mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-19 00:32:34 +01:00
Merge pull request #314 from draios/master
Improve docker-bench-security json output
This commit is contained in:
commit
9ca5b8b2e1
11 changed files with 1006 additions and 427 deletions
|
@ -141,10 +141,8 @@ main () {
|
|||
printf "\n"
|
||||
info "Checks: $totalChecks"
|
||||
info "Score: $currentScore"
|
||||
integerjson "checks" "$totalChecks"
|
||||
integerjson "score" "$currentScore"
|
||||
|
||||
endjson "$(date +%s)"
|
||||
endjson "$totalChecks" "$currentScore" "$(date +%s)"
|
||||
}
|
||||
|
||||
main "$@"
|
||||
|
|
|
@ -15,6 +15,7 @@ host_configuration() {
|
|||
check_1_11
|
||||
check_1_12
|
||||
check_1_13
|
||||
check_1_end
|
||||
}
|
||||
|
||||
docker_daemon_configuration() {
|
||||
|
@ -37,6 +38,7 @@ docker_daemon_configuration() {
|
|||
check_2_16
|
||||
check_2_17
|
||||
check_2_18
|
||||
check_2_end
|
||||
}
|
||||
|
||||
docker_daemon_files() {
|
||||
|
@ -61,6 +63,7 @@ docker_daemon_files() {
|
|||
check_3_18
|
||||
check_3_19
|
||||
check_3_20
|
||||
check_3_end
|
||||
}
|
||||
|
||||
container_images() {
|
||||
|
@ -76,6 +79,7 @@ container_images() {
|
|||
check_4_9
|
||||
check_4_10
|
||||
check_4_11
|
||||
check_4_end
|
||||
}
|
||||
|
||||
container_runtime() {
|
||||
|
@ -112,12 +116,14 @@ container_runtime() {
|
|||
check_5_29
|
||||
check_5_30
|
||||
check_5_31
|
||||
check_5_end
|
||||
}
|
||||
|
||||
docker_security_operations() {
|
||||
check_6
|
||||
check_6_1
|
||||
check_6_2
|
||||
check_6_end
|
||||
}
|
||||
|
||||
docker_swarm_configuration() {
|
||||
|
@ -131,11 +137,13 @@ docker_swarm_configuration() {
|
|||
check_7_8
|
||||
check_7_9
|
||||
check_7_10
|
||||
check_7_end
|
||||
}
|
||||
|
||||
community_checks() {
|
||||
check_c
|
||||
check_c_1
|
||||
check_c_end
|
||||
}
|
||||
|
||||
# CIS
|
||||
|
|
|
@ -30,17 +30,43 @@ yell () {
|
|||
}
|
||||
|
||||
beginjson () {
|
||||
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s," "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
|
||||
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
|
||||
}
|
||||
|
||||
endjson (){
|
||||
printf "\n \"end\": %s \n}\n" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s \n}\n" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
}
|
||||
|
||||
logjson (){
|
||||
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
}
|
||||
|
||||
integerjson (){
|
||||
printf "\n \"%s\": %s," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
SSEP=
|
||||
SEP=
|
||||
startsectionjson() {
|
||||
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
SEP=
|
||||
SSEP=","
|
||||
}
|
||||
|
||||
endsectionjson() {
|
||||
printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
}
|
||||
|
||||
starttestjson() {
|
||||
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
SEP=","
|
||||
}
|
||||
|
||||
resulttestjson() {
|
||||
if [ $# -eq 1 ]; then
|
||||
printf "\"result\": \"%s\"}" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
elif [ $# -eq 2 ]; then
|
||||
# Result also contains details
|
||||
printf "\"result\": \"%s\", \"details\": \"%s\"}" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
else
|
||||
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
|
||||
itemsJson=$(printf "["; ISEP=""; for item in $3; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]")
|
||||
printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s}" "$1" "$2" "$3" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
|
||||
fi
|
||||
}
|
||||
|
|
|
@ -2,41 +2,57 @@
|
|||
|
||||
check_1() {
|
||||
logit ""
|
||||
info "1 - Host Configuration"
|
||||
id_1="1"
|
||||
desc_1="Host Configuration"
|
||||
check_1="$id_1 - $desc_1"
|
||||
info "$check_1"
|
||||
startsectionjson "$id_1" "$desc_1"
|
||||
}
|
||||
|
||||
# 1.1
|
||||
check_1_1() {
|
||||
check_1_1="1.1 - Ensure a separate partition for containers has been created"
|
||||
id_1_1="1.1"
|
||||
desc_1_1="Ensure a separate partition for containers has been created"
|
||||
check_1_1="$id_1_1 - $desc_1_1"
|
||||
starttestjson "$id_1_1" "$desc_1_1"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
|
||||
if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then
|
||||
pass "$check_1_1"
|
||||
logjson "1.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then
|
||||
pass "$check_1_1"
|
||||
logjson "1.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_1"
|
||||
logjson "1.1" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.2
|
||||
check_1_2() {
|
||||
check_1_2="1.2 - Ensure the container host has been Hardened"
|
||||
id_1_2="1.2"
|
||||
desc_1_2="Ensure the container host has been Hardened"
|
||||
check_1_2="$id_1_2 - $desc_1_2"
|
||||
starttestjson "$id_1_2" "$desc_1_2"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
note "$check_1_2"
|
||||
logjson "1.2" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
# 1.3
|
||||
check_1_3() {
|
||||
check_1_3="1.3 - Ensure Docker is up to date"
|
||||
id_1_3="1.3"
|
||||
desc_1_3="Ensure Docker is up to date"
|
||||
check_1_3="$id_1_3 - $desc_1_3"
|
||||
starttestjson "$id_1_3" "$desc_1_3"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
|
||||
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
|
||||
|
@ -46,316 +62,361 @@ check_1_3() {
|
|||
info "$check_1_3"
|
||||
info " * Using $docker_version, verify is it up to date as deemed necessary"
|
||||
info " * Your operating system vendor may provide support and security maintenance for Docker"
|
||||
logjson "1.3" "INFO"
|
||||
resulttestjson "INFO" "Using $docker_version"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
pass "$check_1_3"
|
||||
info " * Using $docker_version which is current"
|
||||
info " * Check with your operating system vendor for support and security maintenance for Docker"
|
||||
logjson "1.3" "PASS"
|
||||
resulttestjson "PASS" "Using $docker_version"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.4
|
||||
check_1_4() {
|
||||
check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon"
|
||||
id_1_4="1.4"
|
||||
desc_1_4="Ensure only trusted users are allowed to control Docker daemon"
|
||||
check_1_4="$id_1_4 - $desc_1_4"
|
||||
starttestjson "$id_1_4" "$desc_1_4"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
docker_users=$(getent group docker)
|
||||
info "$check_1_4"
|
||||
for u in $docker_users; do
|
||||
info " * $u"
|
||||
logjson "1.4" "INFO: $u"
|
||||
done
|
||||
resulttestjson "INFO" "users" "$docker_users"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
# 1.5
|
||||
check_1_5() {
|
||||
check_1_5="1.5 - Ensure auditing is configured for the Docker daemon"
|
||||
id_1_5="1.5"
|
||||
desc_1_5="Ensure auditing is configured for the Docker daemon"
|
||||
check_1_5="$id_1_5 - $desc_1_5"
|
||||
starttestjson "$id_1_5" "$desc_1_5"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/usr/bin/docker "
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep "$file" >/dev/null 2>&1; then
|
||||
pass "$check_1_5"
|
||||
logjson "1.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_5"
|
||||
logjson "1.5" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_5"
|
||||
logjson "1.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_5"
|
||||
logjson "1.5" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.6
|
||||
check_1_6() {
|
||||
check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker"
|
||||
id_1_6="1.6"
|
||||
desc_1_6="Ensure auditing is configured for Docker files and directories - /var/lib/docker"
|
||||
check_1_6="$id_1_6 - $desc_1_6"
|
||||
starttestjson "$id_1_6" "$desc_1_6"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
directory="/var/lib/docker"
|
||||
if [ -d "$directory" ]; then
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep $directory >/dev/null 2>&1; then
|
||||
pass "$check_1_6"
|
||||
logjson "1.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_6"
|
||||
logjson "1.6" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_6"
|
||||
logjson "1.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_6"
|
||||
logjson "1.6" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_1_6"
