update info messages, not scored
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
parent
ceb516fc29
commit
77617321df
5 changed files with 73 additions and 23 deletions
|
@ -22,16 +22,20 @@ else
|
||||||
pass "$check_1_2"
|
pass "$check_1_2"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 1.3
|
||||||
|
check_1_3="1.3 - Harden the container host"
|
||||||
|
info "$check_1_3"
|
||||||
|
|
||||||
# 1.4
|
# 1.4
|
||||||
check_1_4="1.4 - Remove all non-essential services from the host - Network"
|
check_1_4="1.4 - Remove all non-essential services from the host - Network"
|
||||||
# Check for listening network services.
|
# Check for listening network services.
|
||||||
listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
|
listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
|
||||||
if [ "$listening_services" -eq 0 ]; then
|
if [ "$listening_services" -eq 0 ]; then
|
||||||
warn "1.4 - Failed to get listening services for check: $check_1_4"
|
info "1.4 - Failed to get listening services for check: $check_1_4"
|
||||||
else
|
else
|
||||||
if [ "$listening_services" -gt 5 ]; then
|
if [ "$listening_services" -gt 5 ]; then
|
||||||
warn "$check_1_4"
|
info "$check_1_4"
|
||||||
warn " * Host listening on: $listening_services ports"
|
info " * Host listening on: $listening_services ports"
|
||||||
else
|
else
|
||||||
pass "$check_1_4"
|
pass "$check_1_4"
|
||||||
fi
|
fi
|
||||||
|
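Review bot: The `info "1.4 - Failed to get listening services for check: $check_1_4"` line (replacing the former warn) is reached whenever `listening_services` is 0, and `grep -c` also yields 0 when netstat is missing or prints nothing, so after this downgrade a missing tool is indistinguishable from a host with no listeners. Probe for the tool before counting, e.g. `if ! command -v netstat >/dev/null 2>&1; then info "1.4 - netstat not found for check: $check_1_4"`, and give the genuine zero-count case its own wording so the two outcomes stay distinguishable in the log. The hunk opens inside an if/else whose `if` is outside it (only the `else` appears in the hunk header).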
@ -45,8 +49,8 @@ docker_current_version="1.13.0"
|
||||||
docker_current_date="2017-01-18"
|
docker_current_date="2017-01-18"
|
||||||
do_version_check "$docker_current_version" "$docker_version"
|
do_version_check "$docker_current_version" "$docker_version"
|
||||||
if [ $? -eq 11 ]; then
|
if [ $? -eq 11 ]; then
|
||||||
warn "$check_1_5"
|
info "$check_1_5"
|
||||||
warn " * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
|
info " * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
|
||||||
info " * Your operating system vendor may provide support and security maintenance for docker"
|
info " * Your operating system vendor may provide support and security maintenance for docker"
|
||||||
else
|
else
|
||||||
pass "$check_1_5"
|
pass "$check_1_5"
|
||||||
|
|
|
@ -40,6 +40,18 @@ set +f; unset IFS
|
||||||
|
|
||||||
images=$(docker images -q)
|
images=$(docker images -q)
|
||||||
|
|
||||||
|
# 4.2
|
||||||
|
check_4_2="4.2 - Use trusted base images for containers"
|
||||||
|
info "$check_4_2"
|
||||||
|
|
||||||
|
# 4.3
|
||||||
|
check_4_3="4.3 - Do not install unnecessary packages in the container"
|
||||||
|
info "$check_4_3"
|
||||||
|
|
||||||
|
# 4.4
|
||||||
|
check_4_4="4.4 - Scan and rebuild the images to include security patches"
|
||||||
|
info "$check_4_4"
|
||||||
|
|
||||||
# 4.5
|
# 4.5
|
||||||
check_4_5="4.5 - Enable Content trust for Docker"
|
check_4_5="4.5 - Enable Content trust for Docker"
|
||||||
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
||||||
|
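Review bot: The new informational checks 4.2, 4.3 and 4.4 here (and 4.8, 4.10 and 4.11 in the later hunks of this file, plus 5.8, 5.22, 5.23, 5.27 and 6.1–6.3 in the other files) consist solely of `info "$check_4_2"` with no test logic, and nothing in the code explains why, so a reader comparing them with the scored checks around them cannot tell whether the logic is missing or deliberately omitted. Add a one-line comment above each, e.g. `# Not scored: informational only, no automated test`, which matches the commit's stated intent. Using the same phrase on every such check also lets the unscored set be found with a single grep later.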
@ -88,6 +100,10 @@ if [ $fail -eq 0 ]; then
|
||||||
pass "$check_4_7"
|
pass "$check_4_7"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 4.8
|
||||||
|
check_4_8="4.8 - Remove setuid and setgid permissions in the images"
|
||||||
|
info "$check_4_8"
|
||||||
|
|
||||||
# 4.9
|
# 4.9
|
||||||
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
|
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
|
||||||
fail=0
|
fail=0
|
||||||
|
@ -107,3 +123,11 @@ done
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
pass "$check_4_9"
|
pass "$check_4_9"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 4.10
|
||||||
|
check_4_10="4.10 - Do not store secrets in Dockerfiles"
|
||||||
|
info "$check_4_10"
|
||||||
|
|
||||||
|
# 4.11
|
||||||
|
check_4_11="4.11 - Install verified packages only"
|
||||||
|
info "$check_4_11"
|
||||||
|
|
|
@ -207,6 +207,10 @@ else
|
||||||
pass "$check_5_7"
|
pass "$check_5_7"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 5.8
|
||||||
|
check_5_8="5.8 - Open only needed ports on container"
|
||||||
|
info "$check_5_8"
|
||||||
|
|
||||||
# 5.9
|
# 5.9
|
||||||
check_5_9="5.9 - Do not share the host's network namespace"
|
check_5_9="5.9 - Do not share the host's network namespace"
|
||||||
|
|
||||||
|
@ -519,6 +523,13 @@ else
|
||||||
pass "$check_5_21"
|
pass "$check_5_21"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 5.22
|
||||||
|
check_5_22="5.22 - Do not docker exec commands with privileged option"
|
||||||
|
info "$check_5_22"
|
||||||
|
|
||||||
|
# 5.23
|
||||||
|
check_5_23="5.23 - Do not docker exec commands with user option"
|
||||||
|
info "$check_5_23"
|
||||||
|
|
||||||
# 5.24
|
# 5.24
|
||||||
check_5_24="5.24 - Confirm cgroup usage"
|
check_5_24="5.24 - Confirm cgroup usage"
|
||||||
|
@ -586,6 +597,10 @@ else
|
||||||
pass "$check_5_26"
|
pass "$check_5_26"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# 5.27
|
||||||
|
check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
|
||||||
|
info "$check_5_27"
|
||||||
|
|
||||||
# 5.28
|
# 5.28
|
||||||
check_5_28="5.28 - Use PIDs cgroup limit"
|
check_5_28="5.28 - Use PIDs cgroup limit"
|
||||||
|
|
||||||
|
@ -597,10 +612,10 @@ else
|
||||||
# If it's the first container, fail the test
|
# If it's the first container, fail the test
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
warn "$check_5_28"
|
warn "$check_5_28"
|
||||||
warn " * PID limit not set: $c"
|
warn " * PIDs limit not set: $c"
|
||||||
fail=1
|
fail=1
|
||||||
else
|
else
|
||||||
warn " * PID limit not set: $c"
|
warn " * PIDs limit not set: $c"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
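Review bot: The corrected `warn " * PIDs limit not set: $c"` line now appears twice in this hunk, once in each branch of `if [ $fail -eq 0 ]`, and the branches differ only in the heading and `fail=1`. Print the per-container line once after the `fi` and drop the `else` branch so the two copies cannot drift apart again: `if [ $fail -eq 0 ]; then warn "$check_5_28"; fail=1; fi` followed by `warn " * PIDs limit not set: $c"`. The enclosing loop and the `if` whose `else` is named in the hunk header both begin outside the hunk.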
@ -621,11 +636,11 @@ else
|
||||||
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
|
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
|
||||||
if [ -n "$docker0Containers" ]; then
|
if [ -n "$docker0Containers" ]; then
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
warn "$check_5_29"
|
info "$check_5_29"
|
||||||
fail=1
|
fail=1
|
||||||
fi
|
fi
|
||||||
for c in $docker0Containers; do
|
for c in $docker0Containers; do
|
||||||
warn " * Container in docker0 network: $c"
|
info " * Container in docker0 network: $c"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
|
@ -3,6 +3,18 @@
|
||||||
logit "\n"
|
logit "\n"
|
||||||
info "6 - Docker Security Operations"
|
info "6 - Docker Security Operations"
|
||||||
|
|
||||||
|
# 6.1
|
||||||
|
check_6_1="6.1 - Perform regular security audits of your host system and containers"
|
||||||
|
info "$check_6_1"
|
||||||
|
|
||||||
|
# 6.2
|
||||||
|
check_6_2="6.2 - Monitor Docker containers usage, performance and metering"
|
||||||
|
info "$check_6_2"
|
||||||
|
|
||||||
|
# 6.3
|
||||||
|
check_6_3="6.3 - Backup container data"
|
||||||
|
info "$check_6_3"
|
||||||
|
|
||||||
# 6.4
|
# 6.4
|
||||||
check_6_4="6.4 - Avoid image sprawl"
|
check_6_4="6.4 - Avoid image sprawl"
|
||||||
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
|
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
|
||||||
|
@ -14,16 +26,11 @@ for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
if [ "$images" -gt 100 ]; then
|
|
||||||
warn "$check_6_4"
|
|
||||||
warn " * There are currently: $images images"
|
|
||||||
else
|
|
||||||
info "$check_6_4"
|
info "$check_6_4"
|
||||||
info " * There are currently: $images images"
|
info " * There are currently: $images images"
|
||||||
fi
|
|
||||||
|
|
||||||
if [ "$active_images" -lt "$((images / 2))" ]; then
|
if [ "$active_images" -lt "$((images / 2))" ]; then
|
||||||
warn " * Only $active_images out of $images are in use"
|
info " * Only $active_images out of $images are in use"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# 6.5
|
# 6.5
|
||||||
|
@ -32,8 +39,8 @@ total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}
|
||||||
running_containers=$(docker ps -q | wc -l | awk '{print $1}')
|
running_containers=$(docker ps -q | wc -l | awk '{print $1}')
|
||||||
diff="$((total_containers - running_containers))"
|
diff="$((total_containers - running_containers))"
|
||||||
if [ "$diff" -gt 25 ]; then
|
if [ "$diff" -gt 25 ]; then
|
||||||
warn "$check_6_5"
|
info "$check_6_5"
|
||||||
warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
|
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
|
||||||
else
|
else
|
||||||
info "$check_6_5"
|
info "$check_6_5"
|
||||||
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
|
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
|
||||||
|
|
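Review bot: `info "$check_6_5"` is now emitted identically in both branches (the line replacing the warn and the unchanged one under `else`), so the heading no longer depends on the threshold and only the detail line differs. Hoist it above `if [ "$diff" -gt 25 ]; then` and keep just the two detail messages inside the branches; while there, `diff` shadows the diff(1) utility name within the script and a name such as `not_running_containers` would describe the subtraction better. The hunk ends before the closing `fi`, which lies outside it.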