GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-31 06:22:32 +01:00
Code Issues Projects Releases Packages Wiki Activity

Make it output correct json without duplicate keys in object

Browse source 
Signed-off-by: Roman Galeev <roman_galeev@mckinsey.com>
This commit is contained in:
Roman Galeev 2018-06-20 10:22:15 +02:00
parent dcb80b9713
commit 9ef520559c
4 changed files with 130 additions and 66 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
tests/1_host_configuration.sh
View file

@ -65,9 +65,11 @@ check_1_4() {
info "$check_1_4" info "$check_1_4"
for u in $docker_users; do for u in $docker_users; do
info " * $u" info " * $u"
logjson "1.4" "INFO: $u"
done done
currentScore=$((currentScore + 0)) if [ ! -z "$docker_users" ]; then
logjson "1.4" "INFO: $docker_users"
fi
currentScore=$((currentScore - 0))
} }
# 1.5 # 1.5

21
tests/4_container_images.sh
View file

@ -21,6 +21,7 @@ check_4_1() {
else else
# We have some containers running, set failure flag to 0. Check for Users. # We have some containers running, set failure flag to 0. Check for Users.
fail=0 fail=0
failData=""
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
@ -32,11 +33,11 @@ check_4_1() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_4_1" warn "$check_4_1"
warn " * Running as root: $c" warn " * Running as root: $c"
logjson "4.1" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Running as root: $c" warn " * Running as root: $c"
logjson "4.1" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -46,6 +47,7 @@ check_4_1() {
logjson "4.1" "PASS" logjson "4.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "4.1" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
fi fi
@ -100,17 +102,17 @@ check_4_6() {
check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image" check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for img in $images; do for img in $images; do
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
warn "$check_4_6" warn "$check_4_6"
logjson "4.6" "WARN"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
warn " * No Healthcheck found: $imgName" warn " * No Healthcheck found: $imgName"
logjson "4.6" "WARN: $imgName" failData="$failData $imgName"
fi fi
fi fi
done done
@ -119,6 +121,7 @@ check_4_6() {
logjson "4.6" "PASS" logjson "4.6" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "4.6" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -128,16 +131,17 @@ check_4_7() {
check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile" check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for img in $images; do for img in $images; do
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
info "$check_4_7" info "$check_4_7"
logjson "4.7" "INFO"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
info " * Update instruction found: $imgName" info " * Update instruction found: $imgName"
failData="$failData $imgName"
fi fi
fi fi
done done
@ -146,6 +150,7 @@ check_4_7() {
logjson "4.7" "PASS" logjson "4.7" "PASS"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
else else
logjson "4.7" "INFO:$failData"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
@ -164,18 +169,18 @@ check_4_9() {
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for img in $images; do for img in $images; do
docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1 docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
info "$check_4_9" info "$check_4_9"
logjson "4.9" "INFO"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
info " * ADD in image history: $imgName" info " * ADD in image history: $imgName"
logjson "4.9" "INFO: $imgName" failData="$failData $imgName"
fi fi
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
@ -184,6 +189,8 @@ check_4_9() {
pass "$check_4_9" pass "$check_4_9"
logjson "4.9" "PASS" logjson "4.9" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else
logjson "4.9" "INFO:$failData"
fi fi
} }