|
||||
info " * Directory not found"
|
||||
logjson "1.6" "INFO"
|
||||
resulttestjson "INFO" "Directory not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.7
|
||||
check_1_7() {
|
||||
check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker"
|
||||
id_1_7="1.7"
|
||||
desc_1_7="Ensure auditing is configured for Docker files and directories - /etc/docker"
|
||||
check_1_7="$id_1_7 - $desc_1_7"
|
||||
starttestjson "$id_1_7" "$desc_1_7"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
directory="/etc/docker"
|
||||
if [ -d "$directory" ]; then
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep $directory >/dev/null 2>&1; then
|
||||
pass "$check_1_7"
|
||||
logjson "1.7" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_7"
|
||||
logjson "1.7" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_7"
|
||||
logjson "1.7" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_7"
|
||||
logjson "1.7" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_1_7"
|
||||
info " * Directory not found"
|
||||
logjson "1.7" "INFO"
|
||||
resulttestjson "INFO" "Directory not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.8
|
||||
check_1_8() {
|
||||
check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service"
|
||||
id_1_8="1.8"
|
||||
desc_1_8="Ensure auditing is configured for Docker files and directories - docker.service"
|
||||
check_1_8="$id_1_8 - $desc_1_8"
|
||||
starttestjson "$id_1_8" "$desc_1_8"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="$(get_systemd_service_file docker.service)"
|
||||
if [ -f "$file" ]; then
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep "$file" >/dev/null 2>&1; then
|
||||
pass "$check_1_8"
|
||||
logjson "1.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_8"
|
||||
logjson "1.8" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_8"
|
||||
logjson "1.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_8"
|
||||
logjson "1.8" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_1_8"
|
||||
info " * File not found"
|
||||
logjson "1.8" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.9
|
||||
check_1_9() {
|
||||
check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket"
|
||||
id_1_9="1.9"
|
||||
desc_1_9="Ensure auditing is configured for Docker files and directories - docker.socket"
|
||||
check_1_9="$id_1_9 - $desc_1_9"
|
||||
starttestjson "$id_1_9" "$desc_1_9"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="$(get_systemd_service_file docker.socket)"
|
||||
if [ -e "$file" ]; then
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep "$file" >/dev/null 2>&1; then
|
||||
pass "$check_1_9"
|
||||
logjson "1.9" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_9"
|
||||
logjson "1.9" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_9"
|
||||
logjson "1.9" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_9"
|
||||
logjson "1.9" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_1_9"
|
||||
info " * File not found"
|
||||
logjson "1.9" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.10
|
||||
check_1_10() {
|
||||
check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker"
|
||||
id_1_10="1.10"
|
||||
desc_1_10="Ensure auditing is configured for Docker files and directories - /etc/default/docker"
|
||||
check_1_10="$id_1_10 - $desc_1_10"
|
||||
starttestjson "$id_1_10" "$desc_1_10"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/etc/default/docker"
|
||||
if [ -f "$file" ]; then
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep $file >/dev/null 2>&1; then
|
||||
pass "$check_1_10"
|
||||
logjson "1.10" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_10"
|
||||
logjson "1.10" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_10"
|
||||
logjson "1.10" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_10"
|
||||
logjson "1.10" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_1_10"
|
||||
info " * File not found"
|
||||
logjson "1.10" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.11
|
||||
check_1_11() {
|
||||
check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
|
||||
id_1_11="1.11"
|
||||
desc_1_11="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
|
||||
check_1_11="$id_1_11 - $desc_1_11"
|
||||
starttestjson "$id_1_11" "$desc_1_11"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/etc/docker/daemon.json"
|
||||
if [ -f "$file" ]; then
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep $file >/dev/null 2>&1; then
|
||||
pass "$check_1_11"
|
||||
logjson "1.11" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_11"
|
||||
logjson "1.11" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_11"
|
||||
logjson "1.11" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_11"
|
||||
logjson "1.11" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_1_11"
|
||||
info " * File not found"
|
||||
logjson "1.11" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.12
|
||||
check_1_12() {
|
||||
check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
|
||||
id_1_12="1.12"
|
||||
desc_1_12="Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
|
||||
check_1_12="$id_1_12 - $desc_1_12"
|
||||
starttestjson "$id_1_12" "$desc_1_12"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/usr/bin/docker-containerd"
|
||||
if [ -f "$file" ]; then
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep $file >/dev/null 2>&1; then
|
||||
pass "$check_1_12"
|
||||
logjson "1.12" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_12"
|
||||
logjson "1.12" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_12"
|
||||
logjson "1.12" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_12"
|
||||
logjson "1.12" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_1_12"
|
||||
info " * File not found"
|
||||
logjson "1.12" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 1.13
|
||||
check_1_13() {
|
||||
check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
|
||||
id_1_13="1.13"
|
||||
desc_1_13="Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
|
||||
check_1_13="$id_1_13 - $desc_1_13"
|
||||
starttestjson "$id_1_13" "$desc_1_13"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/usr/bin/docker-runc"
|
||||
if [ -f "$file" ]; then
|
||||
if command -v auditctl >/dev/null 2>&1; then
|
||||
if auditctl -l | grep $file >/dev/null 2>&1; then
|
||||
pass "$check_1_13"
|
||||
logjson "1.13" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_13"
|
||||
logjson "1.13" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
|
||||
pass "$check_1_13"
|
||||
logjson "1.13" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_1_13"
|
||||
logjson "1.13" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_1_13"
|
||||
info " * File not found"
|
||||
logjson "1.13" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
check_1_end() {
|
||||
endsectionjson
|
||||
}
|
||||
|
||||
|
|
|
@ -2,262 +2,314 @@
|
|||
|
||||
check_2() {
|
||||
logit "\n"
|
||||
info "2 - Docker daemon configuration"
|
||||
id_2="2"
|
||||
desc_2="Docker daemon configuration"
|
||||
check_2="id_2 - $desc_2"
|
||||
info "$check_2"
|
||||
startsectionjson "$id_2" "$desc_2"
|
||||
}
|
||||
|
||||
# 2.1
|
||||
check_2_1() {
|
||||
check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge"
|
||||
id_2_1="2.1"
|
||||
desc_2_1="Ensure network traffic is restricted between containers on the default bridge"
|
||||
check_2_1="$id_2_1 - $desc_2_1"
|
||||
starttestjson "$id_2_1" "$desc_2_1"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
|
||||
pass "$check_2_1"
|
||||
logjson "2.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
|
||||
pass "$check_2_1"
|
||||
logjson "2.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_1"
|
||||
logjson "2.1" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.2
|
||||
check_2_2() {
|
||||
check_2_2="2.2 - Ensure the logging level is set to 'info'"
|
||||
id_2_2="2.2"
|
||||
desc_2_2="Ensure the logging level is set to 'info'"
|
||||
check_2_2="$id_2_2 - $desc_2_2"
|
||||
starttestjson "$id_2_2" "$desc_2_2"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
|
||||
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
|
||||
pass "$check_2_2"
|
||||
logjson "2.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
|
||||
pass "$check_2_2"
|
||||
logjson "2.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_2"
|
||||
logjson "2.2" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
elif get_docker_effective_command_line_args '-l'; then
|
||||
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
|
||||
pass "$check_2_2"
|
||||
logjson "2.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_2"
|
||||
logjson "2.2" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
pass "$check_2_2"
|
||||
logjson "2.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.3
|
||||
check_2_3() {
|
||||
check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables"
|
||||
id_2_3="2.3"
|
||||
desc_2_3="Ensure Docker is allowed to make changes to iptables"
|
||||
check_2_3="$id_2_3 - $desc_2_3"
|
||||
starttestjson "$id_2_3" "$desc_2_3"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
|
||||
warn "$check_2_3"
|
||||
logjson "2.3" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
|
||||
warn "$check_2_3"
|
||||
logjson "2.3" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
pass "$check_2_3"
|
||||
logjson "2.3" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.4
|
||||
check_2_4() {
|
||||
check_2_4="2.4 - Ensure insecure registries are not used"
|
||||
id_2_4="2.4"
|
||||
desc_2_4="Ensure insecure registries are not used"
|
||||
check_2_4="$id_2_4 - $desc_2_4"
|
||||
starttestjson "$id_2_4" "$desc_2_4"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
|
||||
warn "$check_2_4"
|
||||
logjson "2.4" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
|
||||
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
|
||||
pass "$check_2_4"
|
||||
logjson "2.4" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_4"
|
||||
logjson "2.4" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
pass "$check_2_4"
|
||||
logjson "2.4" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.5
|
||||
check_2_5() {
|
||||
check_2_5="2.5 - Ensure aufs storage driver is not used"
|
||||
id_2_5="2.5"
|
||||
desc_2_5="Ensure aufs storage driver is not used"
|
||||
check_2_5="$id_2_5 - $desc_2_5"
|
||||
starttestjson "$id_2_5" "$desc_2_5"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
|
||||
warn "$check_2_5"
|
||||
logjson "2.5" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
pass "$check_2_5"
|
||||
logjson "2.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.6
|
||||
check_2_6() {
|
||||
check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured"
|
||||
id_2_6="2.6"
|
||||
desc_2_6="Ensure TLS authentication for Docker daemon is configured"
|
||||
check_2_6="$id_2_6 - $desc_2_6"
|
||||
starttestjson "$id_2_6" "$desc_2_6"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if [ grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2 ] || \
|
||||
[ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') >/dev/null 2>&1 ]; then
|
||||
if [ $(get_docker_configuration_file_args '"tlsverify":' | grep 'true') ] || \
|
||||
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
|
||||
pass "$check_2_6"
|
||||
logjson "2.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
|
||||
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
|
||||
warn "$check_2_6"
|
||||
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
|
||||
logjson "2.6" "WARN"
|
||||
resulttestjson "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
warn "$check_2_6"
|
||||
warn " * Docker daemon currently listening on TCP without TLS"
|
||||
logjson "2.6" "WARN"
|
||||
resulttestjson "WARN" "Docker daemon currently listening on TCP without TLS"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_2_6"
|
||||
info " * Docker daemon not listening on TCP"
|
||||
logjson "2.6" "INFO"
|
||||
resulttestjson "INFO" "Docker daemon not listening on TCP"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.7
|
||||
check_2_7() {
|
||||
check_2_7="2.7 - Ensure the default ulimit is configured appropriately"
|
||||
id_2_7="2.7"
|
||||
desc_2_7="Ensure the default ulimit is configured appropriately"
|
||||
check_2_7="$id_2_7 - $desc_2_7"
|
||||
starttestjson "$id_2_7" "$desc_2_7"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
|
||||
pass "$check_2_7"
|
||||
logjson "2.7" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
|
||||
pass "$check_2_7"
|
||||
logjson "2.7" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
info "$check_2_7"
|
||||
info " * Default ulimit doesn't appear to be set"
|
||||
logjson "2.7" "INFO"
|
||||
resulttestjson "INFO" "Default ulimit doesn't appear to be set"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.8
|
||||
check_2_8() {
|
||||
check_2_8="2.8 - Enable user namespace support"
|
||||
id_2_8="2.8"
|
||||
desc_2_8="Enable user namespace support"
|
||||
check_2_8="$id_2_8 - $desc_2_8"
|
||||
starttestjson "$id_2_8" "$desc_2_8"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
|
||||
pass "$check_2_8"
|
||||
logjson "2.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
|
||||
pass "$check_2_8"
|
||||
logjson "2.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_8"
|
||||
logjson "2.8" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.9
|
||||
check_2_9() {
|
||||
check_2_9="2.9 - Ensure the default cgroup usage has been confirmed"
|
||||
id_2_9="2.9"
|
||||
desc_2_9="Ensure the default cgroup usage has been confirmed"
|
||||
check_2_9="$id_2_9 - $desc_2_9"
|
||||
starttestjson "$id_2_9" "$desc_2_9"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
|
||||
warn "$check_2_9"
|
||||
info " * Confirm cgroup usage"
|
||||
logjson "2.9" "INFO"
|
||||
resulttestjson "WARN" "Confirm cgroup usage"
|
||||
currentScore=$((currentScore + 0))
|
||||
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
|
||||
warn "$check_2_9"
|
||||
info " * Confirm cgroup usage"
|
||||
logjson "2.9" "INFO"
|
||||
resulttestjson "WARN" "Confirm cgroup usage"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
pass "$check_2_9"
|
||||
logjson "2.9" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.10
|
||||
check_2_10() {
|
||||
check_2_10="2.10 - Ensure base device size is not changed until needed"
|
||||
id_2_10="2.10"
|
||||
desc_2_10="Ensure base device size is not changed until needed"
|
||||
check_2_10="$id_2_10 - $desc_2_10"
|
||||
starttestjson "$id_2_10" "$desc_2_10"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
|
||||
warn "$check_2_10"
|
||||
logjson "2.10" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
|
||||
warn "$check_2_10"
|
||||
logjson "2.10" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
pass "$check_2_10"
|
||||
logjson "2.10" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.11
|
||||
check_2_11() {
|
||||
check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled"
|
||||
id_2_11="2.11"
|
||||
desc_2_11="Ensure that authorization for Docker client commands is enabled"
|
||||
check_2_11="$id_2_11 - $desc_2_11"
|
||||
starttestjson "$id_2_11" "$desc_2_11"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
|
||||
pass "$check_2_11"
|
||||
logjson "2.11" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
|
||||
pass "$check_2_11"
|
||||
logjson "2.11" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_11"
|
||||
logjson "2.11" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.12
|
||||
check_2_12() {
|
||||
check_2_12="2.12 - Ensure centralized and remote logging is configured"
|
||||
id_2_12="2.12"
|
||||
desc_2_12="Ensure centralized and remote logging is configured"
|
||||
check_2_12="$id_2_12 - $desc_2_12"
|
||||
starttestjson "$id_2_12" "$desc_2_12"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
|
||||
warn "$check_2_12"
|
||||
logjson "2.12" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
pass "$check_2_12"
|
||||
logjson "2.12" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
@ -267,48 +319,58 @@ check_2_13() {
|
|||
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
|
||||
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.')
