GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 00:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #264 from konstruktoid/issue247

Browse source 
skeleton json
This commit is contained in:
Thomas Sjögren 2017-10-23 09:35:21 +02:00 committed by GitHub
commit ad045075eb
10 changed files with 324 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.gitignore vendored
View file

@ -1 +1 @@
*.log *.log*

3
docker-bench-security.sh
View file

@ -72,6 +72,7 @@ if [ "x$ID" != "x0" ]; then
fi fi
logit "Initializing $(date)\n" logit "Initializing $(date)\n"
beginjson "1.3.4" "$(date +%s)"
# Load all the tests from tests/ and run them # Load all the tests from tests/ and run them
main () { main () {
@ -92,6 +93,8 @@ main () {
do do
. ./"$test" . ./"$test"
done done
endjson "$(date +%s)"
} }
main "$@" main "$@"

12
output_lib.sh
View file

@ -28,3 +28,15 @@ note () {
yell () { yell () {
printf "%b\n" "${bldylw}$1${txtrst}\n" printf "%b\n" "${bldylw}$1${txtrst}\n"
} }
beginjson () {
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s," "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
}
endjson (){
printf "\n \"end\": %s \n}\n" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}

51
tests/1_host_configuration.sh
View file

@ -8,15 +8,19 @@ auditrules="/etc/audit/audit.rules"
check_1_1="1.1 - Ensure a separate partition for containers has been created" check_1_1="1.1 - Ensure a separate partition for containers has been created"
if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then
pass "$check_1_1" pass "$check_1_1"
logjson "1.1" "PASS"
elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then
pass "$check_1_1" pass "$check_1_1"
logjson "1.1" "PASS"
else else
warn "$check_1_1" warn "$check_1_1"
logjson "1.1" "WARN"
fi fi
# 1.2 # 1.2
check_1_2="1.2 - Ensure the container host has been Hardened" check_1_2="1.2 - Ensure the container host has been Hardened"
note "$check_1_2" note "$check_1_2"
logjson "1.2" "INFO"
# 1.3 # 1.3
check_1_3="1.3 - Ensure Docker is up to date" check_1_3="1.3 - Ensure Docker is up to date"
@ -28,10 +32,12 @@ if [ $? -eq 11 ]; then
info "$check_1_3" info "$check_1_3"
info " * Using $docker_version, verify is it up to date as deemed necessary" info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker" info " * Your operating system vendor may provide support and security maintenance for Docker"
logjson "1.3" "INFO"
else else
pass "$check_1_3" pass "$check_1_3"
info " * Using $docker_version which is current" info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker" info " * Check with your operating system vendor for support and security maintenance for Docker"
logjson "1.3" "PASS"
fi fi
# 1.4 # 1.4
@ -40,6 +46,7 @@ docker_users=$(getent group docker)
info "$check_1_4" info "$check_1_4"
for u in $docker_users; do for u in $docker_users; do
info " * $u" info " * $u"
logjson "1.4" "$u"
done done
# 1.5 # 1.5
@ -48,13 +55,17 @@ file="/usr/bin/docker "
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_5" pass "$check_1_5"
logjson "1.5" "PASS"
else else
warn "$check_1_5" warn "$check_1_5"
logjson "1.5" "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_5" pass "$check_1_5"
logjson "1.5" "PASS"
else else
warn "$check_1_5" warn "$check_1_5"
logjson "1.5" "WARN"
fi fi
# 1.6 # 1.6
@ -64,17 +75,22 @@ if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_6" pass "$check_1_6"
logjson "1.6" "PASS"
else else
warn "$check_1_6" warn "$check_1_6"
logjson "1.6" "WARN"
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_6" pass "$check_1_6"
logjson "1.6" "PASS"
else else
warn "$check_1_6" warn "$check_1_6"
logjson "1.6" "WARN"
fi fi
else else
info "$check_1_6" info "$check_1_6"
info " * Directory not found" info " * Directory not found"
logjson "1.6" "INFO"
fi fi
# 1.7 # 1.7
@ -84,17 +100,22 @@ if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_7" pass "$check_1_7"
logjson "1.7" "PASS"
else else
warn "$check_1_7" warn "$check_1_7"
logjson "1.7" "WARN"
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_7" pass "$check_1_7"
logjson "1.7" "PASS"
else else
warn "$check_1_7" warn "$check_1_7"
logjson "1.7" "WARN"
fi fi
else else
info "$check_1_7" info "$check_1_7"
info " * Directory not found" info " * Directory not found"
logjson "1.7" "INFO"
fi fi
# 1.8 # 1.8
@ -104,17 +125,22 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_8" pass "$check_1_8"
logjson "1.8" "PASS"
else else
warn "$check_1_8" warn "$check_1_8"
logjson "1.8" "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_8" pass "$check_1_8"
logjson "1.8" "pass"
else else
warn "$check_1_8" warn "$check_1_8"
logjson "1.8" "WARN"
fi fi
else else
info "$check_1_8" info "$check_1_8"
info " * File not found" info " * File not found"
logjson "1.8" "INFO"
fi fi
# 1.9 # 1.9
@ -124,17 +150,22 @@ if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_9" pass "$check_1_9"
logjson "1.9" "PASS"
else else
warn "$check_1_9" warn "$check_1_9"
logjson "1.9" "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_9" pass "$check_1_9"
logjson "1.9" "PASS"
else else
warn "$check_1_9" warn "$check_1_9"
logjson "1.9" "WARN"
fi fi
else else
info "$check_1_9" info "$check_1_9"
info " * File not found" info " * File not found"
logjson "1.9" "INFO"
fi fi
# 1.10 # 1.10
@ -144,17 +175,22 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_10" pass "$check_1_10"
logjson "1.10" "PASS"
else else
warn "$check_1_10" warn "$check_1_10"
logjson "1.10" "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_10" pass "$check_1_10"
logjson "1.10" "PASS"
else else
warn "$check_1_10" warn "$check_1_10"
logjson "1.10" "WARN"
fi fi
else else
info "$check_1_10" info "$check_1_10"
info " * File not found" info " * File not found"
logjson "1.10" "INFO"
fi fi
# 1.11 # 1.11
@ -164,17 +200,22 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_11" pass "$check_1_11"
logjson "1.11" "PASS"
else else
warn "$check_1_11" warn "$check_1_11"
logjson "1.11" "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_11" pass "$check_1_11"
logjson "1.11" "PASS"
else else
warn "$check_1_11" warn "$check_1_11"
logjson "1.11" "WARN"
fi fi
else else
info "$check_1_11" info "$check_1_11"
info " * File not found" info " * File not found"
logjson "1.11" "INFO"
fi fi
# 1.12 # 1.12
@ -184,17 +225,22 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_12" pass "$check_1_12"
logjson "1.12" "PASS"
else else
warn "$check_1_12" warn "$check_1_12"
logjson "1.12" "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_12" pass "$check_1_12"
logjson "1.12" "PASS"
else else
warn "$check_1_12" warn "$check_1_12"
logjson "1.12" "WARN"
fi fi
else else
info "$check_1_12" info "$check_1_12"
info " * File not found" info " * File not found"
logjson "1.12" "INFO"
fi fi
# 1.13 # 1.13
@ -204,15 +250,20 @@ if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_13" pass "$check_1_13"
logjson "1.13" "PASS"
else else
warn "$check_1_13" warn "$check_1_13"
logjson "1.13" "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_13" pass "$check_1_13"
logjson "1.13" "PASS"
else else
warn "$check_1_13" warn "$check_1_13"
logjson "1.13" "WARN"
fi fi
else else
info "$check_1_13" info "$check_1_13"
info " * File not found" info " * File not found"
logjson "1.13" "INFO"
fi fi