163
tests/5_container_runtime.sh
View file

@ -28,6 +28,7 @@ check_5_1() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c") policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c")
@ -36,11 +37,11 @@ check_5_1() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_1" warn "$check_5_1"
warn " * No AppArmorProfile Found: $c" warn " * No AppArmorProfile Found: $c"
logjson "5.1" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * No AppArmorProfile Found: $c" warn " * No AppArmorProfile Found: $c"
logjson "5.1" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -50,6 +51,7 @@ check_5_1() {
logjson "5.1" "PASS" logjson "5.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.1" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -64,6 +66,7 @@ check_5_2() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "$c") policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "$c")
@ -72,11 +75,11 @@ check_5_2() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_2" warn "$check_5_2"
warn " * No SecurityOptions Found: $c" warn " * No SecurityOptions Found: $c"
logjson "5.2" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * No SecurityOptions Found: $c" warn " * No SecurityOptions Found: $c"
logjson "5.2" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -86,6 +89,7 @@ check_5_2() {
logjson "5.2" "PASS" logjson "5.2" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.2" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -100,6 +104,7 @@ check_5_3() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c") container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c")
caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \ caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \
@ -111,11 +116,11 @@ check_5_3() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_3" warn "$check_5_3"
warn " * Capabilities added: $caps to $c" warn " * Capabilities added: $caps to $c"
logjson "5.3" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Capabilities added: $caps to $c" warn " * Capabilities added: $caps to $c"
logjson "5.3" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -125,6 +130,7 @@ check_5_3() {
logjson "5.3" "PASS" logjson "5.3" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.3" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -139,6 +145,7 @@ check_5_4() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
privileged=$(docker inspect --format '{{ .HostConfig.Privileged }}' "$c") privileged=$(docker inspect --format '{{ .HostConfig.Privileged }}' "$c")
@ -147,11 +154,11 @@ check_5_4() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_4" warn "$check_5_4"
warn " * Container running in Privileged mode: $c" warn " * Container running in Privileged mode: $c"
logjson "5.4" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Container running in Privileged mode: $c" warn " * Container running in Privileged mode: $c"
logjson "5.4" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -161,6 +168,7 @@ check_5_4() {
logjson "5.4" "PASS" logjson "5.4" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.4" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -185,6 +193,7 @@ check_5_5() {
/sys /sys
/usr' /usr'
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c") volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
@ -202,11 +211,11 @@ check_5_5() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_5" warn "$check_5_5"
warn " * Sensitive directory $v mounted in: $c" warn " * Sensitive directory $v mounted in: $c"
logjson "5.5" "WARN: $v in $c" failData="$failData $c:$v"
fail=1 fail=1
else else
warn " * Sensitive directory $v mounted in: $c" warn " * Sensitive directory $v mounted in: $c"
logjson "5.5" "WARN: $v in $c" failData="$failData $c:$v"
fi fi
fi fi
done done
@ -217,6 +226,7 @@ check_5_5() {
logjson "5.5" "PASS" logjson "5.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.5" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -231,6 +241,7 @@ check_5_6() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
printcheck=0 printcheck=0
for c in $containers; do for c in $containers; do
@ -240,12 +251,12 @@ check_5_6() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_6" warn "$check_5_6"
warn " * Container running sshd: $c" warn " * Container running sshd: $c"
logjson "5.6" "WARN: $c"
fail=1 fail=1
printcheck=1 printcheck=1
failData="$failData $c"
else else
warn " * Container running sshd: $c" warn " * Container running sshd: $c"
logjson "5.6" "WARN: $c" failData="$failData $c"
fi fi
fi fi
@ -253,11 +264,10 @@ check_5_6() {
if [ $? -eq 255 ]; then if [ $? -eq 255 ]; then
if [ $printcheck -eq 0 ]; then if [ $printcheck -eq 0 ]; then
warn "$check_5_6" warn "$check_5_6"
logjson "5.6" "WARN"
printcheck=1 printcheck=1
fi fi
warn " * Docker exec fails: $c" warn " * Docker exec fails: $c"
logjson "5.6" "WARN: $c" failData="$failData $c"
fail=1 fail=1
fi fi
@ -267,6 +277,7 @@ check_5_6() {
pass "$check_5_6" pass "$check_5_6"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.6" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -281,6 +292,7 @@ check_5_7() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
# Port format is private port -> ip: public port # Port format is private port -> ip: public port
ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2) ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2)
@ -292,11 +304,11 @@ check_5_7() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_7" warn "$check_5_7"
warn " * Privileged Port in use: $port in $c" warn " * Privileged Port in use: $port in $c"
logjson "5.7" "WARN: $port in $c" failData="$failData $c:$port"
fail=1 fail=1
else else
warn " * Privileged Port in use: $port in $c" warn " * Privileged Port in use: $port in $c"
