GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Change global variable used only locally to local variable for simplification

Browse source
This commit is contained in:
Razvan Stoica 2021-03-09 12:42:48 +02:00
parent 4b4fdd9f77
commit 94900eedb9
10 changed files with 829 additions and 826 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
.gitignore vendored
View file

@ -1 +1,2 @@
*.log*
*.swp*

250
tests/1_host_configuration.sh
View file

@ -2,40 +2,40 @@
check_1() {
logit ""
id_1="1"
desc_1="Host Configuration"
check_1="$id_1 - $desc_1"
info "$check_1"
startsectionjson "$id_1" "$desc_1"
local id="1"
local desc="Host Configuration"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
check_1_1() {
logit ""
id_1_1="1.1"
desc_1_1="General Configuration"
check_1_1="$id_1_1 - $desc_1_1"
info "$check_1_1"
local id="1.1"
local desc="General Configuration"
local check="$id - $desc"
info "$check"
}
# 1.1.1
check_1_1_1() {
id_1_1_1="1.1.1"
desc_1_1_1="Ensure the container host has been Hardened (Not Scored)"
check_1_1_1="$id_1_1_1 - $desc_1_1_1"
starttestjson "$id_1_1_1" "$desc_1_1_1"
local id="1.1.1"
local desc="Ensure the container host has been Hardened (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_1_1_1"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
# 1.1.2
check_1_1_2() {
id_1_1_2="1.1.2"
desc_1_1_2="Ensure that the version of Docker is up to date (Not Scored)"
check_1_1_2="$id_1_1_2 - $desc_1_1_2"
starttestjson "$id_1_1_2" "$desc_1_1_2"
local id="1.1.2"
local desc="Ensure that the version of Docker is up to date (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
@ -43,13 +43,13 @@ check_1_1_2() {
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then
info "$check_1_1_2"
info "$check"
info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker"
resulttestjson "INFO" "Using $docker_version"
currentScore=$((currentScore + 0))
else
pass "$check_1_1_2"
pass "$check"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
resulttestjson "PASS" "Using $docker_version"
@ -59,18 +59,18 @@ check_1_1_2() {
check_1_2() {
logit ""
id_1_2="1.2"
desc_1_2="Linux Hosts Specific Configuration"
check_1_2="$id_1_2 - $desc_1_2"
info "$check_1_2"
local id="1.2"
local desc="Linux Hosts Specific Configuration"
local check="$id - $desc"
info "$check"
}
# 1.2.1
check_1_2_1() {
id_1_2_1="1.2.1"
desc_1_2_1="Ensure a separate partition for containers has been created (Scored)"
check_1_2_1="$id_1_2_1 - $desc_1_2_1"
starttestjson "$id_1_2_1" "$desc_1_2_1"
local id="1.2.1"
local desc="Ensure a separate partition for containers has been created (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
docker_root_dir=$(docker info -f '{{ .DockerRootDir }}')
@ -79,11 +79,11 @@ check_1_2_1() {
fi
if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then
pass "$check_1_2_1"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_1"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -91,10 +91,10 @@ check_1_2_1() {
# 1.2.2
check_1_2_2() {
id_1_2_2="1.2.2"
desc_1_2_2="Ensure only trusted users are allowed to control Docker daemon (Scored)"
check_1_2_2="$id_1_2_2 - $desc_1_2_2"
starttestjson "$id_1_2_2" "$desc_1_2_2"
local id="1.2.2"
local desc="Ensure only trusted users are allowed to control Docker daemon (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if command -v getent >/dev/null 2>&1; then
@ -102,7 +102,7 @@ check_1_2_2() {
else
docker_users=$(grep 'docker' /etc/group)
fi
info "$check_1_2_2"
info "$check"
for u in $docker_users; do
info " * $u"
done
@ -112,29 +112,31 @@ check_1_2_2() {
# 1.2.3
check_1_2_3() {
id_1_2_3="1.2.3"
desc_1_2_3="Ensure auditing is configured for the Docker daemon (Scored)"
check_1_2_3="$id_1_2_3 - $desc_1_2_3"
starttestjson "$id_1_2_3" "$desc_1_2_3"
local id="1.2.3"
local desc="Ensure auditing is configured for the Docker daemon (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/usr/bin/dockerd"
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_2_3"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_3"
warn "$check"
warn " * Install auditd"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_3"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_3"
warn "$check"
warn " * Install auditd"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -142,35 +144,35 @@ check_1_2_3() {
# 1.2.4
check_1_2_4() {
id_1_2_4="1.2.4"
desc_1_2_4="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)"
check_1_2_4="$id_1_2_4 - $desc_1_2_4"
starttestjson "$id_1_2_4" "$desc_1_2_4"
local id="1.2.4"
local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
directory="/var/lib/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_2_4"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_4"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_4"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_4"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_4"
info "$check"
info " * Directory not found"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
@ -179,35 +181,35 @@ check_1_2_4() {
# 1.2.5
check_1_2_5() {
id_1_2_5="1.2.5"
desc_1_2_5="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)"
check_1_2_5="$id_1_2_5 - $desc_1_2_5"
starttestjson "$id_1_2_5" "$desc_1_2_5"
local id="1.2.5"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_2_5"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_5"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_5"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_5"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_5"
info "$check"
info " * Directory not found"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
@ -216,35 +218,35 @@ fi
# 1.2.6
check_1_2_6() {
id_1_2_6="1.2.6"
desc_1_2_6="Ensure auditing is configured for Docker files and directories - docker.service (Scored)"
check_1_2_6="$id_1_2_6 - $desc_1_2_6"
starttestjson "$id_1_2_6" "$desc_1_2_6"
local id="1.2.6"
local desc="Ensure auditing is configured for Docker files and directories - docker.service (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_2_6"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_6"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_6"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_6"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_6"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -253,35 +255,35 @@ check_1_2_6() {
# 1.2.7
check_1_2_7() {
id_1_2_7="1.2.7"
desc_1_2_7="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)"
check_1_2_7="$id_1_2_7 - $desc_1_2_7"
starttestjson "$id_1_2_7" "$desc_1_2_7"
local id="1.2.7"
local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="$(get_service_file docker.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_2_7"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_7"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_7"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_7"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_7"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -290,35 +292,35 @@ check_1_2_7() {
# 1.2.8
check_1_2_8() {
id_1_2_8="1.2.8"
desc_1_2_8="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)"
check_1_2_8="$id_1_2_8 - $desc_1_2_8"
starttestjson "$id_1_2_8" "$desc_1_2_8"
local id="1.2.8"
local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_2_8"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_8"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_8"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_8"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_8"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -327,35 +329,35 @@ check_1_2_8() {
# 1.2.9
check_1_2_9() {
id_1_2_9="1.2.9"
desc_1_2_9="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)"
check_1_2_9="$id_1_2_9 - $desc_1_2_9"
starttestjson "$id_1_2_9" "$desc_1_2_9"
local id="1.2.9"
local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_2_9"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_9"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_9"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_9"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_9"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -364,35 +366,35 @@ check_1_2_9() {
# 1.2.10
check_1_2_10() {
id_1_2_10="1.2.10"
desc_1_2_10="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)"
check_1_2_10="$id_1_2_10 - $desc_1_2_10"
starttestjson "$id_1_2_10" "$desc_1_2_10"
local id="1.2.10"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_2_10"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_10"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_10"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_10"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_10"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -401,35 +403,35 @@ check_1_2_10() {
# 1.2.11
check_1_2_11() {
id_1_2_11="1.2.11"
desc_1_2_11="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)"
check_1_2_11="$id_1_2_11 - $desc_1_2_11"
starttestjson "$id_1_2_11" "$desc_1_2_11"
local id="1.2.11"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/usr/bin/containerd"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_2_11"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_11"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_11"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_11"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_11"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -438,35 +440,35 @@ check_1_2_11() {
# 1.2.12
check_1_2_12() {
id_1_2_12="1.2.12"
desc_1_2_12="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)"
check_1_2_12="$id_1_2_12 - $desc_1_2_12"
starttestjson "$id_1_2_12" "$desc_1_2_12"
local id="1.2.12"
local desc="Ensure auditing is configured for Docker files and directories - /usr/sbin/runc (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/usr/sbin/runc"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_2_12"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_12"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_2_12"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_2_12"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_2_12"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))

