GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 00:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #264 from konstruktoid/issue247

Browse source 
skeleton json
This commit is contained in:
Thomas Sjögren 2017-10-23 09:35:21 +02:00 committed by GitHub
commit ad045075eb
10 changed files with 324 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1 +1 @@
*.log
*.log*

3
docker-bench-security.sh
View file

@ -72,6 +72,7 @@ if [ "x$ID" != "x0" ]; then
fi
logit "Initializing $(date)\n"
beginjson "1.3.4" "$(date +%s)"
# Load all the tests from tests/ and run them
main () {
@ -92,6 +93,8 @@ main () {
do
. ./"$test"
done
endjson "$(date +%s)"
}
main "$@"

12
output_lib.sh
View file

@ -28,3 +28,15 @@ note () {
yell () {
printf "%b\n" "${bldylw}$1${txtrst}\n"
}
beginjson () {
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s," "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
}
endjson (){
printf "\n \"end\": %s \n}\n" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}

51
tests/1_host_configuration.sh
View file

@ -8,15 +8,19 @@ auditrules="/etc/audit/audit.rules"
check_1_1="1.1 - Ensure a separate partition for containers has been created"
if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then
pass "$check_1_1"
logjson "1.1" "PASS"
elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then
pass "$check_1_1"
logjson "1.1" "PASS"
else
warn "$check_1_1"
logjson "1.1" "WARN"
fi
# 1.2
check_1_2="1.2 - Ensure the container host has been Hardened"
note "$check_1_2"
logjson "1.2" "INFO"
# 1.3
check_1_3="1.3 - Ensure Docker is up to date"
@ -28,10 +32,12 @@ if [ $? -eq 11 ]; then
info "$check_1_3"
info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker"
logjson "1.3" "INFO"
else
pass "$check_1_3"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logjson "1.3" "PASS"
fi
# 1.4
@ -40,6 +46,7 @@ docker_users=$(getent group docker)
info "$check_1_4"
for u in $docker_users; do
info " * $u"
logjson "1.4" "$u"
done
# 1.5
@ -48,13 +55,17 @@ file="/usr/bin/docker "
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_5"
logjson "1.5" "PASS"
else
warn "$check_1_5"
logjson "1.5" "WARN"
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_5"
logjson "1.5" "PASS"
else
warn "$check_1_5"
logjson "1.5" "WARN"
fi
# 1.6
@ -64,17 +75,22 @@ if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_6"
logjson "1.6" "PASS"
else
warn "$check_1_6"
logjson "1.6" "WARN"
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_6"
logjson "1.6" "PASS"
else
warn "$check_1_6"
logjson "1.6" "WARN"
fi
else
info "$check_1_6"
info " * Directory not found"
logjson "1.6" "INFO"
fi
# 1.7
@ -84,17 +100,22 @@ if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_7"
logjson "1.7" "PASS"
else
warn "$check_1_7"
logjson "1.7" "WARN"
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_7"
logjson "1.7" "PASS"
else
warn "$check_1_7"
logjson "1.7" "WARN"
fi
else
info "$check_1_7"
info " * Directory not found"
logjson "1.7" "INFO"
fi
# 1.8
@ -104,17 +125,22 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_8"
logjson "1.8" "PASS"
else
warn "$check_1_8"
logjson "1.8" "WARN"
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_8"
logjson "1.8" "pass"
else
warn "$check_1_8"
logjson "1.8" "WARN"
fi
else
info "$check_1_8"
info " * File not found"
logjson "1.8" "INFO"
fi
# 1.9
@ -124,17 +150,22 @@ if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_9"
logjson "1.9" "PASS"
else
warn "$check_1_9"
logjson "1.9" "WARN"
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_9"
logjson "1.9" "PASS"
else
warn "$check_1_9"
logjson "1.9" "WARN"
fi
else
info "$check_1_9"
info " * File not found"
logjson "1.9" "INFO"
fi
# 1.10
@ -144,17 +175,22 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_10"
logjson "1.10" "PASS"
else
warn "$check_1_10"
logjson "1.10" "WARN"
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_10"
logjson "1.10" "PASS"
else
warn "$check_1_10"
logjson "1.10" "WARN"
fi
else
info "$check_1_10"
info " * File not found"
logjson "1.10" "INFO"
fi
# 1.11
@ -164,17 +200,22 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_11"
logjson "1.11" "PASS"
else
warn "$check_1_11"
logjson "1.11" "WARN"
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_11"
logjson "1.11" "PASS"
else
warn "$check_1_11"
logjson "1.11" "WARN"
fi
else
info "$check_1_11"
info " * File not found"
logjson "1.11" "INFO"
fi
# 1.12
@ -184,17 +225,22 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_12"
logjson "1.12" "PASS"
else
warn "$check_1_12"
logjson "1.12" "WARN"
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_12"
logjson "1.12" "PASS"
else
warn "$check_1_12"
logjson "1.12" "WARN"
fi
else
info "$check_1_12"
info " * File not found"
logjson "1.12" "INFO"
fi
# 1.13
@ -204,15 +250,20 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_13"
logjson "1.13" "PASS"
else
warn "$check_1_13"
logjson "1.13" "WARN"
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_13"
logjson "1.13" "PASS"
else
warn "$check_1_13"
logjson "1.13" "WARN"
fi
else
info "$check_1_13"
info " * File not found"
logjson "1.13" "INFO"
fi

