update info messages, not scored

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2017-01-23 17:06:10 +01:00
parent ceb516fc29
commit 77617321df
5 changed files with 73 additions and 23 deletions


@ -22,16 +22,20 @@ else
pass "$check_1_2" pass "$check_1_2"
fi fi
# 1.3
check_1_3="1.3 - Harden the container host"
info "$check_1_3"
# 1.4 # 1.4
check_1_4="1.4 - Remove all non-essential services from the host - Network" check_1_4="1.4 - Remove all non-essential services from the host - Network"
# Check for listening network services. # Check for listening network services.
listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN) listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
if [ "$listening_services" -eq 0 ]; then if [ "$listening_services" -eq 0 ]; then
warn "1.4 - Failed to get listening services for check: $check_1_4" info "1.4 - Failed to get listening services for check: $check_1_4"
else else
if [ "$listening_services" -gt 5 ]; then if [ "$listening_services" -gt 5 ]; then
warn "$check_1_4" info "$check_1_4"
warn " * Host listening on: $listening_services ports" info " * Host listening on: $listening_services ports"
else else
pass "$check_1_4" pass "$check_1_4"
fi fi
@ -45,8 +49,8 @@ docker_current_version="1.13.0"
docker_current_date="2017-01-18" docker_current_date="2017-01-18"
do_version_check "$docker_current_version" "$docker_version" do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
warn "$check_1_5" info "$check_1_5"
warn " * Using $docker_version, when $docker_current_version is current as of $docker_current_date" info " * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
info " * Your operating system vendor may provide support and security maintenance for docker" info " * Your operating system vendor may provide support and security maintenance for docker"
else else
pass "$check_1_5" pass "$check_1_5"
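Review bot: The `if [ "$listening_services" -eq 0 ]` branch in the 1.4 hunk cannot distinguish a missing or failing `netstat` from a host with no listeners: the pipeline captures neither netstat's exit status nor its stderr, and `grep -c LISTEN` prints 0 on empty input, so a data-collection failure is now reported through the same `info` call as a benign result. Checking the tool first, `command -v netstat >/dev/null 2>&1 || info " * netstat not available, check skipped: $check_1_4"`, and only then running the pipeline would make the cause visible in the report. The `grep -v tcp6` filter also drops IPv6 listeners from the count; if that is deliberate (avoiding dual-stack double counting) a comment such as `# IPv6 (tcp6) listeners are intentionally excluded from the count` would stop the next reader from treating it as a bug. In the 1.5 hunk, `do_version_check` and the `fi` closing the 1.5 block are outside this section.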


@ -40,6 +40,18 @@ set +f; unset IFS
images=$(docker images -q) images=$(docker images -q)
# 4.2
check_4_2="4.2 - Use trusted base images for containers"
info "$check_4_2"
# 4.3
check_4_3="4.3 - Do not install unnecessary packages in the container"
info "$check_4_3"
# 4.4
check_4_4="4.4 - Scan and rebuild the images to include security patches"
info "$check_4_4"
# 4.5 # 4.5
check_4_5="4.5 - Enable Content trust for Docker" check_4_5="4.5 - Enable Content trust for Docker"
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
@ -88,6 +100,10 @@ if [ $fail -eq 0 ]; then
pass "$check_4_7" pass "$check_4_7"
fi fi
# 4.8
check_4_8="4.8 - Remove setuid and setgid permissions in the images"
info "$check_4_8"
# 4.9 # 4.9
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile" check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
fail=0 fail=0
@ -107,3 +123,11 @@ done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_9" pass "$check_4_9"
fi fi
# 4.10
check_4_10="4.10 - Do not store secrets in Dockerfiles"
info "$check_4_10"
# 4.11
check_4_11="4.11 - Install verified packages only"
info "$check_4_11"
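Review bot: The new `info "$check_4_2"` through `info "$check_4_11"` lines print only the check title, so in the report an unscored item that still needs manual review is indistinguishable from the informational output other checks emit for a passing or partial result. A second line after each, e.g. `info " * Not scored, manual review required"`, or a fixed suffix on the title, would make the distinction visible without changing the scoring. The commit title suggests `info` is meant to mark unscored items, but nothing in the emitted text says so. The same applies to the 1.3 line in the first file section and the 5.8, 5.22, 5.23, 5.27, 6.1, 6.2 and 6.3 lines in the later ones.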


@ -207,6 +207,10 @@ else
pass "$check_5_7" pass "$check_5_7"
fi fi
# 5.8
check_5_8="5.8 - Open only needed ports on container"
info "$check_5_8"
# 5.9 # 5.9
check_5_9="5.9 - Do not share the host's network namespace" check_5_9="5.9 - Do not share the host's network namespace"
@ -519,6 +523,13 @@ else
pass "$check_5_21" pass "$check_5_21"
fi fi
# 5.22
check_5_22="5.22 - Do not docker exec commands with privileged option"
info "$check_5_22"
# 5.23
check_5_23="5.23 - Do not docker exec commands with user option"
info "$check_5_23"
# 5.24 # 5.24
check_5_24="5.24 - Confirm cgroup usage" check_5_24="5.24 - Confirm cgroup usage"
@ -586,6 +597,10 @@ else
pass "$check_5_26" pass "$check_5_26"
fi fi
# 5.27
check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
info "$check_5_27"
# 5.28 # 5.28
check_5_28="5.28 - Use PIDs cgroup limit" check_5_28="5.28 - Use PIDs cgroup limit"
@ -597,10 +612,10 @@ else
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_28" warn "$check_5_28"
warn " * PID limit not set: $c" warn " * PIDs limit not set: $c"
fail=1 fail=1
else else
warn " * PID limit not set: $c" warn " * PIDs limit not set: $c"
fi fi
fi fi
done done
@ -621,11 +636,11 @@ else
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null) docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
if [ -n "$docker0Containers" ]; then if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_29" info "$check_5_29"
fail=1 fail=1
fi fi
for c in $docker0Containers; do for c in $docker0Containers; do
warn " * Container in docker0 network: $c" info " * Container in docker0 network: $c"
done done
fi fi
fi fi
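Review bot: In the 5.28 hunk the `warn " * PIDs limit not set: $c"` line is repeated verbatim in both branches of `if [ $fail -eq 0 ]`; only the header `warn "$check_5_28"` and `fail=1` depend on the branch. Collapsing it to `if [ $fail -eq 0 ]; then warn "$check_5_28"; fail=1; fi` followed by a single `warn " * PIDs limit not set: $c"` reads more clearly and keeps the two messages from drifting apart again, as `PID`/`PIDs` just did. The enclosing loop and the outer `if` start outside the hunk. In the 5.29 hunk, `for c in $docker0Containers` deliberately word-splits the `docker network inspect` template output, which appears to be a space-separated list of container IDs; a comment `# template output is a space-separated list of IDs, word-splitting is intended` would make that clear to anyone running ShellCheck.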


@ -3,6 +3,18 @@
logit "\n" logit "\n"
info "6 - Docker Security Operations" info "6 - Docker Security Operations"
# 6.1
check_6_1="6.1 - Perform regular security audits of your host system and containers"
info "$check_6_1"
# 6.2
check_6_2="6.2 - Monitor Docker containers usage, performance and metering"
info "$check_6_2"
# 6.3
check_6_3="6.3 - Backup container data"
info "$check_6_3"
# 6.4 # 6.4
check_6_4="6.4 - Avoid image sprawl" check_6_4="6.4 - Avoid image sprawl"
images=$(docker images -q | sort -u | wc -l | awk '{print $1}') images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
@ -14,16 +26,11 @@ for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
fi fi
done done
if [ "$images" -gt 100 ]; then
warn "$check_6_4"
warn " * There are currently: $images images"
else
info "$check_6_4" info "$check_6_4"
info " * There are currently: $images images" info " * There are currently: $images images"
fi
if [ "$active_images" -lt "$((images / 2))" ]; then if [ "$active_images" -lt "$((images / 2))" ]; then
warn " * Only $active_images out of $images are in use" info " * Only $active_images out of $images are in use"
fi fi
# 6.5 # 6.5
@ -32,8 +39,8 @@ total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}
running_containers=$(docker ps -q | wc -l | awk '{print $1}') running_containers=$(docker ps -q | wc -l | awk '{print $1}')
diff="$((total_containers - running_containers))" diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then if [ "$diff" -gt 25 ]; then
warn "$check_6_5" info "$check_6_5"
warn " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
else else
info "$check_6_5" info "$check_6_5"
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
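Review bot: In the 6.5 hunk both branches of `if [ "$diff" -gt 25 ]` now call `info` with messages that differ only by the word "only", so the threshold no longer changes anything a reader of the report can act on; either the condition should go, or the branch taken when more than 25 containers are stopped should say so, e.g. `info " * $diff stopped containers exceed the threshold of 25"`. The `fi` closing this `if` is outside the hunk. In the 6.4 hunk the removed `-gt 100` branch means image count is now reported the same way regardless of size, which matches the "not scored" intent; a comment `# 6.4 is not scored: image counts are reported, never flagged` above the remaining `info` lines would record that decision.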