258
tests/2_docker_daemon_configuration.sh
View file

@ -2,31 +2,31 @@
check_2() {
logit "\n"
id_2="2"
desc_2="Docker daemon configuration"
check_2="$id_2 - $desc_2"
info "$check_2"
startsectionjson "$id_2" "$desc_2"
local id="2"
local desc="Docker daemon configuration"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
# 2.1
check_2_1() {
id_2_1="2.1"
desc_2_1="Ensure network traffic is restricted between containers on the default bridge (Scored)"
check_2_1="$id_2_1 - $desc_2_1"
starttestjson "$id_2_1" "$desc_2_1"
local id="2.1"
local desc="Ensure network traffic is restricted between containers on the default bridge (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass "$check_2_1"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass "$check_2_1"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_1"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -34,38 +34,38 @@ check_2_1() {
# 2.2
check_2_2() {
id_2_2="2.2"
desc_2_2="Ensure the logging level is set to 'info' (Scored)"
check_2_2="$id_2_2 - $desc_2_2"
starttestjson "$id_2_2" "$desc_2_2"
local id="2.2"
local desc="Ensure the logging level is set to 'info' (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass "$check_2_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass "$check_2_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_2"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass "$check_2_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_2"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_2_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -73,22 +73,22 @@ check_2_2() {
# 2.3
check_2_3() {
id_2_3="2.3"
desc_2_3="Ensure Docker is allowed to make changes to iptables (Scored)"
check_2_3="$id_2_3 - $desc_2_3"
starttestjson "$id_2_3" "$desc_2_3"
local id="2.3"
local desc="Ensure Docker is allowed to make changes to iptables (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_2_3"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -96,28 +96,28 @@ check_2_3() {
# 2.4
check_2_4() {
id_2_4="2.4"
desc_2_4="Ensure insecure registries are not used (Scored)"
check_2_4="$id_2_4 - $desc_2_4"
starttestjson "$id_2_4" "$desc_2_4"
local id="2.4"
local desc="Ensure insecure registries are not used (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn "$check_2_4"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass "$check_2_4"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_4"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_2_4"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -125,18 +125,18 @@ check_2_4() {
# 2.5
check_2_5() {
id_2_5="2.5"
desc_2_5="Ensure aufs storage driver is not used (Scored)"
check_2_5="$id_2_5 - $desc_2_5"
starttestjson "$id_2_5" "$desc_2_5"
local id="2.5"
local desc="Ensure aufs storage driver is not used (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn "$check_2_5"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_2_5"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -144,33 +144,33 @@ check_2_5() {
# 2.6
check_2_6() {
id_2_6="2.6"
desc_2_6="Ensure TLS authentication for Docker daemon is configured (Scored)"
check_2_6="$id_2_6 - $desc_2_6"
starttestjson "$id_2_6" "$desc_2_6"
local id="2.6"
local desc="Ensure TLS authentication for Docker daemon is configured (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ $(get_docker_configuration_file_args 'tcp://') ] || \
[ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') >/dev/null 2>&1 ]; then
if [ $(get_docker_configuration_file_args '"tlsverify":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
pass "$check_2_6"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
warn "$check_2_6"
warn "$check"
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
resulttestjson "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
currentScore=$((currentScore - 1))
else
warn "$check_2_6"
warn "$check"
warn " * Docker daemon currently listening on TCP without TLS"
resulttestjson "WARN" "Docker daemon currently listening on TCP without TLS"
currentScore=$((currentScore - 1))
fi
else
info "$check_2_6"
info "$check"
info " * Docker daemon not listening on TCP"
resulttestjson "INFO" "Docker daemon not listening on TCP"
currentScore=$((currentScore + 0))
@ -179,22 +179,22 @@ check_2_6() {
# 2.7
check_2_7() {
id_2_7="2.7"
desc_2_7="Ensure the default ulimit is configured appropriately (Not Scored)"
check_2_7="$id_2_7 - $desc_2_7"
starttestjson "$id_2_7" "$desc_2_7"
local id="2.7"
local desc="Ensure the default ulimit is configured appropriately (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass "$check_2_7"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass "$check_2_7"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
info "$check_2_7"
info "$check"
info " * Default ulimit doesn't appear to be set"
resulttestjson "INFO" "Default ulimit doesn't appear to be set"
currentScore=$((currentScore + 0))
@ -203,22 +203,22 @@ check_2_7() {
# 2.8
check_2_8() {
id_2_8="2.8"
desc_2_8="Enable user namespace support (Scored)"
check_2_8="$id_2_8 - $desc_2_8"
starttestjson "$id_2_8" "$desc_2_8"
local id="2.8"
local desc="Enable user namespace support (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass "$check_2_8"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass "$check_2_8"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_8"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -226,24 +226,24 @@ check_2_8() {
# 2.9
check_2_9() {
id_2_9="2.9"
desc_2_9="Ensure the default cgroup usage has been confirmed (Scored)"
check_2_9="$id_2_9 - $desc_2_9"
starttestjson "$id_2_9" "$desc_2_9"
local id="2.9"
local desc="Ensure the default cgroup usage has been confirmed (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'cgroup-parent' | grep -v ''; then
warn "$check_2_9"
warn "$check"
info " * Confirm cgroup usage"
resulttestjson "WARN" "Confirm cgroup usage"
currentScore=$((currentScore + 0))
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn "$check_2_9"
warn "$check"
info " * Confirm cgroup usage"
resulttestjson "WARN" "Confirm cgroup usage"
currentScore=$((currentScore + 0))
else
pass "$check_2_9"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -251,22 +251,22 @@ check_2_9() {
# 2.10
check_2_10() {
id_2_10="2.10"
desc_2_10="Ensure base device size is not changed until needed (Scored)"
check_2_10="$id_2_10 - $desc_2_10"
starttestjson "$id_2_10" "$desc_2_10"
local id="2.10"
local desc="Ensure base device size is not changed until needed (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_2_10"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -274,22 +274,22 @@ check_2_10() {
# 2.11
check_2_11() {
id_2_11="2.11"
desc_2_11="Ensure that authorization for Docker client commands is enabled (Scored)"
check_2_11="$id_2_11 - $desc_2_11"
starttestjson "$id_2_11" "$desc_2_11"
local id="2.11"
local desc="Ensure that authorization for Docker client commands is enabled (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass "$check_2_11"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass "$check_2_11"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_11"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -297,18 +297,18 @@ check_2_11() {
# 2.12
check_2_12() {
id_2_12="2.12"
desc_2_12="Ensure centralized and remote logging is configured (Scored)"
check_2_12="$id_2_12 - $desc_2_12"
starttestjson "$id_2_12" "$desc_2_12"
local id="2.12"
local desc="Ensure centralized and remote logging is configured (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn "$check_2_12"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_2_12"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -316,27 +316,27 @@ check_2_12() {
# 2.13
check_2_13() {
id_2_13="2.13"
desc_2_13="Ensure live restore is enabled (Scored)"
check_2_13="$id_2_13 - $desc_2_13"
starttestjson "$id_2_13" "$desc_2_13"
local id="2.13"
local desc="Ensure live restore is enabled (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass "$check_2_13"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass "$check_2_13 (Incompatible with swarm mode)"
pass "$check (Incompatible with swarm mode)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass "$check_2_13"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_13"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -345,22 +345,22 @@ check_2_13() {
# 2.14
check_2_14() {
id_2_14="2.14"
desc_2_14="Ensure Userland Proxy is Disabled (Scored)"
check_2_14="$id_2_14 - $desc_2_14"
starttestjson "$id_2_14" "$desc_2_14"
local id="2.14"
local desc="Ensure Userland Proxy is Disabled (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass "$check_2_14"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass "$check_2_14"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_14"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -368,18 +368,18 @@ check_2_14() {
# 2.15
check_2_15() {
id_2_15="2.15"
desc_2_15="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)"
check_2_15="$id_2_15 - $desc_2_15"
starttestjson "$id_2_15" "$desc_2_15"
local id="2.15"
local desc="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass "$check_2_15"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
info "$check_2_15"
info "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
fi
@ -390,48 +390,48 @@ check_2_16() {
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
id_2_16="2.16"
desc_2_16="Ensure that experimental features are not implemented in production (Scored)"
check_2_16="$id_2_16 - $desc_2_16"
starttestjson "$id_2_16" "$desc_2_16"
local id="2.16"
local desc="Ensure that experimental features are not implemented in production (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ "$docker_version" -le 1903 ]; then
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass "$check_2_16"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_16"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
desc_2_16="$desc_2_16 (Deprecated)"
check_2_16="$id_2_16 - $desc_2_16"
info "$desc_2_16"
local desc="$desc (Deprecated)"
local check="$id - $desc"
info "$desc"
resulttestjson "INFO"
fi
}
# 2.17
check_2_17() {
id_2_17="2.17"
desc_2_17="Ensure containers are restricted from acquiring new privileges (Scored)"
check_2_17="$id_2_17 - $desc_2_17"
starttestjson "$id_2_17" "$desc_2_17"
local id="2.17"
local desc="Ensure containers are restricted from acquiring new privileges (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass "$check_2_17"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass "$check_2_17"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_17"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi

318
tests/3_docker_daemon_configuration_files.sh
View file

@ -2,35 +2,35 @@
check_3() {
logit "\n"
id_3="3"
desc_3="Docker daemon configuration files"
check_3="$id_3 - $desc_3"
info "$check_3"
startsectionjson "$id_3" "$desc_3"
local id="3"
local desc="Docker daemon configuration files"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
# 3.1
check_3_1() {
id_3_1="3.1"
desc_3_1="Ensure that the docker.service file ownership is set to root:root (Scored)"
check_3_1="$id_3_1 - $desc_3_1"
starttestjson "$id_3_1" "$desc_3_1"
local id="3.1"
local desc="Ensure that the docker.service file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_1"
warn "$check"
warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_1"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -39,26 +39,26 @@ check_3_1() {
# 3.2
check_3_2() {
id_3_2="3.2"
desc_3_2="Ensure that docker.service file permissions are appropriately set (Scored)"
check_3_2="$id_3_2 - $desc_3_2"
starttestjson "$id_3_2" "$desc_3_2"
local id="3.2"
local desc="Ensure that docker.service file permissions are appropriately set (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass "$check_3_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_2"
warn "$check"
warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_2"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -67,26 +67,26 @@ check_3_2() {
# 3.3
check_3_3() {
id_3_3="3.3"
desc_3_3="Ensure that docker.socket file ownership is set to root:root (Scored)"
check_3_3="$id_3_3 - $desc_3_3"
starttestjson "$id_3_3" "$desc_3_3"
local id="3.3"
local desc="Ensure that docker.socket file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="$(get_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_3"
warn "$check"
warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_3"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -95,26 +95,26 @@ check_3_3() {
# 3.4
check_3_4() {
id_3_4="3.4"
desc_3_4="Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)"
check_3_4="$id_3_4 - $desc_3_4"
starttestjson "$id_3_4" "$desc_3_4"
local id="3.4"
local desc="Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="$(get_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass "$check_3_4"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_4"
warn "$check"
warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_4"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -123,26 +123,26 @@ check_3_4() {
# 3.5
check_3_5() {
id_3_5="3.5"
desc_3_5="Ensure that the /etc/docker directory ownership is set to root:root (Scored)"
check_3_5="$id_3_5 - $desc_3_5"
starttestjson "$id_3_5" "$desc_3_5"
local id="3.5"
local desc="Ensure that the /etc/docker directory ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_5"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_5"
warn "$check"
warn " * Wrong ownership for $directory"
resulttestjson "WARN" "Wrong ownership for $directory"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_5"
info "$check"
info " * Directory not found"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
@ -151,26 +151,26 @@ check_3_5() {
# 3.6
check_3_6() {
id_3_6="3.6"
desc_3_6="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)"
check_3_6="$id_3_6 - $desc_3_6"
starttestjson "$id_3_6" "$desc_3_6"
local id="3.6"
local desc="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -le 755 ]; then
pass "$check_3_6"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_6"
warn "$check"
warn " * Wrong permissions for $directory"
resulttestjson "WARN" "Wrong permissions for $directory"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_6"
info "$check"
info " * Directory not found"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
@ -179,10 +179,10 @@ check_3_6() {
# 3.7
check_3_7() {
id_3_7="3.7"
desc_3_7="Ensure that registry certificate file ownership is set to root:root (Scored)"
check_3_7="$id_3_7 - $desc_3_7"
starttestjson "$id_3_7" "$desc_3_7"
local id="3.7"
local desc="Ensure that registry certificate file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/"
@ -195,17 +195,17 @@ check_3_7() {
fi
done
if [ $fail -eq 1 ]; then
warn "$check_3_7"
warn "$check"
warn " * Wrong ownership for $directory"
resulttestjson "WARN" "Wrong ownership for $directory"
currentScore=$((currentScore - 1))
else
pass "$check_3_7"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
else
info "$check_3_7"
info "$check"
info " * Directory not found"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
@ -214,10 +214,10 @@ check_3_7() {
# 3.8
check_3_8() {
id_3_8="3.8"
desc_3_8="Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)"
check_3_8="$id_3_8 - $desc_3_8"
starttestjson "$id_3_8" "$desc_3_8"
local id="3.8"
local desc="Ensure that registry certificate file permissions are set to 444 or more restrictively (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/"
@ -230,17 +230,17 @@ check_3_8() {
fi
done
if [ $fail -eq 1 ]; then
warn "$check_3_8"
warn "$check"
warn " * Wrong permissions for $directory"
resulttestjson "WARN" "Wrong permissions for $directory"
currentScore=$((currentScore - 1))
else
pass "$check_3_8"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
else
info "$check_3_8"
info "$check"
info " * Directory not found"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
@ -249,10 +249,10 @@ check_3_8() {
# 3.9
check_3_9() {
id_3_9="3.9"
desc_3_9="Ensure that TLS CA certificate file ownership is set to root:root (Scored)"
check_3_9="$id_3_9 - $desc_3_9"
starttestjson "$id_3_9" "$desc_3_9"
local id="3.9"
local desc="Ensure that TLS CA certificate file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
@ -262,17 +262,17 @@ check_3_9() {
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_9"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_9"
warn "$check"
warn " * Wrong ownership for $tlscacert"
resulttestjson "WARN" "Wrong ownership for $tlscacert"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_9"
info "$check"
info " * No TLS CA certificate found"
resulttestjson "INFO" "No TLS CA certificate found"
currentScore=$((currentScore + 0))
@ -281,10 +281,10 @@ check_3_9() {
# 3.10
check_3_10() {
id_3_10="3.10"
desc_3_10="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)"
check_3_10="$id_3_10 - $desc_3_10"
starttestjson "$id_3_10" "$desc_3_10"
local id="3.10"
local desc="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
@ -294,17 +294,17 @@ check_3_10() {
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -le 444 ]; then
pass "$check_3_10"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_10"
warn "$check"
warn " * Wrong permissions for $tlscacert"
resulttestjson "WARN" "Wrong permissions for $tlscacert"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_10"
info "$check"
info " * No TLS CA certificate found"
resulttestjson "INFO" "No TLS CA certificate found"
currentScore=$((currentScore + 0))
@ -313,10 +313,10 @@ check_3_10() {
# 3.11
check_3_11() {
id_3_11="3.11"
desc_3_11="Ensure that Docker server certificate file ownership is set to root:root (Scored)"
check_3_11="$id_3_11 - $desc_3_11"
starttestjson "$id_3_11" "$desc_3_11"
local id="3.11"
local desc="Ensure that Docker server certificate file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
@ -326,17 +326,17 @@ check_3_11() {
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_11"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_11"
warn "$check"
warn " * Wrong ownership for $tlscert"
resulttestjson "WARN" "Wrong ownership for $tlscert"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_11"
info "$check"
info " * No TLS Server certificate found"
resulttestjson "INFO" "No TLS Server certificate found"
currentScore=$((currentScore + 0))
@ -345,10 +345,10 @@ check_3_11() {
# 3.12
check_3_12() {
id_3_12="3.12"
desc_3_12="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)"
check_3_12="$id_3_12 - $desc_3_12"
starttestjson "$id_3_12" "$desc_3_12"
local id="3.12"
local desc="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
@ -358,17 +358,17 @@ check_3_12() {
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -le 444 ]; then
pass "$check_3_12"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_12"
warn "$check"
warn " * Wrong permissions for $tlscert"
resulttestjson "WARN" "Wrong permissions for $tlscert"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_12"
info "$check"
info " * No TLS Server certificate found"
resulttestjson "INFO" "No TLS Server certificate found"
currentScore=$((currentScore + 0))
@ -377,10 +377,10 @@ check_3_12() {
# 3.13
check_3_13() {
id_3_13="3.13"
desc_3_13="Ensure that the Docker server certificate key file ownership is set to root:root (Scored)"
check_3_13="$id_3_13 - $desc_3_13"
starttestjson "$id_3_13" "$desc_3_13"
local id="3.13"
local desc="Ensure that the Docker server certificate key file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
@ -390,17 +390,17 @@ check_3_13() {
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_13"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_13"
warn "$check"
warn " * Wrong ownership for $tlskey"
resulttestjson "WARN" "Wrong ownership for $tlskey"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_13"
info "$check"
info " * No TLS Key found"
resulttestjson "INFO" "No TLS Key found"
currentScore=$((currentScore + 0))
@ -409,10 +409,10 @@ check_3_13() {
# 3.14
check_3_14() {
id_3_14="3.14"
desc_3_14="Ensure that the Docker server certificate key file permissions are set to 400 (Scored)"
check_3_14="$id_3_14 - $desc_3_14"
starttestjson "$id_3_14" "$desc_3_14"
local id="3.14"
local desc="Ensure that the Docker server certificate key file permissions are set to 400 (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
@ -422,17 +422,17 @@ check_3_14() {
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass "$check_3_14"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_14"
warn "$check"
warn " * Wrong permissions for $tlskey"
resulttestjson "WARN" "Wrong permissions for $tlskey"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_14"
info "$check"
info " * No TLS Key found"
resulttestjson "INFO" "No TLS Key found"
currentScore=$((currentScore + 0))
@ -441,26 +441,26 @@ check_3_14() {
# 3.15
check_3_15() {
id_3_15="3.15"
desc_3_15="Ensure that the Docker socket file ownership is set to root:docker (Scored)"
check_3_15="$id_3_15 - $desc_3_15"
starttestjson "$id_3_15" "$desc_3_15"
local id="3.15"
local desc="Ensure that the Docker socket file ownership is set to root:docker (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass "$check_3_15"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_15"
warn "$check"
warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_15"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -469,26 +469,26 @@ check_3_15() {
# 3.16
check_3_16() {
id_3_16="3.16"
desc_3_16="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)"
check_3_16="$id_3_16 - $desc_3_16"
starttestjson "$id_3_16" "$desc_3_16"
local id="3.16"
local desc="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -le 660 ]; then
pass "$check_3_16"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_16"
warn "$check"
warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_16"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -497,26 +497,26 @@ check_3_16() {
# 3.17
check_3_17() {
id_3_17="3.17"
desc_3_17="Ensure that the daemon.json file ownership is set to root:root (Scored)"
check_3_17="$id_3_17 - $desc_3_17"
starttestjson "$id_3_17" "$desc_3_17"
local id="3.17"
local desc="Ensure that the daemon.json file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_17"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_17"
warn "$check"
warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_17"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -525,26 +525,26 @@ check_3_17() {
# 3.18
check_3_18() {
id_3_18="3.18"
desc_3_18="Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)"
check_3_18="$id_3_18 - $desc_3_18"
starttestjson "$id_3_18" "$desc_3_18"
local id="3.18"
local desc="Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass "$check_3_18"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_18"
warn "$check"
warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_18"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -553,26 +553,26 @@ check_3_18() {
# 3.19
check_3_19() {
id_3_19="3.19"
desc_3_19="Ensure that the /etc/default/docker file ownership is set to root:root (Scored)"
check_3_19="$id_3_19 - $desc_3_19"
starttestjson "$id_3_19" "$desc_3_19"
local id="3.19"
local desc="Ensure that the /etc/default/docker file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_19"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_19"
warn "$check"
warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_19"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -581,26 +581,26 @@ check_3_19() {
# 3.20
check_3_20() {
id_3_20="3.20"
desc_3_20="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)"
check_3_20="$id_3_20 - $desc_3_20"
starttestjson "$id_3_20" "$desc_3_20"
local id="3.20"
local desc="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_20"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_20"
warn "$check"
warn " * Wrong ownership for $file"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_20"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -609,26 +609,26 @@ check_3_20() {
# 3.21
check_3_21() {
id_3_21="3.21"
desc_3_21="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)"
check_3_21="$id_3_21 - $desc_3_21"
starttestjson "$id_3_21" "$desc_3_21"
local id="3.21"
local desc="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass "$check_3_21"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_21"
warn "$check"
warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_21"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
@ -637,26 +637,26 @@ check_3_21() {
# 3.22
check_3_22() {
id_3_22="3.22"
desc_3_22="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)"
check_3_22="$id_3_22 - $desc_3_22"
starttestjson "$id_3_22" "$desc_3_22"
local id="3.22"
local desc="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass "$check_3_22"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_22"
warn "$check"
warn " * Wrong permissions for $file"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_22"
info "$check"
info " * File not found"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))