59
tests/2_docker_daemon_configuration.sh
View file

@ -7,10 +7,13 @@ info "2 - Docker daemon configuration"
check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge"
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass "$check_2_1"
logjson "2.1" "PASS"
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass "$check_2_1"
logjson "2.1" "PASS"
else
warn "$check_2_1"
logjson "2.1" "WARN"
fi
# 2.2
@ -18,51 +21,66 @@ check_2_2="2.2 - Ensure the logging level is set to 'info'"
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass "$check_2_2"
logjson "2.2" "PASS"
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass "$check_2_2"
logjson "2.2" "PASS"
else
warn "$check_2_2"
logjson "2.2" "WARN"
fi
elif get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass "$check_2_2"
logjson "2.2" "PASS"
else
warn "$check_2_2"
logjson "2.2" "WARN"
fi
else
pass "$check_2_2"
logjson "2.2" "PASS"
fi
# 2.3
check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables"
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3"
logjson "2.3" "WARN"
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3"
logjson "2.3" "WARN"
else
pass "$check_2_3"
logjson "2.3" "PASS"
fi
# 2.4
check_2_4="2.4 - Ensure insecure registries are not used"
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn "$check_2_4"
logjson "2.4" "WARN"
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass "$check_2_4"
logjson "2.4" "PASS"
else
warn "$check_2_4"
logjson "2.4" "WARN"
fi
else
pass "$check_2_4"
logjson "2.4" "PASS"
fi
# 2.5
check_2_5="2.5 - Ensure aufs storage driver is not used"
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn "$check_2_5"
logjson "2.5" "WARN"
else
pass "$check_2_5"
logjson "2.5" "PASS"
fi
# 2.6
@ -73,30 +91,37 @@ if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
pass "$check_2_6"
logjson "2.6" "PASS"
else
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logjson "2.6" "WARN"
fi
fi
else
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS"
logjson "2.6" "WARN"
fi
elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
pass "$check_2_6"
logjson "2.6" "PASS"
else
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logjson "2.6" "WARN"
fi
else
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS"
logjson "2.6" "WARN"
fi
else
info "$check_2_6"
info " * Docker daemon not listening on TCP"
logjson "2.6" "INFO"
fi
@ -104,21 +129,27 @@ fi
check_2_7="2.7 - Ensure the default ulimit is configured appropriately"
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass "$check_2_7"
logjson "2.7" "PASS"
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass "$check_2_7"
logjson "2.7" "PASS"
else
info "$check_2_7"
info " * Default ulimit doesn't appear to be set"
logjson "2.7" "INFO"
fi
# 2.8
check_2_8="2.8 - Enable user namespace support"
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass "$check_2_8"
logjson "2.8" "PASS"
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass "$check_2_8"
logjson "2.8" "PASS"
else
warn "$check_2_8"
logjson "2.8" "WARN"
fi
# 2.9
@ -126,62 +157,80 @@ check_2_9="2.9 - Ensure the default cgroup usage has been confirmed"
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
warn "$check_2_9"
info " * Confirm cgroup usage"
logjson "2.9" "INFO"
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn "$check_2_9"
info " * Confirm cgroup usage"
logjson "2.9" "INFO"
else
pass "$check_2_9"
logjson "2.9" "PASS"
fi
# 2.10
check_2_10="2.10 - Ensure base device size is not changed until needed"
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10"
logjson "2.10" "WARN"
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10"
logjson "2.10" "WARN"
else
pass "$check_2_10"
logjson "2.10" "PASS"
fi
# 2.11
check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled"
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass "$check_2_11"
logjson "2.11" "PASS"
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass "$check_2_11"
logjson "2.11" "PASS"
else
warn "$check_2_11"
logjson "2.11" "WARN"
fi
# 2.12
check_2_12="2.12 - Ensure centralized and remote logging is configured"
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn "$check_2_12"
logjson "2.12" "WARN"
else
pass "$check_2_12"
logjson "2.12" "PASS"
fi
# 2.13
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled"
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass "$check_2_13"
logjson "2.13" "PASS"
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass "$check_2_13"
logjson "2.13" "PASS"
else
warn "$check_2_13"
logjson "2.13" "WARN"
fi
# 2.14
check_2_14="2.14 - Ensure live restore is Enabled"
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass "$check_2_14"
logjson "2.14" "PASS"
else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass "$check_2_14 (Incompatible with swarm mode)"
logjson "2.14" "PASS"
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass "$check_2_14"
logjson "2.14" "PASS"
else
warn "$check_2_14"
logjson "2.14" "WARN"
fi
fi
@ -189,34 +238,44 @@ fi
check_2_15="2.15 - Ensure Userland Proxy is Disabled"
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass "$check_2_15"
logjson "2.15" "PASS"
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass "$check_2_15"
logjson "2.15" "PASS"
else
warn "$check_2_15"
logjson "2.15" "WARN"
fi
# 2.16
check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed"
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass "$check_2_16"
logjson "2.16" "PASS"
else
info "$check_2_16"
logjson "2.16" "INFO"
fi
# 2.17
check_2_17="2.17 - Ensure experimental features are avoided in production"
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass "$check_2_17"
logjson "2.17" "PASS"
else
warn "$check_2_17"
logjson "2.17" "WARN"
fi
# 2.18
check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges"
if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then
pass "$check_2_18"
logjson "2.18" "PASS"
elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then
pass "$check_2_18"
logjson "2.18" "PASS"
else
warn "$check_2_18"
logjson "2.18" "WARN"
fi

