add score and totalChecks to 7_

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2017-10-23 15:41:15 +02:00
parent 7ebe21823d
commit 976463a87b


@ -5,52 +5,65 @@ info "7 - Docker Swarm Configuration"
# 7.1 # 7.1
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed" check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass "$check_7_1" pass "$check_7_1"
logjson "7.1" "PASS" logjson "7.1" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_7_1" warn "$check_7_1"
logjson "7.1" "WARN" logjson "7.1" "WARN"
currentScore=$((currentScore - 1))
fi fi
# 7.2 # 7.2
check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm" check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader") managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -le 1 ]; then if [ "$managernodes" -le 1 ]; then
pass "$check_7_2" pass "$check_7_2"
logjson "7.2" "PASS" logjson "7.2" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_7_2" warn "$check_7_2"
logjson "7.2" "WARN" logjson "7.2" "WARN"
currentScore=$((currentScore - 1))
fi fi
else else
pass "$check_7_2 (Swarm mode not enabled)" pass "$check_7_2 (Swarm mode not enabled)"
logjson "7.2" "PASS" logjson "7.2" "PASS"
currentScore=$((currentScore + 1))
fi fi
# 7.3 # 7.3
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface" check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
pass "$check_7_3" pass "$check_7_3"
logjson "7.3" "PASS" logjson "7.3" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_7_3" warn "$check_7_3"
logjson "7.3" "WARN" logjson "7.3" "WARN"
currentScore=$((currentScore - 1))
fi fi
else else
pass "$check_7_3 (Swarm mode not enabled)" pass "$check_7_3 (Swarm mode not enabled)"
logjson "7.3" "PASS" logjson "7.3" "PASS"
currentScore=$((currentScore + 1))
fi fi
# 7.4 # 7.4
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network" check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
totalChecks=$((totalChecks + 1))
if docker network ls --filter driver=overlay --quiet | \ if docker network ls --filter driver=overlay --quiet | \
xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \ xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then grep -v 'encrypted:' 2>/dev/null 1>&2; then
warn "$check_7_4" warn "$check_7_4"
currentScore=$((currentScore - 1))
for encnet in $(docker network ls --filter driver=overlay --quiet); do for encnet in $(docker network ls --filter driver=overlay --quiet); do
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \ if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then grep -v 'encrypted:' 2>/dev/null 1>&2; then
@ -61,79 +74,101 @@ if docker network ls --filter driver=overlay --quiet | \
else else
pass "$check_7_4" pass "$check_7_4"
logjson "7.4" "PASS" logjson "7.4" "PASS"
currentScore=$((currentScore + 1))
fi fi
# 7.5 # 7.5
check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster" check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass "$check_7_5" pass "$check_7_5"
logjson "7.5" "PASS" logjson "7.5" "PASS"
currentScore=$((currentScore + 1))
else else
info "$check_7_5" info "$check_7_5"
logjson "7.5" "INFO" logjson "7.5" "INFO"
currentScore=$((currentScore + 0))
fi fi
else else
pass "$check_7_5 (Swarm mode not enabled)" pass "$check_7_5 (Swarm mode not enabled)"
logjson "7.5" "PASS" logjson "7.5" "PASS"
currentScore=$((currentScore + 1))
fi fi
# 7.6 # 7.6
check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode" check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn "$check_7_6" warn "$check_7_6"
logjson "7.6" "WARN" logjson "7.6" "WARN"
currentScore=$((currentScore - 1))
else else
pass "$check_7_6" pass "$check_7_6"
logjson "7.6" "PASS" logjson "7.6" "PASS"
currentScore=$((currentScore + 1))
fi fi
else else
pass "$check_7_6 (Swarm mode not enabled)" pass "$check_7_6 (Swarm mode not enabled)"
logjson "7.6" "PASS" logjson "7.6" "PASS"
currentScore=$((currentScore + 1))
fi fi
# 7.7 # 7.7
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically" check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note "$check_7_7" note "$check_7_7"
logjson "7.7" "NOTE" logjson "7.7" "NOTE"
currentScore=$((currentScore + 0))
else else
pass "$check_7_7 (Swarm mode not enabled)" pass "$check_7_7 (Swarm mode not enabled)"
logjson "7.7" "PASS" logjson "7.7" "PASS"
currentScore=$((currentScore + 1))
fi fi
# 7.8 # 7.8
check_7_8="7.8 - Ensure node certificates are rotated as appropriate" check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass "$check_7_8" pass "$check_7_8"
logjson "7.8" "PASS" logjson "7.8" "PASS"
currentScore=$((currentScore + 1))
else else
info "$check_7_8" info "$check_7_8"
logjson "7.8" "INFO" logjson "7.8" "INFO"
currentScore=$((currentScore + 0))
fi fi
else else
pass "$check_7_8 (Swarm mode not enabled)" pass "$check_7_8 (Swarm mode not enabled)"
logjson "7.8" "PASS" logjson "7.8" "PASS"
currentScore=$((currentScore + 1))
fi fi
# 7.9 # 7.9
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate" check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_9" info "$check_7_9"
logjson "7.9" "INFO" logjson "7.9" "INFO"
currentScore=$((currentScore + 0))
else else
pass "$check_7_9 (Swarm mode not enabled)" pass "$check_7_9 (Swarm mode not enabled)"
logjson "7.9" "PASS" logjson "7.9" "PASS"
currentScore=$((currentScore + 1))
fi fi
# 7.10 # 7.10
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic" check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_10" info "$check_7_10"
logjson "7.10" "INFO" logjson "7.10" "INFO"
currentScore=$((currentScore + 0))
else else
pass "$check_7_10 (Swarm mode not enabled)" pass "$check_7_10 (Swarm mode not enabled)"
logjson "7.10" "PASS" logjson "7.10" "PASS"
currentScore=$((currentScore + 1))
fi fi