132
tests/4_container_images.sh
View file

@ -2,25 +2,25 @@
check_4() {
logit "\n"
id_4="4"
desc_4="Container Images and Build File"
check_4="$id_4 - $desc_4"
info "$check_4"
startsectionjson "$id_4" "$desc_4"
local id="4"
local desc="Container Images and Build File"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
# 4.1
check_4_1() {
id_4_1="4.1"
desc_4_1="Ensure that a user for the container has been created (Scored)"
check_4_1="$id_4_1 - $desc_4_1"
starttestjson "$id_4_1" "$desc_4_1"
local id="4.1"
local desc="Ensure that a user for the container has been created (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
# If container_users is empty, there are no running containers
if [ -z "$containers" ]; then
info "$check_4_1"
info "$check"
info " * No containers running"
resulttestjson "INFO" "No containers running"
currentScore=$((currentScore + 0))
@ -37,7 +37,7 @@ check_4_1() {
if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_4_1"
warn "$check"
warn " * Running as root: $c"
root_containers="$root_containers $c"
fail=1
@ -49,7 +49,7 @@ check_4_1() {
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass "$check_4_1"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -63,57 +63,57 @@ check_4_1() {
# 4.2
check_4_2() {
id_4_2="4.2"
desc_4_2="Ensure that containers use only trusted base images (Not Scored)"
check_4_2="$id_4_2 - $desc_4_2"
starttestjson "$id_4_2" "$desc_4_2"
local id="4.2"
local desc="Ensure that containers use only trusted base images (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_4_2"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.3
check_4_3() {
id_4_3="4.3"
desc_4_3="Ensure that unnecessary packages are not installed in the container (Not Scored)"
check_4_3="$id_4_3 - $desc_4_3"
starttestjson "$id_4_3" "$desc_4_3"
local id="4.3"
local desc="Ensure that unnecessary packages are not installed in the container (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_4_3"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.4
check_4_4() {
id_4_4="4.4"
desc_4_4="Ensure images are scanned and rebuilt to include security patches (Not Scored)"
check_4_4="$id_4_4 - $desc_4_4"
starttestjson "$id_4_4" "$desc_4_4"
local id="4.4"
local desc="Ensure images are scanned and rebuilt to include security patches (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_4_4"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.5
check_4_5() {
id_4_5="4.5"
desc_4_5="Ensure Content trust for Docker is Enabled (Scored)"
check_4_5="$id_4_5 - $desc_4_5"
starttestjson "$id_4_5" "$desc_4_5"
local id="4.5"
local desc="Ensure Content trust for Docker is Enabled (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass "$check_4_5"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_4_5"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -121,10 +121,10 @@ check_4_5() {
# 4.6
check_4_6() {
id_4_6="4.6"
desc_4_6="Ensure that HEALTHCHECK instructions have been added to container images (Scored)"
check_4_6="$id_4_6 - $desc_4_6"
starttestjson "$id_4_6" "$desc_4_6"
local id="4.6"
local desc="Ensure that HEALTHCHECK instructions have been added to container images (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
fail=0
@ -133,7 +133,7 @@ check_4_6() {
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then
fail=1
warn "$check_4_6"
warn "$check"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
@ -146,7 +146,7 @@ check_4_6() {
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_6"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -157,10 +157,10 @@ check_4_6() {
# 4.7
check_4_7() {
id_4_7="4.7"
desc_4_7="Ensure update instructions are not used alone in the Dockerfile (Not Scored)"
check_4_7="$id_4_7 - $desc_4_7"
starttestjson "$id_4_7" "$desc_4_7"
local id="4.7"
local desc="Ensure update instructions are not used alone in the Dockerfile (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
fail=0
@ -169,7 +169,7 @@ check_4_7() {
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_7"
info "$check"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
@ -179,7 +179,7 @@ check_4_7() {
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_7"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 0))
else
@ -190,23 +190,23 @@ check_4_7() {
# 4.8
check_4_8() {
id_4_8="4.8"
desc_4_8="Ensure setuid and setgid permissions are removed (Not Scored)"
check_4_8="$id_4_8 - $desc_4_8"
starttestjson "$id_4_8" "$desc_4_8"
local id="4.8"
local desc="Ensure setuid and setgid permissions are removed (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_4_8"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.9
check_4_9() {
id_4_9="4.9"
desc_4_9="Ensure that COPY is used instead of ADD in Dockerfiles (Not Scored)"
check_4_9="$id_4_9 - $desc_4_9"
starttestjson "$id_4_9" "$desc_4_9"
local id="4.9"
local desc="Ensure that COPY is used instead of ADD in Dockerfiles (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
fail=0
@ -216,7 +216,7 @@ check_4_9() {
sed '$d' | grep -q 'ADD'; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_9"
info "$check"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
@ -227,7 +227,7 @@ check_4_9() {
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_9"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 0))
else
@ -237,26 +237,26 @@ check_4_9() {
# 4.10
check_4_10() {
id_4_10="4.10"
desc_4_10="Ensure secrets are not stored in Dockerfiles (Not Scored)"
check_4_10="$id_4_10 - $desc_4_10"
starttestjson "$id_4_10" "$desc_4_10"
local id="4.10"
local desc="Ensure secrets are not stored in Dockerfiles (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_4_10"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.11
check_4_11() {
id_4_11="4.11"
desc_4_11="Ensure only verified packages are are installed (Not Scored)"
check_4_11="$id_4_11 - $desc_4_11"
starttestjson "$id_4_11" "$desc_4_11"
local id="4.11"
local desc="Ensure only verified packages are are installed (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_4_11"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}