60
tests/3_docker_daemon_configuration_files.sh
View file

@ -9,13 +9,16 @@ file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1"
logjson "3.1" "PASS"
else
warn "$check_3_1"
warn " * Wrong ownership for $file"
logjson "3.1" "WARN"
fi
else
info "$check_3_1"
info " * File not found"
logjson "3.1" "INFO"
fi
# 3.2
@ -24,13 +27,16 @@ file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_2"
logjson "3.2" "PASS"
else
warn "$check_3_2"
warn " * Wrong permissions for $file"
logjson "3.2" "WARN"
fi
else
info "$check_3_2"
info " * File not found"
logjson "3.2" "INFO"
fi
# 3.3
@ -39,13 +45,16 @@ file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3"
logjson "3.3" "PASS"
else
warn "$check_3_3"
warn " * Wrong ownership for $file"
logjson "3.3" "WARN"
fi
else
info "$check_3_3"
info " * File not found"
logjson "3.3" "INFO"
fi
# 3.4
@ -54,13 +63,16 @@ file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_4"
logjson "3.4" "PASS"
else
warn "$check_3_4"
warn " * Wrong permissions for $file"
logjson "3.4" "WARN"
fi
else
info "$check_3_4"
info " * File not found"
logjson "3.4" "INFO"
fi
# 3.5
@ -69,13 +81,16 @@ directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_5"
logjson "3.5" "PASS"
else
warn "$check_3_5"
warn " * Wrong ownership for $directory"
logjson "3.5" "WARN"
fi
else
info "$check_3_5"
info " * Directory not found"
logjson "3.5" "INFO"
fi
# 3.6
@ -84,13 +99,16 @@ directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_6"
logjson "3.6" "PASS"
else
warn "$check_3_6"
warn " * Wrong permissions for $directory"
logjson "3.6" "WARN"
fi
else
info "$check_3_6"
info " * Directory not found"
logjson "3.6" "INFO"
fi
# 3.7
@ -107,12 +125,15 @@ if [ -d "$directory" ]; then
if [ $fail -eq 1 ]; then
warn "$check_3_7"
warn " * Wrong ownership for $directory"
logjson "3.7" "WARN"
else
pass "$check_3_7"
logjson "3.7" "PASS"
fi
else
info "$check_3_7"
info " * Directory not found"
logjson "3.7" "INFO"
fi
# 3.8
@ -129,12 +150,15 @@ if [ -d "$directory" ]; then
if [ $fail -eq 1 ]; then
warn "$check_3_8"
warn " * Wrong permissions for $directory"
logjson "3.8" "WARN"
else
pass "$check_3_8"
logjson "3.8" "PASS"
fi
else
info "$check_3_8"
info " * Directory not found"
logjson "3.8" "INFO"
fi
# 3.9
@ -147,13 +171,16 @@ fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_9"
logjson "3.9" "PASS"
else
warn "$check_3_9"
warn " * Wrong ownership for $tlscacert"
logjson "3.9" "WARN"
fi
else
info "$check_3_9"
info " * No TLS CA certificate found"
logjson "3.9" "INFO"
fi
# 3.10
@ -166,13 +193,16 @@ fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
pass "$check_3_10"
logjson "3.10" "PASS"
else
warn "$check_3_10"
warn " * Wrong permissions for $tlscacert"
logjson "3.10" "WARN"
fi
else
info "$check_3_10"
info " * No TLS CA certificate found"
logjson "3.10" "INFO"
fi
# 3.11
@ -185,13 +215,16 @@ fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_11"
logjson "3.11" "PASS"
else
warn "$check_3_11"
warn " * Wrong ownership for $tlscert"
logjson "3.11" "WARN"
fi
else
info "$check_3_11"
info " * No TLS Server certificate found"
logjson "3.11" "INFO"
fi
# 3.12
@ -204,13 +237,16 @@ fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
pass "$check_3_12"
logjson "3.12" "PASS"
else
warn "$check_3_12"
warn " * Wrong permissions for $tlscert"
logjson "3.12" "WARN"
fi
else
info "$check_3_12"
info " * No TLS Server certificate found"
logjson "3.12" "INFO"
fi
# 3.13
@ -223,13 +259,16 @@ fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_13"
logjson "3.13" "PASS"
else
warn "$check_3_13"
warn " * Wrong ownership for $tlskey"
logjson "3.13" "WARN"
fi
else
info "$check_3_13"
info " * No TLS Key found"
logjson "3.13" "INFO"
fi
# 3.14
@ -242,13 +281,16 @@ fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass "$check_3_14"
logjson "3.14" "PASS"
else
warn "$check_3_14"
warn " * Wrong permissions for $tlskey"
logjson "3.14" "WARN"
fi
else
info "$check_3_14"
info " * No TLS Key found"
logjson "3.14" "INFO"
fi
# 3.15
@ -257,13 +299,16 @@ file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass "$check_3_15"
logjson "3.15" "PASS"
else
warn "$check_3_15"
warn " * Wrong ownership for $file"
logjson "3.15" "WARN"
fi
else
info "$check_3_15"
info " * File not found"
logjson "3.15" "INFO"
fi
# 3.16
@ -272,13 +317,16 @@ file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_16"
logjson "3.16" "PASS"
else
warn "$check_3_16"
warn " * Wrong permissions for $file"
logjson "3.16" "WARN"
fi
else
info "$check_3_16"
info " * File not found"
logjson "3.16" "INFO"
fi
# 3.17
@ -287,13 +335,16 @@ file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_17"
logjson "3.17" "PASS"
else
warn "$check_3_17"
warn " * Wrong ownership for $file"
logjson "3.17" "WARN"
fi
else
info "$check_3_17"
info " * File not found"
logjson "3.17" "INFO"
fi
# 3.18
@ -302,13 +353,16 @@ file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_18"
logjson "3.18" "PASS"
else
warn "$check_3_18"
warn " * Wrong permissions for $file"
logjson "3.18" "WARN"
fi
else
info "$check_3_18"
info " * File not found"
logjson "3.18" "INFO"
fi
# 3.19
@ -317,13 +371,16 @@ file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_19"
logjson "3.19" "PASS"
else
warn "$check_3_19"
warn " * Wrong ownership for $file"
logjson "3.19" "WARN"
fi
else
info "$check_3_19"
info " * File not found"
logjson "3.19" "INFO"
fi
# 3.20
@ -332,11 +389,14 @@ file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_20"
logjson "3.20" "PASS"
else
warn "$check_3_20"
warn " * Wrong permissions for $file"
logjson "3.20" "WARN"
fi
else
info "$check_3_20"
info " * File not found"
logjson "3.20" "INFO"
fi