logjson "5.7" "WARN: $port in $c" failData="$failData $c:$port"
fi fi
fi fi
done done
@ -307,6 +319,7 @@ check_5_7() {
logjson "5.7" "PASS" logjson "5.7" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.7" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -334,6 +347,7 @@ check_5_9() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
mode=$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' "$c") mode=$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' "$c")
@ -342,11 +356,11 @@ check_5_9() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_9" warn "$check_5_9"
warn " * Container running with networking mode 'host': $c" warn " * Container running with networking mode 'host': $c"
logjson "5.9" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
failData="$failData $c"
warn " * Container running with networking mode 'host': $c" warn " * Container running with networking mode 'host': $c"
logjson "5.9" "WARN: $c"
fi fi
fi fi
done done
@ -356,6 +370,7 @@ check_5_9() {
logjson "5.9" "PASS" logjson "5.9" "PASS"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
else else
logjson "5.9" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -370,6 +385,7 @@ check_5_10() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then
memory=$(docker inspect --format '{{ .Config.Memory }}' "$c") memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")
@ -382,11 +398,11 @@ check_5_10() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_10" warn "$check_5_10"
warn " * Container running without memory restrictions: $c" warn " * Container running without memory restrictions: $c"
logjson "5.10" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Container running without memory restrictions: $c" warn " * Container running without memory restrictions: $c"
logjson "5.10" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -396,6 +412,7 @@ check_5_10() {
logjson "5.10" "PASS" logjson "5.10" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.10" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -410,6 +427,7 @@ check_5_11() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then
shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c") shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
@ -422,11 +440,11 @@ check_5_11() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_11" warn "$check_5_11"
warn " * Container running without CPU restrictions: $c" warn " * Container running without CPU restrictions: $c"
logjson "5.11" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Container running without CPU restrictions: $c" warn " * Container running without CPU restrictions: $c"
logjson "5.11" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -436,6 +454,7 @@ check_5_11() {
logjson "5.11" "PASS" logjson "5.11" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.11" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -450,6 +469,7 @@ check_5_12() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
read_status=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$c") read_status=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$c")
@ -458,11 +478,11 @@ check_5_12() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_12" warn "$check_5_12"
warn " * Container running with root FS mounted R/W: $c" warn " * Container running with root FS mounted R/W: $c"
logjson "5.12" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Container running with root FS mounted R/W: $c" warn " * Container running with root FS mounted R/W: $c"
logjson "5.12" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -472,6 +492,7 @@ check_5_12() {
logjson "5.12" "PASS" logjson "5.12" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.12" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -486,6 +507,7 @@ check_5_13() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do
if [ "$ip" = "0.0.0.0" ]; then if [ "$ip" = "0.0.0.0" ]; then
@ -493,11 +515,11 @@ check_5_13() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_13" warn "$check_5_13"
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
logjson "5.13" "WARN: $ip in $c" failData="$failData $c:$ip"
fail=1 fail=1
else else
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
logjson "5.13" "WARN: $ip in $c" failData="$failData $c:$ip"
fi fi
fi fi
done done
@ -508,6 +530,7 @@ check_5_13() {
logjson "5.13" "PASS" logjson "5.13" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.13" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -522,6 +545,7 @@ check_5_14() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
policy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c") policy=$(docker inspect --format MaximumRetryCount='{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
@ -530,11 +554,11 @@ check_5_14() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_14" warn "$check_5_14"
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5: $c"
logjson "5.14" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5: $c"
logjson "5.14" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -544,6 +568,7 @@ check_5_14() {
logjson "5.14" "PASS" logjson "5.14" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.14" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -558,6 +583,7 @@ check_5_15() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
mode=$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' "$c") mode=$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' "$c")
@ -566,11 +592,11 @@ check_5_15() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_15" warn "$check_5_15"
warn " * Host PID namespace being shared with: $c" warn " * Host PID namespace being shared with: $c"