382
tests/5_container_runtime.sh
View file

@ -2,11 +2,11 @@
check_5() {
logit "\n"
id_5="5"
desc_5="Container Runtime"
check_5="$id_5 - $desc_5"
info "$check_5"
startsectionjson "$id_5" "$desc_5"
local id="5"
local desc="Container Runtime"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
check_running_containers() {
@ -28,10 +28,10 @@ check_5_1() {
return
fi
id_5_1="5.1"
desc_5_1="Ensure that, if applicable, an AppArmor Profile is enabled (Scored)"
check_5_1="$id_5_1 - $desc_5_1"
starttestjson "$id_5_1" "$desc_5_1"
local id="5.1"
local desc="Ensure that, if applicable, an AppArmor Profile is enabled (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -43,7 +43,7 @@ check_5_1() {
if [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=[]" ] || [ "$policy" = "AppArmorProfile=<no value>" ] || [ "$policy" = "AppArmorProfile=unconfined" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_1"
warn "$check"
warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c"
fail=1
@ -55,7 +55,7 @@ check_5_1() {
done
# We went through all the containers and found none without AppArmor
if [ $fail -eq 0 ]; then
pass "$check_5_1"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -70,10 +70,10 @@ check_5_2() {
return
fi
id_5_2="5.2"
desc_5_2="Ensure that, if applicable, SELinux security options are set (Scored)"
check_5_2="$id_5_2 - $desc_5_2"
starttestjson "$id_5_2" "$desc_5_2"
local id="5.2"
local desc="Ensure that, if applicable, SELinux security options are set (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -85,7 +85,7 @@ check_5_2() {
if [ "$policy" = "SecurityOpt=" ] || [ "$policy" = "SecurityOpt=[]" ] || [ "$policy" = "SecurityOpt=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_2"
warn "$check"
warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
fail=1
@ -97,7 +97,7 @@ check_5_2() {
done
# We went through all the containers and found none without SELinux
if [ $fail -eq 0 ]; then
pass "$check_5_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -112,10 +112,10 @@ check_5_3() {
return
fi
id_5_3="5.3"
desc_5_3="Ensure that Linux kernel capabilities are restricted within containers (Scored)"
check_5_3="$id_5_3 - $desc_5_3"
starttestjson "$id_5_3" "$desc_5_3"
local id="5.3"
local desc="Ensure that Linux kernel capabilities are restricted within containers (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -130,7 +130,7 @@ check_5_3() {
if [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=[]' ] && [ "$caps" != 'CapAdd=<no value>' ] && [ "$caps" != 'CapAdd=<nil>' ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_3"
warn "$check"
warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c"
fail=1
@ -142,7 +142,7 @@ check_5_3() {
done
# We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then
pass "$check_5_3"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -157,10 +157,10 @@ check_5_4() {
return
fi
id_5_4="5.4"
desc_5_4="Ensure that privileged containers are not used (Scored)"
check_5_4="$id_5_4 - $desc_5_4"
starttestjson "$id_5_4" "$desc_5_4"
local id="5.4"
local desc="Ensure that privileged containers are not used (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -172,7 +172,7 @@ check_5_4() {
if [ "$privileged" = "true" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_4"
warn "$check"
warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c"
fail=1
@ -184,7 +184,7 @@ check_5_4() {
done
# We went through all the containers and found no privileged containers
if [ $fail -eq 0 ]; then
pass "$check_5_4"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -199,10 +199,10 @@ check_5_5() {
return
fi
id_5_5="5.5"
desc_5_5="Ensure sensitive host system directories are not mounted on containers (Scored)"
check_5_5="$id_5_5 - $desc_5_5"
starttestjson "$id_5_5" "$desc_5_5"
local id="5.5"
local desc="Ensure sensitive host system directories are not mounted on containers (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -233,7 +233,7 @@ check_5_5() {
if [ $sensitive -eq 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_5"
warn "$check"
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fail=1
@ -246,7 +246,7 @@ check_5_5() {
done
# We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then
pass "$check_5_5"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -261,10 +261,10 @@ check_5_6() {
return
fi
id_5_6="5.6"
desc_5_6="Ensure sshd is not run within containers (Scored)"
check_5_6="$id_5_6 - $desc_5_6"
starttestjson "$id_5_6" "$desc_5_6"
local id="5.6"
local desc="Ensure sshd is not run within containers (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -277,7 +277,7 @@ check_5_6() {
if [ "$processes" -ge 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_6"
warn "$check"
warn " * Container running sshd: $c"
ssh_exec_containers="$ssh_exec_containers $c"
fail=1
@ -291,7 +291,7 @@ check_5_6() {
exec_check=$(docker exec "$c" ps -el 2>/dev/null)
if [ $? -eq 255 ]; then
if [ $printcheck -eq 0 ]; then
warn "$check_5_6"
warn "$check"
printcheck=1
fi
warn " * Docker exec fails: $c"
@ -302,7 +302,7 @@ check_5_6() {
done
# We went through all the containers and found none with sshd
if [ $fail -eq 0 ]; then
pass "$check_5_6"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -317,10 +317,10 @@ check_5_7() {
return
fi
id_5_7="5.7"
desc_5_7="Ensure privileged ports are not mapped within containers (Scored)"
check_5_7="$id_5_7 - $desc_5_7"
starttestjson "$id_5_7" "$desc_5_7"
local id="5.7"
local desc="Ensure privileged ports are not mapped within containers (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -335,7 +335,7 @@ check_5_7() {
if [ -n "$port" ] && [ "$port" -lt 1024 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_7"
warn "$check"
warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port"
fail=1
@ -348,7 +348,7 @@ check_5_7() {
done
# We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then
pass "$check_5_7"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -363,13 +363,13 @@ check_5_8() {
return
fi
id_5_8="5.8"
desc_5_8="Ensure that only needed ports are open on the container (Not Scored)"
check_5_8="$id_5_8 - $desc_5_8"
starttestjson "$id_5_8" "$desc_5_8"
local id="5.8"
local desc="Ensure that only needed ports are open on the container (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_5_8"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
@ -380,10 +380,10 @@ check_5_9() {
return
fi
id_5_9="5.9"
desc_5_9="Ensure that the host's network namespace is not shared (Scored)"
check_5_9="$id_5_9 - $desc_5_9"
starttestjson "$id_5_9" "$desc_5_9"
local id="5.9"
local desc="Ensure that the host's network namespace is not shared (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -395,7 +395,7 @@ check_5_9() {
if [ "$mode" = "NetworkMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_9"
warn "$check"
warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c"
fail=1
@ -407,7 +407,7 @@ check_5_9() {
done
# We went through all the containers and found no Network Mode host
if [ $fail -eq 0 ]; then
pass "$check_5_9"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 0))
else
@ -422,10 +422,10 @@ check_5_10() {
return
fi
id_5_10="5.10"
desc_5_10="Ensure that the memory usage for containers is limited (Scored)"
check_5_10="$id_5_10 - $desc_5_10"
starttestjson "$id_5_10" "$desc_5_10"
local id="5.10"
local desc="Ensure that the memory usage for containers is limited (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -441,7 +441,7 @@ check_5_10() {
if [ "$memory" = "0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_10"
warn "$check"
warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
fail=1
@ -453,7 +453,7 @@ check_5_10() {
done
# We went through all the containers and found no lack of Memory restrictions
if [ $fail -eq 0 ]; then
pass "$check_5_10"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -468,10 +468,10 @@ check_5_11() {
return
fi
id_5_11="5.11"
desc_5_11="Ensure that CPU priority is set appropriately on containers (Scored)"
check_5_11="$id_5_11 - $desc_5_11"
starttestjson "$id_5_11" "$desc_5_11"
local id="5.11"
local desc="Ensure that CPU priority is set appropriately on containers (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -487,7 +487,7 @@ check_5_11() {
if [ "$shares" = "0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_11"
warn "$check"
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fail=1
@ -499,7 +499,7 @@ check_5_11() {
done
# We went through all the containers and found no lack of CPUShare restrictions
if [ $fail -eq 0 ]; then
pass "$check_5_11"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -514,10 +514,10 @@ check_5_12() {
return
fi
id_5_12="5.12"
desc_5_12="Ensure that the container's root filesystem is mounted as read only (Scored)"
check_5_12="$id_5_12 - $desc_5_12"
starttestjson "$id_5_12" "$desc_5_12"
local id="5.12"
local desc="Ensure that the container's root filesystem is mounted as read only (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -529,7 +529,7 @@ check_5_12() {
if [ "$read_status" = "false" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_12"
warn "$check"
warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
fail=1
@ -541,7 +541,7 @@ check_5_12() {
done
# We went through all the containers and found no R/W FS mounts
if [ $fail -eq 0 ]; then
pass "$check_5_12"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -556,10 +556,10 @@ check_5_13() {
return
fi
id_5_13="5.13"
desc_5_13="Ensure that incoming container traffic is bound to a specific host interface (Scored)"
check_5_13="$id_5_13 - $desc_5_13"
starttestjson "$id_5_13" "$desc_5_13"
local id="5.13"
local desc="Ensure that incoming container traffic is bound to a specific host interface (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -570,7 +570,7 @@ check_5_13() {
if [ "$ip" = "0.0.0.0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_13"
warn "$check"
warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fail=1
@ -583,7 +583,7 @@ check_5_13() {
done
# We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then
pass "$check_5_13"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -598,10 +598,10 @@ check_5_14() {
return
fi
id_5_14="5.14"
desc_5_14="Ensure that the 'on-failure' container restart policy is set to '5' (Scored)"
check_5_14="$id_5_14 - $desc_5_14"
starttestjson "$id_5_14" "$desc_5_14"
local id="5.14"
local desc="Ensure that the 'on-failure' container restart policy is set to '5' (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -613,7 +613,7 @@ check_5_14() {
if [ "$policy" != "MaximumRetryCount=5" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_14"
warn "$check"
warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1
@ -625,7 +625,7 @@ check_5_14() {
done
# We went through all the containers and they all had MaximumRetryCount=5
if [ $fail -eq 0 ]; then
pass "$check_5_14"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -640,10 +640,10 @@ check_5_15() {
return
fi
id_5_15="5.15"
desc_5_15="Ensure that the host's process namespace is not shared (Scored)"
check_5_15="$id_5_15 - $desc_5_15"
starttestjson "$id_5_15" "$desc_5_15"
local id="5.15"
local desc="Ensure that the host's process namespace is not shared (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -655,7 +655,7 @@ check_5_15() {
if [ "$mode" = "PidMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_15"
warn "$check"
warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c"
fail=1
@ -667,7 +667,7 @@ check_5_15() {
done
# We went through all the containers and found none with PidMode as host
if [ $fail -eq 0 ]; then