|
||||
totalChecks=$((totalChecks + 1))
|
||||
|
||||
id_2_13="2.13"
|
||||
desc_2_13="Ensure operations on legacy registry (v1) are Disabled"
|
||||
check_2_13="$id_2_13 - $desc_2_13"
|
||||
starttestjson "$id_2_13" "$desc_2_13"
|
||||
|
||||
if [ "$docker_version" -lt 1712 ]; then
|
||||
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled"
|
||||
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
|
||||
pass "$check_2_13"
|
||||
logjson "2.13" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
|
||||
pass "$check_2_13"
|
||||
logjson "2.13" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_13"
|
||||
logjson "2.13" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated)"
|
||||
desc_2_13="$desc_2_13 (Deprecated)"
|
||||
check_2_13="$id_2_13 - $desc_2_13"
|
||||
info "$check_2_13"
|
||||
logjson "2.13" "info"
|
||||
resulttestjson "INFO"
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.14
|
||||
check_2_14() {
|
||||
check_2_14="2.14 - Ensure live restore is Enabled"
|
||||
id_2_14="2.14"
|
||||
desc_2_14="Ensure live restore is Enabled"
|
||||
check_2_14="$id_2_14 - $desc_2_14"
|
||||
starttestjson "$id_2_14" "$desc_2_14"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
|
||||
pass "$check_2_14"
|
||||
logjson "2.14" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||
pass "$check_2_14 (Incompatible with swarm mode)"
|
||||
logjson "2.14" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
|
||||
pass "$check_2_14"
|
||||
logjson "2.14" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_14"
|
||||
logjson "2.14" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
fi
|
||||
|
@ -316,68 +378,88 @@ check_2_14() {
|
|||
|
||||
# 2.15
|
||||
check_2_15() {
|
||||
check_2_15="2.15 - Ensure Userland Proxy is Disabled"
|
||||
id_2_15="2.15"
|
||||
desc_2_15="Ensure Userland Proxy is Disabled"
|
||||
check_2_15="$id_2_15 - $desc_2_15"
|
||||
starttestjson "$id_2_15" "$desc_2_15"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
|
||||
pass "$check_2_15"
|
||||
logjson "2.15" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
|
||||
pass "$check_2_15"
|
||||
logjson "2.15" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_15"
|
||||
logjson "2.15" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.16
|
||||
check_2_16() {
|
||||
check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed"
|
||||
id_2_16="2.16"
|
||||
desc_2_16="Ensure daemon-wide custom seccomp profile is applied, if needed"
|
||||
check_2_16="$id_2_16 - $desc_2_16"
|
||||
starttestjson "$id_2_16" "$desc_2_16"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
|
||||
pass "$check_2_16"
|
||||
logjson "2.16" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
info "$check_2_16"
|
||||
logjson "2.16" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.17
|
||||
check_2_17() {
|
||||
check_2_17="2.17 - Ensure experimental features are avoided in production"
|
||||
id_2_17="2.17"
|
||||
desc_2_17="Ensure experimental features are avoided in production"
|
||||
check_2_17="$id_2_17 - $desc_2_17"
|
||||
starttestjson "$id_2_17" "$desc_2_17"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
|
||||
pass "$check_2_17"
|
||||
logjson "2.17" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_17"
|
||||
logjson "2.17" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 2.18
|
||||
check_2_18() {
|
||||
check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges"
|
||||
id_2_18="2.18"
|
||||
desc_2_18="Ensure containers are restricted from acquiring new privileges"
|
||||
check_2_18="$id_2_18 - $desc_2_18"
|
||||
starttestjson "$id_2_18" "$desc_2_18"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
|
||||
pass "$check_2_18"
|
||||
logjson "2.18" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
|
||||
pass "$check_2_18"
|
||||
logjson "2.18" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_2_18"
|
||||
logjson "2.18" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
check_2_end() {
|
||||
endsectionjson
|
||||
}
|
||||
|
|
|
@ -2,156 +2,188 @@
|
|||
|
||||
check_3() {
|
||||
logit "\n"
|
||||
info "3 - Docker daemon configuration files"
|
||||
id_3="3"
|
||||
desc_3="Docker daemon configuration files"
|
||||
check_3="$id_3 - $desc_3"
|
||||
info "$check_3"
|
||||
startsectionjson "$id_3" "$desc_3"
|
||||
}
|
||||
|
||||
# 3.1
|
||||
check_3_1() {
|
||||
check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root"
|
||||
id_3_1="3.1"
|
||||
desc_3_1="Ensure that docker.service file ownership is set to root:root"
|
||||
check_3_1="$id_3_1 - $desc_3_1"
|
||||
starttestjson "$id_3_1" "$desc_3_1"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="$(get_systemd_service_file docker.service)"
|
||||
if [ -f "$file" ]; then
|
||||
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
|
||||
pass "$check_3_1"
|
||||
logjson "3.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_1"
|
||||
warn " * Wrong ownership for $file"
|
||||
logjson "3.1" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_1"
|
||||
info " * File not found"
|
||||
logjson "3.1" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.2
|
||||
check_3_2() {
|
||||
check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive"
|
||||
id_3_2="3.2"
|
||||
desc_3_2="Ensure that docker.service file permissions are set to 644 or more restrictive"
|
||||
check_3_2="$id_3_2 - $desc_3_2"
|
||||
starttestjson "$id_3_2" "$desc_3_2"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="$(get_systemd_service_file docker.service)"
|
||||
if [ -f "$file" ]; then
|
||||
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
|
||||
pass "$check_3_2"
|
||||
logjson "3.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_2"
|
||||
warn " * Wrong permissions for $file"
|
||||
logjson "3.2" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_2"
|
||||
info " * File not found"
|
||||
logjson "3.2" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.3
|
||||
check_3_3() {
|
||||
check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root"
|
||||
id_3_3="3.3"
|
||||
desc_3_3="Ensure that docker.socket file ownership is set to root:root"
|
||||
check_3_3="$id_3_3 - $desc_3_3"
|
||||
starttestjson "$id_3_3" "$desc_3_3"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="$(get_systemd_service_file docker.socket)"
|
||||
if [ -f "$file" ]; then
|
||||
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
|
||||
pass "$check_3_3"
|
||||
logjson "3.3" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_3"
|
||||
warn " * Wrong ownership for $file"
|
||||
logjson "3.3" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_3"
|
||||
info " * File not found"
|
||||
logjson "3.3" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.4
|
||||
check_3_4() {
|
||||
check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive"
|
||||
id_3_4="3.4"
|
||||
desc_3_4="Ensure that docker.socket file permissions are set to 644 or more restrictive"
|
||||
check_3_4="$id_3_4 - $desc_3_4"
|
||||
starttestjson "$id_3_4" "$desc_3_4"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="$(get_systemd_service_file docker.socket)"
|
||||
if [ -f "$file" ]; then
|
||||
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
|
||||
pass "$check_3_4"
|
||||
logjson "3.4" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_4"
|
||||
warn " * Wrong permissions for $file"
|
||||
logjson "3.4" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_4"
|
||||
info " * File not found"
|
||||
logjson "3.4" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.5
|
||||
check_3_5() {
|
||||
check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root"
|
||||
id_3_5="3.5"
|
||||
desc_3_5="Ensure that /etc/docker directory ownership is set to root:root"
|
||||
check_3_5="$id_3_5 - $desc_3_5"
|