20
tests/4_container_images.sh
View file

@ -10,6 +10,7 @@ check_4_1="4.1 - Ensure a user for the container has been created"
if [ -z "$containers" ]; then
info "$check_4_1"
info " * No containers running"
logjson "4.1" "INFO"
else
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
@ -24,15 +25,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_4_1"
warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fail=1
else
warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fi
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass "$check_4_1"
logjson "4.1" "PASS"
fi
fi
# Make the loop separator go back to space
@ -43,21 +47,26 @@ images=$(docker images -q)
# 4.2
check_4_2="4.2 - Ensure that containers use trusted base images"
note "$check_4_2"
logjson "4.2" "NOTE"
# 4.3
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
note "$check_4_3"
logjson "4.3" "NOTE"
# 4.4
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
note "$check_4_4"
logjson "4.4" "NOTE"
# 4.5
check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass "$check_4_5"
logjson "4.5" "PASS"
else
warn "$check_4_5"
logjson "4.5" "WARN"
fi
# 4.6
@ -68,15 +77,18 @@ for img in $images; do
if [ $fail -eq 0 ]; then
fail=1
warn "$check_4_6"
logjson "4.6" "WARN"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
warn " * No Healthcheck found: $imgName"
logjson "4.6" "WARN: $imgName"
fi
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_6"
logjson "4.6" "PASS"
fi
# 4.7
@ -87,6 +99,7 @@ for img in $images; do
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_7"
logjson "4.7" "INFO"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
@ -96,11 +109,13 @@ for img in $images; do
done
if [ $fail -eq 0 ]; then
pass "$check_4_7"
logjson "4.7" "PASS"
fi
# 4.8
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
note "$check_4_8"
logjson "4.8" "NOTE"
# 4.9
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
@ -111,21 +126,26 @@ for img in $images; do
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_9"
logjson "4.9" "INFO"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
info " * ADD in image history: $imgName"
logjson "4.9" "INFO: $imgName"
fi
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_9"
logjson "4.9" "PASS"
fi
# 4.10
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
note "$check_4_10"
logjson "4.10" "NOTE"
# 4.11
check_4_11="4.11 - Ensure verified packages are only Installed"
note "$check_4_11"
logjson "4.11" "NOTE"

86
tests/5_container_runtime.sh
View file

@ -22,15 +22,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_1"
warn " * No AppArmorProfile Found: $c"
logjson "5.1" "WARN: $c"
fail=1
else
warn " * No AppArmorProfile Found: $c"
logjson "5.1" "WARN: $c"
fi
fi
done
# We went through all the containers and found none without AppArmor
if [ $fail -eq 0 ]; then
pass "$check_5_1"
logjson "5.1" "PASS"
fi
# 5.2
@ -45,15 +48,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_2"
warn " * No SecurityOptions Found: $c"
logjson "5.2" "WARN: $c"
fail=1
else
warn " * No SecurityOptions Found: $c"
logjson "5.2" "WARN: $c"
fi
fi
done
# We went through all the containers and found none without SELinux
if [ $fail -eq 0 ]; then
pass "$check_5_2"
logjson "5.2" "PASS"
fi
# 5.3
@ -71,15 +77,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_3"
warn " * Capabilities added: $caps to $c"
logjson "5.3" "WARN: $c"
fail=1
else
warn " * Capabilities added: $caps to $c"
logjson "5.3" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then
pass "$check_5_3"
logjson "5.3" "PASS"
fi
# 5.4
@ -94,15 +103,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_4"
warn " * Container running in Privileged mode: $c"
logjson "5.4" "WARN: $c"
fail=1
else
warn " * Container running in Privileged mode: $c"
logjson "5.4" "WARN: $c"
fi
fi
done
# We went through all the containers and found no privileged containers
if [ $fail -eq 0 ]; then
pass "$check_5_4"
logjson "5.4" "PASS"
fi
# 5.5
@ -136,9 +148,11 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_5"
warn " * Sensitive directory $v mounted in: $c"
logjson "5.5" "WARN: $v in $c"
fail=1
else
warn " * Sensitive directory $v mounted in: $c"
logjson "5.5" "WARN: $v in $c"
fi
fi
done
@ -146,6 +160,7 @@ else
# We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then
pass "$check_5_5"
logjson "5.5" "PASS"
fi
# 5.6
@ -161,10 +176,12 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_6"
warn " * Container running sshd: $c"
logjson "5.6" "WARN: $c"
fail=1
printcheck=1
else
warn " * Container running sshd: $c"
logjson "5.6" "WARN: $c"
fi
fi
@ -172,9 +189,11 @@ else
if [ $? -eq 255 ]; then
if [ $printcheck -eq 0 ]; then
warn "$check_5_6"
logjson "5.6" "WARN"
printcheck=1
fi
warn " * Docker exec fails: $c"
logjson "5.6" "WARN: $c"
fail=1
fi
@ -199,9 +218,11 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_7"
warn " * Privileged Port in use: $port in $c"
logjson "5.7" "WARN: $port in $c"
fail=1
else
warn " * Privileged Port in use: $port in $c"
logjson "5.7" "WARN: $port in $c"
fi
fi
done
@ -209,11 +230,13 @@ else
# We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then
pass "$check_5_7"
logjson "5.7" "PASS"
fi
# 5.8
check_5_8="5.8 - Ensure only needed ports are open on the container"
note "$check_5_8"
logjson "5.8" "NOTE"
# 5.9
check_5_9="5.9 - Ensure the host's network namespace is not shared"
@ -227,15 +250,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_9"
warn " * Container running with networking mode 'host': $c"
logjson "5.9" "WARN: $c"
fail=1
else
warn " * Container running with networking mode 'host': $c"
logjson "5.9" "WARN: $c"
fi
fi
done
# We went through all the containers and found no Network Mode host
if [ $fail -eq 0 ]; then
pass "$check_5_9"
logjson "5.9" "PASS"
fi
# 5.10
@ -254,15 +280,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_10"
warn " * Container running without memory restrictions: $c"
logjson "5.10" "WARN: $c"
fail=1
else
warn " * Container running without memory restrictions: $c"
logjson "5.10" "WARN: $c"
fi
fi
done
# We went through all the containers and found no lack of Memory restrictions
if [ $fail -eq 0 ]; then
pass "$check_5_10"