pass "$check_5_15"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -682,10 +682,10 @@ check_5_16() {
return
fi
id_5_16="5.16"
desc_5_16="Ensure that the host's IPC namespace is not shared (Scored)"
check_5_16="$id_5_16 - $desc_5_16"
starttestjson "$id_5_16" "$desc_5_16"
local id="5.16"
local desc="Ensure that the host's IPC namespace is not shared (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -697,7 +697,7 @@ check_5_16() {
if [ "$mode" = "IpcMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_16"
warn "$check"
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fail=1
@ -709,7 +709,7 @@ check_5_16() {
done
# We went through all the containers and found none with IPCMode as host
if [ $fail -eq 0 ]; then
pass "$check_5_16"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -724,10 +724,10 @@ check_5_17() {
return
fi
id_5_17="5.17"
desc_5_17="Ensure that host devices are not directly exposed to containers (Not Scored)"
check_5_17="$id_5_17 - $desc_5_17"
starttestjson "$id_5_17" "$desc_5_17"
local id="5.17"
local desc="Ensure that host devices are not directly exposed to containers (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -739,7 +739,7 @@ check_5_17() {
if [ "$devices" != "Devices=" ] && [ "$devices" != "Devices=[]" ] && [ "$devices" != "Devices=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
info "$check_5_17"
info "$check"
info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c"
fail=1
@ -751,7 +751,7 @@ check_5_17() {
done
# We went through all the containers and found none with devices
if [ $fail -eq 0 ]; then
pass "$check_5_17"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -766,10 +766,10 @@ check_5_18() {
return
fi
id_5_18="5.18"
desc_5_18="Ensure that the default ulimit is overwritten at runtime if needed (Not Scored)"
check_5_18="$id_5_18 - $desc_5_18"
starttestjson "$id_5_18" "$desc_5_18"
local id="5.18"
local desc="Ensure that the default ulimit is overwritten at runtime if needed (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -781,7 +781,7 @@ check_5_18() {
if [ "$ulimits" = "Ulimits=" ] || [ "$ulimits" = "Ulimits=[]" ] || [ "$ulimits" = "Ulimits=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
info "$check_5_18"
info "$check"
info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c"
fail=1
@ -793,7 +793,7 @@ check_5_18() {
done
# We went through all the containers and found none without Ulimits
if [ $fail -eq 0 ]; then
pass "$check_5_18"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -808,10 +808,10 @@ check_5_19() {
return
fi
id_5_19="5.19"
desc_5_19="Ensure mount propagation mode is not set to shared (Scored)"
check_5_19="$id_5_19 - $desc_5_19"
starttestjson "$id_5_19" "$desc_5_19"
local id="5.19"
local desc="Ensure mount propagation mode is not set to shared (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -822,7 +822,7 @@ check_5_19() {
grep shared 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_19"
warn "$check"
warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c"
fail=1
@ -834,7 +834,7 @@ check_5_19() {
done
# We went through all the containers and found none with shared propagation mode
if [ $fail -eq 0 ]; then
pass "$check_5_19"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -849,10 +849,10 @@ check_5_20() {
return
fi
id_5_20="5.20"
desc_5_20="Ensure that the host's UTS namespace is not shared (Scored)"
check_5_20="$id_5_20 - $desc_5_20"
starttestjson "$id_5_20" "$desc_5_20"
local id="5.20"
local desc="Ensure that the host's UTS namespace is not shared (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -864,7 +864,7 @@ check_5_20() {
if [ "$mode" = "UTSMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_20"
warn "$check"
warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c"
fail=1
@ -876,7 +876,7 @@ check_5_20() {
done
# We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then
pass "$check_5_20"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -891,10 +891,10 @@ check_5_21() {
return
fi
id_5_21="5.21"
desc_5_21="Ensurethe default seccomp profile is not Disabled (Scored)"
check_5_21="$id_5_21 - $desc_5_21"
starttestjson "$id_5_21" "$desc_5_21"
local id="5.21"
local desc="Ensurethe default seccomp profile is not Disabled (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -905,7 +905,7 @@ check_5_21() {
grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_21"
warn "$check"
warn " * Default seccomp profile disabled: $c"
seccomp_disabled_containers="$seccomp_disabled_containers $c"
fail=1
@ -917,7 +917,7 @@ check_5_21() {
done
# We went through all the containers and found none with default secomp profile disabled
if [ $fail -eq 0 ]; then
pass "$check_5_21"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -932,13 +932,13 @@ check_5_22() {
return
fi
id_5_22="5.22"
desc_5_22="Ensure that docker exec commands are not used with the privileged option (Scored)"
check_5_22="$id_5_22 - $desc_5_22"
starttestjson "$id_5_22" "$desc_5_22"
local id="5.22"
local desc="Ensure that docker exec commands are not used with the privileged option (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_5_22"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
@ -949,13 +949,13 @@ check_5_23() {
return
fi
id_5_23="5.23"
desc_5_23="Ensure that docker exec commands are not used with the user=root option (Not Scored)"
check_5_23="$id_5_23 - $desc_5_23"
starttestjson "$id_5_23" "$desc_5_23"
local id="5.23"
local desc="Ensure that docker exec commands are not used with the user=root option (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_5_23"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
@ -966,10 +966,10 @@ check_5_24() {
return
fi
id_5_24="5.24"
desc_5_24="Ensure that cgroup usage is confirmed (Scored)"
check_5_24="$id_5_24 - $desc_5_24"
starttestjson "$id_5_24" "$desc_5_24"
local id="5.24"
local desc="Ensure that cgroup usage is confirmed (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -981,7 +981,7 @@ check_5_24() {
if [ "$mode" != "CgroupParent=x" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_24"
warn "$check"
warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fail=1
@ -993,7 +993,7 @@ check_5_24() {
done
# We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then
pass "$check_5_24"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -1007,10 +1007,10 @@ check_5_25() {
if [ "$running_containers" -ne 1 ]; then
return
fi
id_5_25="5.25"
desc_5_25="Ensure that the container is restricted from acquiring additional privileges (Scored)"
check_5_25="$id_5_25 - $desc_5_25"
starttestjson "$id_5_25" "$desc_5_25"
local id="5.25"
local desc="Ensure that the container is restricted from acquiring additional privileges (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -1020,7 +1020,7 @@ check_5_25() {
if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_25"
warn "$check"
warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c"
fail=1
@ -1032,7 +1032,7 @@ check_5_25() {
done
# We went through all the containers and found none with capability to acquire additional privileges
if [ $fail -eq 0 ]; then
pass "$check_5_25"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -1047,30 +1047,30 @@ check_5_26() {
return
fi
id_5_26="5.26"
desc_5_26="Ensure that container health is checked at runtime (Scored)"
check_5_26="$id_5_26 - $desc_5_26"
starttestjson "$id_5_26" "$desc_5_26"
local id="5.26"
local desc="Ensure that container health is checked at runtime (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
fail=0
nohealthcheck_containers=""
nohealthlocal check=""
for c in $containers; do
if ! docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then
if [ $fail -eq 0 ]; then
warn "$check_5_26"
warn "$check"
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
nohealthlocal check="$nohealthcheck_containers $c"
fail=1
else
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
nohealthlocal check="$nohealthcheck_containers $c"
fi
fi
done
if [ $fail -eq 0 ]; then
pass "$check_5_26"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -1085,13 +1085,13 @@ check_5_27() {
return
fi
id_5_27="5.27"
desc_5_27="Ensure that Docker commands always make use of the latest version of their image (Not Scored)"
check_5_27="$id_5_27 - $desc_5_27"
starttestjson "$id_5_27" "$desc_5_27"
local id="5.27"
local desc="Ensure that Docker commands always make use of the latest version of their image (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
info "$check_5_27"
info "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
@ -1102,10 +1102,10 @@ check_5_28() {
return
fi
id_5_28="5.28"
desc_5_28="Ensure that the PIDs cgroup limit is used (Scored)"
check_5_28="$id_5_28 - $desc_5_28"
starttestjson "$id_5_28" "$desc_5_28"
local id="5.28"
local desc="Ensure that the PIDs cgroup limit is used (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -1117,7 +1117,7 @@ check_5_28() {
if [ "$pidslimit" = "0" ] || [ "$pidslimit" = "<nil>" ] || [ "$pidslimit" = "-1" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_28"
warn "$check"
warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c"
fail=1
@ -1129,7 +1129,7 @@ check_5_28() {
done
# We went through all the containers and found all with PIDs limit
if [ $fail -eq 0 ]; then
pass "$check_5_28"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -1144,10 +1144,10 @@ check_5_29() {
return
fi
id_5_29="5.29"
desc_5_29="Ensure that Docker's default bridge "docker0" is not used (Not Scored)"
check_5_29="$id_5_29 - $desc_5_29"
starttestjson "$id_5_29" "$desc_5_29"
local id="5.29"
local desc="Ensure that Docker's default bridge "docker0" is not used (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -1161,7 +1161,7 @@ check_5_29() {
if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then
info "$check_5_29"
info "$check"
fail=1
fi
for c in $docker0Containers; do
@ -1182,7 +1182,7 @@ check_5_29() {
done
# We went through all the containers and found none in docker0 network
if [ $fail -eq 0 ]; then
pass "$check_5_29"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -1197,10 +1197,10 @@ check_5_30() {
return
fi
id_5_30="5.30"
desc_5_30="Ensure that the host's user namespaces are not shared (Scored)"
check_5_30="$id_5_30 - $desc_5_30"
starttestjson "$id_5_30" "$desc_5_30"
local id="5.30"
local desc="Ensure that the host's user namespaces are not shared (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -1210,7 +1210,7 @@ check_5_30() {
if docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_30"
warn "$check"
warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c"
fail=1
@ -1222,7 +1222,7 @@ check_5_30() {
done
# We went through all the containers and found none with host's user namespace shared
if [ $fail -eq 0 ]; then
pass "$check_5_30"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -1237,10 +1237,10 @@ check_5_31() {
return
fi
id_5_31="5.31"
desc_5_31="Ensure that the Docker socket is not mounted inside any containers (Scored)"
check_5_31="$id_5_31 - $desc_5_31"
starttestjson "$id_5_31" "$desc_5_31"
local id="5.31"
local desc="Ensure that the Docker socket is not mounted inside any containers (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
@ -1250,7 +1250,7 @@ check_5_31() {
if docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_31"
warn "$check"
warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c"
fail=1
@ -1262,7 +1262,7 @@ check_5_31() {
done
# We went through all the containers and found none with docker.sock shared
if [ $fail -eq 0 ]; then
pass "$check_5_31"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else