||||
starttestjson "$id_3_5" "$desc_3_5"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
directory="/etc/docker"
|
||||
if [ -d "$directory" ]; then
|
||||
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
|
||||
pass "$check_3_5"
|
||||
logjson "3.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_5"
|
||||
warn " * Wrong ownership for $directory"
|
||||
logjson "3.5" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $directory"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_5"
|
||||
info " * Directory not found"
|
||||
logjson "3.5" "INFO"
|
||||
resulttestjson "INFO" "Directory not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.6
|
||||
check_3_6() {
|
||||
check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
|
||||
id_3_6="3.6"
|
||||
desc_3_6="Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
|
||||
check_3_6="$id_3_6 - $desc_3_6"
|
||||
starttestjson "$id_3_6" "$desc_3_6"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
directory="/etc/docker"
|
||||
if [ -d "$directory" ]; then
|
||||
if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
|
||||
pass "$check_3_6"
|
||||
logjson "3.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_6"
|
||||
warn " * Wrong permissions for $directory"
|
||||
logjson "3.6" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $directory"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_6"
|
||||
info " * Directory not found"
|
||||
logjson "3.6" "INFO"
|
||||
resulttestjson "INFO" "Directory not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.7
|
||||
check_3_7() {
|
||||
check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root"
|
||||
id_3_7="3.7"
|
||||
desc_3_7="Ensure that registry certificate file ownership is set to root:root"
|
||||
check_3_7="$id_3_7 - $desc_3_7"
|
||||
starttestjson "$id_3_7" "$desc_3_7"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
directory="/etc/docker/certs.d/"
|
||||
if [ -d "$directory" ]; then
|
||||
|
@ -165,24 +197,28 @@ check_3_7() {
|
|||
if [ $fail -eq 1 ]; then
|
||||
warn "$check_3_7"
|
||||
warn " * Wrong ownership for $directory"
|
||||
logjson "3.7" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $directory"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
pass "$check_3_7"
|
||||
logjson "3.7" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_7"
|
||||
info " * Directory not found"
|
||||
logjson "3.7" "INFO"
|
||||
resulttestjson "INFO" "Directory not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.8
|
||||
check_3_8() {
|
||||
check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive"
|
||||
id_3_8="3.8"
|
||||
desc_3_8="Ensure that registry certificate file permissions are set to 444 or more restrictive"
|
||||
check_3_8="$id_3_8 - $desc_3_8"
|
||||
starttestjson "$id_3_8" "$desc_3_8"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
directory="/etc/docker/certs.d/"
|
||||
if [ -d "$directory" ]; then
|
||||
|
@ -196,24 +232,28 @@ check_3_8() {
|
|||
if [ $fail -eq 1 ]; then
|
||||
warn "$check_3_8"
|
||||
warn " * Wrong permissions for $directory"
|
||||
logjson "3.8" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $directory"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
pass "$check_3_8"
|
||||
logjson "3.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_8"
|
||||
info " * Directory not found"
|
||||
logjson "3.8" "INFO"
|
||||
resulttestjson "INFO" "Directory not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.9
|
||||
check_3_9() {
|
||||
check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root"
|
||||
id_3_9="3.9"
|
||||
desc_3_9="Ensure that TLS CA certificate file ownership is set to root:root"
|
||||
check_3_9="$id_3_9 - $desc_3_9"
|
||||
starttestjson "$id_3_9" "$desc_3_9"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
|
||||
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
|
||||
|
@ -223,25 +263,29 @@ check_3_9() {
|
|||
if [ -f "$tlscacert" ]; then
|
||||
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
|
||||
pass "$check_3_9"
|
||||
logjson "3.9" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_9"
|
||||
warn " * Wrong ownership for $tlscacert"
|
||||
logjson "3.9" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $tlscacert"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_9"
|
||||
info " * No TLS CA certificate found"
|
||||
logjson "3.9" "INFO"
|
||||
resulttestjson "INFO" "No TLS CA certificate found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.10
|
||||
check_3_10() {
|
||||
check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
|
||||
id_3_10="3.10"
|
||||
desc_3_10="Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
|
||||
check_3_10="$id_3_10 - $desc_3_10"
|
||||
starttestjson "$id_3_10" "$desc_3_10"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
|
||||
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
|
||||
|
@ -251,25 +295,29 @@ check_3_10() {
|
|||
if [ -f "$tlscacert" ]; then
|
||||
if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
|
||||
pass "$check_3_10"
|
||||
logjson "3.10" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_10"
|
||||
warn " * Wrong permissions for $tlscacert"
|
||||
logjson "3.10" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $tlscacert"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_10"
|
||||
info " * No TLS CA certificate found"
|
||||
logjson "3.10" "INFO"
|
||||
resulttestjson "INFO" "No TLS CA certificate found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.11
|
||||
check_3_11() {
|
||||
check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root"
|
||||
id_3_11="3.11"
|
||||
desc_3_11="Ensure that Docker server certificate file ownership is set to root:root"
|
||||
check_3_11="$id_3_11 - $desc_3_11"
|
||||
starttestjson "$id_3_11" "$desc_3_11"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
|
||||
tlscert=$(get_docker_configuration_file_args 'tlscert')
|
||||
|
@ -279,25 +327,29 @@ check_3_11() {
|
|||
if [ -f "$tlscert" ]; then
|
||||
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
|
||||
pass "$check_3_11"
|
||||
logjson "3.11" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_11"
|
||||
warn " * Wrong ownership for $tlscert"
|
||||
logjson "3.11" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $tlscert"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_11"
|
||||
info " * No TLS Server certificate found"
|
||||
logjson "3.11" "INFO"
|
||||
resulttestjson "INFO" "No TLS Server certificate found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.12
|
||||
check_3_12() {
|
||||
check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
|
||||
id_3_12="3.12"
|
||||
desc_3_12="Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
|
||||
check_3_12="$id_3_12 - $desc_3_12"
|
||||
starttestjson "$id_3_12" "$desc_3_12"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
|
||||
tlscert=$(get_docker_configuration_file_args 'tlscert')
|
||||
|
@ -307,25 +359,29 @@ check_3_12() {
|
|||
if [ -f "$tlscert" ]; then
|
||||
if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
|
||||
pass "$check_3_12"
|
||||
logjson "3.12" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_12"
|
||||
warn " * Wrong permissions for $tlscert"
|
||||
logjson "3.12" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $tlscert"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_12"
|
||||
info " * No TLS Server certificate found"
|
||||
logjson "3.12" "INFO"
|
||||
resulttestjson "INFO" "No TLS Server certificate found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.13
|
||||
check_3_13() {
|
||||
check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root"
|
||||
id_3_13="3.13"
|
||||
desc_3_13="Ensure that Docker server certificate key file ownership is set to root:root"
|
||||
check_3_13="$id_3_13 - $desc_3_13"
|
||||
starttestjson "$id_3_13" "$desc_3_13"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
|
||||
tlskey=$(get_docker_configuration_file_args 'tlskey')
|
||||
|
@ -335,25 +391,29 @@ check_3_13() {
|
|||
if [ -f "$tlskey" ]; then
|
||||
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
|
||||
pass "$check_3_13"
|
||||
logjson "3.13" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_13"
|
||||
warn " * Wrong ownership for $tlskey"
|
||||
logjson "3.13" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $tlskey"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_13"
|
||||
info " * No TLS Key found"
|
||||
logjson "3.13" "INFO"
|
||||
resulttestjson "INFO" "No TLS Key found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.14
|
||||
check_3_14() {
|
||||
check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400"
|
||||
id_3_14="3.14"
|
||||
desc_3_14="Ensure that Docker server certificate key file permissions are set to 400"
|
||||
check_3_14="$id_3_14 - $desc_3_14"
|
||||
starttestjson "$id_3_14" "$desc_3_14"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
|
||||
tlskey=$(get_docker_configuration_file_args 'tlskey')
|
||||
|
@ -363,162 +423,190 @@ check_3_14() {
|
|||
if [ -f "$tlskey" ]; then
|
||||
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
|
||||
pass "$check_3_14"
|
||||
logjson "3.14" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_14"
|
||||
warn " * Wrong permissions for $tlskey"
|
||||
logjson "3.14" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $tlskey"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_14"
|
||||
info " * No TLS Key found"
|
||||
logjson "3.14" "INFO"
|
||||
resulttestjson "INFO" "No TLS Key found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.15
|
||||
check_3_15() {
|
||||
check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker"
|
||||
id_3_15="3.15"
|
||||
desc_3_15="Ensure that Docker socket file ownership is set to root:docker"
|
||||
check_3_15="$id_3_15 - $desc_3_15"
|
||||
starttestjson "$id_3_15" "$desc_3_15"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/var/run/docker.sock"
|
||||
if [ -S "$file" ]; then
|
||||
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
|
||||
pass "$check_3_15"
|
||||
logjson "3.15" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_15"
|
||||
warn " * Wrong ownership for $file"
|
||||
logjson "3.15" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_15"
|
||||
info " * File not found"
|
||||
logjson "3.15" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.16
|
||||
check_3_16() {
|
||||
check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive"
|
||||
id_3_16="3.16"
|
||||
desc_3_16="Ensure that Docker socket file permissions are set to 660 or more restrictive"
|
||||
check_3_16="$id_3_16 - $desc_3_16"
|
||||
starttestjson "$id_3_16" "$desc_3_16"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/var/run/docker.sock"
|
||||
if [ -S "$file" ]; then
|
||||
if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then
|
||||
pass "$check_3_16"
|
||||
logjson "3.16" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_16"
|
||||
warn " * Wrong permissions for $file"
|
||||
logjson "3.16" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_16"
|
||||
info " * File not found"
|
||||
logjson "3.16" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.17
|
||||
check_3_17() {
|
||||
check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root"
|
||||
id_3_17="3.17"
|
||||
desc_3_17="Ensure that daemon.json file ownership is set to root:root"
|
||||
check_3_17="$id_3_17 - $desc_3_17"
|
||||
starttestjson "$id_3_17" "$desc_3_17"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/etc/docker/daemon.json"
|
||||
if [ -f "$file" ]; then
|
||||
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
|
||||
pass "$check_3_17"
|
||||
logjson "3.17" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_17"
|
||||
warn " * Wrong ownership for $file"
|
||||
logjson "3.17" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_17"
|
||||
info " * File not found"
|
||||
logjson "3.17" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.18
|
||||
check_3_18() {
|
||||
check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive"
|
||||
id_3_18="3.18"
|
||||
desc_3_18="Ensure that daemon.json file permissions are set to 644 or more restrictive"
|
||||
check_3_18="$id_3_18 - $desc_3_18"
|
||||
starttestjson "$id_3_18" "$desc_3_18"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/etc/docker/daemon.json"
|
||||
if [ -f "$file" ]; then
|
||||
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then
|
||||
pass "$check_3_18"
|
||||
logjson "3.18" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_18"
|
||||
warn " * Wrong permissions for $file"
|
||||
logjson "3.18" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_18"
|
||||
info " * File not found"
|
||||
logjson "3.18" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.19
|
||||
check_3_19() {
|
||||
check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root"
|
||||
id_3_19="3.19"
|
||||
desc_3_19="Ensure that /etc/default/docker file ownership is set to root:root"
|
||||
check_3_19="$id_3_19 - $desc_3_19"
|
||||
starttestjson "$id_3_19" "$desc_3_19"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/etc/default/docker"
|
||||
if [ -f "$file" ]; then
|
||||
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
|
||||
pass "$check_3_19"
|
||||
logjson "3.19" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_19"
|
||||
warn " * Wrong ownership for $file"
|
||||
logjson "3.19" "WARN"
|
||||
resulttestjson "WARN" "Wrong ownership for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_19"
|
||||
info " * File not found"
|
||||
logjson "3.19" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 3.20
|
||||
check_3_20() {
|
||||
check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
|
||||
id_3_20="3.20"
|
||||
desc_3_20="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
|
||||
check_3_20="$id_3_20 - $desc_3_20"
|
||||
starttestjson "$id_3_20" "$desc_3_20"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
file="/etc/default/docker"
|
||||
if [ -f "$file" ]; then
|
||||
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
|
||||
pass "$check_3_20"
|
||||
logjson "3.20" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_3_20"
|
||||
warn " * Wrong permissions for $file"
|
||||
logjson "3.20" "WARN"
|
||||
resulttestjson "WARN" "Wrong permissions for $file"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
info "$check_3_20"
|
||||
info " * File not found"
|
||||
logjson "3.20" "INFO"
|
||||
resulttestjson "INFO" "File not found"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
check_3_end() {
|
||||
endsectionjson
|
||||
}
|
||||
|
|
|
@ -4,19 +4,27 @@ images=$(docker images -q)
|
|||
|
||||
check_4() {
|
||||
logit "\n"
|
||||
info "4 - Container Images and Build File"
|
||||
id_4="4"
|
||||
desc_4="Container Images and Build File"
|
||||
check_4="$id_4 - $desc_4"
|
||||
info "$check_4"
|
||||
startsectionjson "$id_4" "$desc_4"
|
||||
}
|
||||
|
||||
# 4.1
|
||||
check_4_1() {
|
||||
check_4_1="4.1 - Ensure a user for the container has been created"
|
||||
id_4_1="4.1"
|
||||
desc_4_1="Ensure a user for the container has been created"
|
||||
check_4_1="$id_4_1 - $desc_4_1"
|
||||
starttestjson "$id_4_1" "$desc_4_1"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
|
||||
# If container_users is empty, there are no running containers
|
||||
if [ -z "$containers" ]; then
|
||||
info "$check_4_1"
|
||||
info " * No containers running"
|
||||
logjson "4.1" "INFO"
|
||||
resulttestjson "INFO" "No containers running"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
