From 91e625b8e49f4294cde8daaece9cc47caf0906e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 21 Mar 2017 14:49:42 +0100 Subject: [PATCH] Modify get_docker_configuration_file_args in order to handle daemon.json better, and also address missing files issue. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes #231 Closes #232 Signed-off-by: Thomas Sjögren --- helper_lib.sh | 2 ++ tests/2_docker_daemon_configuration.sh | 16 +++++++------ tests/3_docker_daemon_configuration_files.sh | 24 ++++++++++---------- 3 files changed, 23 insertions(+), 19 deletions(-) diff --git a/helper_lib.sh b/helper_lib.sh index d7a4618..6dea993 100644 --- a/helper_lib.sh +++ b/helper_lib.sh @@ -92,6 +92,8 @@ get_docker_configuration_file_args() { else CONFIG_FILE='/dev/null' fi + + grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \", } get_systemd_service_file(){ diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 23f23d0..bda5ebe 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh 
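Review bot: `grep "$OPTION" "$CONFIG_FILE"` treats the option name as an unanchored regular expression over every line, so a short name such as `tls` also matches the `tlsverify`, `tlscacert`, `tlscert` and `tlskey` lines, and any name can match inside another key's value. The 2.6 check in this patch works around that by passing `'"tls":'`; anchoring in the helper instead, e.g. `grep -F -- "\"$OPTION\":" "$CONFIG_FILE"` with callers passing the bare key, would make every lookup exact. The `sed 's/.*: //g'` step keeps only the text after the last `: ` on the line, and `tr -d \",` removes every quote and comma inside a value. A header comment stating that only simple one-line `"key": value` entries are supported would make that limit explicit to anyone relying on the audit result. The function body starts above the hunk.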
@@ -67,13 +67,15 @@ fi # 2.6 check_2_6="2.6 - Configure TLS authentication for Docker daemon" -if get_docker_configuration_file_args 'tls' | grep true >/dev/null 2>&1; then - if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then - if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then - pass "$check_2_6" - else - warn "$check_2_6" - warn " * Docker daemon currently listening on TCP with TLS, but no verification" +if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then + if get_docker_configuration_file_args '"tls":' | grep 'true' 2>/dev/null 1>&2; then + if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then + if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then + pass "$check_2_6" + else + warn "$check_2_6" + warn " * Docker daemon currently listening on TCP with TLS, but no verification" + fi fi else warn "$check_2_6" diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 60fd01a..bd823b6 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -142,8 +142,8 @@ fi # 3.9 check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root" -if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then - tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",) +if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then + tlscacert=$(get_docker_configuration_file_args 'tlscacert') else tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi 
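Review bot: When `"tls":` is true but the `tlskey` test fails, the new nesting reports nothing for 2.6: the added `fi` closes the `tlsverify` block, the following context `fi` closes the `tlskey` block, and the context `else` now belongs to the `"tls":` test. An `else` on the `tlskey` test, for example `else` / `warn "$check_2_6"` / `warn "     * TLS enabled but no tlskey configured"`, would stop the audit from silently skipping that case. Because the helper now strips quotes with `tr -d \",`, an entry like `"tlskey": ""` yields an empty line that `grep -v '""'` accepts; `grep -q .` on the helper output would test for a non-empty value. As far as this patch shows, `$CONFIG_FILE` in the first added line is only assigned inside get_docker_configuration_file_args, so this check presumably relies on an earlier call having set it. The rest of the if/else chain continues below the hunk.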
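Review bot: The condition `get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2` tests the helper's exit status, but the helper's last command (added in helper_lib.sh by this patch) is a pipeline ending in `tr`. Unless `pipefail` is enabled somewhere outside this diff, that status is 0 even when daemon.json has no such key. The `else` fallback to `get_docker_effective_command_line_args` would then never run and `tlscacert` would be empty, so a CA file configured only on the command line would presumably be reported as missing rather than checked. Reading the value once and testing it removes the dependence on exit status: `tlscacert=$(get_docker_configuration_file_args 'tlscacert')` followed by `if [ -z "$tlscacert" ]; then` around the existing fallback assignment. The same pattern appears in the hunks for 3.10 through 3.14 (`tlscacert`, `tlscert`, `tlskey`); the code that consumes the value is below each hunk.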
@@ -161,8 +161,8 @@ fi # 3.10 check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive" -if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then - tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",) +if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then + tlscacert=$(get_docker_configuration_file_args 'tlscacert') else tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi @@ -181,8 +181,8 @@ fi # 3.11 check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root" -if get_docker_configuration_file_args 'tlscert' | grep -v ""; then - tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",) +if get_docker_configuration_file_args 'tlscert' 2>/dev/null 1>&2; then + tlscert=$(get_docker_configuration_file_args 'tlscert') else tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi @@ -200,8 +200,8 @@ fi # 3.12 check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive" -if get_docker_configuration_file_args 'tlscert' | grep -v ""; then - tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",) +if get_docker_configuration_file_args 'tlscert' 2>/dev/null 1>&2; then + tlscert=$(get_docker_configuration_file_args 'tlscert') else tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi 
@@ -220,8 +220,8 @@ fi # 3.13 check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root" -if get_docker_configuration_file_args 'tlskey' | grep -v ""; then - tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",) +if get_docker_configuration_file_args 'tlskey' 2>/dev/null 1>&2; then + tlskey=$(get_docker_configuration_file_args 'tlskey') else tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi @@ -239,8 +239,8 @@ fi # 3.14 check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive" -if get_docker_configuration_file_args 'tlskey' | grep -v ""; then - tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",) +if get_docker_configuration_file_args 'tlskey' 2>/dev/null 1>&2; then + tlskey=$(get_docker_configuration_file_args 'tlskey') else tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi