GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Remove temporary files

Browse source
This commit is contained in:
Razvan Stoica 2021-03-29 15:32:34 +03:00
parent d0443cc817
commit 81ac358e82
2 changed files with 0 additions and 801 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

194
functions/output_lib.sh.save
View file

@ -1,194 +0,0 @@
#!/bin/sh
bldred='\033[1;31m' # Bold Red
bldgrn='\033[1;32m' # Bold Green
bldblu='\033[1;34m' # Bold Blue
bldylw='\033[1;33m' # Bold Yellow
txtrst='\033[0m'
if [ -n "$nocolor"
] && [ "$nocolor" = "nocolor" ]; then
bldred=''
bldgrn=''
bldblu=''
bldylw=''
txtrst=''
fi
logit () {
printf "%b\n" "$1" | tee -a "$logger"
}
info () {
local infoCountCheck
while getopts c args
do
case $args in
c) infoCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$infoCountCheck" = "true" ]; then
printf "%b\n" "${bldblu}[INFO]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger"
}
pass () {
local passScored
while getopts sc args
do
case $args in
s) passScored="true" ;;
c) passCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$passScored" = "true" ] || [ "$passCountCheck" = "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
fi
if [ "$passScored" = "true" ]; then
currentScore=$((currentScore + 1))
fi
if [ "$passScored" != "true" ] && [ "$passCountCheck" != "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger"
fi
}
warn () {
local warnScored
while getopts s args
do
case $args in
s) warnScored="true" ;;
*) exit 1 ;;
esac
done
if [ "$warnScored" = "true" ]; then
printf "%b\n" "${bldred}[WARN]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
currentScore=$((currentScore - 1))
return
fi
printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
}
note () {
local noteCountCheck
while getopts c args
do
case $args in
c) noteCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$noteCountCheck" = "true" ]; then
printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
}
yell () {
printf "%b\n" "${bldylw}$1${txtrst}\n"
}
appendjson () {
if [ -s "$logger.json" ]; then
tail -n 1 "$logger.json" | wc -c | xargs -I {} truncate "$logger.json" -s -{}
printf "},\n" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
printf "[" | tee -a "$logger.json" 2>/dev/null 1>&2
}
beginjson () {
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
endjson (){
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s\n}]" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
SSEP=
SEP=
startsectionjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=
SSEP=","
}
endsectionjson() {
printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2
}
starttestjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=","
}
logcheckresult() {
# Log to JSON
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\", \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -ne 2 ] && [ $# -ne 1 ]; then
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
if [ $limit != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
else
truncItems=$3
fi
itemsJson=$(printf "["; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]")
printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
# Log remediation measure to JSON
if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then
printf ", \"remediation\": \"%s\"" "$remediation" | tee -a "$logger.json" 2>/dev/null 1>&2
if [ -n "$remediationImpact" ]; then
printf ", \"remediation-impact\": \"%s\"" "$remediationImpact" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
fi
printf "}" | tee -a "$logger.json" 2>/dev/null 1>&2
# Save remediation measure for print log to stdout
if [ -n "$remediation" ] && [ "$1" != "PASS" ]; then
if [ -n "${checkHeader}" ]; then
if [ -n "${addSpaceHeader}" ]; then
globalRemediation="${globalRemediation}\n"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${checkHeader}"
checkHeader=""
addSpaceHeader="1"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${id} - ${remediation}"
if [ -n "${remediationImpact}" ]; then
globalRemediation="${globalRemediation} Impact: ${remediationImpact}"
fi
fi
}