# We have some containers running, set failure flag to 0. Check for Users.
|
||||
|
@ -24,6 +32,7 @@ check_4_1() {
|
|||
# Make the loop separator be a new-line in POSIX compliant fashion
|
||||
set -f; IFS=$'
|
||||
'
|
||||
root_containers=""
|
||||
for c in $containers; do
|
||||
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
|
||||
|
||||
|
@ -32,20 +41,21 @@ check_4_1() {
|
|||
if [ $fail -eq 0 ]; then
|
||||
warn "$check_4_1"
|
||||
warn " * Running as root: $c"
|
||||
logjson "4.1" "WARN: $c"
|
||||
root_containers="$root_containers $c"
|
||||
fail=1
|
||||
else
|
||||
warn " * Running as root: $c"
|
||||
logjson "4.1" "WARN: $c"
|
||||
root_containers="$root_containers $c"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
# We went through all the containers and found none running as root
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_4_1"
|
||||
logjson "4.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
resulttestjson "WARN" "running as root" "$root_containers"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
fi
|
||||
|
@ -55,152 +65,201 @@ check_4_1() {
|
|||
|
||||
# 4.2
|
||||
check_4_2() {
|
||||
check_4_2="4.2 - Ensure that containers use trusted base images"
|
||||
id_4_2="4.2"
|
||||
desc_4_2="Ensure that containers use trusted base images"
|
||||
check_4_2="$id_4_2 - $desc_4_2"
|
||||
starttestjson "$id_4_2" "$desc_4_2"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
note "$check_4_2"
|
||||
logjson "4.2" "NOTE"
|
||||
resulttestjson "NOTE"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
# 4.3
|
||||
check_4_3() {
|
||||
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
|
||||
id_4_3="4.3"
|
||||
desc_4_3="Ensure unnecessary packages are not installed in the container"
|
||||
check_4_3="$id_4_3 - $desc_4_3"
|
||||
starttestjson "$id_4_3" "$desc_4_3"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
note "$check_4_3"
|
||||
logjson "4.3" "NOTE"
|
||||
resulttestjson "NOTE"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
# 4.4
|
||||
check_4_4() {
|
||||
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
|
||||
id_4_4="4.4"
|
||||
desc_4_4="Ensure images are scanned and rebuilt to include security patches"
|
||||
check_4_4="$id_4_4 - $desc_4_4"
|
||||
starttestjson "$id_4_4" "$desc_4_4"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
note "$check_4_4"
|
||||
logjson "4.4" "NOTE"
|
||||
resulttestjson "NOTE"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
# 4.5
|
||||
check_4_5() {
|
||||
check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
|
||||
id_4_5="4.5"
|
||||
desc_4_5="Ensure Content trust for Docker is Enabled"
|
||||
check_4_5="$id_4_5 - $desc_4_5"
|
||||
starttestjson "$id_4_5" "$desc_4_5"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
|
||||
pass "$check_4_5"
|
||||
logjson "4.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_4_5"
|
||||
logjson "4.5" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 4.6
|
||||
check_4_6() {
|
||||
check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image"
|
||||
id_4_6="4.6"
|
||||
desc_4_6="Ensure HEALTHCHECK instructions have been added to the container image"
|
||||
check_4_6="$id_4_6 - $desc_4_6"
|
||||
starttestjson "$id_4_6" "$desc_4_6"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
fail=0
|
||||
no_health_images=""
|
||||
for img in $images; do
|
||||
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
fail=1
|
||||
warn "$check_4_6"
|
||||
logjson "4.6" "WARN"
|
||||
fi
|
||||
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
||||
if ! [ "$imgName" = '[]' ]; then
|
||||
warn " * No Healthcheck found: $imgName"
|
||||
logjson "4.6" "WARN: $imgName"
|
||||
no_health_images="$no_health_images $imgName"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_4_6"
|
||||
logjson "4.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
resulttestjson "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 4.7
|
||||
check_4_7() {
|
||||
check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile"
|
||||
id_4_7="4.7"
|
||||
desc_4_7="Ensure update instructions are not use alone in the Dockerfile"
|
||||
check_4_7="$id_4_7 - $desc_4_7"
|
||||
starttestjson "$id_4_7" "$desc_4_7"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
fail=0
|
||||
update_images=""
|
||||
for img in $images; do
|
||||
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
fail=1
|
||||
info "$check_4_7"
|
||||
logjson "4.7" "INFO"
|
||||
fi
|
||||
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
||||
if ! [ "$imgName" = '[]' ]; then
|
||||
info " * Update instruction found: $imgName"
|
||||
update_images="$update_images $imgName"
|
||||
fi
|
||||
fi
|
||||
done
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_4_7"
|
||||
logjson "4.7" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
resulttestjson "INFO" "Update instructions found" "$update_images"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
}
|
||||
|
||||
# 4.8
|
||||
check_4_8() {
|
||||
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
|
||||
id_4_8="4.8"
|
||||
desc_4_8="Ensure setuid and setgid permissions are removed in the images"
|
||||
check_4_8="$id_4_8 - $desc_4_8"
|
||||
starttestjson "$id_4_8" "$desc_4_8"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
note "$check_4_8"
|
||||
logjson "4.8" "NOTE"
|
||||
resulttestjson "NOTE"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
# 4.9
|
||||
check_4_9() {
|
||||
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
|
||||
id_4_9="4.9"
|
||||
desc_4_9="Ensure COPY is used instead of ADD in Dockerfile"
|
||||
check_4_9="$id_4_9 - $desc_4_9"
|
||||
starttestjson "$id_4_9" "$desc_4_9"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
fail=0
|
||||
add_images=""
|
||||
for img in $images; do
|
||||
docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1
|
||||
if [ $? -eq 0 ]; then
|
||||
if [ $fail -eq 0 ]; then
|
||||
fail=1
|
||||
info "$check_4_9"
|
||||
logjson "4.9" "INFO"
|
||||
fi
|
||||
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
|
||||
if ! [ "$imgName" = '[]' ]; then
|
||||
info " * ADD in image history: $imgName"
|
||||
logjson "4.9" "INFO: $imgName"
|
||||
add_images="$add_images $imgName"
|
||||
fi
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
done
|
||||
if [ $fail -eq 0 ]; then
|
||||
pass "$check_4_9"
|
||||
logjson "4.9" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
resulttestjson "WARN" "Images using ADD" "$add_images"
|
||||
fi
|
||||
}
|
||||
|
||||
# 4.10
|
||||
check_4_10() {
|
||||
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
|
||||
id_4_10="4.10"
|
||||
desc_4_10="Ensure secrets are not stored in Dockerfiles"
|
||||
check_4_10="$id_4_10 - $desc_4_10"
|
||||
starttestjson "$id_4_10" "$desc_4_10"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
note "$check_4_10"
|
||||
logjson "4.10" "NOTE"
|
||||
resulttestjson "NOTE"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
# 4.11
|
||||
check_4_11() {
|
||||
check_4_11="4.11 - Ensure verified packages are only Installed"
|
||||
id_4_11="4.11"
|
||||
desc_4_11="Ensure verified packages are only Installed"
|
||||
check_4_11="$id_4_11 - $desc_4_11"
|
||||
starttestjson "$id_4_11" "$desc_4_11"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
note "$check_4_11"
|
||||
logjson "4.11" "NOTE"
|
||||
resulttestjson "NOTE"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
check_4_end() {
|
||||
endsectionjson
|
||||
}
|
||||
|
|
File diff suppressed because it is too large
Load diff
|
@ -2,12 +2,20 @@
|
|||
|
||||
check_6() {
|
||||
logit "\n"
|
||||
info "6 - Docker Security Operations"
|
||||
id_6="6"
|
||||
desc_6="Docker Security Operations"
|
||||
check_6="$id_6 - $desc_6"
|
||||
info "$check_6"
|
||||
startsectionjson "$id_6" "$desc_6"
|
||||
}
|
||||
|
||||
# 6.1
|
||||
check_6_1() {
|
||||
check_6_1="6.1 - Avoid image sprawl"
|
||||
id_6_1="6.1"
|
||||
desc_6_1="Avoid image sprawl"
|
||||
check_6_1="$id_6_1 - $desc_6_1"
|
||||
starttestjson "$id_6_1" "$desc_6_1"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
|
||||
active_images=0
|
||||
|
@ -23,26 +31,34 @@ check_6_1() {
|
|||
|
||||
if [ "$active_images" -lt "$((images / 2))" ]; then
|
||||
info " * Only $active_images out of $images are in use"
|
||||
logjson "6.1" "INFO: $active_images"
|
||||
fi
|
||||
resulttestjson "INFO" "$active_images active/$images in use"
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
# 6.2
|
||||
check_6_2() {
|
||||
check_6_2="6.2 - Avoid container sprawl"
|
||||
id_6_2="6.2"
|
||||
desc_6_2="Avoid container sprawl"
|
||||
check_6_2="$id_6_2 - $desc_6_2"