logjson "5.15" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Host PID namespace being shared with: $c" warn " * Host PID namespace being shared with: $c"
logjson "5.15" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -580,6 +606,7 @@ check_5_15() {
logjson "5.15" "PASS" logjson "5.15" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.15" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -594,6 +621,7 @@ check_5_16() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
mode=$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' "$c") mode=$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' "$c")
@ -602,11 +630,11 @@ check_5_16() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_16" warn "$check_5_16"
warn " * Host IPC namespace being shared with: $c" warn " * Host IPC namespace being shared with: $c"
logjson "5.16" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Host IPC namespace being shared with: $c" warn " * Host IPC namespace being shared with: $c"
logjson "5.16" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -616,6 +644,7 @@ check_5_16() {
logjson "5.16" "PASS" logjson "5.16" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.16" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -630,6 +659,7 @@ check_5_17() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "$c") devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "$c")
@ -638,11 +668,11 @@ check_5_17() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_17" info "$check_5_17"
info " * Container has devices exposed directly: $c" info " * Container has devices exposed directly: $c"
logjson "5.17" "INFO: $c" failData="$failData $c"
fail=1 fail=1
else else
info " * Container has devices exposed directly: $c" info " * Container has devices exposed directly: $c"
logjson "5.17" "INFO: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -652,6 +682,7 @@ check_5_17() {
logjson "5.17" "PASS" logjson "5.17" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.17" "INFO:$failData"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
@ -666,6 +697,7 @@ check_5_18() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c") ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
@ -674,11 +706,11 @@ check_5_18() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_18" info "$check_5_18"
info " * Container no default ulimit override: $c" info " * Container no default ulimit override: $c"
logjson "5.18" "INFO: $c" failData="$failData $c"
fail=1 fail=1
else else
info " * Container no default ulimit override: $c" info " * Container no default ulimit override: $c"
logjson "5.18" "INFO: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -688,6 +720,7 @@ check_5_18() {
logjson "5.18" "PASS" logjson "5.18" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.18" "INFO:$failData"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
} }
@ -702,6 +735,7 @@ check_5_19() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
if docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c" | \ if docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c" | \
grep shared 2>/dev/null 1>&2; then grep shared 2>/dev/null 1>&2; then
@ -709,11 +743,11 @@ check_5_19() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_19" warn "$check_5_19"
warn " * Mount propagation mode is shared: $c" warn " * Mount propagation mode is shared: $c"
logjson "5.19" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Mount propagation mode is shared: $c" warn " * Mount propagation mode is shared: $c"
logjson "5.19" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -723,6 +757,7 @@ check_5_19() {
logjson "5.19" "PASS" logjson "5.19" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.19" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -737,6 +772,7 @@ check_5_20() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
mode=$(docker inspect --format 'UTSMode={{.HostConfig.UTSMode }}' "$c") mode=$(docker inspect --format 'UTSMode={{.HostConfig.UTSMode }}' "$c")
@ -745,11 +781,11 @@ check_5_20() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_20" warn "$check_5_20"
warn " * Host UTS namespace being shared with: $c" warn " * Host UTS namespace being shared with: $c"
logjson "5.20" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Host UTS namespace being shared with: $c" warn " * Host UTS namespace being shared with: $c"
logjson "5.20" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -759,6 +795,7 @@ check_5_20() {
logjson "5.20" "PASS" logjson "5.20" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.20" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -773,6 +810,7 @@ check_5_21() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | \ if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | \
grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then
@ -780,11 +818,11 @@ check_5_21() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_21" warn "$check_5_21"
warn " * Default seccomp profile disabled: $c" warn " * Default seccomp profile disabled: $c"
logjson "5.21" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Default seccomp profile disabled: $c" warn " * Default seccomp profile disabled: $c"
logjson "5.21" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -794,6 +832,7 @@ check_5_21() {
logjson "5.21" "PASS" logjson "5.21" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.21" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -834,6 +873,7 @@ check_5_24() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
mode=$(docker inspect --format 'CgroupParent={{.HostConfig.CgroupParent }}x' "$c") mode=$(docker inspect --format 'CgroupParent={{.HostConfig.CgroupParent }}x' "$c")
@ -842,11 +882,11 @@ check_5_24() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_24" warn "$check_5_24"
warn " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
logjson "5.24" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
logjson "5.24" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -856,6 +896,7 @@ check_5_24() {
logjson "5.24" "PASS" logjson "5.24" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.24" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -869,17 +910,18 @@ check_5_25() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_25" warn "$check_5_25"
warn " * Privileges not restricted: $c" warn " * Privileges not restricted: $c"
logjson "5.25" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Privileges not restricted: $c" warn " * Privileges not restricted: $c"
logjson "5.25" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -889,6 +931,7 @@ check_5_25() {
logjson "5.25" "PASS" logjson "5.25" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.25" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -903,16 +946,17 @@ check_5_26() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
if ! docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then if ! docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_26" warn "$check_5_26"
warn " * Health check not set: $c" warn " * Health check not set: $c"
logjson "5.26" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Health check not set: $c" warn " * Health check not set: $c"
logjson "5.26" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -921,6 +965,7 @@ check_5_26() {
logjson "5.26" "PASS" logjson "5.26" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.26" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -948,6 +993,7 @@ check_5_28() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c") pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")
@ -956,11 +1002,11 @@ check_5_28() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_28" warn "$check_5_28"
warn " * PIDs limit not set: $c" warn " * PIDs limit not set: $c"
logjson "5.28" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * PIDs limit not set: $c" warn " * PIDs limit not set: $c"
logjson "5.28" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -970,6 +1016,7 @@ check_5_28() {
logjson "5.28" "PASS" logjson "5.28" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.28" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -984,6 +1031,7 @@ check_5_29() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
networks=$(docker network ls -q 2>/dev/null) networks=$(docker network ls -q 2>/dev/null)
for net in $networks; do for net in $networks; do
if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then
@ -993,7 +1041,6 @@ check_5_29() {
if [ -n "$docker0Containers" ]; then if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_29" info "$check_5_29"
logjson "5.29" "INFO"
fail=1 fail=1
fi fi
for c in $docker0Containers; do for c in $docker0Containers; do
@ -1005,7 +1052,7 @@ check_5_29() {
fi fi
if ! [ -z "$cName" ]; then if ! [ -z "$cName" ]; then
info " * Container in docker0 network: $cName" info " * Container in docker0 network: $cName"
logjson "5.29" "INFO: $c" failData="$failData $c:$cName"
fi fi
done done
fi fi
@ -1018,6 +1065,7 @@ check_5_29() {
logjson "5.29" "PASS" logjson "5.29" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.29" "INFO:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -1032,17 +1080,18 @@ check_5_30() {
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
failData=""
for c in $containers; do for c in $containers; do
if docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then if docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_30" warn "$check_5_30"
warn " * Namespace shared: $c" warn " * Namespace shared: $c"
logjson "5.30" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Namespace shared: $c" warn " * Namespace shared: $c"
logjson "5.30" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -1052,6 +1101,7 @@ check_5_30() {
logjson "5.30" "PASS" logjson "5.30" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.30" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }
@ -1072,11 +1122,11 @@ check_5_31() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_31" warn "$check_5_31"
warn " * Docker socket shared: $c" warn " * Docker socket shared: $c"
logjson "5.31" "WARN: $c" failData="$failData $c"
fail=1 fail=1
else else
warn " * Docker socket shared: $c" warn " * Docker socket shared: $c"
logjson "5.31" "WARN: $c" failData="$failData $c"
fi fi
fi fi
done done
@ -1086,6 +1136,7 @@ check_5_31() {
logjson "5.31" "PASS" logjson "5.31" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
logjson "5.31" "WARN:$failData"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
} }

6
tests/7_docker_swarm_configuration.sh
View file

@ -68,6 +68,7 @@ check_7_3() {
check_7_4(){ check_7_4(){
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network" check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
failData=""
if docker network ls --filter driver=overlay --quiet | \ if docker network ls --filter driver=overlay --quiet | \
xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \ xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then grep -v 'encrypted:' 2>/dev/null 1>&2; then
@ -77,9 +78,12 @@ check_7_4(){
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \ if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then grep -v 'encrypted:' 2>/dev/null 1>&2; then
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" failData="$failData $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
fi fi
done done
if [ ! -z "$failData" ]; then
logjson "7.4" "WARN:$failData"
fi
else else
pass "$check_7_4" pass "$check_7_4"
logjson "7.4" "PASS" logjson "7.4" "PASS"