diff --git a/.gitignore b/.gitignore index e5ebf25..621e40c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ *.log* +*.swp* diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index 3a2e843..55063f5 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -2,40 +2,40 @@ check_1() { logit "" - id_1="1" - desc_1="Host Configuration" - check_1="$id_1 - $desc_1" - info "$check_1" - startsectionjson "$id_1" "$desc_1" + local id="1" + local desc="Host Configuration" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } check_1_1() { logit "" - id_1_1="1.1" - desc_1_1="General Configuration" - check_1_1="$id_1_1 - $desc_1_1" - info "$check_1_1" + local id="1.1" + local desc="General Configuration" + local check="$id - $desc" + info "$check" } # 1.1.1 check_1_1_1() { - id_1_1_1="1.1.1" - desc_1_1_1="Ensure the container host has been Hardened (Not Scored)" - check_1_1_1="$id_1_1_1 - $desc_1_1_1" - starttestjson "$id_1_1_1" "$desc_1_1_1" + local id="1.1.1" + local desc="Ensure the container host has been Hardened (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_1_1_1" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } # 1.1.2 check_1_1_2() { - id_1_1_2="1.1.2" - desc_1_1_2="Ensure that the version of Docker is up to date (Not Scored)" - check_1_1_2="$id_1_1_2 - $desc_1_1_2" - starttestjson "$id_1_1_2" "$desc_1_1_2" + local id="1.1.2" + local desc="Ensure that the version of Docker is up to date (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ @@ -43,13 +43,13 @@ check_1_1_2() { docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" do_version_check "$docker_current_version" "$docker_version" if [ $? -eq 11 ]; then - info "$check_1_1_2" + info "$check" info " * Using $docker_version, verify is it up to date as deemed necessary" info " * Your operating system vendor may provide support and security maintenance for Docker" resulttestjson "INFO" "Using $docker_version" currentScore=$((currentScore + 0)) else - pass "$check_1_1_2" + pass "$check" info " * Using $docker_version which is current" info " * Check with your operating system vendor for support and security maintenance for Docker" resulttestjson "PASS" "Using $docker_version" @@ -59,18 +59,18 @@ check_1_1_2() { check_1_2() { logit "" - id_1_2="1.2" - desc_1_2="Linux Hosts Specific Configuration" - check_1_2="$id_1_2 - $desc_1_2" - info "$check_1_2" + local id="1.2" + local desc="Linux Hosts Specific Configuration" + local check="$id - $desc" + info "$check" } # 1.2.1 check_1_2_1() { - id_1_2_1="1.2.1" - desc_1_2_1="Ensure a separate partition for containers has been created (Scored)" - check_1_2_1="$id_1_2_1 - $desc_1_2_1" - starttestjson "$id_1_2_1" "$desc_1_2_1" + local id="1.2.1" + local desc="Ensure a separate partition for containers has been created (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) docker_root_dir=$(docker info -f '{{ .DockerRootDir }}') @@ -79,11 +79,11 @@ check_1_2_1() { fi if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then - pass "$check_1_2_1" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_1" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -91,10 +91,10 @@ check_1_2_1() { # 1.2.2 check_1_2_2() { - id_1_2_2="1.2.2" - desc_1_2_2="Ensure only trusted users are allowed to control Docker daemon (Scored)" - check_1_2_2="$id_1_2_2 - $desc_1_2_2" - starttestjson "$id_1_2_2" "$desc_1_2_2" + local id="1.2.2" + local desc="Ensure only trusted users are allowed to control Docker daemon (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if command -v getent >/dev/null 2>&1; then @@ -102,7 +102,7 @@ check_1_2_2() { else docker_users=$(grep 'docker' /etc/group) fi - info "$check_1_2_2" + info "$check" for u in $docker_users; do info " * $u" done @@ -112,29 +112,31 @@ check_1_2_2() { # 1.2.3 check_1_2_3() { - id_1_2_3="1.2.3" - desc_1_2_3="Ensure auditing is configured for the Docker daemon (Scored)" - check_1_2_3="$id_1_2_3 - $desc_1_2_3" - starttestjson "$id_1_2_3" "$desc_1_2_3" + local id="1.2.3" + local desc="Ensure auditing is configured for the Docker daemon (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/usr/bin/dockerd" if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then - pass "$check_1_2_3" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_3" + warn "$check" + warn " * Install auditd" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_3" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_3" + warn "$check" + warn " * Install auditd" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -142,35 +144,35 @@ check_1_2_3() { # 1.2.4 check_1_2_4() { - id_1_2_4="1.2.4" - desc_1_2_4="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)" - check_1_2_4="$id_1_2_4 - $desc_1_2_4" - starttestjson "$id_1_2_4" "$desc_1_2_4" + local id="1.2.4" + local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) directory="/var/lib/docker" if [ -d "$directory" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then - pass "$check_1_2_4" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_4" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_4" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_4" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_4" + info "$check" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) @@ -179,35 +181,35 @@ check_1_2_4() { # 1.2.5 check_1_2_5() { - id_1_2_5="1.2.5" - desc_1_2_5="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)" - check_1_2_5="$id_1_2_5 - $desc_1_2_5" - starttestjson "$id_1_2_5" "$desc_1_2_5" + local id="1.2.5" + local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) directory="/etc/docker" if [ -d "$directory" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then - pass "$check_1_2_5" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_5" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_5" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_5" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_5" + info "$check" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) @@ -216,35 +218,35 @@ fi # 1.2.6 check_1_2_6() { - id_1_2_6="1.2.6" - desc_1_2_6="Ensure auditing is configured for Docker files and directories - docker.service (Scored)" - check_1_2_6="$id_1_2_6 - $desc_1_2_6" - starttestjson "$id_1_2_6" "$desc_1_2_6" + local id="1.2.6" + local desc="Ensure auditing is configured for Docker files and directories - docker.service (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="$(get_service_file docker.service)" if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then - pass "$check_1_2_6" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_6" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_6" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_6" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_6" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -253,35 +255,35 @@ check_1_2_6() { # 1.2.7 check_1_2_7() { - id_1_2_7="1.2.7" - desc_1_2_7="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)" - check_1_2_7="$id_1_2_7 - $desc_1_2_7" - starttestjson "$id_1_2_7" "$desc_1_2_7" + local id="1.2.7" + local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="$(get_service_file docker.socket)" if [ -e "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then - pass "$check_1_2_7" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_7" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_7" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_7" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_7" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -290,35 +292,35 @@ check_1_2_7() { # 1.2.8 check_1_2_8() { - id_1_2_8="1.2.8" - desc_1_2_8="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)" - check_1_2_8="$id_1_2_8 - $desc_1_2_8" - starttestjson "$id_1_2_8" "$desc_1_2_8" + local id="1.2.8" + local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/default/docker" if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then - pass "$check_1_2_8" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_8" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_8" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_8" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_8" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -327,35 +329,35 @@ check_1_2_8() { # 1.2.9 check_1_2_9() { - id_1_2_9="1.2.9" - desc_1_2_9="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)" - check_1_2_9="$id_1_2_9 - $desc_1_2_9" - starttestjson "$id_1_2_9" "$desc_1_2_9" + local id="1.2.9" + local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/sysconfig/docker" if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then - pass "$check_1_2_9" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_9" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_9" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_9" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_9" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -364,35 +366,35 @@ check_1_2_9() { # 1.2.10 check_1_2_10() { - id_1_2_10="1.2.10" - desc_1_2_10="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)" - check_1_2_10="$id_1_2_10 - $desc_1_2_10" - starttestjson "$id_1_2_10" "$desc_1_2_10" + local id="1.2.10" + local desc="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/docker/daemon.json" if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then - pass "$check_1_2_10" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_10" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_10" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_10" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_10" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -401,35 +403,35 @@ check_1_2_10() { # 1.2.11 check_1_2_11() { - id_1_2_11="1.2.11" - desc_1_2_11="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)" - check_1_2_11="$id_1_2_11 - $desc_1_2_11" - starttestjson "$id_1_2_11" "$desc_1_2_11" + local id="1.2.11" + local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/usr/bin/containerd" if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then - pass "$check_1_2_11" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_11" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_11" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_11" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_11" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -438,35 +440,35 @@ check_1_2_11() { # 1.2.12 check_1_2_12() { - id_1_2_12="1.2.12" - desc_1_2_12="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)" - check_1_2_12="$id_1_2_12 - $desc_1_2_12" - starttestjson "$id_1_2_12" "$desc_1_2_12" + local id="1.2.12" + local desc="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/usr/sbin/runc" if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then - pass "$check_1_2_12" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_12" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_2_12" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_1_2_12" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - info "$check_1_2_12" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 83cc8eb..3f27d5d 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -2,31 +2,31 @@ check_2() { logit "\n" - id_2="2" - desc_2="Docker daemon configuration" - check_2="$id_2 - $desc_2" - info "$check_2" - startsectionjson "$id_2" "$desc_2" + local id="2" + local desc="Docker daemon configuration" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } # 2.1 check_2_1() { - id_2_1="2.1" - desc_2_1="Ensure network traffic is restricted between containers on the default bridge (Scored)" - check_2_1="$id_2_1 - $desc_2_1" - starttestjson "$id_2_1" "$desc_2_1" + local id="2.1" + local desc="Ensure network traffic is restricted between containers on the default bridge (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then - pass "$check_2_1" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then - pass "$check_2_1" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_1" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -34,38 +34,38 @@ check_2_1() { # 2.2 check_2_2() { - id_2_2="2.2" - desc_2_2="Ensure the logging level is set to 'info' (Scored)" - check_2_2="$id_2_2 - $desc_2_2" - starttestjson "$id_2_2" "$desc_2_2" + local id="2.2" + local desc="Ensure the logging level is set to 'info' (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then - pass "$check_2_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then - pass "$check_2_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_2" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi elif get_docker_effective_command_line_args '-l'; then if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then - pass "$check_2_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_2" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - pass "$check_2_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -73,22 +73,22 @@ check_2_2() { # 2.3 check_2_3() { - id_2_3="2.3" - desc_2_3="Ensure Docker is allowed to make changes to iptables (Scored)" - check_2_3="$id_2_3 - $desc_2_3" - starttestjson "$id_2_3" "$desc_2_3" + local id="2.3" + local desc="Ensure Docker is allowed to make changes to iptables (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then - warn "$check_2_3" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then - warn "$check_2_3" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) else - pass "$check_2_3" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -96,28 +96,28 @@ check_2_3() { # 2.4 check_2_4() { - id_2_4="2.4" - desc_2_4="Ensure insecure registries are not used (Scored)" - check_2_4="$id_2_4 - $desc_2_4" - starttestjson "$id_2_4" "$desc_2_4" + local id="2.4" + local desc="Ensure insecure registries are not used (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then - warn "$check_2_4" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then - pass "$check_2_4" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_4" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - pass "$check_2_4" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -125,18 +125,18 @@ check_2_4() { # 2.5 check_2_5() { - id_2_5="2.5" - desc_2_5="Ensure aufs storage driver is not used (Scored)" - check_2_5="$id_2_5 - $desc_2_5" - starttestjson "$id_2_5" "$desc_2_5" + local id="2.5" + local desc="Ensure aufs storage driver is not used (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then - warn "$check_2_5" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) else - pass "$check_2_5" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -144,33 +144,33 @@ check_2_5() { # 2.6 check_2_6() { - id_2_6="2.6" - desc_2_6="Ensure TLS authentication for Docker daemon is configured (Scored)" - check_2_6="$id_2_6 - $desc_2_6" - starttestjson "$id_2_6" "$desc_2_6" + local id="2.6" + local desc="Ensure TLS authentication for Docker daemon is configured (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ $(get_docker_configuration_file_args 'tcp://') ] || \ [ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') >/dev/null 2>&1 ]; then if [ $(get_docker_configuration_file_args '"tlsverify":' | grep 'true') ] || \ [ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then - pass "$check_2_6" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ [ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then - warn "$check_2_6" + warn "$check" warn " * Docker daemon currently listening on TCP with TLS, but no verification" resulttestjson "WARN" "Docker daemon currently listening on TCP with TLS, but no verification" currentScore=$((currentScore - 1)) else - warn "$check_2_6" + warn "$check" warn " * Docker daemon currently listening on TCP without TLS" resulttestjson "WARN" "Docker daemon currently listening on TCP without TLS" currentScore=$((currentScore - 1)) fi else - info "$check_2_6" + info "$check" info " * Docker daemon not listening on TCP" resulttestjson "INFO" "Docker daemon not listening on TCP" currentScore=$((currentScore + 0)) @@ -179,22 +179,22 @@ check_2_6() { # 2.7 check_2_7() { - id_2_7="2.7" - desc_2_7="Ensure the default ulimit is configured appropriately (Not Scored)" - check_2_7="$id_2_7 - $desc_2_7" - starttestjson "$id_2_7" "$desc_2_7" + local id="2.7" + local desc="Ensure the default ulimit is configured appropriately (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then - pass "$check_2_7" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then - pass "$check_2_7" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - info "$check_2_7" + info "$check" info " * Default ulimit doesn't appear to be set" resulttestjson "INFO" "Default ulimit doesn't appear to be set" currentScore=$((currentScore + 0)) @@ -203,22 +203,22 @@ check_2_7() { # 2.8 check_2_8() { - id_2_8="2.8" - desc_2_8="Enable user namespace support (Scored)" - check_2_8="$id_2_8 - $desc_2_8" - starttestjson "$id_2_8" "$desc_2_8" + local id="2.8" + local desc="Enable user namespace support (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then - pass "$check_2_8" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then - pass "$check_2_8" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_8" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -226,24 +226,24 @@ check_2_8() { # 2.9 check_2_9() { - id_2_9="2.9" - desc_2_9="Ensure the default cgroup usage has been confirmed (Scored)" - check_2_9="$id_2_9 - $desc_2_9" - starttestjson "$id_2_9" "$desc_2_9" + local id="2.9" + local desc="Ensure the default cgroup usage has been confirmed (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_configuration_file_args 'cgroup-parent' | grep -v ''; then - warn "$check_2_9" + warn "$check" info " * Confirm cgroup usage" resulttestjson "WARN" "Confirm cgroup usage" currentScore=$((currentScore + 0)) elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then - warn "$check_2_9" + warn "$check" info " * Confirm cgroup usage" resulttestjson "WARN" "Confirm cgroup usage" currentScore=$((currentScore + 0)) else - pass "$check_2_9" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -251,22 +251,22 @@ check_2_9() { # 2.10 check_2_10() { - id_2_10="2.10" - desc_2_10="Ensure base device size is not changed until needed (Scored)" - check_2_10="$id_2_10 - $desc_2_10" - starttestjson "$id_2_10" "$desc_2_10" + local id="2.10" + local desc="Ensure base device size is not changed until needed (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then - warn "$check_2_10" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then - warn "$check_2_10" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) else - pass "$check_2_10" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -274,22 +274,22 @@ check_2_10() { # 2.11 check_2_11() { - id_2_11="2.11" - desc_2_11="Ensure that authorization for Docker client commands is enabled (Scored)" - check_2_11="$id_2_11 - $desc_2_11" - starttestjson "$id_2_11" "$desc_2_11" + local id="2.11" + local desc="Ensure that authorization for Docker client commands is enabled (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then - pass "$check_2_11" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then - pass "$check_2_11" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_11" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -297,18 +297,18 @@ check_2_11() { # 2.12 check_2_12() { - id_2_12="2.12" - desc_2_12="Ensure centralized and remote logging is configured (Scored)" - check_2_12="$id_2_12 - $desc_2_12" - starttestjson "$id_2_12" "$desc_2_12" + local id="2.12" + local desc="Ensure centralized and remote logging is configured (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then - warn "$check_2_12" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) else - pass "$check_2_12" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -316,27 +316,27 @@ check_2_12() { # 2.13 check_2_13() { - id_2_13="2.13" - desc_2_13="Ensure live restore is enabled (Scored)" - check_2_13="$id_2_13 - $desc_2_13" - starttestjson "$id_2_13" "$desc_2_13" + local id="2.13" + local desc="Ensure live restore is enabled (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then - pass "$check_2_13" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then - pass "$check_2_13 (Incompatible with swarm mode)" + pass "$check (Incompatible with swarm mode)" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then - pass "$check_2_13" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_13" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -345,22 +345,22 @@ check_2_13() { # 2.14 check_2_14() { - id_2_14="2.14" - desc_2_14="Ensure Userland Proxy is Disabled (Scored)" - check_2_14="$id_2_14 - $desc_2_14" - starttestjson "$id_2_14" "$desc_2_14" + local id="2.14" + local desc="Ensure Userland Proxy is Disabled (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then - pass "$check_2_14" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then - pass "$check_2_14" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_14" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -368,18 +368,18 @@ check_2_14() { # 2.15 check_2_15() { - id_2_15="2.15" - desc_2_15="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)" - check_2_15="$id_2_15 - $desc_2_15" - starttestjson "$id_2_15" "$desc_2_15" + local id="2.15" + local desc="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then - pass "$check_2_15" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - info "$check_2_15" + info "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) fi @@ -390,48 +390,48 @@ check_2_16() { docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ | awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4) - id_2_16="2.16" - desc_2_16="Ensure that experimental features are not implemented in production (Scored)" - check_2_16="$id_2_16 - $desc_2_16" - starttestjson "$id_2_16" "$desc_2_16" + local id="2.16" + local desc="Ensure that experimental features are not implemented in production (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ "$docker_version" -le 1903 ]; then if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then - pass "$check_2_16" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_16" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - desc_2_16="$desc_2_16 (Deprecated)" - check_2_16="$id_2_16 - $desc_2_16" - info "$desc_2_16" + local desc="$desc (Deprecated)" + local check="$id - $desc" + info "$desc" resulttestjson "INFO" fi } # 2.17 check_2_17() { - id_2_17="2.17" - desc_2_17="Ensure containers are restricted from acquiring new privileges (Scored)" - check_2_17="$id_2_17 - $desc_2_17" - starttestjson "$id_2_17" "$desc_2_17" + local id="2.17" + local desc="Ensure containers are restricted from acquiring new privileges (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then - pass "$check_2_17" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then - pass "$check_2_17" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_17" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 7b77829..850948b 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -2,35 +2,35 @@ check_3() { logit "\n" - id_3="3" - desc_3="Docker daemon configuration files" - check_3="$id_3 - $desc_3" - info "$check_3" - startsectionjson "$id_3" "$desc_3" + local id="3" + local desc="Docker daemon configuration files" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } # 3.1 check_3_1() { - id_3_1="3.1" - desc_3_1="Ensure that the docker.service file ownership is set to root:root (Scored)" - check_3_1="$id_3_1 - $desc_3_1" - starttestjson "$id_3_1" "$desc_3_1" + local id="3.1" + local desc="Ensure that the docker.service file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="$(get_service_file docker.service)" if [ -f "$file" ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_1" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_1" + warn "$check" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_1" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -39,26 +39,26 @@ check_3_1() { # 3.2 check_3_2() { - id_3_2="3.2" - desc_3_2="Ensure that docker.service file permissions are appropriately set (Scored)" - check_3_2="$id_3_2 - $desc_3_2" - starttestjson "$id_3_2" "$desc_3_2" + local id="3.2" + local desc="Ensure that docker.service file permissions are appropriately set (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="$(get_service_file docker.service)" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -le 644 ]; then - pass "$check_3_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_2" + warn "$check" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_2" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -67,26 +67,26 @@ check_3_2() { # 3.3 check_3_3() { - id_3_3="3.3" - desc_3_3="Ensure that docker.socket file ownership is set to root:root (Scored)" - check_3_3="$id_3_3 - $desc_3_3" - starttestjson "$id_3_3" "$desc_3_3" + local id="3.3" + local desc="Ensure that docker.socket file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="$(get_service_file docker.socket)" if [ -f "$file" ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_3" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_3" + warn "$check" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_3" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -95,26 +95,26 @@ check_3_3() { # 3.4 check_3_4() { - id_3_4="3.4" - desc_3_4="Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)" - check_3_4="$id_3_4 - $desc_3_4" - starttestjson "$id_3_4" "$desc_3_4" + local id="3.4" + local desc="Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="$(get_service_file docker.socket)" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -le 644 ]; then - pass "$check_3_4" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_4" + warn "$check" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_4" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -123,26 +123,26 @@ check_3_4() { # 3.5 check_3_5() { - id_3_5="3.5" - desc_3_5="Ensure that the /etc/docker directory ownership is set to root:root (Scored)" - check_3_5="$id_3_5 - $desc_3_5" - starttestjson "$id_3_5" "$desc_3_5" + local id="3.5" + local desc="Ensure that the /etc/docker directory ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) directory="/etc/docker" if [ -d "$directory" ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then - pass "$check_3_5" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_5" + warn "$check" warn " * Wrong ownership for $directory" resulttestjson "WARN" "Wrong ownership for $directory" currentScore=$((currentScore - 1)) fi else - info "$check_3_5" + info "$check" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) @@ -151,26 +151,26 @@ check_3_5() { # 3.6 check_3_6() { - id_3_6="3.6" - desc_3_6="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)" - check_3_6="$id_3_6 - $desc_3_6" - starttestjson "$id_3_6" "$desc_3_6" + local id="3.6" + local desc="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) directory="/etc/docker" if [ -d "$directory" ]; then if [ "$(stat -c %a $directory)" -le 755 ]; then - pass "$check_3_6" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_6" + warn "$check" warn " * Wrong permissions for $directory" resulttestjson "WARN" "Wrong permissions for $directory" currentScore=$((currentScore - 1)) fi else - info "$check_3_6" + info "$check" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) @@ -179,10 +179,10 @@ check_3_6() { # 3.7 check_3_7() { - id_3_7="3.7" - desc_3_7="Ensure that registry certificate file ownership is set to root:root (Scored)" - check_3_7="$id_3_7 - $desc_3_7" - starttestjson "$id_3_7" "$desc_3_7" + local id="3.7" + local desc="Ensure that registry certificate file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) directory="/etc/docker/certs.d/" @@ -195,17 +195,17 @@ check_3_7() { fi done if [ $fail -eq 1 ]; then - warn "$check_3_7" + warn "$check" warn " * Wrong ownership for $directory" resulttestjson "WARN" "Wrong ownership for $directory" currentScore=$((currentScore - 1)) else - pass "$check_3_7" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi else - info "$check_3_7" + info "$check" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) @@ -214,10 +214,10 @@ check_3_7() { # 3.8 check_3_8() { - id_3_8="3.8" - desc_3_8="Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)" - check_3_8="$id_3_8 - $desc_3_8" - starttestjson "$id_3_8" "$desc_3_8" + local id="3.8" + local desc="Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) directory="/etc/docker/certs.d/" @@ -230,17 +230,17 @@ check_3_8() { fi done if [ $fail -eq 1 ]; then - warn "$check_3_8" + warn "$check" warn " * Wrong permissions for $directory" resulttestjson "WARN" "Wrong permissions for $directory" currentScore=$((currentScore - 1)) else - pass "$check_3_8" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi else - info "$check_3_8" + info "$check" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) @@ -249,10 +249,10 @@ check_3_8() { # 3.9 check_3_9() { - id_3_9="3.9" - desc_3_9="Ensure that TLS CA certificate file ownership is set to root:root (Scored)" - check_3_9="$id_3_9 - $desc_3_9" - starttestjson "$id_3_9" "$desc_3_9" + local id="3.9" + local desc="Ensure that TLS CA certificate file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then @@ -262,17 +262,17 @@ check_3_9() { fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then - pass "$check_3_9" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_9" + warn "$check" warn " * Wrong ownership for $tlscacert" resulttestjson "WARN" "Wrong ownership for $tlscacert" currentScore=$((currentScore - 1)) fi else - info "$check_3_9" + info "$check" info " * No TLS CA certificate found" resulttestjson "INFO" "No TLS CA certificate found" currentScore=$((currentScore + 0)) @@ -281,10 +281,10 @@ check_3_9() { # 3.10 check_3_10() { - id_3_10="3.10" - desc_3_10="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)" - check_3_10="$id_3_10 - $desc_3_10" - starttestjson "$id_3_10" "$desc_3_10" + local id="3.10" + local desc="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then @@ -294,17 +294,17 @@ check_3_10() { fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %a $tlscacert)" -le 444 ]; then - pass "$check_3_10" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_10" + warn "$check" warn " * Wrong permissions for $tlscacert" resulttestjson "WARN" "Wrong permissions for $tlscacert" currentScore=$((currentScore - 1)) fi else - info "$check_3_10" + info "$check" info " * No TLS CA certificate found" resulttestjson "INFO" "No TLS CA certificate found" currentScore=$((currentScore + 0)) @@ -313,10 +313,10 @@ check_3_10() { # 3.11 check_3_11() { - id_3_11="3.11" - desc_3_11="Ensure that Docker server certificate file ownership is set to root:root (Scored)" - check_3_11="$id_3_11 - $desc_3_11" - starttestjson "$id_3_11" "$desc_3_11" + local id="3.11" + local desc="Ensure that Docker server certificate file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then @@ -326,17 +326,17 @@ check_3_11() { fi if [ -f "$tlscert" ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then - pass "$check_3_11" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_11" + warn "$check" warn " * Wrong ownership for $tlscert" resulttestjson "WARN" "Wrong ownership for $tlscert" currentScore=$((currentScore - 1)) fi else - info "$check_3_11" + info "$check" info " * No TLS Server certificate found" resulttestjson "INFO" "No TLS Server certificate found" currentScore=$((currentScore + 0)) @@ -345,10 +345,10 @@ check_3_11() { # 3.12 check_3_12() { - id_3_12="3.12" - desc_3_12="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)" - check_3_12="$id_3_12 - $desc_3_12" - starttestjson "$id_3_12" "$desc_3_12" + local id="3.12" + local desc="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then @@ -358,17 +358,17 @@ check_3_12() { fi if [ -f "$tlscert" ]; then if [ "$(stat -c %a $tlscert)" -le 444 ]; then - pass "$check_3_12" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_12" + warn "$check" warn " * Wrong permissions for $tlscert" resulttestjson "WARN" "Wrong permissions for $tlscert" currentScore=$((currentScore - 1)) fi else - info "$check_3_12" + info "$check" info " * No TLS Server certificate found" resulttestjson "INFO" "No TLS Server certificate found" currentScore=$((currentScore + 0)) @@ -377,10 +377,10 @@ check_3_12() { # 3.13 check_3_13() { - id_3_13="3.13" - desc_3_13="Ensure that the Docker server certificate key file ownership is set to root:root (Scored)" - check_3_13="$id_3_13 - $desc_3_13" - starttestjson "$id_3_13" "$desc_3_13" + local id="3.13" + local desc="Ensure that the Docker server certificate key file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then @@ -390,17 +390,17 @@ check_3_13() { fi if [ -f "$tlskey" ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then - pass "$check_3_13" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_13" + warn "$check" warn " * Wrong ownership for $tlskey" resulttestjson "WARN" "Wrong ownership for $tlskey" currentScore=$((currentScore - 1)) fi else - info "$check_3_13" + info "$check" info " * No TLS Key found" resulttestjson "INFO" "No TLS Key found" currentScore=$((currentScore + 0)) @@ -409,10 +409,10 @@ check_3_13() { # 3.14 check_3_14() { - id_3_14="3.14" - desc_3_14="Ensure that the Docker server certificate key file permissions are set to 400 (Scored)" - check_3_14="$id_3_14 - $desc_3_14" - starttestjson "$id_3_14" "$desc_3_14" + local id="3.14" + local desc="Ensure that the Docker server certificate key file permissions are set to 400 (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then @@ -422,17 +422,17 @@ check_3_14() { fi if [ -f "$tlskey" ]; then if [ "$(stat -c %a $tlskey)" -eq 400 ]; then - pass "$check_3_14" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_14" + warn "$check" warn " * Wrong permissions for $tlskey" resulttestjson "WARN" "Wrong permissions for $tlskey" currentScore=$((currentScore - 1)) fi else - info "$check_3_14" + info "$check" info " * No TLS Key found" resulttestjson "INFO" "No TLS Key found" currentScore=$((currentScore + 0)) @@ -441,26 +441,26 @@ check_3_14() { # 3.15 check_3_15() { - id_3_15="3.15" - desc_3_15="Ensure that the Docker socket file ownership is set to root:docker (Scored)" - check_3_15="$id_3_15 - $desc_3_15" - starttestjson "$id_3_15" "$desc_3_15" + local id="3.15" + local desc="Ensure that the Docker socket file ownership is set to root:docker (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/var/run/docker.sock" if [ -S "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then - pass "$check_3_15" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_15" + warn "$check" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_15" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -469,26 +469,26 @@ check_3_15() { # 3.16 check_3_16() { - id_3_16="3.16" - desc_3_16="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)" - check_3_16="$id_3_16 - $desc_3_16" - starttestjson "$id_3_16" "$desc_3_16" + local id="3.16" + local desc="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/var/run/docker.sock" if [ -S "$file" ]; then if [ "$(stat -c %a $file)" -le 660 ]; then - pass "$check_3_16" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_16" + warn "$check" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_16" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -497,26 +497,26 @@ check_3_16() { # 3.17 check_3_17() { - id_3_17="3.17" - desc_3_17="Ensure that the daemon.json file ownership is set to root:root (Scored)" - check_3_17="$id_3_17 - $desc_3_17" - starttestjson "$id_3_17" "$desc_3_17" + local id="3.17" + local desc="Ensure that the daemon.json file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/docker/daemon.json" if [ -f "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then - pass "$check_3_17" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_17" + warn "$check" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_17" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -525,26 +525,26 @@ check_3_17() { # 3.18 check_3_18() { - id_3_18="3.18" - desc_3_18="Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)" - check_3_18="$id_3_18 - $desc_3_18" - starttestjson "$id_3_18" "$desc_3_18" + local id="3.18" + local desc="Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/docker/daemon.json" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -le 644 ]; then - pass "$check_3_18" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_18" + warn "$check" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_18" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -553,26 +553,26 @@ check_3_18() { # 3.19 check_3_19() { - id_3_19="3.19" - desc_3_19="Ensure that the /etc/default/docker file ownership is set to root:root (Scored)" - check_3_19="$id_3_19 - $desc_3_19" - starttestjson "$id_3_19" "$desc_3_19" + local id="3.19" + local desc="Ensure that the /etc/default/docker file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/default/docker" if [ -f "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then - pass "$check_3_19" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_19" + warn "$check" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_19" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -581,26 +581,26 @@ check_3_19() { # 3.20 check_3_20() { - id_3_20="3.20" - desc_3_20="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)" - check_3_20="$id_3_20 - $desc_3_20" - starttestjson "$id_3_20" "$desc_3_20" + local id="3.20" + local desc="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/sysconfig/docker" if [ -f "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then - pass "$check_3_20" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_20" + warn "$check" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_20" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -609,26 +609,26 @@ check_3_20() { # 3.21 check_3_21() { - id_3_21="3.21" - desc_3_21="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)" - check_3_21="$id_3_21 - $desc_3_21" - starttestjson "$id_3_21" "$desc_3_21" + local id="3.21" + local desc="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/sysconfig/docker" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -le 644 ]; then - pass "$check_3_21" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_21" + warn "$check" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_21" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) @@ -637,26 +637,26 @@ check_3_21() { # 3.22 check_3_22() { - id_3_22="3.22" - desc_3_22="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)" - check_3_22="$id_3_22 - $desc_3_22" - starttestjson "$id_3_22" "$desc_3_22" + local id="3.22" + local desc="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) file="/etc/default/docker" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -le 644 ]; then - pass "$check_3_22" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_3_22" + warn "$check" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else - info "$check_3_22" + info "$check" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index 4e63507..32deeca 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh @@ -2,25 +2,25 @@ check_4() { logit "\n" - id_4="4" - desc_4="Container Images and Build File" - check_4="$id_4 - $desc_4" - info "$check_4" - startsectionjson "$id_4" "$desc_4" + local id="4" + local desc="Container Images and Build File" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } # 4.1 check_4_1() { - id_4_1="4.1" - desc_4_1="Ensure that a user for the container has been created (Scored)" - check_4_1="$id_4_1 - $desc_4_1" - starttestjson "$id_4_1" "$desc_4_1" + local id="4.1" + local desc="Ensure that a user for the container has been created (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) # If container_users is empty, there are no running containers if [ -z "$containers" ]; then - info "$check_4_1" + info "$check" info " * No containers running" resulttestjson "INFO" "No containers running" currentScore=$((currentScore + 0)) @@ -37,7 +37,7 @@ check_4_1() { if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_4_1" + warn "$check" warn " * Running as root: $c" root_containers="$root_containers $c" fail=1 @@ -49,7 +49,7 @@ check_4_1() { done # We went through all the containers and found none running as root if [ $fail -eq 0 ]; then - pass "$check_4_1" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -63,57 +63,57 @@ check_4_1() { # 4.2 check_4_2() { - id_4_2="4.2" - desc_4_2="Ensure that containers use only trusted base images (Not Scored)" - check_4_2="$id_4_2 - $desc_4_2" - starttestjson "$id_4_2" "$desc_4_2" + local id="4.2" + local desc="Ensure that containers use only trusted base images (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_4_2" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } # 4.3 check_4_3() { - id_4_3="4.3" - desc_4_3="Ensure that unnecessary packages are not installed in the container (Not Scored)" - check_4_3="$id_4_3 - $desc_4_3" - starttestjson "$id_4_3" "$desc_4_3" + local id="4.3" + local desc="Ensure that unnecessary packages are not installed in the container (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_4_3" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } # 4.4 check_4_4() { - id_4_4="4.4" - desc_4_4="Ensure images are scanned and rebuilt to include security patches (Not Scored)" - check_4_4="$id_4_4 - $desc_4_4" - starttestjson "$id_4_4" "$desc_4_4" + local id="4.4" + local desc="Ensure images are scanned and rebuilt to include security patches (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_4_4" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } # 4.5 check_4_5() { - id_4_5="4.5" - desc_4_5="Ensure Content trust for Docker is Enabled (Scored)" - check_4_5="$id_4_5 - $desc_4_5" - starttestjson "$id_4_5" "$desc_4_5" + local id="4.5" + local desc="Ensure Content trust for Docker is Enabled (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then - pass "$check_4_5" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_4_5" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -121,10 +121,10 @@ check_4_5() { # 4.6 check_4_6() { - id_4_6="4.6" - desc_4_6="Ensure that HEALTHCHECK instructions have been added to container images (Scored)" - check_4_6="$id_4_6 - $desc_4_6" - starttestjson "$id_4_6" "$desc_4_6" + local id="4.6" + local desc="Ensure that HEALTHCHECK instructions have been added to container images (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) fail=0 @@ -133,7 +133,7 @@ check_4_6() { if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "" >/dev/null 2>&1; then if [ $fail -eq 0 ]; then fail=1 - warn "$check_4_6" + warn "$check" fi imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) if ! [ "$imgName" = '[]' ]; then @@ -146,7 +146,7 @@ check_4_6() { fi done if [ $fail -eq 0 ]; then - pass "$check_4_6" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -157,10 +157,10 @@ check_4_6() { # 4.7 check_4_7() { - id_4_7="4.7" - desc_4_7="Ensure update instructions are not used alone in the Dockerfile (Not Scored)" - check_4_7="$id_4_7 - $desc_4_7" - starttestjson "$id_4_7" "$desc_4_7" + local id="4.7" + local desc="Ensure update instructions are not used alone in the Dockerfile (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) fail=0 @@ -169,7 +169,7 @@ check_4_7() { if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then if [ $fail -eq 0 ]; then fail=1 - info "$check_4_7" + info "$check" fi imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) if ! [ "$imgName" = '[]' ]; then @@ -179,7 +179,7 @@ check_4_7() { fi done if [ $fail -eq 0 ]; then - pass "$check_4_7" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 0)) else @@ -190,23 +190,23 @@ check_4_7() { # 4.8 check_4_8() { - id_4_8="4.8" - desc_4_8="Ensure setuid and setgid permissions are removed (Not Scored)" - check_4_8="$id_4_8 - $desc_4_8" - starttestjson "$id_4_8" "$desc_4_8" + local id="4.8" + local desc="Ensure setuid and setgid permissions are removed (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_4_8" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } # 4.9 check_4_9() { - id_4_9="4.9" - desc_4_9="Ensure that COPY is used instead of ADD in Dockerfiles (Not Scored)" - check_4_9="$id_4_9 - $desc_4_9" - starttestjson "$id_4_9" "$desc_4_9" + local id="4.9" + local desc="Ensure that COPY is used instead of ADD in Dockerfiles (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) fail=0 @@ -216,7 +216,7 @@ check_4_9() { sed '$d' | grep -q 'ADD'; then if [ $fail -eq 0 ]; then fail=1 - info "$check_4_9" + info "$check" fi imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) if ! [ "$imgName" = '[]' ]; then @@ -227,7 +227,7 @@ check_4_9() { fi done if [ $fail -eq 0 ]; then - pass "$check_4_9" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 0)) else @@ -237,26 +237,26 @@ check_4_9() { # 4.10 check_4_10() { - id_4_10="4.10" - desc_4_10="Ensure secrets are not stored in Dockerfiles (Not Scored)" - check_4_10="$id_4_10 - $desc_4_10" - starttestjson "$id_4_10" "$desc_4_10" + local id="4.10" + local desc="Ensure secrets are not stored in Dockerfiles (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_4_10" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } # 4.11 check_4_11() { - id_4_11="4.11" - desc_4_11="Ensure only verified packages are are installed (Not Scored)" - check_4_11="$id_4_11 - $desc_4_11" - starttestjson "$id_4_11" "$desc_4_11" + local id="4.11" + local desc="Ensure only verified packages are are installed (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_4_11" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index a42be93..b8b92e5 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -2,11 +2,11 @@ check_5() { logit "\n" - id_5="5" - desc_5="Container Runtime" - check_5="$id_5 - $desc_5" - info "$check_5" - startsectionjson "$id_5" "$desc_5" + local id="5" + local desc="Container Runtime" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } check_running_containers() { @@ -28,10 +28,10 @@ check_5_1() { return fi - id_5_1="5.1" - desc_5_1="Ensure that, if applicable, an AppArmor Profile is enabled (Scored)" - check_5_1="$id_5_1 - $desc_5_1" - starttestjson "$id_5_1" "$desc_5_1" + local id="5.1" + local desc="Ensure that, if applicable, an AppArmor Profile is enabled (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -43,7 +43,7 @@ check_5_1() { if [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=[]" ] || [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=unconfined" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_1" + warn "$check" warn " * No AppArmorProfile Found: $c" no_apparmor_containers="$no_apparmor_containers $c" fail=1 @@ -55,7 +55,7 @@ check_5_1() { done # We went through all the containers and found none without AppArmor if [ $fail -eq 0 ]; then - pass "$check_5_1" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -70,10 +70,10 @@ check_5_2() { return fi - id_5_2="5.2" - desc_5_2="Ensure that, if applicable, SELinux security options are set (Scored)" - check_5_2="$id_5_2 - $desc_5_2" - starttestjson "$id_5_2" "$desc_5_2" + local id="5.2" + local desc="Ensure that, if applicable, SELinux security options are set (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -85,7 +85,7 @@ check_5_2() { if [ "$policy" = "SecurityOpt=" ] || [ "$policy" = "SecurityOpt=[]" ] || [ "$policy" = "SecurityOpt=" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_2" + warn "$check" warn " * No SecurityOptions Found: $c" no_securityoptions_containers="$no_securityoptions_containers $c" fail=1 @@ -97,7 +97,7 @@ check_5_2() { done # We went through all the containers and found none without SELinux if [ $fail -eq 0 ]; then - pass "$check_5_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -112,10 +112,10 @@ check_5_3() { return fi - id_5_3="5.3" - desc_5_3="Ensure that Linux kernel capabilities are restricted within containers (Scored)" - check_5_3="$id_5_3 - $desc_5_3" - starttestjson "$id_5_3" "$desc_5_3" + local id="5.3" + local desc="Ensure that Linux kernel capabilities are restricted within containers (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -130,7 +130,7 @@ check_5_3() { if [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=[]' ] && [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=' ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_3" + warn "$check" warn " * Capabilities added: $caps to $c" caps_containers="$caps_containers $c" fail=1 @@ -142,7 +142,7 @@ check_5_3() { done # We went through all the containers and found none with extra capabilities if [ $fail -eq 0 ]; then - pass "$check_5_3" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -157,10 +157,10 @@ check_5_4() { return fi - id_5_4="5.4" - desc_5_4="Ensure that privileged containers are not used (Scored)" - check_5_4="$id_5_4 - $desc_5_4" - starttestjson "$id_5_4" "$desc_5_4" + local id="5.4" + local desc="Ensure that privileged containers are not used (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -172,7 +172,7 @@ check_5_4() { if [ "$privileged" = "true" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_4" + warn "$check" warn " * Container running in Privileged mode: $c" privileged_containers="$privileged_containers $c" fail=1 @@ -184,7 +184,7 @@ check_5_4() { done # We went through all the containers and found no privileged containers if [ $fail -eq 0 ]; then - pass "$check_5_4" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -199,10 +199,10 @@ check_5_5() { return fi - id_5_5="5.5" - desc_5_5="Ensure sensitive host system directories are not mounted on containers (Scored)" - check_5_5="$id_5_5 - $desc_5_5" - starttestjson "$id_5_5" "$desc_5_5" + local id="5.5" + local desc="Ensure sensitive host system directories are not mounted on containers (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -233,7 +233,7 @@ check_5_5() { if [ $sensitive -eq 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_5" + warn "$check" warn " * Sensitive directory $v mounted in: $c" sensitive_mount_containers="$sensitive_mount_containers $c:$v" fail=1 @@ -246,7 +246,7 @@ check_5_5() { done # We went through all the containers and found none with sensitive mounts if [ $fail -eq 0 ]; then - pass "$check_5_5" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -261,10 +261,10 @@ check_5_6() { return fi - id_5_6="5.6" - desc_5_6="Ensure sshd is not run within containers (Scored)" - check_5_6="$id_5_6 - $desc_5_6" - starttestjson "$id_5_6" "$desc_5_6" + local id="5.6" + local desc="Ensure sshd is not run within containers (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -277,7 +277,7 @@ check_5_6() { if [ "$processes" -ge 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_6" + warn "$check" warn " * Container running sshd: $c" ssh_exec_containers="$ssh_exec_containers $c" fail=1 @@ -291,7 +291,7 @@ check_5_6() { exec_check=$(docker exec "$c" ps -el 2>/dev/null) if [ $? -eq 255 ]; then if [ $printcheck -eq 0 ]; then - warn "$check_5_6" + warn "$check" printcheck=1 fi warn " * Docker exec fails: $c" @@ -302,7 +302,7 @@ check_5_6() { done # We went through all the containers and found none with sshd if [ $fail -eq 0 ]; then - pass "$check_5_6" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -317,10 +317,10 @@ check_5_7() { return fi - id_5_7="5.7" - desc_5_7="Ensure privileged ports are not mapped within containers (Scored)" - check_5_7="$id_5_7 - $desc_5_7" - starttestjson "$id_5_7" "$desc_5_7" + local id="5.7" + local desc="Ensure privileged ports are not mapped within containers (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -335,7 +335,7 @@ check_5_7() { if [ -n "$port" ] && [ "$port" -lt 1024 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_7" + warn "$check" warn " * Privileged Port in use: $port in $c" privileged_port_containers="$privileged_port_containers $c:$port" fail=1 @@ -348,7 +348,7 @@ check_5_7() { done # We went through all the containers and found no privileged ports if [ $fail -eq 0 ]; then - pass "$check_5_7" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -363,13 +363,13 @@ check_5_8() { return fi - id_5_8="5.8" - desc_5_8="Ensure that only needed ports are open on the container (Not Scored)" - check_5_8="$id_5_8 - $desc_5_8" - starttestjson "$id_5_8" "$desc_5_8" + local id="5.8" + local desc="Ensure that only needed ports are open on the container (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_5_8" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } @@ -380,10 +380,10 @@ check_5_9() { return fi - id_5_9="5.9" - desc_5_9="Ensure that the host's network namespace is not shared (Scored)" - check_5_9="$id_5_9 - $desc_5_9" - starttestjson "$id_5_9" "$desc_5_9" + local id="5.9" + local desc="Ensure that the host's network namespace is not shared (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -395,7 +395,7 @@ check_5_9() { if [ "$mode" = "NetworkMode=host" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_9" + warn "$check" warn " * Container running with networking mode 'host': $c" net_host_containers="$net_host_containers $c" fail=1 @@ -407,7 +407,7 @@ check_5_9() { done # We went through all the containers and found no Network Mode host if [ $fail -eq 0 ]; then - pass "$check_5_9" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 0)) else @@ -422,10 +422,10 @@ check_5_10() { return fi - id_5_10="5.10" - desc_5_10="Ensure that the memory usage for containers is limited (Scored)" - check_5_10="$id_5_10 - $desc_5_10" - starttestjson "$id_5_10" "$desc_5_10" + local id="5.10" + local desc="Ensure that the memory usage for containers is limited (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -441,7 +441,7 @@ check_5_10() { if [ "$memory" = "0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_10" + warn "$check" warn " * Container running without memory restrictions: $c" mem_unlimited_containers="$mem_unlimited_containers $c" fail=1 @@ -453,7 +453,7 @@ check_5_10() { done # We went through all the containers and found no lack of Memory restrictions if [ $fail -eq 0 ]; then - pass "$check_5_10" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -468,10 +468,10 @@ check_5_11() { return fi - id_5_11="5.11" - desc_5_11="Ensure that CPU priority is set appropriately on containers (Scored)" - check_5_11="$id_5_11 - $desc_5_11" - starttestjson "$id_5_11" "$desc_5_11" + local id="5.11" + local desc="Ensure that CPU priority is set appropriately on containers (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -487,7 +487,7 @@ check_5_11() { if [ "$shares" = "0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_11" + warn "$check" warn " * Container running without CPU restrictions: $c" cpu_unlimited_containers="$cpu_unlimited_containers $c" fail=1 @@ -499,7 +499,7 @@ check_5_11() { done # We went through all the containers and found no lack of CPUShare restrictions if [ $fail -eq 0 ]; then - pass "$check_5_11" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -514,10 +514,10 @@ check_5_12() { return fi - id_5_12="5.12" - desc_5_12="Ensure that the container's root filesystem is mounted as read only (Scored)" - check_5_12="$id_5_12 - $desc_5_12" - starttestjson "$id_5_12" "$desc_5_12" + local id="5.12" + local desc="Ensure that the container's root filesystem is mounted as read only (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -529,7 +529,7 @@ check_5_12() { if [ "$read_status" = "false" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_12" + warn "$check" warn " * Container running with root FS mounted R/W: $c" fsroot_mount_containers="$fsroot_mount_containers $c" fail=1 @@ -541,7 +541,7 @@ check_5_12() { done # We went through all the containers and found no R/W FS mounts if [ $fail -eq 0 ]; then - pass "$check_5_12" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -556,10 +556,10 @@ check_5_13() { return fi - id_5_13="5.13" - desc_5_13="Ensure that incoming container traffic is bound to a specific host interface (Scored)" - check_5_13="$id_5_13 - $desc_5_13" - starttestjson "$id_5_13" "$desc_5_13" + local id="5.13" + local desc="Ensure that incoming container traffic is bound to a specific host interface (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -570,7 +570,7 @@ check_5_13() { if [ "$ip" = "0.0.0.0" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_13" + warn "$check" warn " * Port being bound to wildcard IP: $ip in $c" incoming_unbound_containers="$incoming_unbound_containers $c:$ip" fail=1 @@ -583,7 +583,7 @@ check_5_13() { done # We went through all the containers and found no ports bound to 0.0.0.0 if [ $fail -eq 0 ]; then - pass "$check_5_13" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -598,10 +598,10 @@ check_5_14() { return fi - id_5_14="5.14" - desc_5_14="Ensure that the 'on-failure' container restart policy is set to '5' (Scored)" - check_5_14="$id_5_14 - $desc_5_14" - starttestjson "$id_5_14" "$desc_5_14" + local id="5.14" + local desc="Ensure that the 'on-failure' container restart policy is set to '5' (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -613,7 +613,7 @@ check_5_14() { if [ "$policy" != "MaximumRetryCount=5" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_14" + warn "$check" warn " * MaximumRetryCount is not set to 5: $c" maxretry_unset_containers="$maxretry_unset_containers $c" fail=1 @@ -625,7 +625,7 @@ check_5_14() { done # We went through all the containers and they all had MaximumRetryCount=5 if [ $fail -eq 0 ]; then - pass "$check_5_14" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -640,10 +640,10 @@ check_5_15() { return fi - id_5_15="5.15" - desc_5_15="Ensure that the host's process namespace is not shared (Scored)" - check_5_15="$id_5_15 - $desc_5_15" - starttestjson "$id_5_15" "$desc_5_15" + local id="5.15" + local desc="Ensure that the host's process namespace is not shared (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -655,7 +655,7 @@ check_5_15() { if [ "$mode" = "PidMode=host" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_15" + warn "$check" warn " * Host PID namespace being shared with: $c" pidns_shared_containers="$pidns_shared_containers $c" fail=1 @@ -667,7 +667,7 @@ check_5_15() { done # We went through all the containers and found none with PidMode as host if [ $fail -eq 0 ]; then - pass "$check_5_15" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -682,10 +682,10 @@ check_5_16() { return fi - id_5_16="5.16" - desc_5_16="Ensure that the host's IPC namespace is not shared (Scored)" - check_5_16="$id_5_16 - $desc_5_16" - starttestjson "$id_5_16" "$desc_5_16" + local id="5.16" + local desc="Ensure that the host's IPC namespace is not shared (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -697,7 +697,7 @@ check_5_16() { if [ "$mode" = "IpcMode=host" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_16" + warn "$check" warn " * Host IPC namespace being shared with: $c" ipcns_shared_containers="$ipcns_shared_containers $c" fail=1 @@ -709,7 +709,7 @@ check_5_16() { done # We went through all the containers and found none with IPCMode as host if [ $fail -eq 0 ]; then - pass "$check_5_16" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -724,10 +724,10 @@ check_5_17() { return fi - id_5_17="5.17" - desc_5_17="Ensure that host devices are not directly exposed to containers (Not Scored)" - check_5_17="$id_5_17 - $desc_5_17" - starttestjson "$id_5_17" "$desc_5_17" + local id="5.17" + local desc="Ensure that host devices are not directly exposed to containers (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -739,7 +739,7 @@ check_5_17() { if [ "$devices" != "Devices=" ] && [ "$devices" != "Devices=[]" ] && [ "$devices" != "Devices=" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - info "$check_5_17" + info "$check" info " * Container has devices exposed directly: $c" hostdev_exposed_containers="$hostdev_exposed_containers $c" fail=1 @@ -751,7 +751,7 @@ check_5_17() { done # We went through all the containers and found none with devices if [ $fail -eq 0 ]; then - pass "$check_5_17" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -766,10 +766,10 @@ check_5_18() { return fi - id_5_18="5.18" - desc_5_18="Ensure that the default ulimit is overwritten at runtime if needed (Not Scored)" - check_5_18="$id_5_18 - $desc_5_18" - starttestjson "$id_5_18" "$desc_5_18" + local id="5.18" + local desc="Ensure that the default ulimit is overwritten at runtime if needed (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -781,7 +781,7 @@ check_5_18() { if [ "$ulimits" = "Ulimits=" ] || [ "$ulimits" = "Ulimits=[]" ] || [ "$ulimits" = "Ulimits=" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - info "$check_5_18" + info "$check" info " * Container no default ulimit override: $c" no_ulimit_containers="$no_ulimit_containers $c" fail=1 @@ -793,7 +793,7 @@ check_5_18() { done # We went through all the containers and found none without Ulimits if [ $fail -eq 0 ]; then - pass "$check_5_18" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -808,10 +808,10 @@ check_5_19() { return fi - id_5_19="5.19" - desc_5_19="Ensure mount propagation mode is not set to shared (Scored)" - check_5_19="$id_5_19 - $desc_5_19" - starttestjson "$id_5_19" "$desc_5_19" + local id="5.19" + local desc="Ensure mount propagation mode is not set to shared (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -822,7 +822,7 @@ check_5_19() { grep shared 2>/dev/null 1>&2; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_19" + warn "$check" warn " * Mount propagation mode is shared: $c" mountprop_shared_containers="$mountprop_shared_containers $c" fail=1 @@ -834,7 +834,7 @@ check_5_19() { done # We went through all the containers and found none with shared propagation mode if [ $fail -eq 0 ]; then - pass "$check_5_19" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -849,10 +849,10 @@ check_5_20() { return fi - id_5_20="5.20" - desc_5_20="Ensure that the host's UTS namespace is not shared (Scored)" - check_5_20="$id_5_20 - $desc_5_20" - starttestjson "$id_5_20" "$desc_5_20" + local id="5.20" + local desc="Ensure that the host's UTS namespace is not shared (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -864,7 +864,7 @@ check_5_20() { if [ "$mode" = "UTSMode=host" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_20" + warn "$check" warn " * Host UTS namespace being shared with: $c" utcns_shared_containers="$utcns_shared_containers $c" fail=1 @@ -876,7 +876,7 @@ check_5_20() { done # We went through all the containers and found none with UTSMode as host if [ $fail -eq 0 ]; then - pass "$check_5_20" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -891,10 +891,10 @@ check_5_21() { return fi - id_5_21="5.21" - desc_5_21="Ensurethe default seccomp profile is not Disabled (Scored)" - check_5_21="$id_5_21 - $desc_5_21" - starttestjson "$id_5_21" "$desc_5_21" + local id="5.21" + local desc="Ensurethe default seccomp profile is not Disabled (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -905,7 +905,7 @@ check_5_21() { grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_21" + warn "$check" warn " * Default seccomp profile disabled: $c" seccomp_disabled_containers="$seccomp_disabled_containers $c" fail=1 @@ -917,7 +917,7 @@ check_5_21() { done # We went through all the containers and found none with default secomp profile disabled if [ $fail -eq 0 ]; then - pass "$check_5_21" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -932,13 +932,13 @@ check_5_22() { return fi - id_5_22="5.22" - desc_5_22="Ensure that docker exec commands are not used with the privileged option (Scored)" - check_5_22="$id_5_22 - $desc_5_22" - starttestjson "$id_5_22" "$desc_5_22" + local id="5.22" + local desc="Ensure that docker exec commands are not used with the privileged option (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_5_22" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } @@ -949,13 +949,13 @@ check_5_23() { return fi - id_5_23="5.23" - desc_5_23="Ensure that docker exec commands are not used with the user=root option (Not Scored)" - check_5_23="$id_5_23 - $desc_5_23" - starttestjson "$id_5_23" "$desc_5_23" + local id="5.23" + local desc="Ensure that docker exec commands are not used with the user=root option (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_5_23" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) } @@ -966,10 +966,10 @@ check_5_24() { return fi - id_5_24="5.24" - desc_5_24="Ensure that cgroup usage is confirmed (Scored)" - check_5_24="$id_5_24 - $desc_5_24" - starttestjson "$id_5_24" "$desc_5_24" + local id="5.24" + local desc="Ensure that cgroup usage is confirmed (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -981,7 +981,7 @@ check_5_24() { if [ "$mode" != "CgroupParent=x" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_24" + warn "$check" warn " * Confirm cgroup usage: $c" unexpected_cgroup_containers="$unexpected_cgroup_containers $c" fail=1 @@ -993,7 +993,7 @@ check_5_24() { done # We went through all the containers and found none with UTSMode as host if [ $fail -eq 0 ]; then - pass "$check_5_24" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -1007,10 +1007,10 @@ check_5_25() { if [ "$running_containers" -ne 1 ]; then return fi - id_5_25="5.25" - desc_5_25="Ensure that the container is restricted from acquiring additional privileges (Scored)" - check_5_25="$id_5_25 - $desc_5_25" - starttestjson "$id_5_25" "$desc_5_25" + local id="5.25" + local desc="Ensure that the container is restricted from acquiring additional privileges (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -1020,7 +1020,7 @@ check_5_25() { if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_25" + warn "$check" warn " * Privileges not restricted: $c" addprivs_containers="$addprivs_containers $c" fail=1 @@ -1032,7 +1032,7 @@ check_5_25() { done # We went through all the containers and found none with capability to acquire additional privileges if [ $fail -eq 0 ]; then - pass "$check_5_25" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -1047,30 +1047,30 @@ check_5_26() { return fi - id_5_26="5.26" - desc_5_26="Ensure that container health is checked at runtime (Scored)" - check_5_26="$id_5_26 - $desc_5_26" - starttestjson "$id_5_26" "$desc_5_26" + local id="5.26" + local desc="Ensure that container health is checked at runtime (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) fail=0 - nohealthcheck_containers="" + nohealthlocal check="" for c in $containers; do if ! docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then if [ $fail -eq 0 ]; then - warn "$check_5_26" + warn "$check" warn " * Health check not set: $c" - nohealthcheck_containers="$nohealthcheck_containers $c" + nohealthlocal check="$nohealthcheck_containers $c" fail=1 else warn " * Health check not set: $c" - nohealthcheck_containers="$nohealthcheck_containers $c" + nohealthlocal check="$nohealthcheck_containers $c" fi fi done if [ $fail -eq 0 ]; then - pass "$check_5_26" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -1085,13 +1085,13 @@ check_5_27() { return fi - id_5_27="5.27" - desc_5_27="Ensure that Docker commands always make use of the latest version of their image (Not Scored)" - check_5_27="$id_5_27 - $desc_5_27" - starttestjson "$id_5_27" "$desc_5_27" + local id="5.27" + local desc="Ensure that Docker commands always make use of the latest version of their image (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - info "$check_5_27" + info "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } @@ -1102,10 +1102,10 @@ check_5_28() { return fi - id_5_28="5.28" - desc_5_28="Ensure that the PIDs cgroup limit is used (Scored)" - check_5_28="$id_5_28 - $desc_5_28" - starttestjson "$id_5_28" "$desc_5_28" + local id="5.28" + local desc="Ensure that the PIDs cgroup limit is used (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -1117,7 +1117,7 @@ check_5_28() { if [ "$pidslimit" = "0" ] || [ "$pidslimit" = "" ] || [ "$pidslimit" = "-1" ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_28" + warn "$check" warn " * PIDs limit not set: $c" nopids_limit_containers="$nopids_limit_containers $c" fail=1 @@ -1129,7 +1129,7 @@ check_5_28() { done # We went through all the containers and found all with PIDs limit if [ $fail -eq 0 ]; then - pass "$check_5_28" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -1144,10 +1144,10 @@ check_5_29() { return fi - id_5_29="5.29" - desc_5_29="Ensure that Docker's default bridge "docker0" is not used (Not Scored)" - check_5_29="$id_5_29 - $desc_5_29" - starttestjson "$id_5_29" "$desc_5_29" + local id="5.29" + local desc="Ensure that Docker's default bridge "docker0" is not used (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -1161,7 +1161,7 @@ check_5_29() { if [ -n "$docker0Containers" ]; then if [ $fail -eq 0 ]; then - info "$check_5_29" + info "$check" fail=1 fi for c in $docker0Containers; do @@ -1182,7 +1182,7 @@ check_5_29() { done # We went through all the containers and found none in docker0 network if [ $fail -eq 0 ]; then - pass "$check_5_29" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -1197,10 +1197,10 @@ check_5_30() { return fi - id_5_30="5.30" - desc_5_30="Ensure that the host's user namespaces are not shared (Scored)" - check_5_30="$id_5_30 - $desc_5_30" - starttestjson "$id_5_30" "$desc_5_30" + local id="5.30" + local desc="Ensure that the host's user namespaces are not shared (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -1210,7 +1210,7 @@ check_5_30() { if docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_30" + warn "$check" warn " * Namespace shared: $c" hostns_shared_containers="$hostns_shared_containers $c" fail=1 @@ -1222,7 +1222,7 @@ check_5_30() { done # We went through all the containers and found none with host's user namespace shared if [ $fail -eq 0 ]; then - pass "$check_5_30" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -1237,10 +1237,10 @@ check_5_31() { return fi - id_5_31="5.31" - desc_5_31="Ensure that the Docker socket is not mounted inside any containers (Scored)" - check_5_31="$id_5_31 - $desc_5_31" - starttestjson "$id_5_31" "$desc_5_31" + local id="5.31" + local desc="Ensure that the Docker socket is not mounted inside any containers (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) @@ -1250,7 +1250,7 @@ check_5_31() { if docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_5_31" + warn "$check" warn " * Docker socket shared: $c" docker_sock_containers="$docker_sock_containers $c" fail=1 @@ -1262,7 +1262,7 @@ check_5_31() { done # We went through all the containers and found none with docker.sock shared if [ $fail -eq 0 ]; then - pass "$check_5_31" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index ce9b257..5dbfd20 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -2,19 +2,19 @@ check_6() { logit "\n" - id_6="6" - desc_6="Docker Security Operations" - check_6="$id_6 - $desc_6" - info "$check_6" - startsectionjson "$id_6" "$desc_6" + local id="6" + local desc="Docker Security Operations" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } # 6.1 check_6_1() { - id_6_1="6.1" - desc_6_1="Ensure that image sprawl is avoided (Not Scored)" - check_6_1="$id_6_1 - $desc_6_1" - starttestjson "$id_6_1" "$desc_6_1" + local id="6.1" + local desc="Ensure that image sprawl is avoided (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) images=$(docker images -q | sort -u | wc -l | awk '{print $1}') @@ -26,7 +26,7 @@ check_6_1() { fi done - info "$check_6_1" + info "$check" info " * There are currently: $images images" if [ "$active_images" -lt "$((images / 2))" ]; then @@ -38,21 +38,21 @@ check_6_1() { # 6.2 check_6_2() { - id_6_2="6.2" - desc_6_2="Ensure that container sprawl is avoided (Not Scored)" - check_6_2="$id_6_2 - $desc_6_2" - starttestjson "$id_6_2" "$desc_6_2" + local id="6.2" + local desc="Ensure that container sprawl is avoided (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') running_containers=$(docker ps -q | wc -l | awk '{print $1}') diff="$((total_containers - running_containers))" if [ "$diff" -gt 25 ]; then - info "$check_6_2" + info "$check" info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" resulttestjson "INFO" "$total_containers total/$running_containers running" else - info "$check_6_2" + info "$check" info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" resulttestjson "INFO" "$total_containers total/$running_containers running" fi diff --git a/tests/7_docker_swarm_configuration.sh b/tests/7_docker_swarm_configuration.sh index c3b9187..fcc987f 100644 --- a/tests/7_docker_swarm_configuration.sh +++ b/tests/7_docker_swarm_configuration.sh @@ -2,27 +2,27 @@ check_7() { logit "\n" - id_7="7" - desc_7="Docker Swarm Configuration" - check_7="$id_7 - $desc_7" - info "$check_7" - startsectionjson "$id_7" "$desc_7" + local id="7" + local desc="Docker Swarm Configuration" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } # 7.1 check_7_1() { - id_7_1="7.1" - desc_7_1="Ensure swarm mode is not Enabled, if not needed (Scored)" - check_7_1="$id_7_1 - $desc_7_1" - starttestjson "$id_7_1" "$desc_7_1" + local id="7.1" + local desc="Ensure swarm mode is not Enabled, if not needed (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then - pass "$check_7_1" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_7_1" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi @@ -30,25 +30,25 @@ check_7_1() { # 7.2 check_7_2() { - id_7_2="7.2" - desc_7_2="Ensure that the minimum number of manager nodes have been created in a swarm (Scored)" - check_7_2="$id_7_2 - $desc_7_2" - starttestjson "$id_7_2" "$desc_7_2" + local id="7.2" + local desc="Ensure that the minimum number of manager nodes have been created in a swarm (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then managernodes=$(docker node ls | grep -c "Leader") if [ "$managernodes" -eq 1 ]; then - pass "$check_7_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_7_2" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - pass "$check_7_2 (Swarm mode not enabled)" + pass "$check (Swarm mode not enabled)" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -56,25 +56,25 @@ check_7_2() { # 7.3 check_7_3() { - id_7_3="7.3" - desc_7_3="Ensure that swarm services are bound to a specific host interface (Scored)" - check_7_3="$id_7_3 - $desc_7_3" - starttestjson "$id_7_3" "$desc_7_3" + local id="7.3" + local desc="Ensure that swarm services are bound to a specific host interface (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then $netbin -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 if [ $? -eq 1 ]; then - pass "$check_7_3" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_7_3" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - pass "$check_7_3 (Swarm mode not enabled)" + pass "$check (Swarm mode not enabled)" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -82,10 +82,10 @@ check_7_3() { # 7.4 check_7_4() { - id_7_4="7.4" - desc_7_4="Ensure that all Docker swarm overlay networks are encrypted (Scored)" - check_7_4="$id_7_4 - $desc_7_4" - starttestjson "$id_7_4" "$desc_7_4" + local id="7.4" + local