|
||||
starttestjson "$id_6_2" "$desc_6_2"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
total_containers=$(docker info 2>/dev/null | grep "^Containers" | awk '{print $2}')
|
||||
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
|
||||
running_containers=$(docker ps -q | wc -l | awk '{print $1}')
|
||||
diff="$((total_containers - running_containers))"
|
||||
if [ "$diff" -gt 25 ]; then
|
||||
info "$check_6_2"
|
||||
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
|
||||
logjson "6.2" "INFO: $running_containers"
|
||||
resulttestjson "INFO" "$total_containers total/$running_containers running"
|
||||
else
|
||||
info "$check_6_2"
|
||||
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
|
||||
logjson "6.2" "INFO: $running_containers"
|
||||
resulttestjson "INFO" "$total_containers total/$running_containers running"
|
||||
fi
|
||||
currentScore=$((currentScore + 0))
|
||||
}
|
||||
|
||||
check_6_end() {
|
||||
endsectionjson
|
||||
}
|
||||
|
|
|
@ -2,71 +2,91 @@
|
|||
|
||||
check_7() {
|
||||
logit "\n"
|
||||
info "7 - Docker Swarm Configuration"
|
||||
id_7="7"
|
||||
desc_7="Docker Swarm Configuration"
|
||||
check_7="$id_7 - $desc_7"
|
||||
info "$check_7"
|
||||
startsectionjson "$id_7" "$desc_7"
|
||||
}
|
||||
|
||||
# 7.1
|
||||
check_7_1() {
|
||||
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
|
||||
id_7_1="7.1"
|
||||
desc_7_1="Ensure swarm mode is not Enabled, if not needed"
|
||||
check_7_1="$id_7_1 - $desc_7_1"
|
||||
starttestjson "$id_7_1" "$desc_7_1"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
|
||||
pass "$check_7_1"
|
||||
logjson "7.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_7_1"
|
||||
logjson "7.1" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.2
|
||||
check_7_2() {
|
||||
check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm"
|
||||
id_7_2="7.2"
|
||||
desc_7_2="Ensure the minimum number of manager nodes have been created in a swarm"
|
||||
check_7_2="$id_7_2 - $desc_7_2"
|
||||
starttestjson "$id_7_2" "$desc_7_2"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||
managernodes=$(docker node ls | grep -c "Leader")
|
||||
if [ "$managernodes" -le 1 ]; then
|
||||
pass "$check_7_2"
|
||||
logjson "7.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_7_2"
|
||||
logjson "7.2" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_2 (Swarm mode not enabled)"
|
||||
logjson "7.2" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.3
|
||||
check_7_3() {
|
||||
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
|
||||
id_7_3="7.3"
|
||||
desc_7_3="Ensure swarm services are binded to a specific host interface"
|
||||
check_7_3="$id_7_3 - $desc_7_3"
|
||||
starttestjson "$id_7_3" "$desc_7_3"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||
ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
|
||||
if [ $? -eq 1 ]; then
|
||||
pass "$check_7_3"
|
||||
logjson "7.3" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
warn "$check_7_3"
|
||||
logjson "7.3" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_3 (Swarm mode not enabled)"
|
||||
logjson "7.3" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.4
|
||||
check_7_4(){
|
||||
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
|
||||
id_7_4="7.4"
|
||||
desc_7_4="Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
|
||||
check_7_4="$id_7_4 - $desc_7_4"
|
||||
starttestjson "$id_7_4" "$desc_7_4"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker network ls --filter driver=overlay --quiet | \
|
||||
xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \
|
||||
|
@ -77,120 +97,148 @@ check_7_4(){
|
|||
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
|
||||
grep -v 'encrypted:' 2>/dev/null 1>&2; then
|
||||
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
|
||||
logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
|
||||
resulttestjson "WARN" "Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
|
||||
fi
|
||||
done
|
||||
else
|
||||
pass "$check_7_4"
|
||||
logjson "7.4" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.5
|
||||
check_7_5() {
|
||||
check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
|
||||
id_7_5="7.5"
|
||||
desc_7_5="Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
|
||||
check_7_5="$id_7_5 - $desc_7_5"
|
||||
starttestjson "$id_7_5" "$desc_7_5"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
|
||||
pass "$check_7_5"
|
||||
logjson "7.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
info "$check_7_5"
|
||||
logjson "7.5" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_5 (Swarm mode not enabled)"
|
||||
logjson "7.5" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.6
|
||||
check_7_6() {
|
||||
check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
|
||||
id_7_6="7.6"
|
||||
desc_7_6="Ensure swarm manager is run in auto-lock mode"
|
||||
check_7_6="$id_7_6 - $desc_7_6"
|
||||
starttestjson "$id_7_6" "$desc_7_6"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
|
||||
warn "$check_7_6"
|
||||
logjson "7.6" "WARN"
|
||||
resulttestjson "WARN"
|
||||
currentScore=$((currentScore - 1))
|
||||
else
|
||||
pass "$check_7_6"
|
||||
logjson "7.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_6 (Swarm mode not enabled)"
|
||||
logjson "7.6" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.7
|
||||
check_7_7() {
|
||||
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
|
||||
id_7_7="7.7"
|
||||
desc_7_7="Ensure swarm manager auto-lock key is rotated periodically"
|
||||
check_7_7="$id_7_7 - $desc_7_7"
|
||||
starttestjson "$id_7_7" "$desc_7_7"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
note "$check_7_7"
|
||||
logjson "7.7" "NOTE"
|
||||
resulttestjson "NOTE"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
pass "$check_7_7 (Swarm mode not enabled)"
|
||||
logjson "7.7" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.8
|
||||
check_7_8() {
|
||||
check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
|
||||
id_7_8="7.8"
|
||||
desc_7_8="Ensure node certificates are rotated as appropriate"
|
||||
check_7_8="$id_7_8 - $desc_7_8"
|
||||
starttestjson "$id_7_8" "$desc_7_8"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
|
||||
pass "$check_7_8"
|
||||
logjson "7.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
else
|
||||
info "$check_7_8"
|
||||
logjson "7.8" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
fi
|
||||
else
|
||||
pass "$check_7_8 (Swarm mode not enabled)"
|
||||
logjson "7.8" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.9
|
||||
check_7_9() {
|
||||
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
|
||||
id_7_9="7.9"
|
||||
desc_7_9="Ensure CA certificates are rotated as appropriate"
|
||||
check_7_9="$id_7_9 - $desc_7_9"
|
||||
starttestjson "$id_7_9" "$desc_7_9"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
info "$check_7_9"
|
||||
logjson "7.9" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
pass "$check_7_9 (Swarm mode not enabled)"
|
||||
logjson "7.9" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
# 7.10
|
||||
check_7_10() {
|
||||
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
|
||||
id_7_10="7.10"
|
||||
desc_7_10="Ensure management plane traffic has been separated from data plane traffic"
|
||||
check_7_10="$id_7_10 - $desc_7_10"
|
||||
starttestjson "$id_7_10" "$desc_7_10"
|
||||
|
||||
totalChecks=$((totalChecks + 1))
|
||||
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
|
||||
info "$check_7_10"
|
||||
logjson "7.10" "INFO"
|
||||
resulttestjson "INFO"
|
||||
currentScore=$((currentScore + 0))
|
||||
else
|
||||
pass "$check_7_10 (Swarm mode not enabled)"
|
||||
logjson "7.10" "PASS"
|
||||
resulttestjson "PASS"
|
||||
currentScore=$((currentScore + 1))
|
||||
fi
|
||||
}
|
||||
|
||||
check_7_end() {
|
||||
endsectionjson
|
||||
}
|
||||
|
|
|
@ -1,7 +1,11 @@
|
|||
#!/bin/sh
|
||||
check_c() {
|
||||
logit "\n"
|
||||
info "99 - Community contributed checks"
|
||||
id_99="99"
|
||||
desc_99="Community contributed checks"
|
||||
check_99="$id_99 - $desc_99"
|
||||
info "$check_99"
|
||||
startsectionjson "$id_99" "$desc_99"
|
||||
}
|
||||
|
||||
# check_c_1
|
||||
|
@ -10,9 +14,13 @@ check_c_1() {
|
|||
totalChecks=$((totalChecks + 1))
|
||||
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
|
||||
pass "$check_c_1"
|
||||
logjson "c.1" "PASS"
|
||||
resulttestjson "PASS"
|
||||
else
|
||||
warn "$check_c_1"
|
||||
logjson "c.1" "WARN"
|
||||
resulttestjson "WARN"
|
||||
fi
|
||||
}
|
||||
|
||||
check_c_end() {
|
||||
endsectionjson
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue