shellcheck cleaning

Signed-off-by: Alexei Ledenev <alexei.ledenev@hp.com>
Alexei Ledenev 2016-05-17 16:02:25 +03:00
parent dd9b62f5d0
commit a913b25ed3
6 changed files with 33 additions and 35 deletions


@ -48,9 +48,9 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
declare -a trusted_users=("vagrant" "docker" "ubuntu") declare -a trusted_users=("vagrant" "docker" "ubuntu")
users_string=$(awk -F':' '/^docker/{print $4}' /etc/group) users_string=$(awk -F':' '/^docker/{print $4}' /etc/group)
docker_users=(${users_string//,/ }) docker_users=(${users_string//,/ })
for u in ${docker_users[@]}; do for u in "${docker_users[@]}"; do
local found=1 local found=1
for tu in ${trusted_users[@]}; do for tu in "${trusted_users[@]}"; do
if [ "$u" = "$tu" ]; then if [ "$u" = "$tu" ]; then
found=0 found=0
fi fi
@ -75,7 +75,7 @@ test_audit_directory() {
assert [ -d "$directory" ] assert [ -d "$directory" ]
run command -v auditctl >/dev/null run command -v auditctl >/dev/null
assert_success assert_success
run auditctl -l | grep $directory run auditctl -l | grep "$directory"
assert_success assert_success
} }
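Review bot: `run auditctl -l | grep "$directory"` in test_audit_directory still does not test what the `assert_success` on the next line checks: bats' `run` wraps only the first pipeline stage, that stage runs in a subshell, and `run` captures auditctl's stdout into `$output`, so grep reads nothing and the `$status` seen by `assert_success` is the one left by the earlier `run command -v auditctl`. The assertion therefore passes whenever auditctl is installed, whatever the audit rules say. Make grep the command under test, e.g. `run grep -F -- "$directory" <<<"$(auditctl -l)"`, which also stops the path from being read as a regex; the same pattern presumably exists in the sibling audit helpers outside this hunk. In the first hunk, `docker_users=(${users_string//,/ })` still relies on unquoted word-splitting (ShellCheck SC2206); `IFS=, read -r -a docker_users <<<"$users_string"` avoids it.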


@ -8,7 +8,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.1 - Verify that docker.service file ownership is set to root:root" { @test "3.1 - Verify that docker.service file ownership is set to root:root" {
file="$(get_systemd_service_file docker.service)" file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -ne 00 ]; then if [ "$(stat -c %u%g "$file")" -ne 00 ]; then
fail "Wrong ownership for $file" fail "Wrong ownership for $file"
fi fi
fi fi
@ -18,7 +18,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.2 - Verify that docker.service file permissions are set to 644" { @test "3.2 - Verify that docker.service file permissions are set to 644" {
file="$(get_systemd_service_file docker.service)" file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -ne 644 ]; then if [ "$(stat -c %a "$file")" -ne 644 ]; then
fail "Wrong permissions for $file" fail "Wrong permissions for $file"
fi fi
fi fi
@ -28,7 +28,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.3 - Verify that docker.socket file ownership is set to root:root" { @test "3.3 - Verify that docker.socket file ownership is set to root:root" {
file="$(get_systemd_service_file docker.socket)" file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -ne 00 ]; then if [ "$(stat -c %u%g "$file")" -ne 00 ]; then
fail "Wrong ownership for $file" fail "Wrong ownership for $file"
fi fi
fi fi
@ -38,7 +38,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.4 - Verify that docker.socket file permissions are set to 644" { @test "3.4 - Verify that docker.socket file permissions are set to 644" {
file="$(get_systemd_service_file docker.socket)" file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -ne 644 ]; then if [ "$(stat -c %a "$file")" -ne 644 ]; then
fail "Wrong permissions for $file" fail "Wrong permissions for $file"
fi fi
fi fi
@ -58,7 +58,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
@test "3.6 - Verify that /etc/docker directory permissions are set to 755 or 700" { @test "3.6 - Verify that /etc/docker directory permissions are set to 755 or 700" {
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -ne 755 -a "$(stat -c %a $directory)" -ne 700 ]; then if [ "$(stat -c %a $directory)" -ne 755 ] && [ "$(stat -c %a $directory)" -ne 700 ]; then
fail "Wrong permissions for $directory : $(stat -c %a $directory)" fail "Wrong permissions for $directory : $(stat -c %a $directory)"
fi fi
fi fi
@ -89,7 +89,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
fail=0 fail=0
perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}') perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')
for p in $perms; do for p in $perms; do
if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then if [ "$p" != "-r--r--r--." ] && [ "$p" = "-r--------." ]; then
fail=1 fail=1
fi fi
done done
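Review bot: The rewritten condition `[ "$p" != "-r--r--r--." ] && [ "$p" = "-r--------." ]` faithfully preserves the old `-a` logic, but that logic looks inverted: `fail=1` is set only when a certificate's mode string is exactly `-r--------.` (the stricter of the two), and any other mode passes untouched; if the intent is to accept only those two modes, the second test should read `[ "$p" != "-r--------." ]` as well — hedged, since the test's title is outside the hunk. The trailing `.` is the alternate-access indicator that `ls -l` prints on SELinux-labelled files, so on hosts without it neither pattern matches. `perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')` and `for p in $perms` keep parsing ls output with `$directory` unquoted; `stat -c %A -- "$directory"/*.crt` yields the mode strings (without the indicator) and needs no parse. In the 3.6 hunk above, `$directory` is likewise still unquoted in all three `stat -c %a $directory` calls, which the commit quotes everywhere else in this file; computing `perms=$(stat -c %a "$directory")` once also avoids the repeated stat.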


@ -7,10 +7,10 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 4.1 # 4.1
@test "4.1 - Create a user for the container: {{c}}" { @test "4.1 - Create a user for the container: {{c}}" {
local user=$(docker inspect --format 'User={{.Config.User}}' "{{c}}") user=$(docker inspect --format 'User={{.Config.User}}' "{{c}}")
if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then if [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
# get PID 1 and check if it's running as root (uid=0) # get PID 1 and check if it's running as root (uid=0)
local uid=$(docker exec {{c}} awk '/^Uid:/{print $2}' /proc/1/status) uid=$(docker exec {{c}} awk '/^Uid:/{print $2}' /proc/1/status)
if [ $uid -eq 0 ]; then if [ $uid -eq 0 ]; then
fail "Running as root: {{c}}" fail "Running as root: {{c}}"
fi fi
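Review bot: `if [ $uid -eq 0 ]; then` is left unquoted while the rest of the commit quotes expansions; if `docker exec` fails and `uid` is empty, `[` aborts with an "integer expression expected" error instead of a failure message, so write `if [ "$uid" -eq 0 ]; then` (or `[ "${uid:-}" = 0 ]` for a string compare that tolerates an empty value). On the same line `docker exec {{c}}` leaves the container placeholder unquoted, unlike the `"{{c}}"` on the inspect call a few lines above. Dropping `local` from `user` and `uid` to satisfy ShellCheck SC2155 turns them into globals shared across tests; `local user; user=$(…)` keeps the scope and still passes the check. The @test body continues outside the hunk.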


@ -7,7 +7,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.1 # 5.1
@test "5.1 - Verify AppArmor Profile, if applicable: {{c}}" { @test "5.1 - Verify AppArmor Profile, if applicable: {{c}}" {
policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "{{c}}") policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "{{c}}")
if [ "$policy" = "AppArmorProfile=" -o "$policy" = "AppArmorProfile=[]" -o "$policy" = "AppArmorProfile=<no value>" ]; then if [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=[]" ] || [ "$policy" = "AppArmorProfile=<no value>" ]; then
fail "No AppArmorProfile Found: {{c}}" fail "No AppArmorProfile Found: {{c}}"
fi fi
} }
@ -15,7 +15,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.2 # 5.2
@test "5.2 - Verify SELinux security options, if applicable: {{c}}" { @test "5.2 - Verify SELinux security options, if applicable: {{c}}" {
policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "{{c}}") policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "{{c}}")
if [ "$policy" = "SecurityOpt=" -o "$policy" = "SecurityOpt=[]" -o "$policy" = "SecurityOpt=<no value>" ]; then if [ "$policy" = "SecurityOpt=" ] || [ "$policy" = "SecurityOpt=[]" ] || [ "$policy" = "SecurityOpt=<no value>" ]; then
fail "No SecurityOptions Found: {{c}}" fail "No SecurityOptions Found: {{c}}"
fi fi
} }
@ -23,7 +23,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.3 # 5.3
@test "5.3 - Restrict Linux Kernel Capabilities within containers: {{c}}" { @test "5.3 - Restrict Linux Kernel Capabilities within containers: {{c}}" {
caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "{{c}}") caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "{{c}}")
if [ "$caps" != 'CapAdd=' -a "$caps" != 'CapAdd=[]' -a "$caps" != 'CapAdd=<no value>' -a "$caps" != 'CapAdd=<nil>' ]; then if [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=[]' ] && [ "$caps" != 'CapAdd=<no value>' ] && [ "$caps" != 'CapAdd=<nil>' ]; then
fail "Capabilities added: $caps to {{c}}" fail "Capabilities added: $caps to {{c}}"
fi fi
} }
@ -48,7 +48,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
volumes=$(docker inspect --format '{{ .Mounts }}' "{{c}}") volumes=$(docker inspect --format '{{ .Mounts }}' "{{c}}")
fi fi
# Go over each directory in sensitive dir and see if they exist in the volumes # Go over each directory in sensitive dir and see if they exist in the volumes
for v in ${sensitive_dirs[@]}; do for v in "${sensitive_dirs[@]}"; do
run contains "$volumes" "$v" run contains "$volumes" "$v"
if [ $status -eq 0 ]; then if [ $status -eq 0 ]; then
fail "Sensitive directory $v mounted in: {{c}}" fail "Sensitive directory $v mounted in: {{c}}"
@ -146,7 +146,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.17 # 5.17
@test "5.17 - Do not directly expose host devices to containers: {{c}}" { @test "5.17 - Do not directly expose host devices to containers: {{c}}" {
devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "{{c}}") devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "{{c}}")
if [ "$devices" != "Devices=" -a "$devices" != "Devices=[]" -a "$devices" != "Devices=<no value>" ]; then if [ "$devices" != "Devices=" ] && [ "$devices" != "Devices=[]" ] && [ "$devices" != "Devices=<no value>" ]; then
fail "Container has devices exposed directly: {{c}}" fail "Container has devices exposed directly: {{c}}"
fi fi
} }
@ -154,7 +154,7 @@ load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 5.18 # 5.18
@test "5.18 - Override default ulimit at runtime only if needed: {{c}}" { @test "5.18 - Override default ulimit at runtime only if needed: {{c}}" {
ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "{{c}}") ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "{{c}}")
if [ "$ulimits" = "Ulimits=" -o "$ulimits" = "Ulimits=[]" -o "$ulimits" = "Ulimits=<no value>" ]; then if [ "$ulimits" = "Ulimits=" ] || [ "$ulimits" = "Ulimits=[]" ] || [ "$ulimits" = "Ulimits=<no value>" ]; then
fail "Container no default ulimit override: {{c}}" fail "Container no default ulimit override: {{c}}"
fi fi
} }
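Review bot: `if [ $status -eq 0 ]; then` in the sensitive-directories hunk is the one expansion in this file the commit leaves unquoted; `if [ "$status" -eq 0 ]; then` matches the rest of the cleanup. As a point of style, the rewritten `||`/`&&` chains in 5.1, 5.2, 5.3, 5.17 and 5.18 each compare one `docker inspect` string against the same family of empty-value sentinels; a `case` on the variable, e.g. `case "$caps" in 'CapAdd='|'CapAdd=[]'|'CapAdd=<no value>'|'CapAdd=<nil>') ;; *) fail "Capabilities added: $caps to {{c}}" ;; esac`, states the intent once and makes it obvious that the sentinel list differs between tests (5.3 accepts `<nil>`, 5.17 does not). Whether `<nil>` can also be printed for `.HostConfig.Devices` is not visible here.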


@ -20,10 +20,10 @@ prepare_tests_directory()
list_running_containers() { list_running_containers() {
# List all running containers # List all running containers
local containers=$(docker ps | sed '1d' | awk '{print $NF}') containers=($(docker ps | sed '1d' | awk '{print $NF}' | tr "\n" " "))
# If there is a container with label docker_bench_security, memorize it: # If there is a container with label docker_bench_security, memorize it:
local benchcont="nil" local benchcont="nil"
for c in $containers; do for c in "${containers[@]}"; do
labels=$(docker inspect --format '{{ .Config.Labels }}' "$c") labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
contains "$labels" "docker_bench_security" && benchcont="$c" contains "$labels" "docker_bench_security" && benchcont="$c"
done done
@ -35,9 +35,9 @@ generate_all_tests() {
# prepare test direcory: copy tests and templates # prepare test direcory: copy tests and templates
prepare_tests_directory prepare_tests_directory
# generate tests from templates for running containers # generate tests from templates for running containers
local containers=$(list_running_containers) containers=($(list_running_containers))
( cd $TEST_ROOT ( cd $TEST_ROOT || exit 1
for c in ${containers[@]}; do for c in "${containers[@]}"; do
for t in *.bats.template; do for t in *.bats.template; do
sed -e "s/{{c}}/$c/g" "${t}" > "${t%.*.*}_${c}.bats" sed -e "s/{{c}}/$c/g" "${t}" > "${t%.*.*}_${c}.bats"
done done
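Review bot: Both hunks replace `local containers=$(…)` with an unscoped `containers=($(…))`, so the fix for ShellCheck SC2155 trades a masked exit status for a global array that `list_running_containers` and `generate_all_tests` now both write; `local containers` on its own line followed by the assignment keeps the scope and satisfies the check. The `$(…)` inside `(…)` is itself what SC2207 flags, and the `| tr "\n" " "` added in the first hunk is redundant because the unquoted expansion already splits on newlines; `mapfile -t containers < <(docker ps | sed '1d' | awk '{print $NF}')` reads the list without word-splitting or globbing. `( cd $TEST_ROOT || exit 1` leaves `$TEST_ROOT` unquoted while the rest of the commit quotes it (`cd "$TEST_ROOT" || exit 1`), and since the `exit 1` only leaves the subshell, the caller never learns that no tests were generated. The remainder of both functions is outside the hunks.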


@ -2,8 +2,6 @@
. ./generate_tests.sh . ./generate_tests.sh
TERMINFO=/usr/share/terminfo
TEST_RESULTS=$BENCH_ROOT/results TEST_RESULTS=$BENCH_ROOT/results
# make result folder (inside VOLUME) # make result folder (inside VOLUME)
@ -23,9 +21,9 @@ OPT_RESULTS=1
#Set fonts for Help. #Set fonts for Help.
if [ -e "/usr/bin/tput" ]; then if [ -e "/usr/bin/tput" ]; then
BOLD=`tput bold` BOLD=$(tput bold)
REV=`tput smso` REV=$(tput smso)
NORM=`tput sgr0` NORM=$(tput sgr0)
else else
BOLD="" BOLD=""
REV="" REV=""
@ -50,7 +48,7 @@ HELP() {
#Check the number of arguments. If none are passed, print help and exit. #Check the number of arguments. If none are passed, print help and exit.
NUMARGS=$# NUMARGS=$#
if [ $NUMARGS -eq 0 ]; then if [ "$NUMARGS" -eq 0 ]; then
HELP HELP
fi fi
@ -73,7 +71,7 @@ while getopts o:rptcgh FLAG; do
;; ;;
c) # count tests c) # count tests
if [ -d "$TEST_ROOT" ]; then if [ -d "$TEST_ROOT" ]; then
echo -e "There are ${BOLD}$(bats $TEST_ROOT -c)${NORM} tests in ${BOLD}$TEST_ROOT${NORM}" echo -e "There are ${BOLD}$(bats "${TEST_ROOT}" -c)${NORM} tests in ${BOLD}${TEST_ROOT}${NORM}"
else else
echo -e "No tests found, run ${BOLD}${SCRIPT}${NORM} with ${REV}-g${NORM} option first." echo -e "No tests found, run ${BOLD}${SCRIPT}${NORM} with ${REV}-g${NORM} option first."
fi fi
@ -99,8 +97,8 @@ shift $((OPTIND-1)) #This tells getopts to move on to the next argument.
### Run Bats tests ### ### Run Bats tests ###
TESTS=$TEST_ROOT TESTS="${TEST_ROOT}"
if [ ! -d $TEST_ROOT ]; then # generate tests if needed if [ ! -d "${TEST_ROOT}" ]; then # generate tests if needed
generate_all_tests generate_all_tests
fi fi
@ -108,13 +106,13 @@ if [ $# -ne 0 ]; then # get tests from command line
TESTS=$* TESTS=$*
fi fi
if [ $OPT_RESULTS -eq 0 ]; then # run tests and [create test result file] if [ ${OPT_RESULTS} -eq 0 ]; then # run tests and [create test result file]
if [ ! -d "$OPT_OUTPUT" ]; then if [ ! -d "$OPT_OUTPUT" ]; then
mkdir -p "$OPT_OUTPUT" mkdir -p "$OPT_OUTPUT"
fi fi
bats $TESTS -${OPT_FORMAT} > "${OPT_OUTPUT}/tests_$(date +%s).tap" bats "${TESTS}" -${OPT_FORMAT} > "${OPT_OUTPUT}/tests_$(date +%s).tap"
else else
bats $TESTS -${OPT_FORMAT} bats "${TESTS}" -${OPT_FORMAT}
fi fi
exit 0 exit 0
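Review bot: Quoting `bats "${TESTS}" -${OPT_FORMAT}` on the two bats lines is a regression rather than a cleanup: `TESTS=$*` a few lines above joins every command-line test path into one string, so `bats` now receives `a.bats b.bats` as a single, nonexistent filename whenever more than one test is passed, where the old unquoted `$TESTS` at least split them (and broke on paths containing spaces). The fix is to keep the tests in an array from the start — `TESTS=("${TEST_ROOT}")` in the previous hunk, `TESTS=("$@")` here, and `"${TESTS[@]}"` on both bats calls — and to quote `"-${OPT_FORMAT}"` while at it. `if [ ${OPT_RESULTS} -eq 0 ]` in the same hunk is still unquoted, and the `-c` branch's `echo -e` with tput sequences would be more portable as `printf '%s\n' "There are ${BOLD}$(bats "${TEST_ROOT}" -c)${NORM} tests in ${BOLD}${TEST_ROOT}${NORM}"`.
```shell
TESTS=("${TEST_ROOT}")   # previous hunk: was TESTS="${TEST_ROOT}"
# … unchanged: generate tests if TEST_ROOT is missing …
if [ $# -ne 0 ]; then # get tests from command line
  TESTS=("$@")
fi
if [ "${OPT_RESULTS}" -eq 0 ]; then # run tests and [create test result file]
  # … unchanged: mkdir -p "$OPT_OUTPUT" …
  bats "${TESTS[@]}" "-${OPT_FORMAT}" > "${OPT_OUTPUT}/tests_$(date +%s).tap"
else
  bats "${TESTS[@]}" "-${OPT_FORMAT}"
fi
```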