From 9e942599033891f86b7e147dfe66be069fbe7f32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 15 Apr 2016 00:12:00 +0200 Subject: [PATCH] update chap 5 to cis 1.11 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/5_container_runtime.sh | 303 ++++++++++++++++++++++------------- 1 file changed, 192 insertions(+), 111 deletions(-) diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index d9a3305..9d46c6a 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -57,42 +57,7 @@ else fi # 5.3 - check_5_3="5.3 - Verify that containers are running only a single main process" - - fail=0 - printcheck=0 - for c in $containers; do - processes=$(docker exec "$c" ps -el 2>/dev/null | tail -n +2 | grep -c -v 'ps') - if [ "$processes" -gt 1 ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn "$check_5_3" - warn " * Too many processes running: $c" - fail=1 - printcheck=1 - else - warn " * Too many processes running: $c" - fi - fi - - exec_check=$(docker exec "$c" ps -el 2>/dev/null) - if [ $? -eq 255 ]; then - if [ $printcheck -eq 0 ]; then - warn "$check_5_3" - printcheck=1 - fi - warn " * Docker exec fails: $c" - fail=1 - fi - - done - # We went through all the containers and found none with toom any processes - if [ $fail -eq 0 ]; then - pass "$check_5_3" - fi - - # 5.4 - check_5_4="5.4 - Restrict Linux Kernel Capabilities within containers" + check_5_3="5.3 - Restrict Linux Kernel Capabilities within containers" fail=0 for c in $containers; do @@ -101,7 +66,7 @@ else if [ "$caps" != 'CapAdd=' -a "$caps" != 'CapAdd=[]' -a "$caps" != 'CapAdd=' -a "$caps" != 'CapAdd=' ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_4" + warn "$check_5_3" warn " * Capabilities added: $caps to $c" fail=1 else 
@@ -111,11 +76,11 @@ else done # We went through all the containers and found none with extra capabilities if [ $fail -eq 0 ]; then - pass "$check_5_4" + pass "$check_5_3" fi - # 5.5 - check_5_5="5.5 - Do not use privileged containers" + # 5.4 + check_5_4="5.4 - Do not use privileged containers" fail=0 for c in $containers; do @@ -124,7 +89,7 @@ else if [ "$privileged" = "true" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_5" + warn "$check_5_4" warn " * Container running in Privileged mode: $c" fail=1 else @@ -134,11 +99,11 @@ else done # We went through all the containers and found no privileged containers if [ $fail -eq 0 ]; then - pass "$check_5_5" + pass "$check_5_4" fi - # 5.6 - check_5_6="5.6 - Do not mount sensitive host system directories on containers" + # 5.5 + check_5_5="5.5 - Do not mount sensitive host system directories on containers" # List of sensitive directories to test for. Script uses new-lines as a separator. # Note the lack of identation. It needs it for the substring comparison. @@ -165,7 +130,7 @@ else if [ $sensitive -eq 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_6" + warn "$check_5_5" warn " * Sensitive directory $v mounted in: $c" fail=1 else @@ -176,11 +141,11 @@ else done # We went through all the containers and found none with sensitive mounts if [ $fail -eq 0 ]; then - pass "$check_5_6" + pass "$check_5_5" fi - # 5.7 - check_5_7="5.7 - Do not run ssh within containers" + # 5.6 + check_5_6="5.6 - Do not run ssh within containers" fail=0 printcheck=0 @@ -190,7 +155,7 @@ else if [ "$processes" -ge 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_7" + warn "$check_5_6" warn " * Container running sshd: $c" fail=1 printcheck=1 
@@ -202,7 +167,7 @@ else exec_check=$(docker exec "$c" ps -el 2>/dev/null) if [ $? -eq 255 ]; then if [ $printcheck -eq 0 ]; then - warn "$check_5_7" + warn "$check_5_6" printcheck=1 fi warn " * Docker exec fails: $c" @@ -212,11 +177,11 @@ else done # We went through all the containers and found none with sshd if [ $fail -eq 0 ]; then - pass "$check_5_7" + pass "$check_5_6" fi - # 5.8 - check_5_8="5.8 - Do not map privileged ports within containers" + # 5.7 + check_5_7="5.7 - Do not map privileged ports within containers" fail=0 for c in $containers; do @@ -228,7 +193,7 @@ else if [ ! -z "$port" ] && [ "0$port" -lt 1024 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_8" + warn "$check_5_7" warn " * Privileged Port in use: $port in $c" fail=1 else @@ -239,11 +204,11 @@ else done # We went through all the containers and found no privileged ports if [ $fail -eq 0 ]; then - pass "$check_5_8" + pass "$check_5_7" fi - # 5.10 - check_5_10="5.10 - Do not use host network mode on container" + # 5.9 + check_5_9="5.9 - Do not share the host's network namespace" fail=0 for c in $containers; do @@ -252,7 +217,7 @@ else if [ "$mode" = "NetworkMode=host" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_10" + warn "$check_5_9" warn " * Container running with networking mode 'host': $c" fail=1 else @@ -262,11 +227,11 @@ else done # We went through all the containers and found no Network Mode host if [ $fail -eq 0 ]; then - pass "$check_5_10" + pass "$check_5_9" fi - # 5.11 - check_5_11="5.11 - Limit memory usage for container" + # 5.10 + check_5_10="5.10 - Limit memory usage for container" fail=0 for c in $containers; do @@ -281,7 +246,7 @@ else if [ "$memory" = "0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_11" + warn "$check_5_10" warn " * Container running without memory restrictions: $c" fail=1 else 
@@ -291,11 +256,11 @@ else done # We went through all the containers and found no lack of Memory restrictions if [ $fail -eq 0 ]; then - pass "$check_5_11" + pass "$check_5_10" fi - # 5.12 - check_5_12="5.12 - Set container CPU priority appropriately" + # 5.11 + check_5_11="5.11 - Set container CPU priority appropriately" fail=0 for c in $containers; do @@ -310,7 +275,7 @@ else if [ "$shares" = "0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_12" + warn "$check_5_11" warn " * Container running without CPU restrictions: $c" fail=1 else @@ -320,11 +285,11 @@ else done # We went through all the containers and found no lack of CPUShare restrictions if [ $fail -eq 0 ]; then - pass "$check_5_12" + pass "$check_5_11" fi - # 5.13 - check_5_13="5.13 - Mount container's root filesystem as read only" + # 5.12 + check_5_12="5.12 - Mount container's root filesystem as read only" fail=0 for c in $containers; do @@ -333,7 +298,7 @@ else if [ "$read_status" = "false" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_13" + warn "$check_5_12" warn " * Container running with root FS mounted R/W: $c" fail=1 else @@ -343,11 +308,11 @@ else done # We went through all the containers and found no R/W FS mounts if [ $fail -eq 0 ]; then - pass "$check_5_13" + pass "$check_5_12" fi - # 5.14 - check_5_14="5.14 - Bind incoming container traffic to a specific host interface" + # 5.13 + check_5_13="5.13 - Bind incoming container traffic to a specific host interface" fail=0 for c in $containers; do @@ -355,7 +320,7 @@ else if [ "$ip" = "0.0.0.0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_14" + warn "$check_5_13" warn " * Port being bound to wildcard IP: $ip in $c" fail=1 else 
@@ -365,35 +330,35 @@ else done done # We went through all the containers and found no ports bound to 0.0.0.0 + if [ $fail -eq 0 ]; then + pass "$check_5_13" + fi + + # 5.14 + check_5_14="5.14 - Set the 'on-failure' container restart policy to 5" + + fail=0 + for c in $containers; do + policy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c") + + if [ "$policy" != "MaximumRetryCount=5" ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_14" + warn " * MaximumRetryCount is not set to 5: $c" + fail=1 + else + warn " * MaximumRetryCount is not set to 5: $c" + fi + fi + done + # We went through all the containers and they all had MaximumRetryCount=5 if [ $fail -eq 0 ]; then pass "$check_5_14" fi # 5.15 - check_5_15="5.15 - Do not set the 'on-failure' container restart policy to always" - - fail=0 - for c in $containers; do - policy=$(docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }}' "$c") - - if [ "$policy" = "RestartPolicyName=always" ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn "$check_5_15" - warn " * Restart Policy set to always: $c" - fail=1 - else - warn " * Restart Policy set to always: $c" - fi - fi - done - # We went through all the containers and found none with restart policy always - if [ $fail -eq 0 ]; then - pass "$check_5_15" - fi - - # 5.16 - check_5_16="5.16 - Do not share the host's process namespace" + check_5_15="5.15 - Do not share the host's process namespace" fail=0 for c in $containers; do @@ -402,7 +367,7 @@ else if [ "$mode" = "PidMode=host" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_16" + warn "$check_5_15" warn " * Host PID namespace being shared with: $c" fail=1 else 
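Review bot: The new 5.14 check compares only `MaximumRetryCount` and never reads `.HostConfig.RestartPolicy.Name`, so any container whose policy is not on-failure (for example `always`) gets the same `MaximumRetryCount is not set to 5` warning as a container with no restart policy at all, while a container whose count happens to be 5 passes without the `on-failure` name being confirmed. Querying the name the removed 5.15 check already used makes both cases explicit: `policy=$(docker inspect --format 'RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")` compared against `"RestartPolicyName=on-failure MaximumRetryCount=5"`, with the warning reworded to `" * Restart policy is not on-failure with MaximumRetryCount=5: $c"`. The format argument is also only half-quoted (`MaximumRetryCount='{{ ... }}'`), whereas every sibling check quotes the whole format string. The enclosing `else` block that holds these checks starts and ends outside the hunk.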
@@ -412,11 +377,11 @@ else done # We went through all the containers and found none with PidMode as host if [ $fail -eq 0 ]; then - pass "$check_5_16" + pass "$check_5_15" fi - # 5.17 - check_5_17="5.17 - Do not share the host's IPC namespace" + # 5.16 + check_5_16="5.16 - Do not share the host's IPC namespace" fail=0 for c in $containers; do @@ -425,7 +390,7 @@ else if [ "$mode" = "IpcMode=host" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_17" + warn "$check_5_16" warn " * Host IPC namespace being shared with: $c" fail=1 else @@ -435,11 +400,11 @@ else done # We went through all the containers and found none with IPCMode as host if [ $fail -eq 0 ]; then - pass "$check_5_17" + pass "$check_5_16" fi - # 5.18 - check_5_18="5.18 - Do not directly expose host devices to containers" + # 5.17 + check_5_17="5.17 - Do not directly expose host devices to containers" fail=0 for c in $containers; do @@ -448,7 +413,7 @@ else if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - info "$check_5_18" + info "$check_5_17" info " * Container has devices exposed directly: $c" fail=1 else @@ -458,11 +423,11 @@ else done # We went through all the containers and found none with devices if [ $fail -eq 0 ]; then - pass "$check_5_18" + pass "$check_5_17" fi - # 5.19 - check_5_19="5.19 - Override default ulimit at runtime only if needed" + # 5.18 + check_5_18="5.18 - Override default ulimit at runtime only if needed" # List all the running containers, ouput their ID and host devices fail=0 @@ -472,7 +437,7 @@ else if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - info "$check_5_19" + info "$check_5_18" info " * Container no default ulimit override: $c" fail=1 else 
@@ -482,6 +447,122 @@ else done # We went through all the containers and found none without Ulimits if [ $fail -eq 0 ]; then + pass "$check_5_18" + fi + + # 5.19 + check_5_19="5.19 - Do not set mount propagation mode to shared" + + fail=0 + for c in $containers; do + mode=$(docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c") + + if [ "$mode" = "Propagation=shared" ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_19" + warn " * Mount propagation mode is shared: $c" + fail=1 + else + warn " * Mount propagation mode is shared: $c" + fi + fi + done + # We went through all the containers and found none with shared propagation mode + if [ $fail -eq 0 ]; then pass "$check_5_19" fi + + # 5.20 + check_5_20="5.20 - Do not share the host's UTS namespace" + + fail=0 + for c in $containers; do + mode=$(docker inspect --format 'UTSMode={{.HostConfig.UTSMode }}' "$c") + + if [ "$mode" = "UTSMode=host" ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_20" + warn " * Host UTS namespace being shared with: $c" + fail=1 + else + warn " * Host UTS namespace being shared with: $c" + fi + fi + done + # We went through all the containers and found none with UTSMode as host + if [ $fail -eq 0 ]; then + pass "$check_5_20" + fi + + # 5.21 + check_5_21="5.21 - Do not disable default seccomp profile" + + fail=0 + for c in $containers; do + docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2 + + if [ $? 
-eq 0 ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_21" + warn " * Default seccomp profile disabled: $c" + fail=1 + else + warn " * Default seccomp profile disabled: $c" + fi + fi + done + # We went through all the containers and found none with UTSMode as host + if [ $fail -eq 0 ]; then + pass "$check_5_21" + fi + + + # 5.24 + check_5_24="5.24 - Confirm cgroup usage" + + fail=0 + for c in $containers; do + mode=$(docker inspect --format 'CgroupParent={{.HostConfig.CgroupParent }}x' "$c") + + if [ "$mode" != "CgroupParent=x" ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + info "$check_5_24" + info " * Confirm cgroup usage: $c" + fail=1 + else + info " * Confirm cgroup usage: $c" + fi + fi + done + # We went through all the containers and found none with UTSMode as host + if [ $fail -eq 0 ]; then + pass "$check_5_24" + fi + + # 5.25 + check_5_25="5.25 - Restrict container from acquiring additional privileges" + + fail=0 + for c in $containers; do + docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2 + + if [ $? -ne 0 ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_5_25" + warn " * Privileges not restricted: $c" + fail=1 + else + warn " * Privileges not restricted: $c" + fi + fi + done + # We went through all the containers and found none with UTSMode as host + if [ $fail -eq 0 ]; then + pass "$check_5_25" + fi fi
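Review bot: The new 5.19 comparison `if [ "$mode" = "Propagation=shared" ]` can never be true, because the format string `Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}` emits each value JSON-quoted and surrounded by spaces (`Propagation= "shared" ` for a single shared mount), so a shared-propagation mount is silently passed. A substring test that keeps the existing template fixes it in one line: `if docker inspect --format '{{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c" | grep -q '"shared"'; then`. The closing comment `# We went through all the containers and found none with UTSMode as host` has been copied unchanged onto 5.21, 5.24 and 5.25 and should name each check's own condition, e.g. `# We went through all the containers and found none with seccomp disabled`. In 5.21 and 5.25 the `grep ... 2>/dev/null 1>&2` followed by `if [ $? -eq 0 ]` reads more simply as `if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep -q 'seccomp:unconfined'; then` (and `! grep -q` for 5.25). The enclosing `else` block that holds these checks starts before the hunk and is closed by its final `fi`.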