32
tests/6_docker_security_operations.sh
View file

@ -2,19 +2,19 @@
check_6() {
logit "\n"
id_6="6"
desc_6="Docker Security Operations"
check_6="$id_6 - $desc_6"
info "$check_6"
startsectionjson "$id_6" "$desc_6"
local id="6"
local desc="Docker Security Operations"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
# 6.1
check_6_1() {
id_6_1="6.1"
desc_6_1="Ensure that image sprawl is avoided (Not Scored)"
check_6_1="$id_6_1 - $desc_6_1"
starttestjson "$id_6_1" "$desc_6_1"
local id="6.1"
local desc="Ensure that image sprawl is avoided (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
@ -26,7 +26,7 @@ check_6_1() {
fi
done
info "$check_6_1"
info "$check"
info " * There are currently: $images images"
if [ "$active_images" -lt "$((images / 2))" ]; then
@ -38,21 +38,21 @@ check_6_1() {
# 6.2
check_6_2() {
id_6_2="6.2"
desc_6_2="Ensure that container sprawl is avoided (Not Scored)"
check_6_2="$id_6_2 - $desc_6_2"
starttestjson "$id_6_2" "$desc_6_2"
local id="6.2"
local desc="Ensure that container sprawl is avoided (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
running_containers=$(docker ps -q | wc -l | awk '{print $1}')
diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then
info "$check_6_2"
info "$check"
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
resulttestjson "INFO" "$total_containers total/$running_containers running"
else
info "$check_6_2"
info "$check"
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
resulttestjson "INFO" "$total_containers total/$running_containers running"
fi

140
tests/7_docker_swarm_configuration.sh
View file

@ -2,27 +2,27 @@
check_7() {
logit "\n"
id_7="7"
desc_7="Docker Swarm Configuration"
check_7="$id_7 - $desc_7"
info "$check_7"
startsectionjson "$id_7" "$desc_7"
local id="7"
local desc="Docker Swarm Configuration"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
# 7.1
check_7_1() {
id_7_1="7.1"
desc_7_1="Ensure swarm mode is not Enabled, if not needed (Scored)"
check_7_1="$id_7_1 - $desc_7_1"
starttestjson "$id_7_1" "$desc_7_1"
local id="7.1"
local desc="Ensure swarm mode is not Enabled, if not needed (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass "$check_7_1"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_7_1"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
@ -30,25 +30,25 @@ check_7_1() {
# 7.2
check_7_2() {
id_7_2="7.2"
desc_7_2="Ensure that the minimum number of manager nodes have been created in a swarm (Scored)"
check_7_2="$id_7_2 - $desc_7_2"
starttestjson "$id_7_2" "$desc_7_2"
local id="7.2"
local desc="Ensure that the minimum number of manager nodes have been created in a swarm (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -eq 1 ]; then
pass "$check_7_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_7_2"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_7_2 (Swarm mode not enabled)"
pass "$check (Swarm mode not enabled)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -56,25 +56,25 @@ check_7_2() {
# 7.3
check_7_3() {
id_7_3="7.3"
desc_7_3="Ensure that swarm services are bound to a specific host interface (Scored)"
check_7_3="$id_7_3 - $desc_7_3"
starttestjson "$id_7_3" "$desc_7_3"
local id="7.3"
local desc="Ensure that swarm services are bound to a specific host interface (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
$netbin -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
if [ $? -eq 1 ]; then
pass "$check_7_3"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_7_3"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_7_3 (Swarm mode not enabled)"
pass "$check (Swarm mode not enabled)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -82,10 +82,10 @@ check_7_3() {
# 7.4
check_7_4() {
id_7_4="7.4"
desc_7_4="Ensure that all Docker swarm overlay networks are encrypted (Scored)"
check_7_4="$id_7_4 - $desc_7_4"
starttestjson "$id_7_4" "$desc_7_4"
local id="7.4"
local desc="Ensure that all Docker swarm overlay networks are encrypted (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
fail=0
@ -95,7 +95,7 @@ check_7_4() {
grep -v 'encrypted:' 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_7_4"
warn "$check"
fail=1
fi
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
@ -104,7 +104,7 @@ check_7_4() {
done
# We went through all the networks and found none that are unencrypted
if [ $fail -eq 0 ]; then
pass "$check_7_4"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
@ -115,24 +115,24 @@ check_7_4() {
# 7.5
check_7_5() {
id_7_5="7.5"
desc_7_5="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Not Scored)"
check_7_5="$id_7_5 - $desc_7_5"
starttestjson "$id_7_5" "$desc_7_5"
local id="7.5"
local desc="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass "$check_7_5"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
info "$check_7_5"
info "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
fi
else
pass "$check_7_5 (Swarm mode not enabled)"
pass "$check (Swarm mode not enabled)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -140,24 +140,24 @@ check_7_5() {
# 7.6
check_7_6() {
id_7_6="7.6"
desc_7_6="Ensure that swarm manager is run in auto-lock mode (Scored)"
check_7_6="$id_7_6 - $desc_7_6"
starttestjson "$id_7_6" "$desc_7_6"
local id="7.6"
local desc="Ensure that swarm manager is run in auto-lock mode (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn "$check_7_6"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_7_6"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
else
pass "$check_7_6 (Swarm mode not enabled)"
pass "$check (Swarm mode not enabled)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -165,18 +165,18 @@ check_7_6() {
# 7.7
check_7_7() {
id_7_7="7.7"
desc_7_7="Ensure that the swarm manager auto-lock key is rotated periodically (Not Scored)"
check_7_7="$id_7_7 - $desc_7_7"
starttestjson "$id_7_7" "$desc_7_7"
local id="7.7"
local desc="Ensure that the swarm manager auto-lock key is rotated periodically (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note "$check_7_7"
note "$check"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
else
pass "$check_7_7 (Swarm mode not enabled)"
pass "$check (Swarm mode not enabled)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -184,24 +184,24 @@ check_7_7() {
# 7.8
check_7_8() {
id_7_8="7.8"
desc_7_8="Ensure that node certificates are rotated as appropriate (Not Scored)"
check_7_8="$id_7_8 - $desc_7_8"
starttestjson "$id_7_8" "$desc_7_8"
local id="7.8"
local desc="Ensure that node certificates are rotated as appropriate (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass "$check_7_8"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
info "$check_7_8"
info "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
fi
else
pass "$check_7_8 (Swarm mode not enabled)"
pass "$check (Swarm mode not enabled)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -209,18 +209,18 @@ check_7_8() {
# 7.9
check_7_9() {
id_7_9="7.9"
desc_7_9="Ensure that CA certificates are rotated as appropriate (Not Scored)"
check_7_9="$id_7_9 - $desc_7_9"
starttestjson "$id_7_9" "$desc_7_9"
local id="7.9"
local desc="Ensure that CA certificates are rotated as appropriate (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_9"
info "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
else
pass "$check_7_9 (Swarm mode not enabled)"
pass "$check (Swarm mode not enabled)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
@ -228,18 +228,18 @@ check_7_9() {
# 7.10
check_7_10() {
id_7_10="7.10"
desc_7_10="Ensure that management plane traffic is separated from data plane traffic (Not Scored)"
check_7_10="$id_7_10 - $desc_7_10"
starttestjson "$id_7_10" "$desc_7_10"
local id="7.10"
local desc="Ensure that management plane traffic is separated from data plane traffic (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_10"
info "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
else
pass "$check_7_10 (Swarm mode not enabled)"
pass "$check (Swarm mode not enabled)"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi

106
tests/8_docker_enterprise_configuration.sh
View file

@ -2,11 +2,11 @@
check_8() {
logit "\n"
id_8="8"
desc_8="Docker Enterprise Configuration"
check_8="$id_8 - $desc_8"
info "$check_8"
startsectionjson "$id_8" "$desc_8"
local id="8"
local desc="Docker Enterprise Configuration"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
check_product_license() {
@ -23,10 +23,10 @@ check_8_1() {
return
fi
id_8_1="8.1"
desc_8_1="Universal Control Plane Configuration"
check_8_1="$id_8_1 - $desc_8_1"
info "$check_8_1"
local id="8.1"
local desc="Universal Control Plane Configuration"
local check="$id - $desc"
info "$check"
}
# 8.1.1
@ -35,13 +35,13 @@ check_8_1_1() {
return
fi
id_8_1_1="8.1.1"
desc_8_1_1="Configure the LDAP authentication service (Scored)"
check_8_1_1="$id_8_1_1 - $desc_8_1_1"
starttestjson "$id_8_1_1" "$desc_8_1_1"
local id="8.1.1"
local desc="Configure the LDAP authentication service (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_8_1_1"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
@ -52,13 +52,13 @@ check_8_1_2() {
return
fi
id_8_1_2="8.1.2"
desc_8_1_2="Use external certificates (Scored)"
check_8_1_2="$id_8_1_2 - $desc_8_1_2"
starttestjson "$id_8_1_2" "$desc_8_1_2"
local id="8.1.2"
local desc="Use external certificates (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_8_1_2"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
@ -69,13 +69,13 @@ check_8_1_3() {
return
fi
id_8_1_3="8.1.3"
desc_8_1_3="Enforce the use of client certificate bundles for unprivileged users (Not Scored)"
check_8_1_3="$id_8_1_3 - $desc_8_1_3"
starttestjson "$id_8_1_3" "$desc_8_1_3"
local id="8.1.3"
local desc="Enforce the use of client certificate bundles for unprivileged users (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_8_1_3"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
@ -86,13 +86,13 @@ check_8_1_4() {
return
fi
id_8_1_4="8.1.4"
desc_8_1_4="Configure applicable cluster role-based access control policies (Not Scored)"
check_8_1_4="$id_8_1_4 - $desc_8_1_4"
starttestjson "$id_8_1_4" "$desc_8_1_4"
local id="8.1.4"
local desc="Configure applicable cluster role-based access control policies (Not Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_8_1_4"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
@ -103,13 +103,13 @@ check_8_1_5() {
return
fi
id_8_1_5="8.1.5"
desc_8_1_5="Enable signed image enforcement (Scored)"
check_8_1_5="$id_8_1_5 - $desc_8_1_5"
starttestjson "$id_8_1_5" "$desc_8_1_5"
local id="8.1.5"
local desc="Enable signed image enforcement (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_8_1_5"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
@ -120,13 +120,13 @@ check_8_1_6() {
return
fi
id_8_1_6="8.1.6"
desc_8_1_6="Set the Per-User Session Limit to a value of '3' or lower (Scored)"
check_8_1_6="$id_8_1_6 - $desc_8_1_6"
starttestjson "$id_8_1_6" "$desc_8_1_6"
local id="8.1.6"
local desc="Set the Per-User Session Limit to a value of '3' or lower (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_8_1_6"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
@ -137,13 +137,13 @@ check_8_1_7() {
return
fi
id_8_1_7="8.1.7"
desc_8_1_7="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Scored)"
check_8_1_7="$id_8_1_7 - $desc_8_1_7"
starttestjson "$id_8_1_7" "$desc_8_1_7"
local id="8.1.7"
local desc="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_8_1_7"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
@ -154,10 +154,10 @@ check_8_2() {
fi
logit "\n"
id_8_2="8.2"
desc_8_2="Docker Trusted Registry Configuration"
check_8_2="$id_8_2 - $desc_8_2"
info "$check_8_2"
local id="8.2"
local desc="Docker Trusted Registry Configuration"
local check="$id - $desc"
info "$check"
}
check_8_2_1() {
@ -165,13 +165,13 @@ check_8_2_1() {
return
fi
id_8_2_1="8.2.1"
desc_8_2_1="Enable image vulnerability scanning (Scored)"
check_8_2_1="$id_8_2_1 - $desc_8_2_1"
starttestjson "$id_8_2_1" "$desc_8_2_1"
local id="8.2.1"
local desc="Enable image vulnerability scanning (Scored)"
local check="$id - $desc"
starttestjson "$id" "$desc"
totalChecks=$((totalChecks + 1))
note "$check_8_2_1"
note "$check"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}

36
tests/99_community_checks.sh
View file

@ -1,22 +1,22 @@
#!/bin/sh
check_c() {
logit "\n"
id_99="99"
desc_99="Community contributed checks"
check_99="$id_99 - $desc_99"
info "$check_99"
startsectionjson "$id_99" "$desc_99"
local id="99"
local desc="Community contributed checks"
local check="$id - $desc"
info "$check"
startsectionjson "$id" "$desc"
}
# check_c_1
check_c_1() {
check_c_1="C.1 - This is a example check"
local check="C.1 - This is a example check"
totalChecks=$((totalChecks + 1))
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass "$check_c_1"
pass "$check"
resulttestjson "PASS"
else
warn "$check_c_1"
warn "$check"
resulttestjson "WARN"
fi
}
@ -27,29 +27,29 @@ check_c_2() {
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
totalChecks=$((totalChecks + 1))
id_c_2="C.2"
desc_c_2="Ensure operations on legacy registry (v1) are Disabled"
check_c_2="$id_c_2 - $desc_c_2"
starttestjson "$id_c_2" "$desc_c_2"
local id="C.2"
local desc="Ensure operations on legacy registry (v1) are Disabled"
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ "$docker_version" -lt 1712 ]; then
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass "$check_c_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass "$check_c_2"
pass "$check"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_c_2"
warn "$check"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
desc_c_2="$desc_c_2 (Deprecated)"
check_c_2="$id_c_2 - $desc_c_2"
info "$check_c_2"
local desc="$desc (Deprecated)"
local check="$id - $desc"
info "$check"
resulttestjson "INFO"
fi
}