Modify get_docker_configuration_file_args so that it handles daemon.json better,
and also address the missing-files issue. Closes #231 Closes #232 Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
parent
d5894203c6
commit
91e625b8e4
3 changed files with 23 additions and 19 deletions
@ -92,6 +92,8 @@ get_docker_configuration_file_args() {
|
||||||
else
|
else
|
||||||
CONFIG_FILE='/dev/null'
|
CONFIG_FILE='/dev/null'
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",
|
||||||
}
|
}
|
||||||
|
|
||||||
get_systemd_service_file(){
|
get_systemd_service_file(){
|
||||||
|
|
|
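Review bot: The value extraction on the added `grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",` line depends on a literal colon-space separator, so a daemon.json written without spaces (`"tlskey":"/path"`) passes through unstripped and the caller receives the whole line; a whitespace-tolerant form such as `sed 's/^[^:]*:[[:space:]]*//'` handles both layouts. `grep "$OPTION"` is also an unanchored substring match, so a key that is a prefix of another (`tls` vs `tlsverify`) yields several lines unless the caller quotes the key with its colon, which deserves a comment on the function such as `# pass the key quoted with its trailing colon, e.g. '"tls":', to avoid prefix matches`. Note too that the pipeline's exit status is that of `tr`, so it is 0 whether or not the key was found, and the function cannot be used bare in an `if` to test for a key's presence. The function begins before this hunk.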
@ -67,7 +67,8 @@ fi
|
||||||
|
|
||||||
# 2.6
|
# 2.6
|
||||||
check_2_6="2.6 - Configure TLS authentication for Docker daemon"
|
check_2_6="2.6 - Configure TLS authentication for Docker daemon"
|
||||||
if get_docker_configuration_file_args 'tls' | grep true >/dev/null 2>&1; then
|
if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
|
||||||
|
if get_docker_configuration_file_args '"tls":' | grep 'true' 2>/dev/null 1>&2; then
|
||||||
if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
|
if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
|
||||||
if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
|
if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
|
||||||
pass "$check_2_6"
|
pass "$check_2_6"
|
||||||
|
@ -75,6 +76,7 @@ if get_docker_configuration_file_args 'tls' | grep true >/dev/null 2>&1; then
|
||||||
warn "$check_2_6"
|
warn "$check_2_6"
|
||||||
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
|
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
|
||||||
fi
|
fi
|
||||||
|
fi
|
||||||
else
|
else
|
||||||
warn "$check_2_6"
|
warn "$check_2_6"
|
||||||
warn " * Docker daemon currently listening on TCP without TLS"
|
warn " * Docker daemon currently listening on TCP without TLS"
|
||||||
|
|
|
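Review bot: The unchanged `if get_docker_configuration_file_args 'tlskey' | grep -v '""'` test stops working once the helper strips quotes with `tr -d \",`: an empty `"tlskey": ""` now comes back as an empty line, which does not contain `""`, so `grep -v` succeeds and an empty key is treated as configured; use a non-empty test instead, `if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then`. The new `grep -i 'tcp://' "$CONFIG_FILE"` gate only inspects daemon.json, so a daemon exposed via `-H tcp://...` on the command line or in the systemd unit does not enter this branch; if the command-line helper used by the 3.x checks is available here, it should be consulted as well. The if-chain continues beyond the hunk, and after the added `fi` the empty-key branch appears to have no else of its own, so a tls=true daemon with an empty key may print neither pass nor warn for 2.6 — verify against the full file.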
@ -142,8 +142,8 @@ fi
|
||||||
|
|
||||||
# 3.9
|
# 3.9
|
||||||
check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root"
|
check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root"
|
||||||
if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then
|
if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then
|
||||||
tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",)
|
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
|
||||||
else
|
else
|
||||||
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
||||||
fi
|
fi
|
||||||
|
@ -161,8 +161,8 @@ fi
|
||||||
|
|
||||||
# 3.10
|
# 3.10
|
||||||
check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive"
|
check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive"
|
||||||
if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then
|
if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then
|
||||||
tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",)
|
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
|
||||||
else
|
else
|
||||||
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
||||||
fi
|
fi
|
||||||
|
@ -181,8 +181,8 @@ fi
|
||||||
|
|
||||||
# 3.11
|
# 3.11
|
||||||
check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root"
|
check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root"
|
||||||
if get_docker_configuration_file_args 'tlscert' | grep -v ""; then
|
if get_docker_configuration_file_args 'tlscert' 2>/dev/null 1>&2; then
|
||||||
tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",)
|
tlscert=$(get_docker_configuration_file_args 'tlscert')
|
||||||
else
|
else
|
||||||
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
||||||
fi
|
fi
|
||||||
|
@ -200,8 +200,8 @@ fi
|
||||||
|
|
||||||
# 3.12
|
# 3.12
|
||||||
check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive"
|
check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive"
|
||||||
if get_docker_configuration_file_args 'tlscert' | grep -v ""; then
|
if get_docker_configuration_file_args 'tlscert' 2>/dev/null 1>&2; then
|
||||||
tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",)
|
tlscert=$(get_docker_configuration_file_args 'tlscert')
|
||||||
else
|
else
|
||||||
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
||||||
fi
|
fi
|
||||||
|
@ -220,8 +220,8 @@ fi
|
||||||
|
|
||||||
# 3.13
|
# 3.13
|
||||||
check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root"
|
check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root"
|
||||||
if get_docker_configuration_file_args 'tlskey' | grep -v ""; then
|
if get_docker_configuration_file_args 'tlskey' 2>/dev/null 1>&2; then
|
||||||
tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",)
|
tlskey=$(get_docker_configuration_file_args 'tlskey')
|
||||||
else
|
else
|
||||||
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
||||||
fi
|
fi
|
||||||
|
@ -239,8 +239,8 @@ fi
|
||||||
|
|
||||||
# 3.14
|
# 3.14
|
||||||
check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive"
|
check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive"
|
||||||
if get_docker_configuration_file_args 'tlskey' | grep -v ""; then
|
if get_docker_configuration_file_args 'tlskey' 2>/dev/null 1>&2; then
|
||||||
tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",)
|
tlskey=$(get_docker_configuration_file_args 'tlskey')
|
||||||
else
|
else
|
||||||
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
|
||||||
fi
|
fi
|
||||||
|
|
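Review bot: The new `if get_docker_configuration_file_args 'tlscacert' 2>/dev/null 1>&2; then` condition (and its five siblings for tlscert and tlskey in this file) tests the exit status of the helper's `grep | sed | tr` pipeline, which in POSIX sh is the status of the last command, `tr`, so it succeeds whether or not the key is present and the `else` fallback to `get_docker_effective_command_line_args` is never reached. Test the extracted value instead: `if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then`, or assign first and fall back with `if [ -z "$tlscacert" ]; then tlscacert=$(get_docker_effective_command_line_args ...); fi`. Whether the helper has an earlier return that would alter the pipeline status cannot be seen from this page, and each check's use of the resulting path continues outside its hunk.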