logjson "5.10" "PASS"
fi
# 5.11
@ -281,15 +310,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_11"
warn " * Container running without CPU restrictions: $c"
logjson "5.11" "WARN: $c"
fail=1
else
warn " * Container running without CPU restrictions: $c"
logjson "5.11" "WARN: $c"
fi
fi
done
# We went through all the containers and found no lack of CPUShare restrictions
if [ $fail -eq 0 ]; then
pass "$check_5_11"
logjson "5.11" "PASS"
fi
# 5.12
@ -304,15 +336,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_12"
warn " * Container running with root FS mounted R/W: $c"
logjson "5.12" "WARN: $c"
fail=1
else
warn " * Container running with root FS mounted R/W: $c"
logjson "5.12" "WARN: $c"
fi
fi
done
# We went through all the containers and found no R/W FS mounts
if [ $fail -eq 0 ]; then
pass "$check_5_12"
logjson "5.12" "PASS"
fi
# 5.13
@ -326,9 +361,11 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_13"
warn " * Port being bound to wildcard IP: $ip in $c"
logjson "5.13" "WARN: $ip in $c"
fail=1
else
warn " * Port being bound to wildcard IP: $ip in $c"
logjson "5.13" "WARN: $ip in $c"
fi
fi
done
@ -336,6 +373,7 @@ else
# We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then
pass "$check_5_13"
logjson "5.13" "PASS"
fi
# 5.14
@ -350,15 +388,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_14"
warn " * MaximumRetryCount is not set to 5: $c"
logjson "5.14" "WARN: $c"
fail=1
else
warn " * MaximumRetryCount is not set to 5: $c"
logjson "5.14" "WARN: $c"
fi
fi
done
# We went through all the containers and they all had MaximumRetryCount=5
if [ $fail -eq 0 ]; then
pass "$check_5_14"
logjson "5.14" "PASS"
fi
# 5.15
@ -373,15 +414,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_15"
warn " * Host PID namespace being shared with: $c"
logjson "5.15" "WARN: $c"
fail=1
else
warn " * Host PID namespace being shared with: $c"
logjson "5.15" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with PidMode as host
if [ $fail -eq 0 ]; then
pass "$check_5_15"
logjson "5.15" "PASS"
fi
# 5.16
@ -396,15 +440,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_16"
warn " * Host IPC namespace being shared with: $c"
logjson "5.16" "WARN: $c"
fail=1
else
warn " * Host IPC namespace being shared with: $c"
logjson "5.16" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with IPCMode as host
if [ $fail -eq 0 ]; then
pass "$check_5_16"
logjson "5.16" "PASS"
fi
# 5.17
@ -419,15 +466,18 @@ else
if [ $fail -eq 0 ]; then
info "$check_5_17"
info " * Container has devices exposed directly: $c"
logjson "5.17" "INFO: $c"
fail=1
else
info " * Container has devices exposed directly: $c"
logjson "5.17" "INFO: $c"
fi
fi
done
# We went through all the containers and found none with devices
if [ $fail -eq 0 ]; then
pass "$check_5_17"
logjson "5.17" "PASS"
fi
# 5.18
@ -442,15 +492,18 @@ else
if [ $fail -eq 0 ]; then
info "$check_5_18"
info " * Container no default ulimit override: $c"
logjson "5.18" "INFO: $c"
fail=1
else
info " * Container no default ulimit override: $c"
logjson "5.18" "INFO: $c"
fi
fi
done
# We went through all the containers and found none without Ulimits
if [ $fail -eq 0 ]; then
pass "$check_5_18"
logjson "5.18" "PASS"
fi
# 5.19
@ -464,15 +517,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_19"
warn " * Mount propagation mode is shared: $c"
logjson "5.19" "WARN: $c"
fail=1
else
warn " * Mount propagation mode is shared: $c"
logjson "5.19" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with shared propagation mode
if [ $fail -eq 0 ]; then
pass "$check_5_19"
logjson "5.19" "PASS"
fi
# 5.20
@ -487,15 +543,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_20"