607
tests/3_docker_daemon_configuration_files.sh.save
View file

@ -1,607 +0,0 @@
#!/bin/sh
check_3() {
logit ""
local id="3"
local desc="Docker daemon configuration files"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_3_1() {
local id="3.1"
local desc="Ensure that the docker.service file ownership is set to root:root (Scored)"
local remediation="Find out the file location: systemctl show -p FragmentPath docker.service.
IFind out the file location:
systemctl show -p FragmentPath docker.service
"
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_2() {
local id="3.2"
local desc="Ensure that docker.service file permissions are appropriately set (Scored)"
local remediation=""
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_3() {
local id="3.3"
local desc="Ensure that docker.socket file ownership is set to root:root (Scored)"
local remediation=""
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_4() {
local id="3.4"
local desc="Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)"
local remediation=""
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_5() {
local id="3.5"
local desc="Ensure that the /etc/docker directory ownership is set to root:root (Scored)"
local remediation="You should run the following command: chown root:root /etc/docker. This sets the ownership and group ownership for the directory to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory"
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
fi
}
check_3_6() {
local id="3.6"
local desc="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)"
local remediation="You should run the following command: chmod 755 /etc/docker. This sets the permissions for the directory to 755."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -le 755 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory"
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
fi
}
check_3_7() {
local id="3.7"
local desc="Ensure that registry certificate file ownership is set to root:root (Scored)"
local remediation="You should run the following command: chown root:root /etc/docker/certs.d/<registry-name>/*. This would set the individual ownership and group ownership for the registry certificate files to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
owners=$(find "$directory" -type f -name '*.crt')
for p in $owners; do
if [ "$(stat -c %u $p)" -ne 0 ]; then
fail=1
fi
done
if [ $fail -eq 1 ]; then
warn -s "$check"
warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory"
else
pass -s "$check"
logcheckresult "PASS"
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
fi
}
check_3_8() {
local id="3.8"
local desc="Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)"
local remediation="You should run the following command: chmod 444 /etc/docker/certs.d/<registry-name>/*. This would set the permissions for the registry certificate files to 444."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
perms=$(find "$directory" -type f -name '*.crt')
for p in $perms; do
if [ "$(stat -c %a $p)" -gt 444 ]; then
fail=1
fi
done
if [ $fail -eq 1 ]; then
warn -s "$check"
warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory"
else
pass -s "$check"
logcheckresult "PASS"
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
fi
}
check_3_9() {
local id="3.9"
local desc="Ensure that TLS CA certificate file ownership is set to root:root (Scored)"
local remediation="You should run the following command: chown root:root <path to TLS CA certificate file>. This sets the individual ownership and group ownership for the TLS CA certificate file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $tlscacert"
logcheckresult "WARN" "Wrong ownership for $tlscacert"
fi
else
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
fi
}
check_3_10() {
local id="3.10"
local desc="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)"
local remediation="You should run the following command: chmod 444 <path to TLS CA certificate file>. This sets the file permissions on the TLS CA file to 444."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -le 444 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $tlscacert"
logcheckresult "WARN" "Wrong permissions for $tlscacert"
fi
else
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
fi
}
check_3_11() {
local id="3.11"
local desc="Ensure that Docker server certificate file ownership is set to root:root (Scored)"
local remediation="You should run the following command: chown root:root <path to Docker server certificate file>. This sets the individual ownership and the group ownership for the Docker server certificate file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $tlscert"
logcheckresult "WARN" "Wrong ownership for $tlscert"
fi
else
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
fi
}
check_3_12() {
local id="3.12"
local desc="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)"
local remediation="You should run the following command: chmod 444 <path to Docker server certificate file>. This sets the file permissions of the Docker server certificate file to 444."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -le 444 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $tlscert"
logcheckresult "WARN" "Wrong permissions for $tlscert"
fi
else
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
fi
}
check_3_13() {
local id="3.13"
local desc="Ensure that the Docker server certificate key file ownership is set to root:root (Scored)"
local remediation="You should run the following command: chown root:root <path to Docker server certificate key file>. This sets the individual ownership and group ownership for the Docker server certificate key file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $tlskey"
logcheckresult "WARN" "Wrong ownership for $tlskey"
fi
else
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
fi
}
check_3_14() {
local id="3.14"
local desc="Ensure that the Docker server certificate key file permissions are set to 400 (Scored)"
local remediation="You should run the following command: chmod 400 <path to Docker server certificate key file>. This sets the Docker server certificate key file permissions to 400."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $tlskey"
logcheckresult "WARN" "Wrong permissions for $tlskey"
fi
else
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
fi
}
check_3_15() {
local id="3.15"
local desc="Ensure that the Docker socket file ownership is set to root:docker (Scored)"
local remediation="You should run the following command: chown root:docker /var/run/docker.sock. This sets the ownership to root and group ownership to docker for the default Docker socket file."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_16() {
local id="3.16"
local desc="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)"
local remediation="You should run the following command: chmod 660 /var/run/docker.sock. This sets the file permissions of the Docker socket file to 660."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -le 660 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_17() {
local id="3.17"
local desc="Ensure that the daemon.json file ownership is set to root:root (Scored)"
local remediation="You should run the following command: chown root:root /etc/docker/daemon.json. This sets the ownership and group ownership for the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_18() {
local id="3.18"
local desc="Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)"
local remediation="You should run the following command: chmod 644 /etc/docker/daemon.json. This sets the file permissions for this file to 644."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_19() {
local id="3.19"
local desc="Ensure that the /etc/default/docker file ownership is set to root:root (Scored)"
local remediation="You should run the following command: chown root:root /etc/default/docker. This sets the ownership and group ownership of the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_20() {
local id="3.20"
local desc="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)"
local remediation="You should run the following command: chown root:root /etc/sysconfig/docker. This sets the ownership and group ownership for the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_21() {
local id="3.21"
local desc="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)"
local remediation="You should run the following command: chmod 644 /etc/sysconfig/docker. This sets the file permissions for this file to 644."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_22() {
local id="3.22"
local desc="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)"
local remediation="You should run the following command: chmod 644 /etc/default/docker. This sets the file permissions for this file to 644."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
fi
}
check_3_end() {
endsectionjson
}