From 809da21c4a9cca26c68b11dd85d0a077b3f56349 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 10 Oct 2017 13:54:59 +0200 Subject: [PATCH 01/10] skeleton json MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- docker-bench-security.sh | 3 +++ output_lib.sh | 12 ++++++++++++ tests/1_host_configuration.sh | 11 +++++++++++ 3 files changed, 26 insertions(+) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 9dbe000..08eda32 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -72,6 +72,7 @@ if [ "x$ID" != "x0" ]; then fi logit "Initializing $(date)\n" +beginjson "$(date +%s)" # Load all the tests from tests/ and run them main () { @@ -92,6 +93,8 @@ main () { do . ./"$test" done + + endjson "$(date +%s)" } main "$@" diff --git a/output_lib.sh b/output_lib.sh index 3d31667..6460d40 100644 --- a/output_lib.sh +++ b/output_lib.sh @@ -28,3 +28,15 @@ note () { yell () { printf "%b\n" "${bldylw}$1${txtrst}\n" } + +beginjson () { + printf "{\n \"start\": %s," "$1" | tee "$logger.json" 2>/dev/null 1>&2 +} + +endjson (){ + printf "\n \"end\": %s \n}\n" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2 +} + +logjson (){ + printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 +} diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index 91c35c3..7c090e9 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh 
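Review bot: `endjson` is only reached when `main` returns normally, but `beginjson` has already truncated and started the report file at top level, so if any sourced test leaves the shell early (an `exit` inside tests/, or the run being interrupted) the JSON file keeps its opening `{` and `"start"` with no closing `"end"`/`}` and cannot be parsed. Consider pairing the two calls in one place: move `beginjson "$(date +%s)"` to the top of `main`, or register the close with `trap 'endjson "$(date +%s)"' EXIT` right after `beginjson` so the file is terminated on every exit path. The body of `main` begins before this hunk.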
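Review bot: `logjson` writes `$2` into a quoted JSON string with no escaping, and the later patches in this series pass container names (`$c`), image tags (`$imgName`) and `getent` output as that value, so a double quote or backslash in such data yields a file that is not valid JSON, which in an audit report is the one place where data read from the inspected system shapes the output structure. A minimal POSIX-sh fix is to escape the two characters that break a JSON string before printing: `val=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')` followed by `printf "\n \"%s\": \"%s\"," "$1" "$val" | tee -a "$logger.json" 2>/dev/null 1>&2`; embedded newlines and control characters would still need handling. `$logger` is not set in this hunk, so presumably the main script defines it; a one-line comment on `beginjson` saying the report goes to `$logger.json` would help the next reader. The `2>/dev/null 1>&2` redirection also hides tee's own error when the report file cannot be written, so a missing report goes unnoticed. Style: `endjson (){` and `logjson (){` lack the space that `beginjson () {` and the existing `yell () {` use.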
@@ -8,15 +8,19 @@ auditrules="/etc/audit/audit.rules" check_1_1="1.1 - Ensure a separate partition for containers has been created" if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then pass "$check_1_1" + logjson "1.1" "PASS" elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then pass "$check_1_1" + logjson "1.1" "PASS" else warn "$check_1_1" + logjson "1.1" "WARN" fi # 1.2 check_1_2="1.2 - Ensure the container host has been Hardened" note "$check_1_2" +logjson "1.2" "INFO" # 1.3 check_1_3="1.3 - Ensure Docker is up to date" @@ -28,10 +32,12 @@ if [ $? -eq 11 ]; then info "$check_1_3" info " * Using $docker_version, verify is it up to date as deemed necessary" info " * Your operating system vendor may provide support and security maintenance for Docker" + logjson "1.3" "INFO" else pass "$check_1_3" info " * Using $docker_version which is current" info " * Check with your operating system vendor for support and security maintenance for Docker" + logjson "1.3" "PASS" fi # 1.4 @@ -40,6 +46,7 @@ docker_users=$(getent group docker) info "$check_1_4" for u in $docker_users; do info " * $u" + logjson "1.4" "$u" done # 1.5 @@ -48,13 +55,17 @@ file="/usr/bin/docker " if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then pass "$check_1_5" + logjson "1.5" "PASS" else warn "$check_1_5" + logjson "1.5" "WARN" fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_5" + logjson "1.5" "PASS" else warn "$check_1_5" + logjson "1.5" "WARN" fi # 1.6 From 9e3d42c5f557cd38dd9676a91add8f7860b5de6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 10 Oct 2017 14:20:38 +0200 Subject: [PATCH 02/10] ignore all logs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- .gitignore | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitignore b/.gitignore index 397b4a7..e5ebf25 100644 
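Review bot: 1.2 is reported with `note` on the console but logged as `logjson "1.2" "INFO"`, while patch 06 (the 4.x checks) logs `note` results as `"NOTE"`, so the same console severity appears under two different JSON statuses; `logjson "1.2" "NOTE"` would keep them aligned. In the 1.4 loop the value passed to `logjson "1.4" "$u"` is raw `getent group docker` output rather than a PASS/WARN/INFO status, so a consumer keying on status cannot classify 1.4, and if the loop iterates more than once the key "1.4" is repeated in the object. Consider logging one status for the check and putting the group data under a separate key.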
--- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -*.log +*.log* From a3612c574e291aeb1ca1d4eb11bbe520f384f16d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 10 Oct 2017 14:33:32 +0200 Subject: [PATCH 03/10] check 1.x json log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/1_host_configuration.sh | 40 +++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index 7c090e9..ef6ac4c 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -75,17 +75,22 @@ if [ -d "$directory" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then pass "$check_1_6" + logjson "1.6" "PASS" else warn "$check_1_6" + logjson "1.6" "WARN" fi elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_6" + logjson "1.6" "PASS" else warn "$check_1_6" + logjson "1.6" "WARN" fi else info "$check_1_6" info " * Directory not found" + logjson "1.6" "INFO" fi # 1.7 @@ -95,17 +100,22 @@ if [ -d "$directory" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then pass "$check_1_7" + logjson "1.7" "PASS" else warn "$check_1_7" + logjson "1.7" "WARN" fi elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_7" + logjson "1.7" "PASS" else warn "$check_1_7" + logjson "1.7" "WARN" fi else info "$check_1_7" info " * Directory not found" + logjson "1.7" "INFO" fi # 1.8 
@@ -115,17 +125,22 @@ if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then pass "$check_1_8" + logjson "1.8" "PASS" else warn "$check_1_8" + logjson "1.8" "WARN" fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_8" + logjson "1.8" "pass" else warn "$check_1_8" + logjson "1.8" "WARN" fi else info "$check_1_8" info " * File not found" + logjson "1.8" "INFO" fi # 1.9 @@ -135,17 +150,22 @@ if [ -e "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then pass "$check_1_9" + logjson "1.9" "PASS" else warn "$check_1_9" + logjson "1.9" "WARN" fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_9" + logjson "1.9" "PASS" else warn "$check_1_9" + logjson "1.9" "WARN" fi else info "$check_1_9" info " * File not found" + logjson "1.9" "INFO" fi # 1.10 @@ -155,17 +175,22 @@ if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then pass "$check_1_10" + logjson "1.10" "PASS" else warn "$check_1_10" + logjson "1.10" "WARN" fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_10" + logjson "1.10" "PASS" else warn "$check_1_10" + logjson "1.10" "WARN" fi else info "$check_1_10" info " * File not found" + logjson "1.10" "INFO" fi # 1.11 @@ -175,17 +200,22 @@ if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then pass "$check_1_11" + logjson "1.11" "PASS" else warn "$check_1_11" + logjson "1.11" "WARN" fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_11" + logjson "1.11" "PASS" else warn "$check_1_11" + logjson "1.11" "WARN" fi else info "$check_1_11" info " * File not found" + logjson "1.11" "INFO" fi # 1.12 
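Review bot: The 1.8 auditrules branch writes `logjson "1.8" "pass"` in lower case, while every other passing branch in this series writes `"PASS"`, so a consumer comparing the status string will count this result as neither pass nor warn. Change it to `logjson "1.8" "PASS"`.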
@@ -195,17 +225,22 @@ if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then pass "$check_1_12" + logjson "1.12" "PASS" else warn "$check_1_12" + logjson "1.12" "WARN" fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_12" + logjson "1.12" "PASS" else warn "$check_1_12" + logjson "1.12" "WARN" fi else info "$check_1_12" info " * File not found" + logjson "1.12" "INFO" fi # 1.13 @@ -215,15 +250,20 @@ if [ -f "$file" ]; then if command -v auditctl >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then pass "$check_1_13" + logjson "1.13" "PASS" else warn "$check_1_13" + logjson "1.13" "WARN" fi elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_13" + logjson "1.13" "PASS" else warn "$check_1_13" + logjson "1.13" "WARN" fi else info "$check_1_13" info " * File not found" + logjson "1.13" "INFO" fi From 78b1f5dc8626609728f8acb6590c0ee7ce638db9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 10 Oct 2017 14:46:08 +0200 Subject: [PATCH 04/10] check 2.x json log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/2_docker_daemon_configuration.sh | 59 ++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 7a54387..2eafc88 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh 
@@ -7,10 +7,13 @@ info "2 - Docker daemon configuration" check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge" if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then pass "$check_2_1" + logjson "2.1" "PASS" elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then pass "$check_2_1" + logjson "2.1" "PASS" else warn "$check_2_1" + logjson "2.1" "WARN" fi # 2.2 
@@ -18,51 +21,66 @@ check_2_2="2.2 - Ensure the logging level is set to 'info'" if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then pass "$check_2_2" + logjson "2.2" "PASS" elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then pass "$check_2_2" + logjson "2.2" "PASS" else warn "$check_2_2" + logjson "2.2" "WARN" fi elif get_docker_effective_command_line_args '-l'; then if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then pass "$check_2_2" + logjson "2.2" "PASS" else warn "$check_2_2" + logjson "2.2" "WARN" fi else pass "$check_2_2" + logjson "2.2" "PASS" fi # 2.3 check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables" if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then warn "$check_2_3" + logjson "2.3" "WARN" elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then warn "$check_2_3" + logjson "2.3" "WARN" else pass "$check_2_3" + logjson "2.3" "PASS" fi # 2.4 check_2_4="2.4 - Ensure insecure registries are not used" if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then warn "$check_2_4" + logjson "2.4" "WARN" elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then pass "$check_2_4" + logjson "2.4" "PASS" else warn "$check_2_4" + logjson "2.4" "WARN" fi else pass "$check_2_4" + logjson "2.4" "PASS" fi # 2.5 check_2_5="2.5 - Ensure aufs storage driver is not used" if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then warn "$check_2_5" + logjson "2.5" "WARN" else pass "$check_2_5" + logjson "2.5" "PASS" fi # 2.6 
@@ -73,30 +91,37 @@ if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then pass "$check_2_6" + logjson "2.6" "PASS" else warn "$check_2_6" warn " * Docker daemon currently listening on TCP with TLS, but no verification" + logjson "2.6" "WARN" fi fi else warn "$check_2_6" warn " * Docker daemon currently listening on TCP without TLS" + logjson "2.6" "WARN" fi elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then pass "$check_2_6" + logjson "2.6" "PASS" else warn "$check_2_6" warn " * Docker daemon currently listening on TCP with TLS, but no verification" + logjson "2.6" "WARN" fi else warn "$check_2_6" warn " * Docker daemon currently listening on TCP without TLS" + logjson "2.6" "WARN" fi else info "$check_2_6" info " * Docker daemon not listening on TCP" + logjson "2.6" "INFO" fi 
@@ -104,21 +129,27 @@ fi check_2_7="2.7 - Ensure the default ulimit is configured appropriately" if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then pass "$check_2_7" + logjson "2.7" "PASS" elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then pass "$check_2_7" + logjson "2.7" "PASS" else info "$check_2_7" info " * Default ulimit doesn't appear to be set" + logjson "2.7" "INFO" fi # 2.8 check_2_8="2.8 - Enable user namespace support" if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then pass "$check_2_8" + logjson "2.8" "PASS" elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then pass "$check_2_8" + logjson "2.8" "PASS" else warn "$check_2_8" + logjson "2.8" "WARN" fi # 2.9 
@@ -126,62 +157,80 @@ check_2_9="2.9 - Ensure the default cgroup usage has been confirmed" if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then warn "$check_2_9" info " * Confirm cgroup usage" + logjson "2.9" "INFO" elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then warn "$check_2_9" info " * Confirm cgroup usage" + logjson "2.9" "INFO" else pass "$check_2_9" + logjson "2.9" "PASS" fi # 2.10 check_2_10="2.10 - Ensure base device size is not changed until needed" if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then warn "$check_2_10" + logjson "2.10" "WARN" elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then warn "$check_2_10" + logjson "2.10" "WARN" else pass "$check_2_10" + logjson "2.10" "PASS" fi # 2.11 check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled" if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then pass "$check_2_11" + logjson "2.11" "PASS" elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then pass "$check_2_11" + logjson "2.11" "PASS" else warn "$check_2_11" + logjson "2.11" "WARN" fi # 2.12 check_2_12="2.12 - Ensure centralized and remote logging is configured" if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then warn "$check_2_12" + logjson "2.12" "WARN" else pass "$check_2_12" + logjson "2.12" "PASS" fi # 2.13 check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled" if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then pass "$check_2_13" + logjson "2.13" "PASS" elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then pass "$check_2_13" + logjson "2.13" "PASS" else warn "$check_2_13" + 
logjson "2.13" "WARN" fi # 2.14 check_2_14="2.14 - Ensure live restore is Enabled" if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then pass "$check_2_14" + logjson "2.14" "PASS" else if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then pass "$check_2_14 (Incompatible with swarm mode)" + logjson "2.14" "PASS" elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then pass "$check_2_14" + logjson "2.14" "PASS" else warn "$check_2_14" + logjson "2.14" "WARN" fi fi @@ -189,34 +238,44 @@ fi check_2_15="2.15 - Ensure Userland Proxy is Disabled" if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then pass "$check_2_15" + logjson "2.15" "PASS" elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then pass "$check_2_15" + logjson "2.15" "PASS" else warn "$check_2_15" + logjson "2.15" "WARN" fi # 2.16 check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed" if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then pass "$check_2_16" + logjson "2.16" "PASS" else info "$check_2_16" + logjson "2.16" "INFO" fi # 2.17 check_2_17="2.17 - Ensure experimental features are avoided in production" if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then pass "$check_2_17" + logjson "2.17" "PASS" else warn "$check_2_17" + logjson "2.17" "WARN" fi # 2.18 check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges" if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then pass "$check_2_18" + logjson "2.18" "PASS" elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then pass "$check_2_18" + logjson "2.18" "PASS" else warn "$check_2_18" + logjson "2.18" "WARN" fi 
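Review bot: The 2.9 hunk logs `"INFO"` in both branches whose console output is `warn "$check_2_9"`, so the JSON status is milder than what the operator sees; either `logjson "2.9" "WARN"` or an `info` call on the console would keep the two channels consistent. Separately, the swarm-mode branch of 2.14 appends "(Incompatible with swarm mode)" to the console message but logs a plain `"PASS"`, so that qualification is lost from the report; presumably acceptable, but worth a deliberate decision.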
From 7a1b813cdc4a1e9e3f58f683b5ca8d05c509bb67 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 13 Oct 2017 09:52:55 +0200 Subject: [PATCH 05/10] check 3.x json log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/3_docker_daemon_configuration_files.sh | 60 ++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 9995ef0..a016d76 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -9,13 +9,16 @@ file="$(get_systemd_service_file docker.service)" if [ -f "$file" ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_1" + logjson "3.1" "PASS" else warn "$check_3_1" warn " * Wrong ownership for $file" + logjson "3.1" "WARN" fi else info "$check_3_1" info " * File not found" + logjson "3.1" "INFO" fi # 3.2 @@ -24,13 +27,16 @@ file="$(get_systemd_service_file docker.service)" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_2" + logjson "3.2" "PASS" else warn "$check_3_2" warn " * Wrong permissions for $file" + logjson "3.2" "WARN" fi else info "$check_3_2" info " * File not found" + logjson "3.2" "INFO" fi # 3.3 @@ -39,13 +45,16 @@ file="$(get_systemd_service_file docker.socket)" if [ -f "$file" ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_3" + logjson "3.3" "PASS" else warn "$check_3_3" warn " * Wrong ownership for $file" + logjson "3.3" "WARN" fi else info "$check_3_3" info " * File not found" + logjson "3.3" "INFO" fi # 3.4 
@@ -54,13 +63,16 @@ file="$(get_systemd_service_file docker.socket)" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_4" + logjson "3.4" "PASS" else warn "$check_3_4" warn " * Wrong permissions for $file" + logjson "3.4" "WARN" fi else info "$check_3_4" info " * File not found" + logjson "3.4" "INFO" fi # 3.5 @@ -69,13 +81,16 @@ directory="/etc/docker" if [ -d "$directory" ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then pass "$check_3_5" + logjson "3.5" "PASS" else warn "$check_3_5" warn " * Wrong ownership for $directory" + logjson "3.5" "WARN" fi else info "$check_3_5" info " * Directory not found" + logjson "3.5" "INFO" fi # 3.6 @@ -84,13 +99,16 @@ directory="/etc/docker" if [ -d "$directory" ]; then if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then pass "$check_3_6" + logjson "3.6" "PASS" else warn "$check_3_6" warn " * Wrong permissions for $directory" + logjson "3.6" "WARN" fi else info "$check_3_6" info " * Directory not found" + logjson "3.6" "INFO" fi # 3.7 @@ -107,12 +125,15 @@ if [ -d "$directory" ]; then if [ $fail -eq 1 ]; then warn "$check_3_7" warn " * Wrong ownership for $directory" + logjson "3.7" "WARN" else pass "$check_3_7" + logjson "3.7" "PASS" fi else info "$check_3_7" info " * Directory not found" + logjson "3.7" "INFO" fi # 3.8 @@ -129,12 +150,15 @@ if [ -d "$directory" ]; then if [ $fail -eq 1 ]; then warn "$check_3_8" warn " * Wrong permissions for $directory" + logjson "3.8" "WARN" else pass "$check_3_8" + logjson "3.8" "PASS" fi else info "$check_3_8" info " * Directory not found" + logjson "3.8" "INFO" fi # 3.9 
@@ -147,13 +171,16 @@ fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then pass "$check_3_9" + logjson "3.9" "PASS" else warn "$check_3_9" warn " * Wrong ownership for $tlscacert" + logjson "3.9" "WARN" fi else info "$check_3_9" info " * No TLS CA certificate found" + logjson "3.9" "INFO" fi # 3.10 @@ -166,13 +193,16 @@ fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then pass "$check_3_10" + logjson "3.10" "PASS" else warn "$check_3_10" warn " * Wrong permissions for $tlscacert" + logjson "3.10" "WARN" fi else info "$check_3_10" info " * No TLS CA certificate found" + logjson "3.10" "INFO" fi # 3.11 @@ -185,13 +215,16 @@ fi if [ -f "$tlscert" ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then pass "$check_3_11" + logjson "3.11" "PASS" else warn "$check_3_11" warn " * Wrong ownership for $tlscert" + logjson "3.11" "WARN" fi else info "$check_3_11" info " * No TLS Server certificate found" + logjson "3.11" "INFO" fi # 3.12 @@ -204,13 +237,16 @@ fi if [ -f "$tlscert" ]; then if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then pass "$check_3_12" + logjson "3.12" "PASS" else warn "$check_3_12" warn " * Wrong permissions for $tlscert" + logjson "3.12" "WARN" fi else info "$check_3_12" info " * No TLS Server certificate found" + logjson "3.12" "INFO" fi # 3.13 @@ -223,13 +259,16 @@ fi if [ -f "$tlskey" ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then pass "$check_3_13" + logjson "3.13" "PASS" else warn "$check_3_13" warn " * Wrong ownership for $tlskey" + logjson "3.13" "WARN" fi else info "$check_3_13" info " * No TLS Key found" + logjson "3.13" "INFO" fi # 3.14 
@@ -242,13 +281,16 @@ fi if [ -f "$tlskey" ]; then if [ "$(stat -c %a $tlskey)" -eq 400 ]; then pass "$check_3_14" + logjson "3.14" "PASS" else warn "$check_3_14" warn " * Wrong permissions for $tlskey" + logjson "3.14" "WARN" fi else info "$check_3_14" info " * No TLS Key found" + logjson "3.14" "INFO" fi # 3.15 @@ -257,13 +299,16 @@ file="/var/run/docker.sock" if [ -S "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then pass "$check_3_15" + logjson "3.15" "PASS" else warn "$check_3_15" warn " * Wrong ownership for $file" + logjson "3.15" "WARN" fi else info "$check_3_15" info " * File not found" + logjson "3.15" "INFO" fi # 3.16 @@ -272,13 +317,16 @@ file="/var/run/docker.sock" if [ -S "$file" ]; then if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_16" + logjson "3.16" "PASS" else warn "$check_3_16" warn " * Wrong permissions for $file" + logjson "3.16" "WARN" fi else info "$check_3_16" info " * File not found" + logjson "3.16" "INFO" fi # 3.17 @@ -287,13 +335,16 @@ file="/etc/docker/daemon.json" if [ -f "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then pass "$check_3_17" + logjson "3.17" "PASS" else warn "$check_3_17" warn " * Wrong ownership for $file" + logjson "3.17" "WARN" fi else info "$check_3_17" info " * File not found" + logjson "3.17" "INFO" fi # 3.18 @@ -302,13 +353,16 @@ file="/etc/docker/daemon.json" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_18" + logjson "3.18" "PASS" else warn "$check_3_18" warn " * Wrong permissions for $file" + logjson "3.18" "WARN" fi else info "$check_3_18" info " * File not found" + logjson "3.18" "INFO" fi # 3.19 
@@ -317,13 +371,16 @@ file="/etc/default/docker" if [ -f "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then pass "$check_3_19" + logjson "3.19" "PASS" else warn "$check_3_19" warn " * Wrong ownership for $file" + logjson "3.19" "WARN" fi else info "$check_3_19" info " * File not found" + logjson "3.19" "INFO" fi # 3.20 @@ -332,11 +389,14 @@ file="/etc/default/docker" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_20" + logjson "3.20" "PASS" else warn "$check_3_20" warn " * Wrong permissions for $file" + logjson "3.20" "WARN" fi else info "$check_3_20" info " * File not found" + logjson "3.20" "INFO" fi From b8fac4a7d2398570446cb683c0f2af21646953e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 13 Oct 2017 10:02:48 +0200 Subject: [PATCH 06/10] check 4.x json log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/4_container_images.sh | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index 6867844..0861bd2 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh @@ -10,6 +10,7 @@ check_4_1="4.1 - Ensure a user for the container has been created" if [ -z "$containers" ]; then info "$check_4_1" info " * No containers running" + logjson "4.1" "INFO" else # We have some containers running, set failure flag to 0. Check for Users. fail=0 @@ -24,15 +25,18 @@ else if [ $fail -eq 0 ]; then warn "$check_4_1" warn " * Running as root: $c" + logjson "4.1" "WARN: $c" fail=1 else warn " * Running as root: $c" + logjson "4.1" "WARN: $c" fi fi done # We went through all the containers and found none running as root if [ $fail -eq 0 ]; then pass "$check_4_1" + logjson "4.1" "PASS" fi fi # Make the loop separator go back to space 
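Review bot: `logjson "4.1" "WARN: $c"` runs once per container found running as root, so the report object repeats the key "4.1" and JSON parsers typically keep only one of the duplicates, dropping every other container name; the same per-item logging recurs in 4.6 and 4.9 (patch 06) and in nearly every 5.x check (patch 07). The value also fuses status and detail into one string (`WARN: name`), so a consumer has to parse the prefix to recover the status. Consider logging the status once where `fail=1` is set and collecting the container names in a variable that is written under one separate key after the loop. These prefixed values also carry data derived from the running containers straight into the JSON string, so whatever escaping `logjson` does matters most for these hunks.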
@@ -43,21 +47,26 @@ images=$(docker images -q) # 4.2 check_4_2="4.2 - Ensure that containers use trusted base images" note "$check_4_2" +logjson "4.2" "NOTE" # 4.3 check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" note "$check_4_3" +logjson "4.3" "NOTE" # 4.4 check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" note "$check_4_4" +logjson "4.4" "NOTE" # 4.5 check_4_5="4.5 - Ensure Content trust for Docker is Enabled" if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then pass "$check_4_5" + logjson "4.5" "PASS" else warn "$check_4_5" + logjson "4.5" "WARN" fi # 4.6 @@ -68,15 +77,18 @@ for img in $images; do if [ $fail -eq 0 ]; then fail=1 warn "$check_4_6" + logjson "4.6" "WARN" fi imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) if ! [ "$imgName" = '[]' ]; then warn " * No Healthcheck found: $imgName" + logjson "4.6" "WARN: $imgName" fi fi done if [ $fail -eq 0 ]; then pass "$check_4_6" + logjson "4.6" "PASS" fi # 4.7 @@ -87,6 +99,7 @@ for img in $images; do if [ $fail -eq 0 ]; then fail=1 info "$check_4_7" + logjson "4.7" "INFO" fi imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) if ! [ "$imgName" = '[]' ]; then @@ -96,11 +109,13 @@ for img in $images; do done if [ $fail -eq 0 ]; then pass "$check_4_7" + logjson "4.7" "PASS" fi # 4.8 check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images" note "$check_4_8" +logjson "4.8" "NOTE" # 4.9 check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" 
@@ -111,21 +126,26 @@ for img in $images; do if [ $fail -eq 0 ]; then fail=1 info "$check_4_9" + logjson "4.9" "INFO" fi imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) if ! [ "$imgName" = '[]' ]; then info " * ADD in image history: $imgName" + logjson "4.9" "INFO: $imgName" fi fi done if [ $fail -eq 0 ]; then pass "$check_4_9" + logjson "4.9" "PASS" fi # 4.10 check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" note "$check_4_10" +logjson "4.10" "NOTE" # 4.11 check_4_11="4.11 - Ensure verified packages are only Installed" note "$check_4_11" +logjson "4.11" "NOTE" From be4dd69f3f491a937133e3ef5ab774d290dba203 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 13 Oct 2017 10:25:23 +0200 Subject: [PATCH 07/10] check 5.x json log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/5_container_runtime.sh | 86 ++++++++++++++++++++++++++++++++++++ 1 file changed, 86 insertions(+) diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index f7565d3..61658a7 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -22,15 +22,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_1" warn " * No AppArmorProfile Found: $c" + logjson "5.1" "WARN: $c" fail=1 else warn " * No AppArmorProfile Found: $c" + logjson "5.1" "WARN: $c" fi fi done # We went through all the containers and found none without AppArmor if [ $fail -eq 0 ]; then pass "$check_5_1" + logjson "5.1" "PASS" fi # 5.2 @@ -45,15 +48,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_2" warn " * No SecurityOptions Found: $c" + logjson "5.2" "WARN: $c" fail=1 else warn " * No SecurityOptions Found: $c" + logjson "5.2" "WARN: $c" fi fi done # We went through all the containers and found none without SELinux if [ $fail -eq 0 ]; then pass "$check_5_2" + logjson "5.2" "PASS" fi # 5.3 
@@ -71,15 +77,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_3" warn " * Capabilities added: $caps to $c" + logjson "5.3" "WARN: $c" fail=1 else warn " * Capabilities added: $caps to $c" + logjson "5.3" "WARN: $c" fi fi done # We went through all the containers and found none with extra capabilities if [ $fail -eq 0 ]; then pass "$check_5_3" + logjson "5.3" "PASS" fi # 5.4 @@ -94,15 +103,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_4" warn " * Container running in Privileged mode: $c" + logjson "5.4" "WARN: $c" fail=1 else warn " * Container running in Privileged mode: $c" + logjson "5.4" "WARN: $c" fi fi done # We went through all the containers and found no privileged containers if [ $fail -eq 0 ]; then pass "$check_5_4" + logjson "5.4" "PASS" fi # 5.5 @@ -136,9 +148,11 @@ else if [ $fail -eq 0 ]; then warn "$check_5_5" warn " * Sensitive directory $v mounted in: $c" + logjson "5.5" "WARN: $v in $c" fail=1 else warn " * Sensitive directory $v mounted in: $c" + logjson "5.5" "WARN: $v in $c" fi fi done @@ -146,6 +160,7 @@ else # We went through all the containers and found none with sensitive mounts if [ $fail -eq 0 ]; then pass "$check_5_5" + logjson "5.5" "PASS" fi # 5.6 @@ -161,10 +176,12 @@ else if [ $fail -eq 0 ]; then warn "$check_5_6" warn " * Container running sshd: $c" + logjson "5.6" "WARN: $c" fail=1 printcheck=1 else warn " * Container running sshd: $c" + logjson "5.6" "WARN: $c" fi fi @@ -172,9 +189,11 @@ else if [ $? -eq 255 ]; then if [ $printcheck -eq 0 ]; then warn "$check_5_6" + logjson "5.6" "WARN" printcheck=1 fi warn " * Docker exec fails: $c" + logjson "5.6" "WARN: $c" fail=1 fi @@ -199,9 +218,11 @@ else if [ $fail -eq 0 ]; then warn "$check_5_7" warn " * Privileged Port in use: $port in $c" + logjson "5.7" "WARN: $port in $c" fail=1 else warn " * Privileged Port in use: $port in $c" + logjson "5.7" "WARN: $port in $c" fi fi done 
@@ -209,11 +230,13 @@ else # We went through all the containers and found no privileged ports if [ $fail -eq 0 ]; then pass "$check_5_7" + logjson "5.7" "PASS" fi # 5.8 check_5_8="5.8 - Ensure only needed ports are open on the container" note "$check_5_8" + logjson "5.8" "NOTE" # 5.9 check_5_9="5.9 - Ensure the host's network namespace is not shared" @@ -227,15 +250,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_9" warn " * Container running with networking mode 'host': $c" + logjson "5.9" "WARN: $c" fail=1 else warn " * Container running with networking mode 'host': $c" + logjson "5.9" "WARN: $c" fi fi done # We went through all the containers and found no Network Mode host if [ $fail -eq 0 ]; then pass "$check_5_9" + logjson "5.9" "PASS" fi # 5.10 @@ -254,15 +280,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_10" warn " * Container running without memory restrictions: $c" + logjson "5.10" "WARN: $c" fail=1 else warn " * Container running without memory restrictions: $c" + logjson "5.10" "WARN: $c" fi fi done # We went through all the containers and found no lack of Memory restrictions if [ $fail -eq 0 ]; then pass "$check_5_10" + logjson "5.10" "PASS" fi # 5.11 @@ -281,15 +310,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_11" warn " * Container running without CPU restrictions: $c" + logjson "5.11" "WARN: $c" fail=1 else warn " * Container running without CPU restrictions: $c" + logjson "5.11" "WARN: $c" fi fi done # We went through all the containers and found no lack of CPUShare restrictions if [ $fail -eq 0 ]; then pass "$check_5_11" + logjson "5.11" "PASS" fi # 5.12 
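Review bot: The added `logjson "5.8" "NOTE"` is indented although the `note "$check_5_8"` it follows is at top level, unlike the equivalent `note`/`logjson` pairs for 4.2, 4.3 and 4.8, which are flush left. Dropping the leading whitespace keeps the file's top-level statements aligned.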
@@ -304,15 +336,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_12" warn " * Container running with root FS mounted R/W: $c" + logjson "5.12" "WARN: $c" fail=1 else warn " * Container running with root FS mounted R/W: $c" + logjson "5.12" "WARN: $c" fi fi done # We went through all the containers and found no R/W FS mounts if [ $fail -eq 0 ]; then pass "$check_5_12" + logjson "5.12" "PASS" fi # 5.13 @@ -326,9 +361,11 @@ else if [ $fail -eq 0 ]; then warn "$check_5_13" warn " * Port being bound to wildcard IP: $ip in $c" + logjson "5.13" "WARN: $ip in $c" fail=1 else warn " * Port being bound to wildcard IP: $ip in $c" + logjson "5.13" "WARN: $ip in $c" fi fi done @@ -336,6 +373,7 @@ else # We went through all the containers and found no ports bound to 0.0.0.0 if [ $fail -eq 0 ]; then pass "$check_5_13" + logjson "5.13" "PASS" fi # 5.14 @@ -350,15 +388,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_14" warn " * MaximumRetryCount is not set to 5: $c" + logjson "5.14" "WARN: $c" fail=1 else warn " * MaximumRetryCount is not set to 5: $c" + logjson "5.14" "WARN: $c" fi fi done # We went through all the containers and they all had MaximumRetryCount=5 if [ $fail -eq 0 ]; then pass "$check_5_14" + logjson "5.14" "PASS" fi # 5.15 @@ -373,15 +414,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_15" warn " * Host PID namespace being shared with: $c" + logjson "5.15" "WARN: $c" fail=1 else warn " * Host PID namespace being shared with: $c" + logjson "5.15" "WARN: $c" fi fi done # We went through all the containers and found none with PidMode as host if [ $fail -eq 0 ]; then pass "$check_5_15" + logjson "5.15" "PASS" fi # 5.16 
@@ -396,15 +440,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_16" warn " * Host IPC namespace being shared with: $c" + logjson "5.16" "WARN: $c" fail=1 else warn " * Host IPC namespace being shared with: $c" + logjson "5.16" "WARN: $c" fi fi done # We went through all the containers and found none with IPCMode as host if [ $fail -eq 0 ]; then pass "$check_5_16" + logjson "5.16" "PASS" fi # 5.17 @@ -419,15 +466,18 @@ else if [ $fail -eq 0 ]; then info "$check_5_17" info " * Container has devices exposed directly: $c" + logjson "5.17" "INFO: $c" fail=1 else info " * Container has devices exposed directly: $c" + logjson "5.17" "INFO: $c" fi fi done # We went through all the containers and found none with devices if [ $fail -eq 0 ]; then pass "$check_5_17" + logjson "5.17" "PASS" fi # 5.18 @@ -442,15 +492,18 @@ else if [ $fail -eq 0 ]; then info "$check_5_18" info " * Container no default ulimit override: $c" + logjson "5.18" "INFO: $c" fail=1 else info " * Container no default ulimit override: $c" + logjson "5.18" "INFO: $c" fi fi done # We went through all the containers and found none without Ulimits if [ $fail -eq 0 ]; then pass "$check_5_18" + logjson "5.18" "PASS" fi # 5.19 @@ -464,15 +517,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_19" warn " * Mount propagation mode is shared: $c" + logjson "5.19" "WARN: $c" fail=1 else warn " * Mount propagation mode is shared: $c" + logjson "5.19" "WARN: $c" fi fi done # We went through all the containers and found none with shared propagation mode if [ $fail -eq 0 ]; then pass "$check_5_19" + logjson "5.19" "PASS" fi # 5.20 
@@ -487,15 +543,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_20" warn " * Host UTS namespace being shared with: $c" + logjson "5.20" "WARN: $c" fail=1 else warn " * Host UTS namespace being shared with: $c" + logjson "5.20" "WARN: $c" fi fi done # We went through all the containers and found none with UTSMode as host if [ $fail -eq 0 ]; then pass "$check_5_20" + logjson "5.20" "PASS" fi # 5.21 @@ -508,24 +567,29 @@ else if [ $fail -eq 0 ]; then warn "$check_5_21" warn " * Default seccomp profile disabled: $c" + logjson "5.21" "WARN: $c" fail=1 else warn " * Default seccomp profile disabled: $c" + logjson "5.21" "WARN: $c" fi fi done # We went through all the containers and found none with default secomp profile disabled if [ $fail -eq 0 ]; then pass "$check_5_21" + logjson "5.21" "PASS" fi # 5.22 check_5_22="5.22 - Ensure docker exec commands are not used with privileged option" note "$check_5_22" + logjson "5.22" "NOTE" # 5.23 check_5_23="5.23 - Ensure docker exec commands are not used with user option" note "$check_5_23" + logjson "5.23" "NOTE" # 5.24 check_5_24="5.24 - Ensure cgroup usage is confirmed" @@ -539,15 +603,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_24" warn " * Confirm cgroup usage: $c" + logjson "5.24" "WARN: $c" fail=1 else warn " * Confirm cgroup usage: $c" + logjson "5.24" "WARN: $c" fi fi done # We went through all the containers and found none with UTSMode as host if [ $fail -eq 0 ]; then pass "$check_5_24" + logjson "5.24" "PASS" fi # 5.25 @@ -560,15 +627,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_25" warn " * Privileges not restricted: $c" + logjson "5.25" "WARN: $c" fail=1 else warn " * Privileges not restricted: $c" + logjson "5.25" "WARN: $c" fi fi done # We went through all the containers and found none with capability to acquire additional privileges if [ $fail -eq 0 ]; then pass "$check_5_25" + logjson "5.25" "PASS" fi # 5.26 
@@ -580,19 +650,23 @@ else if [ $fail -eq 0 ]; then warn "$check_5_26" warn " * Health check not set: $c" + logjson "5.26" "WARN: $c" fail=1 else warn " * Health check not set: $c" + logjson "5.26" "WARN: $c" fi fi done if [ $fail -eq 0 ]; then pass "$check_5_26" + logjson "5.26" "PASS" fi # 5.27 check_5_27="5.27 - Ensure docker commands always get the latest version of the image" info "$check_5_27" + logjson "5.27" "INFO" # 5.28 check_5_28="5.28 - Ensure PIDs cgroup limit is used" @@ -606,15 +680,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_28" warn " * PIDs limit not set: $c" + logjson "5.28" "WARN: $c" fail=1 else warn " * PIDs limit not set: $c" + logjson "5.28" "WARN: $c" fi fi done # We went through all the containers and found all with PIDs limit if [ $fail -eq 0 ]; then pass "$check_5_28" + logjson "5.28" "PASS" fi # 5.29 @@ -629,11 +706,13 @@ else if [ -n "$docker0Containers" ]; then if [ $fail -eq 0 ]; then info "$check_5_29" + logjson "5.29" "INFO" fail=1 fi for c in $docker0Containers; do cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g') info " * Container in docker0 network: $cName" + logjson "5.29" "INFO: $c" done fi fi @@ -641,6 +720,7 @@ else # We went through all the containers and found none in docker0 network if [ $fail -eq 0 ]; then pass "$check_5_29" + logjson "5.29" "PASS" fi # 5.30 @@ -653,15 +733,18 @@ else if [ $fail -eq 0 ]; then warn "$check_5_30" warn " * Namespace shared: $c" + logjson "5.30" "WARN: $c" fail=1 else warn " * Namespace shared: $c" + logjson "5.30" "WARN: $c" fi fi done # We went through all the containers and found none with host's user namespace shared if [ $fail -eq 0 ]; then pass "$check_5_30" + logjson "5.30" "PASS" fi # 5.31 
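Review bot: The value logged for 5.29 inside the loop is the raw id `$c`, while the `info` line just above reports the resolved `$cName`, so the JSON and the text output name the same container differently; `logjson "5.29" "INFO: $cName"` keeps them aligned. As in the other per-container checks, the key `"5.29"` is also repeated once per container, so a parser that keeps only the last duplicate retains a single entry. The `for c in $docker0Containers` loop lies entirely inside this hunk, so the change is local.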
@@ -674,14 +757,17 @@ else if [ $fail -eq 0 ]; then warn "$check_5_31" warn " * Docker socket shared: $c" + logjson "5.31" "WARN: $c" fail=1 else warn " * Docker socket shared: $c" + logjson "5.31" "WARN: $c" fi fi done # We went through all the containers and found none with docker.sock shared if [ $fail -eq 0 ]; then pass "$check_5_31" + logjson "5.31" "PASS" fi fi From e1adab029d64bf0470156fc7b97504e5431c6638 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 13 Oct 2017 10:28:42 +0200 Subject: [PATCH 08/10] check 6.x json log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/6_docker_security_operations.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index adc2c8e..52979e7 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -19,6 +19,7 @@ done if [ "$active_images" -lt "$((images / 2))" ]; then info " * Only $active_images out of $images are in use" + logjson "6.1" "INFO: $active_images" fi # 6.2 @@ -29,7 +30,9 @@ diff="$((total_containers - running_containers))" if [ "$diff" -gt 25 ]; then info "$check_6_2" info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" + logjson "6.2" "INFO: $running_containers" else info "$check_6_2" info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" + logjson "6.2" "INFO: $running_containers" fi From fa9b227a7b13f90e57815557fa58f3af8c1fd834 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 13 Oct 2017 10:38:31 +0200 Subject: [PATCH 09/10] check 7.x json log MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
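Review bot: The value logged for 6.1, `INFO: $active_images`, drops the total `$images` that the text message reports, so a consumer of the JSON cannot judge whether the count is low; `logjson "6.1" "INFO: $active_images of $images in use"` keeps both figures. The 6.2 hunk has the same gap and additionally logs an identical value in both branches, so the idle-container condition that selects the branch is invisible in the JSON; including `$total_containers` there as well, e.g. `logjson "6.2" "INFO: $running_containers of $total_containers running"`, preserves what the text output already says.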
Signed-off-by: Thomas Sjögren --- tests/7_docker_swarm_configuration.sh | 33 +++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/tests/7_docker_swarm_configuration.sh b/tests/7_docker_swarm_configuration.sh index 5b240aa..a3a80c7 100644 --- a/tests/7_docker_swarm_configuration.sh +++ b/tests/7_docker_swarm_configuration.sh @@ -7,8 +7,10 @@ info "7 - Docker Swarm Configuration" check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed" if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then pass "$check_7_1" + logjson "7.1" "PASS" else warn "$check_7_1" + logjson "7.1" "WARN" fi # 7.2 @@ -17,11 +19,14 @@ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then managernodes=$(docker node ls | grep -c "Leader") if [ "$managernodes" -le 1 ]; then pass "$check_7_2" + logjson "7.2" "PASS" else warn "$check_7_2" + logjson "7.2" "WARN" fi else pass "$check_7_2 (Swarm mode not enabled)" + logjson "7.2" "PASS" fi # 7.3 @@ -30,11 +35,14 @@ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 if [ $? -eq 1 ]; then pass "$check_7_3" + logjson "7.3" "PASS" else warn "$check_7_3" + logjson "7.3" "WARN" fi else pass "$check_7_3 (Swarm mode not enabled)" + logjson "7.3" "PASS" fi # 7.4 @@ -47,10 +55,12 @@ if docker network ls --filter driver=overlay --quiet | \ if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \ grep -v 'encrypted:' 2>/dev/null 1>&2; then warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" + logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" fi done else pass "$check_7_4" + logjson "7.4" "PASS" fi # 7.5 
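Review bot: In the 7.2 hunk the `Swarm mode not enabled` branch logs a bare `"PASS"`, so the JSON cannot distinguish a check that actually passed from one that was not applicable, although the text output keeps that qualifier; mirroring it with `logjson "7.2" "PASS (Swarm mode not enabled)"` (or a dedicated not-applicable status) preserves the distinction. The same branch is logged as plain PASS in 7.3 through 7.10 in this and the following hunks.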
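Review bot: The added `logjson` line in 7.4 runs `docker network inspect` a second time for the same network, duplicating the call the `warn` line above already makes and letting the two outputs diverge if the network changes between them; resolve it once with `netdesc=$(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")`, then `warn " * Unencrypted overlay network: $netdesc"` and `logjson "7.4" "WARN: $netdesc"`. Because this sits in a loop over overlay networks, the key `"7.4"` is emitted once per unencrypted network and a parser keeping the last duplicate drops the rest. The `for` loop over `$encnet` begins outside the hunk.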
@@ -58,11 +68,14 @@ check_7_5="7.5 - Ensure Docker's secret management commands are used for managi if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then pass "$check_7_5" + logjson "7.5" "PASS" else info "$check_7_5" + logjson "7.5" "INFO" fi else pass "$check_7_5 (Swarm mode not enabled)" + logjson "7.5" "PASS" fi # 7.6 @@ -70,19 +83,24 @@ check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode" if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then warn "$check_7_6" + logjson "7.6" "WARN" else pass "$check_7_6" + logjson "7.6" "PASS" fi else pass "$check_7_6 (Swarm mode not enabled)" + logjson "7.6" "PASS" fi # 7.7 check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically" if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then note "$check_7_7" + logjson "7.7" "NOTE" else pass "$check_7_7 (Swarm mode not enabled)" + logjson "7.7" "PASS" fi # 7.8 
@@ -90,25 +108,32 @@ check_7_8="7.8 - Ensure node certificates are rotated as appropriate" if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then pass "$check_7_8" + logjson "7.8" "PASS" else info "$check_7_8" + logjson "7.8" "INFO" fi else pass "$check_7_8 (Swarm mode not enabled)" + logjson "7.8" "PASS" fi # 7.9 check_7_9="7.9 - Ensure CA certificates are rotated as appropriate" if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - info "$check_7_9" + info "$check_7_9" + logjson "7.9" "INFO" else - pass "$check_7_9 (Swarm mode not enabled)" + pass "$check_7_9 (Swarm mode not enabled)" + logjson "7.9" "PASS" fi # 7.10 check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic" if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - info "$check_7_10" + info "$check_7_10" + logjson "7.10" "INFO" else - pass "$check_7_10 (Swarm mode not enabled)" + pass "$check_7_10 (Swarm mode not enabled)" + logjson "7.10" "PASS" fi From 4bbfc5465e29b925d308187ef09d1f95baf55227 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Fri, 13 Oct 2017 11:37:54 +0200 Subject: [PATCH 10/10] mention dvs version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- docker-bench-security.sh | 2 +- output_lib.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 08eda32..ce4de2c 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -72,7 +72,7 @@ if [ "x$ID" != "x0" ]; then fi logit "Initializing $(date)\n" -beginjson "$(date +%s)" +beginjson "1.3.4" "$(date +%s)" # Load all the tests from tests/ and run them main () { diff --git a/output_lib.sh b/output_lib.sh index 6460d40..5ead4b7 100644 --- a/output_lib.sh +++ b/output_lib.sh 
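Review bot: The release string `"1.3.4"` is hard-coded at the `beginjson` call site with nothing tying it to wherever else the project records its version, so it will silently go stale; keep it in one named variable near the top of the script, `version="1.3.4"`, and call `beginjson "$version" "$(date +%s)"`. A short comment on the call, `# JSON report header: tool version and start epoch`, would also explain the two positional arguments, which the function name alone does not.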
@@ -30,7 +30,7 @@ yell () {
 }
 
 beginjson () {
- printf "{\n \"start\": %s," "$1" | tee "$logger.json" 2>/dev/null 1>&2
+ printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s," "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
 }
 
 endjson (){
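Review bot: `beginjson` has no header comment, and now that it takes two positional arguments they are easy to swap; a line above the definition such as `# beginjson VERSION START_EPOCH: truncates "$logger.json" and writes the opening fields` would document the contract. The `| tee "$logger.json" 2>/dev/null 1>&2` tail sends tee's copy to a stderr that was already pointed at /dev/null, so the pipe only serves as a write to the file and a plain `> "$logger.json"` redirect (`>>` in the append cases) says that directly while not hiding a write failure. `$logger` is defined outside this hunk; if it can be empty the report lands at `./.json`, which a `: "${logger:?}"` guard at the top of the function would surface.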