desc="Ensure that all Docker swarm overlay networks are encrypted (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) fail=0 @@ -95,7 +95,7 @@ check_7_4() { grep -v 'encrypted:' 2>/dev/null 1>&2; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then - warn "$check_7_4" + warn "$check" fail=1 fi warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" @@ -104,7 +104,7 @@ check_7_4() { done # We went through all the networks and found none that are unencrypted if [ $fail -eq 0 ]; then - pass "$check_7_4" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else @@ -115,24 +115,24 @@ check_7_4() { # 7.5 check_7_5() { - id_7_5="7.5" - desc_7_5="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Not Scored)" - check_7_5="$id_7_5 - $desc_7_5" - starttestjson "$id_7_5" "$desc_7_5" + local id="7.5" + local desc="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then - pass "$check_7_5" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - info "$check_7_5" + info "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) fi else - pass "$check_7_5 (Swarm mode not enabled)" + pass "$check (Swarm mode not enabled)" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -140,24 +140,24 @@ check_7_5() { # 7.6 check_7_6() { - id_7_6="7.6" - desc_7_6="Ensure that swarm manager is run in auto-lock mode (Scored)" - check_7_6="$id_7_6 - $desc_7_6" - starttestjson "$id_7_6" "$desc_7_6" + local id="7.6" + local desc="Ensure that swarm manager is run in auto-lock mode (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then - warn "$check_7_6" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) else - pass "$check_7_6" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi else - pass "$check_7_6 (Swarm mode not enabled)" + pass "$check (Swarm mode not enabled)" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -165,18 +165,18 @@ check_7_6() { # 7.7 check_7_7() { - id_7_7="7.7" - desc_7_7="Ensure that the swarm manager auto-lock key is rotated periodically (Not Scored)" - check_7_7="$id_7_7 - $desc_7_7" - starttestjson "$id_7_7" "$desc_7_7" + local id="7.7" + local desc="Ensure that the swarm manager auto-lock key is rotated periodically (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - note "$check_7_7" + note "$check" resulttestjson "NOTE" currentScore=$((currentScore + 0)) else - pass "$check_7_7 (Swarm mode not enabled)" + pass "$check (Swarm mode not enabled)" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -184,24 +184,24 @@ check_7_7() { # 7.8 check_7_8() { - id_7_8="7.8" - desc_7_8="Ensure that node certificates are rotated as appropriate (Not Scored)" - check_7_8="$id_7_8 - $desc_7_8" - starttestjson "$id_7_8" "$desc_7_8" + local id="7.8" + local desc="Ensure that node certificates are rotated as appropriate (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then - pass "$check_7_8" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - info "$check_7_8" + info "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) fi else - pass "$check_7_8 (Swarm mode not enabled)" + pass "$check (Swarm mode not enabled)" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -209,18 +209,18 @@ check_7_8() { # 7.9 check_7_9() { - id_7_9="7.9" - desc_7_9="Ensure that CA certificates are rotated as appropriate (Not Scored)" - check_7_9="$id_7_9 - $desc_7_9" - starttestjson "$id_7_9" "$desc_7_9" + local id="7.9" + local desc="Ensure that CA certificates are rotated as appropriate (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - info "$check_7_9" + info "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) else - pass "$check_7_9 (Swarm mode not enabled)" + pass "$check (Swarm mode not enabled)" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi @@ -228,18 +228,18 @@ check_7_9() { # 7.10 check_7_10() { - id_7_10="7.10" - desc_7_10="Ensure that management plane traffic is separated from data plane traffic (Not Scored)" - check_7_10="$id_7_10 - $desc_7_10" - starttestjson "$id_7_10" "$desc_7_10" + local id="7.10" + local desc="Ensure that management plane traffic is separated from data plane traffic (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - info "$check_7_10" + info "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) else - pass "$check_7_10 (Swarm mode not enabled)" + pass "$check (Swarm mode not enabled)" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi diff --git a/tests/8_docker_enterprise_configuration.sh b/tests/8_docker_enterprise_configuration.sh index 9fce978..bb95a7d 100644 --- a/tests/8_docker_enterprise_configuration.sh +++ b/tests/8_docker_enterprise_configuration.sh @@ -2,11 +2,11 @@ check_8() { logit "\n" - id_8="8" - desc_8="Docker Enterprise Configuration" - check_8="$id_8 - $desc_8" - info "$check_8" - startsectionjson "$id_8" "$desc_8" + local id="8" + local desc="Docker Enterprise Configuration" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } check_product_license() { @@ -23,10 +23,10 @@ check_8_1() { return fi - id_8_1="8.1" - desc_8_1="Universal Control Plane Configuration" - check_8_1="$id_8_1 - $desc_8_1" - info "$check_8_1" + local id="8.1" + local desc="Universal Control Plane Configuration" + local check="$id - $desc" + info "$check" } # 8.1.1 @@ -35,13 +35,13 @@ check_8_1_1() { return fi - id_8_1_1="8.1.1" - desc_8_1_1="Configure the LDAP authentication service (Scored)" - check_8_1_1="$id_8_1_1 - $desc_8_1_1" - starttestjson "$id_8_1_1" "$desc_8_1_1" + local id="8.1.1" + local desc="Configure the LDAP authentication service (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_8_1_1" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } @@ -52,13 +52,13 @@ check_8_1_2() { return fi - id_8_1_2="8.1.2" - desc_8_1_2="Use external certificates (Scored)" - check_8_1_2="$id_8_1_2 - $desc_8_1_2" - starttestjson "$id_8_1_2" "$desc_8_1_2" + local id="8.1.2" + local desc="Use external certificates (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_8_1_2" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } @@ -69,13 +69,13 @@ check_8_1_3() { return fi - id_8_1_3="8.1.3" - desc_8_1_3="Enforce the use of client certificate bundles for unprivileged users (Not Scored)" - check_8_1_3="$id_8_1_3 - $desc_8_1_3" - starttestjson "$id_8_1_3" "$desc_8_1_3" + local id="8.1.3" + local desc="Enforce the use of client certificate bundles for unprivileged users (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_8_1_3" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } @@ -86,13 +86,13 @@ check_8_1_4() { return fi - id_8_1_4="8.1.4" - desc_8_1_4="Configure applicable cluster role-based access control policies (Not Scored)" - check_8_1_4="$id_8_1_4 - $desc_8_1_4" - starttestjson "$id_8_1_4" "$desc_8_1_4" + local id="8.1.4" + local desc="Configure applicable cluster role-based access control policies (Not Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_8_1_4" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } @@ -103,13 +103,13 @@ check_8_1_5() { return fi - id_8_1_5="8.1.5" - desc_8_1_5="Enable signed image enforcement (Scored)" - check_8_1_5="$id_8_1_5 - $desc_8_1_5" - starttestjson "$id_8_1_5" "$desc_8_1_5" + local id="8.1.5" + local desc="Enable signed image enforcement (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_8_1_5" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } @@ -120,13 +120,13 @@ check_8_1_6() { return fi - id_8_1_6="8.1.6" - desc_8_1_6="Set the Per-User Session Limit to a value of '3' or lower (Scored)" - check_8_1_6="$id_8_1_6 - $desc_8_1_6" - starttestjson "$id_8_1_6" "$desc_8_1_6" + local id="8.1.6" + local desc="Set the Per-User Session Limit to a value of '3' or lower (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_8_1_6" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } @@ -137,13 +137,13 @@ check_8_1_7() { return fi - id_8_1_7="8.1.7" - desc_8_1_7="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Scored)" - check_8_1_7="$id_8_1_7 - $desc_8_1_7" - starttestjson "$id_8_1_7" "$desc_8_1_7" + local id="8.1.7" + local desc="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_8_1_7" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } @@ -154,10 +154,10 @@ check_8_2() { fi logit "\n" - id_8_2="8.2" - desc_8_2="Docker Trusted Registry Configuration" - check_8_2="$id_8_2 - $desc_8_2" - info "$check_8_2" + local id="8.2" + local desc="Docker Trusted Registry Configuration" + local check="$id - $desc" + info "$check" } check_8_2_1() { @@ -165,13 +165,13 @@ check_8_2_1() { return fi - id_8_2_1="8.2.1" - desc_8_2_1="Enable image vulnerability scanning (Scored)" - check_8_2_1="$id_8_2_1 - $desc_8_2_1" - starttestjson "$id_8_2_1" "$desc_8_2_1" + local id="8.2.1" + local desc="Enable image vulnerability scanning (Scored)" + local check="$id - $desc" + starttestjson "$id" "$desc" totalChecks=$((totalChecks + 1)) - note "$check_8_2_1" + note "$check" resulttestjson "INFO" currentScore=$((currentScore + 0)) } diff --git a/tests/99_community_checks.sh b/tests/99_community_checks.sh index 9ad1774..e0da5e0 100644 --- a/tests/99_community_checks.sh +++ b/tests/99_community_checks.sh @@ -1,22 +1,22 @@ #!/bin/sh check_c() { logit "\n" - id_99="99" - desc_99="Community contributed checks" - check_99="$id_99 - $desc_99" - info "$check_99" - startsectionjson "$id_99" "$desc_99" + local id="99" + local desc="Community contributed checks" + local check="$id - $desc" + info "$check" + startsectionjson "$id" "$desc" } # check_c_1 check_c_1() { - check_c_1="C.1 - This is a example check" + local check="C.1 - This is a example check" totalChecks=$((totalChecks + 1)) if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then - pass "$check_c_1" + pass "$check" resulttestjson "PASS" else - warn "$check_c_1" + warn "$check" resulttestjson "WARN" fi } @@ -27,29 +27,29 @@ check_c_2() { | awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4) totalChecks=$((totalChecks + 1)) - id_c_2="C.2" - desc_c_2="Ensure operations on legacy registry (v1) are Disabled" - check_c_2="$id_c_2 - $desc_c_2" - starttestjson "$id_c_2" "$desc_c_2" + local id="C.2" + local desc="Ensure operations on legacy registry (v1) are Disabled" + local check="$id - $desc" + starttestjson "$id" "$desc" if [ "$docker_version" -lt 1712 ]; then if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then - pass "$check_c_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then - pass "$check_c_2" + pass "$check" resulttestjson "PASS" currentScore=$((currentScore + 1)) else - warn "$check_c_2" + warn "$check" resulttestjson "WARN" currentScore=$((currentScore - 1)) fi else - desc_c_2="$desc_c_2 (Deprecated)" - check_c_2="$id_c_2 - $desc_c_2" - info "$check_c_2" + local desc="$desc (Deprecated)" + local check="$id - $desc" + info "$check" resulttestjson "INFO" fi }