warn " * Host UTS namespace being shared with: $c"
logjson "5.20" "WARN: $c"
fail=1
else
warn " * Host UTS namespace being shared with: $c"
logjson "5.20" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then
pass "$check_5_20"
logjson "5.20" "PASS"
fi
# 5.21
@ -508,24 +567,29 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_21"
warn " * Default seccomp profile disabled: $c"
logjson "5.21" "WARN: $c"
fail=1
else
warn " * Default seccomp profile disabled: $c"
logjson "5.21" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with default secomp profile disabled
if [ $fail -eq 0 ]; then
pass "$check_5_21"
logjson "5.21" "PASS"
fi
# 5.22
check_5_22="5.22 - Ensure docker exec commands are not used with privileged option"
note "$check_5_22"
logjson "5.22" "NOTE"
# 5.23
check_5_23="5.23 - Ensure docker exec commands are not used with user option"
note "$check_5_23"
logjson "5.23" "NOTE"
# 5.24
check_5_24="5.24 - Ensure cgroup usage is confirmed"
@ -539,15 +603,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_24"
warn " * Confirm cgroup usage: $c"
logjson "5.24" "WARN: $c"
fail=1
else
warn " * Confirm cgroup usage: $c"
logjson "5.24" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then
pass "$check_5_24"
logjson "5.24" "PASS"
fi
# 5.25
@ -560,15 +627,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_25"
warn " * Privileges not restricted: $c"
logjson "5.25" "WARN: $c"
fail=1
else
warn " * Privileges not restricted: $c"
logjson "5.25" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with capability to acquire additional privileges
if [ $fail -eq 0 ]; then
pass "$check_5_25"
logjson "5.25" "PASS"
fi
# 5.26
@ -580,19 +650,23 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_26"
warn " * Health check not set: $c"
logjson "5.26" "WARN: $c"
fail=1
else
warn " * Health check not set: $c"
logjson "5.26" "WARN: $c"
fi
fi
done
if [ $fail -eq 0 ]; then
pass "$check_5_26"
logjson "5.26" "PASS"
fi
# 5.27
check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
info "$check_5_27"
logjson "5.27" "INFO"
# 5.28
check_5_28="5.28 - Ensure PIDs cgroup limit is used"
@ -606,15 +680,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_28"
warn " * PIDs limit not set: $c"
logjson "5.28" "WARN: $c"
fail=1
else
warn " * PIDs limit not set: $c"
logjson "5.28" "WARN: $c"
fi
fi
done
# We went through all the containers and found all with PIDs limit
if [ $fail -eq 0 ]; then
pass "$check_5_28"
logjson "5.28" "PASS"
fi
# 5.29
@ -629,11 +706,13 @@ else
if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then
info "$check_5_29"
logjson "5.29" "INFO"
fail=1
fi
for c in $docker0Containers; do
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
info " * Container in docker0 network: $cName"
logjson "5.29" "INFO: $c"
done
fi
fi
@ -641,6 +720,7 @@ else
# We went through all the containers and found none in docker0 network
if [ $fail -eq 0 ]; then
pass "$check_5_29"
logjson "5.29" "PASS"
fi
# 5.30
@ -653,15 +733,18 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_30"
warn " * Namespace shared: $c"
logjson "5.30" "WARN: $c"
fail=1
else
warn " * Namespace shared: $c"
logjson "5.30" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with host's user namespace shared
if [ $fail -eq 0 ]; then
pass "$check_5_30"
logjson "5.30" "PASS"
fi
# 5.31
@ -674,14 +757,17 @@ else
if [ $fail -eq 0 ]; then
warn "$check_5_31"
warn " * Docker socket shared: $c"
logjson "5.31" "WARN: $c"
fail=1
else
warn " * Docker socket shared: $c"
logjson "5.31" "WARN: $c"
fi
fi
done
# We went through all the containers and found none with docker.sock shared
if [ $fail -eq 0 ]; then
pass "$check_5_31"
logjson "5.31" "PASS"
fi
fi

