diff --git a/functions_lib.sh b/functions_lib.sh deleted file mode 100644 index cb44bbe..0000000 --- a/functions_lib.sh +++ /dev/null @@ -1,391 +0,0 @@ -#!/bin/sh - -host_configuration() { - check_1 - check_1_1 - check_1_1_1 - check_1_1_2 - check_1_2 - check_1_2_1 - check_1_2_2 - check_1_2_3 - check_1_2_4 - check_1_2_5 - check_1_2_6 - check_1_2_7 - check_1_2_8 - check_1_2_9 - check_1_2_10 - check_1_2_11 - check_1_2_12 - check_1_end -} - -host_configuration_level1() { - check_1 - check_1_1 - check_1_1_1 - check_1_1_2 - check_1_2 - check_1_2_1 - check_1_2_2 - check_1_2_3 - check_1_2_5 - check_1_2_6 - check_1_2_7 - check_1_2_8 - check_1_2_9 - check_1_2_10 - check_1_2_11 - check_1_2_12 - check_1_end -} - -host_general_configuration() { - check_1 - check_1_1 - check_1_1_1 - check_1_1_2 - check_1_end -} - -linux_hosts_specific_configuration() { - check_1 - check_1_2 - check_1_2_1 - check_1_2_2 - check_1_2_3 - check_1_2_4 - check_1_2_5 - check_1_2_6 - check_1_2_7 - check_1_2_8 - check_1_2_9 - check_1_2_10 - check_1_2_11 - check_1_2_12 - check_1_end -} - -docker_daemon_configuration() { - check_2 - check_2_1 - check_2_2 - check_2_3 - check_2_4 - check_2_5 - check_2_6 - check_2_7 - check_2_8 - check_2_9 - check_2_10 - check_2_11 - check_2_12 - check_2_13 - check_2_14 - check_2_15 - check_2_16 - check_2_17 - check_2_end -} - -docker_daemon_configuration_level1() { - check_2 - check_2_1 - check_2_2 - check_2_3 - check_2_4 - check_2_5 - check_2_6 - check_2_7 - check_2_13 - check_2_14 - check_2_16 - check_2_17 - check_2_end -} - -docker_daemon_files() { - check_3 - check_3_1 - check_3_2 - check_3_3 - check_3_4 - check_3_5 - check_3_6 - check_3_7 - check_3_8 - check_3_9 - check_3_10 - check_3_11 - check_3_12 - check_3_13 - check_3_14 - check_3_15 - check_3_16 - check_3_17 - check_3_18 - check_3_19 - check_3_20 - check_3_21 - check_3_22 - check_3_end -} - -docker_daemon_files_level1() { - check_3 - check_3_1 - check_3_2 - check_3_3 - check_3_4 - check_3_5 - check_3_6 - check_3_7 - check_3_8 - check_3_9 - check_3_10 - check_3_11 - check_3_12 - check_3_13 - check_3_14 - check_3_15 - check_3_16 - check_3_17 - check_3_18 - check_3_19 - check_3_20 - check_3_21 - check_3_22 - check_3_end -} - -container_images() { - check_4 - check_4_1 - check_4_2 - check_4_3 - check_4_4 - check_4_5 - check_4_6 - check_4_7 - check_4_8 - check_4_9 - check_4_10 - check_4_11 - check_4_end -} - -container_images_level1() { - check_4 - check_4_1 - check_4_2 - check_4_3 - check_4_4 - check_4_6 - check_4_7 - check_4_9 - check_4_10 - check_4_end -} - -container_runtime() { - check_5 - check_running_containers - check_5_1 - check_5_2 - check_5_3 - check_5_4 - check_5_5 - check_5_6 - check_5_7 - check_5_8 - check_5_9 - check_5_10 - check_5_11 - check_5_12 - check_5_13 - check_5_14 - check_5_15 - check_5_16 - check_5_17 - check_5_18 - check_5_19 - check_5_20 - check_5_21 - check_5_22 - check_5_23 - check_5_24 - check_5_25 - check_5_26 - check_5_27 - check_5_28 - check_5_29 - check_5_30 - check_5_31 - check_5_end -} - -container_runtime_level1() { - check_5 - check_running_containers - check_5_1 - check_5_3 - check_5_4 - check_5_5 - check_5_6 - check_5_7 - check_5_8 - check_5_9 - check_5_10 - check_5_11 - check_5_12 - check_5_13 - check_5_14 - check_5_15 - check_5_16 - check_5_17 - check_5_18 - check_5_19 - check_5_20 - check_5_21 - check_5_24 - check_5_25 - check_5_26 - check_5_27 - check_5_28 - check_5_30 - check_5_31 - check_5_end -} - -docker_security_operations() { - check_6 - check_6_1 - check_6_2 - check_6_end -} - -docker_security_operations_level1() { - check_6 - check_6_1 - check_6_2 - check_6_end -} - -docker_swarm_configuration() { - check_7 - check_7_1 - check_7_2 - check_7_3 - check_7_4 - check_7_5 - check_7_6 - check_7_7 - check_7_8 - check_7_9 - check_7_10 - check_7_end -} - -docker_swarm_configuration_level1() { - check_7 - check_7_1 - check_7_2 - check_7_3 - check_7_4 - check_7_7 - check_7_end -} - -docker_enterprise_configuration() { - check_8 - check_product_license - check_8_1 - check_8_1_1 - check_8_1_2 - check_8_1_3 - check_8_1_4 - check_8_1_5 - check_8_1_6 - check_8_1_7 - check_8_2 - check_8_2_1 - check_8_end -} - -docker_enterprise_configuration_level1() { - check_8 - check_product_license - check_8_1 - check_8_1_1 - check_8_1_2 - check_8_1_3 - check_8_1_4 - check_8_1_5 - check_8_1_6 - check_8_1_7 - check_8_2 - check_8_2_1 - check_8_end -} - -universal_control_plane_configuration() { - check_8 - check_8_1 - check_8_1_1 - check_8_1_2 - check_8_1_3 - check_8_1_4 - check_8_1_5 - check_8_1_6 - check_8_1_7 - check_8_end -} - -docker_trusted_registry_configuration() { - check_8 - check_8_2 - check_8_2_1 - check_8_end -} - -community_checks() { - check_c - check_c_1 - check_c_2 - check_c_end -} - -# CIS -cis() { - host_configuration - docker_daemon_configuration - docker_daemon_files - container_images - container_runtime - docker_security_operations - docker_swarm_configuration - docker_enterprise_configuration -} - -cis_level1() { - host_configuration_level1 - docker_daemon_configuration_level1 - docker_daemon_files_level1 - container_images_level1 - container_runtime_level1 - docker_security_operations_level1 - docker_swarm_configuration_level1 - docker_enterprise_configuration_level1 -} - -# Community contributed -community() { - community_checks -} - -# All -all() { - cis - community -} diff --git a/helper_lib.sh b/helper_lib.sh deleted file mode 100644 index e24a14c..0000000 --- a/helper_lib.sh +++ /dev/null @@ -1,129 +0,0 @@ -#!/bin/sh - -# Returns the absolute path of a given string -abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; } - -# Audit rules default path -auditrules="/etc/audit/audit.rules" - -# Compares versions of software of the format X.Y.Z -do_version_check() { - [ "$1" = "$2" ] && return 10 - - ver1front=$(printf "%s" "$1" | cut -d "." -f -1) - ver1back=$(printf "%s" "$1" | cut -d "." -f 2-) - ver2front=$(printf "%s" "$2" | cut -d "." -f -1) - ver2back=$(printf "%s" "$2" | cut -d "." -f 2-) - - if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then - [ "$ver1front" -gt "$ver2front" ] && return 11 - [ "$ver1front" -lt "$ver2front" ] && return 9 - - [ "$ver1front" = "$1" ] || [ -z "$ver1back" ] && ver1back=0 - [ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0 - do_version_check "$ver1back" "$ver2back" - return $? - else - [ "$1" -gt "$2" ] && return 11 || return 9 - fi -} - -# Extracts commandline args from the newest running processes named like the first parameter -get_command_line_args() { - PROC="$1" - - for PID in $(pgrep -f -n "$PROC"); do - tr "\0" " " < /proc/"$PID"/cmdline - done -} - -# Extract the cumulative command line arguments for the docker daemon -# -# If specified multiple times, all matches are returned. -# Accounts for long and short variants, call with short option. -# Does not account for option defaults or implicit options. -get_docker_cumulative_command_line_args() { - OPTION="$1" - - if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then - line_arg="docker daemon" - else - line_arg="dockerd" - fi - - get_command_line_args "$line_arg" | - # normalize known long options to their short versions - sed \ - -e 's/\-\-debug/-D/g' \ - -e 's/\-\-host/-H/g' \ - -e 's/\-\-log-level/-l/g' \ - -e 's/\-\-version/-v/g' \ - | - # normalize parameters separated by space(s) to -O=VALUE - sed \ - -e 's/\-\([DHlv]\)[= ]\([^- ][^ ]\)/-\1=\2/g' \ - | - # get the last interesting option - tr ' ' "\n" | - grep "^${OPTION}" | - # normalize quoting of values - sed \ - -e 's/"//g' \ - -e "s/'//g" -} - -# Extract the effective command line arguments for the docker daemon -# -# Accounts for multiple specifications, takes the last option. -# Accounts for long and short variants, call with short option -# Does not account for option default or implicit options. -get_docker_effective_command_line_args() { - OPTION="$1" - get_docker_cumulative_command_line_args "$OPTION" | tail -n1 -} - -get_docker_configuration_file() { - FILE="$(get_docker_effective_command_line_args '--config-file' | \ - sed 's/.*=//g')" - - if [ -f "$FILE" ]; then - CONFIG_FILE="$FILE" - elif [ -f '/etc/docker/daemon.json' ]; then - CONFIG_FILE='/etc/docker/daemon.json' - else - CONFIG_FILE='/dev/null' - fi -} - -get_docker_configuration_file_args() { - OPTION="$1" - - get_docker_configuration_file - - grep "$OPTION" "$CONFIG_FILE" | sed 's/.