then
|
||||
warn "1.4 - Failed to get listening services for check: $check_1_4"
|
||||
info "1.4 - Failed to get listening services for check: $check_1_4"
|
||||
else
|
||||
if [ "$listening_services" -gt 5 ]; then
|
||||
warn "$check_1_4"
|
||||
warn " * Host listening on: $listening_services ports"
|
||||
info "$check_1_4"
|
||||
info " * Host listening on: $listening_services ports"
|
||||
else
|
||||
pass "$check_1_4"
|
||||
fi
|
||||
|
@ -45,8 +49,8 @@ docker_current_version="1.13.0"
|
|||
docker_current_date="2017-01-18"
|
||||
do_version_check "$docker_current_version" "$docker_version"
|
||||
if [ $? -eq 11 ]; then
|
||||
warn "$check_1_5"
|
||||
warn " * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
|
||||
info "$check_1_5"
|
||||
info " * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
|
||||
info " * Your operating system vendor may provide support and security maintenance for docker"
|
||||
else
|
||||
pass "$check_1_5"
|
||||
|
|
|
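Review bot: The downgraded message `info "1.4 - Failed to get listening services for check: $check_1_4"` still fires whenever `grep -c` yields 0, which is also the legitimate result on a host with no LISTEN sockets, so a genuine count of zero is reported as a tooling failure; the same pipeline drops `tcp6` lines, so IPv6-only listeners are never counted at all. Guarding the tool first, `command -v netstat >/dev/null 2>&1 || info "1.4 - netstat not found, skipping: $check_1_4"`, lets zero be treated as a result rather than an error (how a skipped check should be reported depends on the helpers defined outside this hunk). Separately, 1.4 here and 1.5 in the second hunk of this file now emit `pass` on one branch and `info` on the other, so a reader of the report cannot tell whether `info` denotes a finding; a comment such as `# Not scored: informational only, pass is kept for the compliant case` above each block would record the intent the commit title states.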
@ -78,7 +78,7 @@ fi
|
|||
|
||||
|
||||
# 2.7
|
||||
check_2_7="2.7 - Set default ulimit as appropriate"
|
||||
check_2_7="2.7 - Set default ulimit as appropriate"
|
||||
get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
pass "$check_2_7"
|
||||
|
|
|
@ -40,6 +40,18 @@ set +f; unset IFS
|
|||
|
||||
images=$(docker images -q)
|
||||
|
||||
# 4.2
|
||||
check_4_2="4.2 - Use trusted base images for containers"
|
||||
info "$check_4_2"
|
||||
|
||||
# 4.3
|
||||
check_4_3="4.3 - Do not install unnecessary packages in the container"
|
||||
info "$check_4_3"
|
||||
|
||||
# 4.4
|
||||
check_4_4="4.4 - Scan and rebuild the images to include security patches"
|
||||
info "$check_4_4"
|
||||
|
||||
# 4.5
|
||||
check_4_5="4.5 - Enable Content trust for Docker"
|
||||
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
||||
|
@ -88,6 +100,10 @@ if [ $fail -eq 0 ]; then
|
|||
pass "$check_4_7"
|
||||
fi
|
||||
|
||||
# 4.8
|
||||
check_4_8="4.8 - Remove setuid and setgid permissions in the images"
|
||||
info "$check_4_8"
|
||||
|
||||
# 4.9
|
||||
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
|
||||
fail=0
|
||||
|
@ -107,3 +123,11 @@ done
|
|||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_4_9"
|
||||
fi
|
||||
|
||||
# 4.10
|
||||
check_4_10="4.10 - Do not store secrets in Dockerfiles"
|
||||
info "$check_4_10"
|
||||
|
||||
# 4.11
|
||||
check_4_11="4.11 - Install verified packages only"
|
||||
info "$check_4_11"
|
||||
|
|
|
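Review bot: The new informational checks 4.2, 4.3, 4.4, 4.8, 4.10 and 4.11 each consist of a title assignment and a bare `info "$check_4_x"` with no comment saying why nothing is evaluated, so a later maintainer cannot distinguish a deliberately manual control from an unfinished one. A one-line comment under each `# 4.x` marker, e.g. `# Not scored: needs manual review of the build process, no automated test here`, would record the intent the commit title gives; this applies to the first hunk of this file and to the two hunks that follow it. The 4.2 base-image block also sits directly above the existing 4.5 `DOCKER_CONTENT_TRUST` test, which appears to be the nearest automated signal for image trust in this file; a pointer to it from the 4.2 comment would keep the two from reading as unrelated.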
@ -1,7 +1,7 @@
|
|||
#!/bin/sh
|
||||
|
||||
logit "\n"
|
||||
info "5 - Container Runtime"
|
||||
info "5 - Container Runtime"
|
||||
|
||||
# If containers is empty, there are no running containers
|
||||
if [ -z "$containers" ]; then
|
||||
|
@ -207,8 +207,12 @@ else
|
|||
pass "$check_5_7"
|
||||
fi
|
||||
|
||||
# 5.8
|
||||
check_5_8="5.8 - Open only needed ports on container"
|
||||
info "$check_5_8"
|
||||
|
||||
# 5.9
|
||||
check_5_9="5.9 - Do not share the host's network namespace"
|
||||
check_5_9="5.9 - Do not share the host's network namespace"
|
||||
|
||||
fail=0
|
||||
for c in $containers; do
|
||||
|
@ -519,6 +523,13 @@ else
|
|||
pass "$check_5_21"
|
||||
fi
|
||||
|
||||
# 5.22
|
||||
check_5_22="5.22 - Do not docker exec commands with privileged option"
|
||||
info "$check_5_22"
|
||||
|
||||
# 5.23
|
||||
check_5_23="5.23 - Do not docker exec commands with user option"
|
||||
info "$check_5_23"
|
||||
|
||||
# 5.24
|
||||
check_5_24="5.24 - Confirm cgroup usage"
|
||||
|
@ -586,6 +597,10 @@ else
|
|||
pass "$check_5_26"
|
||||
fi
|
||||
|
||||
# 5.27
|
||||
check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
|
||||
info "$check_5_27"
|
||||
|
||||
# 5.28
|
||||
check_5_28="5.28 - Use PIDs cgroup limit"
|
||||
|
||||
|
@ -597,10 +612,10 @@ else
|
|||
# If it's the first container, fail the test
|
||||
if [ $fail -eq 0 ]; then
|
||||
warn "$check_5_28"
|
||||
warn " * PID limit not set: $c"
|
||||
warn " * PIDs limit not set: $c"
|
||||
fail=1
|
||||
else
|
||||
warn " * PID limit not set: $c"
|
||||
warn " * PIDs limit not set: $c"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
@ -621,11 +636,11 @@ else
|
|||
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
|
||||
if [ -n "$docker0Containers" ]; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
warn "$check_5_29"
|
||||
info "$check_5_29"
|
||||
fail=1
|
||||
fi
|
||||
for c in $docker0Containers; do
|
||||
warn " * Container in docker0 network: $c"
|
||||
info " * Container in docker0 network: $c"
|
||||
done
|
||||
fi
|
||||
fi
|
||||
|
|
|
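Review bot: In the last hunk of this file (5.29), `fail=1` is still set for the first container found in the docker0 network, but after the switch from `warn` to `info` nothing in the hunk reads it as a failure; its only visible role is to print the `info "$check_5_29"` header once, so the name now misleads. If `fail` is not read elsewhere in the 5.29 block (its initialisation and the enclosing `if` open before this hunk, and two `fi` lines close them inside it), either rename it for this block, `seen=1` with a matching `if [ $seen -eq 0 ]`, or document the intent with `# fail only de-duplicates the header; 5.29 is informational, not scored`. The other hunks here (5.8, 5.22, 5.23, 5.27) add informational titles with no comment explaining why they are not evaluated; a short `# Not scored:` comment under each `# 5.x` marker would help readers of the script.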
@ -1,10 +1,22 @@
|
|||
#!/bin/sh
|
||||
|
||||
logit "\n"
|
||||
info "6 - Docker Security Operations"
|
||||
info "6 - Docker Security Operations"
|
||||
|
||||
# 6.1
|
||||
check_6_1="6.1 - Perform regular security audits of your host system and containers"
|
||||
info "$check_6_1"
|
||||
|
||||
# 6.2
|
||||
check_6_2="6.2 - Monitor Docker containers usage, performance and metering"
|
||||
info "$check_6_2"
|
||||
|
||||
# 6.3
|
||||
check_6_3="6.3 - Backup container data"
|
||||
info "$check_6_3"
|
||||
|
||||
# 6.4
|
||||
check_6_4="6.4 - Avoid image sprawl"
|
||||
check_6_4="6.4 - Avoid image sprawl"
|
||||
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
|
||||
active_images=0
|
||||
|
||||
|
@ -14,26 +26,21 @@ for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
|
|||
fi
|
||||
done
|
||||
|
||||
if [ "$images" -gt 100 ]; then
|
||||
warn "$check_6_4"
|
||||
warn " * There are currently: $images images"
|
||||
else
|
||||
info "$check_6_4"
|
||||
info " * There are currently: $images images"
|
||||
fi
|
||||
|
||||
if [ "$active_images" -lt "$((images / 2))" ]; then
|
||||
warn " * Only $active_images out of $images are in use"
|
||||
info " * Only $active_images out of $images are in use"
|
||||
fi
|
||||
|
||||
# 6.5
|
||||
check_6_5="6.5 - Avoid container sprawl"
|
||||
check_6_5="6.5 - Avoid container sprawl"
|
||||
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
|
||||
running_containers=$(docker ps -q | wc -l | awk '{print $1}')
|
||||
diff="$((total_containers - running_containers))"
|
||||
if [ "$diff" -gt 25 ]; then
|
||||
warn "$check_6_5"
|
||||
warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
|
||||
info "$check_6_5"
|
||||
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
|
||||
else
|
||||
info "$check_6_5"
|
||||
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
|
||||
|
|
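Review bot: In the 6.5 block of the last hunk, both arms of `if [ "$diff" -gt 25 ]` now call `info "$check_6_5"` and print the same two counts, differing only in the word "only", so the threshold no longer changes severity and reads like dead code; either a comment `# Not scored: 25 only changes the wording of the message` above the test, or collapsing to a single `info` pair, keeps the intent visible (the `fi` closing that `if` lies beyond the hunk, as does the `for` whose `done` appears at its top). The 6.4 part of the same hunk makes the image-count message unconditional, which matches the commit title, but the remaining `Only $active_images out of $images are in use` line still triggers on a threshold with no comment saying it is informational; the same `# Not scored` note applies there and to the new 6.1, 6.2 and 6.3 blocks in the first hunk of this file.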