3
tests/6_docker_security_operations.sh
View file

@ -19,6 +19,7 @@ done
if [ "$active_images" -lt "$((images / 2))" ]; then
info " * Only $active_images out of $images are in use"
logjson "6.1" "INFO: $active_images"
fi
# 6.2
@ -29,7 +30,9 @@ diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then
info "$check_6_2"
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
logjson "6.2" "INFO: $running_containers"
else
info "$check_6_2"
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
logjson "6.2" "INFO: $running_containers"
fi

33
tests/7_docker_swarm_configuration.sh
View file

@ -7,8 +7,10 @@ info "7 - Docker Swarm Configuration"
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass "$check_7_1"
logjson "7.1" "PASS"
else
warn "$check_7_1"
logjson "7.1" "WARN"
fi
# 7.2
@ -17,11 +19,14 @@ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -le 1 ]; then
pass "$check_7_2"
logjson "7.2" "PASS"
else
warn "$check_7_2"
logjson "7.2" "WARN"
fi
else
pass "$check_7_2 (Swarm mode not enabled)"
logjson "7.2" "PASS"
fi
# 7.3
@ -30,11 +35,14 @@ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
if [ $? -eq 1 ]; then
pass "$check_7_3"
logjson "7.3" "PASS"
else
warn "$check_7_3"
logjson "7.3" "WARN"
fi
else
pass "$check_7_3 (Swarm mode not enabled)"
logjson "7.3" "PASS"
fi
# 7.4
@ -47,10 +55,12 @@ if docker network ls --filter driver=overlay --quiet | \
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
fi
done
else
pass "$check_7_4"
logjson "7.4" "PASS"
fi
# 7.5
@ -58,11 +68,14 @@ check_7_5="7.5 - Ensure Docker's secret management commands are used for managi
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass "$check_7_5"
logjson "7.5" "PASS"
else
info "$check_7_5"
logjson "7.5" "INFO"
fi
else
pass "$check_7_5 (Swarm mode not enabled)"
logjson "7.5" "PASS"
fi
# 7.6
@ -70,19 +83,24 @@ check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn "$check_7_6"
logjson "7.6" "WARN"
else
pass "$check_7_6"
logjson "7.6" "PASS"
fi
else
pass "$check_7_6 (Swarm mode not enabled)"
logjson "7.6" "PASS"
fi
# 7.7
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note "$check_7_7"
logjson "7.7" "NOTE"
else
pass "$check_7_7 (Swarm mode not enabled)"
logjson "7.7" "PASS"
fi
# 7.8
@ -90,25 +108,32 @@ check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass "$check_7_8"
logjson "7.8" "PASS"
else
info "$check_7_8"
logjson "7.8" "INFO"
fi
else
pass "$check_7_8 (Swarm mode not enabled)"
logjson "7.8" "PASS"
fi
# 7.9
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_9"
info "$check_7_9"
logjson "7.9" "INFO"
else
pass "$check_7_9 (Swarm mode not enabled)"
pass "$check_7_9 (Swarm mode not enabled)"
logjson "7.9" "PASS"
fi
# 7.10
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_10"
info "$check_7_10"
logjson "7.10" "INFO"
else
pass "$check_7_10 (Swarm mode not enabled)"
pass "$check_7_10 (Swarm mode not enabled)"
logjson "7.10" "PASS"
fi