mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-18 16:22:33 +01:00
remove code, if CMD instead of exit code
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren
parent
2de8e71d01
commit
7d992029e6
4 changed files with 25 additions and 56 deletions
|
|
@ -25,8 +25,7 @@ for p in $req_progs; do
|
|||
done
|
||||
|
||||
# Ensure we can connect to docker daemon
|
||||
docker ps -q >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]; then
|
||||
if ! docker ps -q >/dev/null 2>&1; then
|
||||
printf "Error connecting to docker daemon (does docker ps work?)\n"
|
||||
exit 1
|
||||
fi
|
||||
|
|
@ -81,8 +80,10 @@ main () {
|
|||
# If there is a container with label docker_bench_security, memorize it:
|
||||
benchcont="nil"
|
||||
for c in $containers; do
|
||||
labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
|
||||
contains "$labels" "docker_bench_security" && benchcont="$c"
|
||||
if docker inspect --format '{{ .Config.Labels }}' "$c" | \
|
||||
grep -e 'docker.bench.security' >/dev/null 2>&1; then
|
||||
benchcont="$c"
|
||||
fi
|
||||
done
|
||||
# List all running containers except docker-bench (use names to improve readability in logs)
|
||||
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
|
||||
|
|
|
|||
|
|
@ -25,18 +25,6 @@ do_version_check() {
|
|||
fi
|
||||
}
|
||||
|
||||
# Compares two strings and returns 0 if the second is a substring of the first
|
||||
contains() {
|
||||
string="$1"
|
||||
substring="$2"
|
||||
if [ "${string#*$substring}" != "$string" ]
|
||||
then
|
||||
return 0 # $substring is in $string
|
||||
else
|
||||
return 1 # $substring is not in $string
|
||||
fi
|
||||
}
|
||||
|
||||
# Extracts commandline args from the newest running processes named like the first parameter
|
||||
get_command_line_args() {
|
||||
PROC="$1"
|
||||
|
|
|
|||
|
|
@ -5,8 +5,7 @@ info "2 - Docker Daemon Configuration"
|
|||
|
||||
# 2.1
|
||||
check_2_1="2.1 - Restrict network traffic between containers"
|
||||
get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1; then
|
||||
pass "$check_2_1"
|
||||
else
|
||||
warn "$check_2_1"
|
||||
|
|
@ -14,10 +13,8 @@ fi
|
|||
|
||||
# 2.2
|
||||
check_2_2="2.2 - Set the logging level"
|
||||
get_docker_effective_command_line_args '-l' >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '-l' >/dev/null 2>&1; then
|
||||
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
|
||||
pass "$check_2_2"
|
||||
else
|
||||
warn "$check_2_2"
|
||||
|
|
@ -28,8 +25,7 @@ fi
|
|||
|
||||
# 2.3
|
||||
check_2_3="2.3 - Allow Docker to make changes to iptables"
|
||||
get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
|
||||
warn "$check_2_3"
|
||||
else
|
||||
pass "$check_2_3"
|
||||
|
|
@ -37,8 +33,7 @@ fi
|
|||
|
||||
# 2.4
|
||||
check_2_4="2.4 - Do not use insecure registries"
|
||||
get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
|
||||
warn "$check_2_4"
|
||||
else
|
||||
pass "$check_2_4"
|
||||
|
|
@ -46,8 +41,7 @@ fi
|
|||
|
||||
# 2.5
|
||||
check_2_5="2.5 - Do not use the aufs storage driver"
|
||||
docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
|
||||
warn "$check_2_5"
|
||||
else
|
||||
pass "$check_2_5"
|
||||
|
|
@ -55,12 +49,9 @@ fi
|
|||
|
||||
# 2.6
|
||||
check_2_6="2.6 - Configure TLS authentication for Docker daemon"
|
||||
get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
|
||||
if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
|
||||
if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
|
||||
pass "$check_2_6"
|
||||
else
|
||||
warn "$check_2_6"
|
||||
|
|
@ -78,8 +69,7 @@ fi
|
|||
|
||||
# 2.7
|
||||
check_2_7="2.7 - Set default ulimit as appropriate"
|
||||
get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
|
||||
pass "$check_2_7"
|
||||
else
|
||||
info "$check_2_7"
|
||||
|
|
@ -88,8 +78,7 @@ fi
|
|||
|
||||
# 2.8
|
||||
check_2_8="2.8 - Enable user namespace support"
|
||||
get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
|
||||
pass "$check_2_8"
|
||||
else
|
||||
warn "$check_2_8"
|
||||
|
|
@ -97,8 +86,7 @@ fi
|
|||
|
||||
# 2.9
|
||||
check_2_9="2.9 - Confirm default cgroup usage"
|
||||
get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
|
||||
warn "$check_2_9"
|
||||
info " * Confirm cgroup usage"
|
||||
else
|
||||
|
|
@ -107,8 +95,7 @@ fi
|
|||
|
||||
# 2.10
|
||||
check_2_10="2.10 - Do not change base device size until needed"
|
||||
get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
|
||||
warn "$check_2_10"
|
||||
else
|
||||
pass "$check_2_10"
|
||||
|
|
@ -116,8 +103,7 @@ fi
|
|||
|
||||
# 2.11
|
||||
check_2_11="2.11 - Use authorization plugin"
|
||||
get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
|
||||
pass "$check_2_11"
|
||||
else
|
||||
warn "$check_2_11"
|
||||
|
|
@ -125,8 +111,7 @@ fi
|
|||
|
||||
# 2.12
|
||||
check_2_12="2.12 - Configure centralized and remote logging"
|
||||
get_docker_effective_command_line_args '--log-driver' | grep "log-driver" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--log-driver' | grep "log-driver" >/dev/null 2>&1; then
|
||||
pass "$check_2_12"
|
||||
else
|
||||
warn "$check_2_12"
|
||||
|
|
@ -134,8 +119,7 @@ fi
|
|||
|
||||
# 2.13
|
||||
check_2_13="2.13 - Disable operations on legacy registry (v1)"
|
||||
get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
|
||||
pass "$check_2_13"
|
||||
else
|
||||
warn "$check_2_13"
|
||||
|
|
@ -155,8 +139,7 @@ fi
|
|||
|
||||
# 2.15
|
||||
check_2_15="2.15 - Do not enable swarm mode, if not needed"
|
||||
docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1
|
||||
if [ $? -eq 1 ]; then
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
pass "$check_2_15"
|
||||
else
|
||||
warn "$check_2_15"
|
||||
|
|
@ -186,8 +169,7 @@ fi
|
|||
|
||||
# 2.18
|
||||
check_2_18="2.18 - Disable Userland Proxy"
|
||||
get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
|
||||
pass "$check_2_18"
|
||||
else
|
||||
warn "$check_2_18"
|
||||
|
|
|
|||
|
|
@ -64,8 +64,7 @@ fi
|
|||
check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
|
||||
fail=0
|
||||
for img in $images; do
|
||||
docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
fail=1
|
||||
warn "$check_4_6"
|
||||
|
|
@ -84,8 +83,7 @@ fi
|
|||
check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
|
||||
fail=0
|
||||
for img in $images; do
|
||||
docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
fail=1
|
||||
info "$check_4_7"
|
||||
|
|
|
|||
Loading…
Reference in a new issue