*://g' | tr -d '" ', -} - -get_service_file() { - SERVICE="$1" - - if [ -f "/etc/systemd/system/$SERVICE" ]; then - echo "/etc/systemd/system/$SERVICE" - elif [ -f "/lib/systemd/system/$SERVICE" ]; then - echo "/lib/systemd/system/$SERVICE" - elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then - systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//' - else - echo "/usr/lib/systemd/system/$SERVICE" - fi -} - -yell_info() { -yell "# -------------------------------------------------------------------------------------------- -# Docker Bench for Security v$version -# -# Docker, Inc. (c) 2015-$(date +"%Y") -# -# Checks for dozens of common best-practices around deploying Docker containers in production. -# Inspired by the CIS Docker Benchmark v1.2.0. -# --------------------------------------------------------------------------------------------" -} diff --git a/output_lib.sh b/output_lib.sh deleted file mode 100644 index b6580a1..0000000 --- a/output_lib.sh +++ /dev/null @@ -1,155 +0,0 @@ -#!/bin/sh - -if [ -n "$nocolor" ] && [ "$nocolor" = "nocolor" ]; then - bldred='' - bldgrn='' - bldblu='' - bldylw='' - txtrst='' -else - bldred='\033[1;31m' # Bold Red - bldgrn='\033[1;32m' # Bold Green - bldblu='\033[1;34m' # Bold Blue - bldylw='\033[1;33m' # Bold Yellow - txtrst='\033[0m' -fi - -logit () { - printf "%b\n" "$1" | tee -a "$logger" -} - -info () { - printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger" -} - -pass () { - printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger" -} - -warn () { - printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger" -} - -note () { - printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger" -} - -yell () { - printf "%b\n" "${bldylw}$1${txtrst}\n" -} - -appendjson () { - if [ -s "$logger.json" ]; then - tail -n 1 "$logger.json" | wc -c | xargs -I {} truncate "$logger.json" -s -{} - printf "},\n" | tee -a "$logger.json" 2>/dev/null 1>&2 - else - printf "[" | tee -a "$logger.json" 2>/dev/null 1>&2 - fi -} - -beginjson () { - printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 -} - -endjson (){ - printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s\n}]" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2 -} - -logjson (){ - printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 -} - -SSEP= -SEP= -startsectionjson() { - printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 - SEP= - SSEP="," -} - -endsectionjson() { - printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2 -} - -starttestjson() { - printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 - SEP="," -} - -resulttestjson() { - if [ $# -eq 1 ]; then - printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2 - elif [ $# -eq 2 ]; then - # Result also contains details - printf "\"result\": \"%s\", \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 - else - # Result also includes details and a list of items. Add that directly to details and to an array property "items" - # Also limit the number of items to $limit, if $limit is non-zero - if [ $limit != 0 ]; then - truncItems="" - ITEM_COUNT=0 - for item in $3; do - truncItems="$truncItems $item" - ITEM_COUNT=$((ITEM_COUNT + 1)); - if [ "$ITEM_COUNT" == "$limit" ]; then - truncItems="$truncItems (truncated)" - break; - fi - done - else - truncItems=$3 - fi - itemsJson=$(printf "["; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]") - printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2 - fi - # Log remediation measure - if [ -n "$remediation" ] && [ "$1" != "PASS" ]; then - printf ", \"remediation\": \"%s\"" "$remediation" | tee -a "$logger.json" 2>/dev/null 1>&2 - if [ -n "$remediationImpact" ]; then - printf ", \"remediation-impact\": \"%s\"" "$remediationImpact" | tee -a "$logger.json" 2>/dev/null 1>&2 - fi - fi - printf "}" | tee -a "$logger.json" 2>/dev/null 1>&2 -} - -saveRemediation() { - local id remediation remediationImpact - while [ "${1}" ]; do - case "${1}" in - --id) - id="${2}" - shift - ;; - --rem) - remediation="${2}" - shift - ;; - --imp) - remediationImpact="${2}" - shift - ;; - *) - echo "Unknown parameter: ${1}" >&2 - return 1 - esac - if ! shift; then - echo 'Missing parameter argument.' >&2 - return 1 - fi - done - - if [ -n "${remediation}" ]; then - if [ -n "${checkHeader}" ]; then - if [ -n "${addSpaceHeader}" ]; then - globalRemediation="${globalRemediation}\n" - fi - globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${checkHeader}" - checkHeader="" - addSpaceHeader="1" - fi - globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${id} - ${remediation}" - if [ -n "${remediationImpact}" ]; then - globalRemediation="${globalRemediation} Impact: ${remediationImpact}" - fi - fi -}