59
tests/2_docker_daemon_configuration.sh
View file

@ -7,10 +7,13 @@ info "2 - Docker daemon configuration"
check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge" check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge"
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass "$check_2_1" pass "$check_2_1"
logjson "2.1" "PASS"
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass "$check_2_1" pass "$check_2_1"
logjson "2.1" "PASS"
else else
warn "$check_2_1" warn "$check_2_1"
logjson "2.1" "WARN"
fi fi
# 2.2 # 2.2
@ -18,51 +21,66 @@ check_2_2="2.2 - Ensure the logging level is set to 'info'"
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass "$check_2_2" pass "$check_2_2"
logjson "2.2" "PASS"
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass "$check_2_2" pass "$check_2_2"
logjson "2.2" "PASS"
else else
warn "$check_2_2" warn "$check_2_2"
logjson "2.2" "WARN"
fi fi
elif get_docker_effective_command_line_args '-l'; then elif get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass "$check_2_2" pass "$check_2_2"
logjson "2.2" "PASS"
else else
warn "$check_2_2" warn "$check_2_2"
logjson "2.2" "WARN"
fi fi
else else
pass "$check_2_2" pass "$check_2_2"
logjson "2.2" "PASS"
fi fi
# 2.3 # 2.3
check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables" check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables"
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3" warn "$check_2_3"
logjson "2.3" "WARN"
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3" warn "$check_2_3"
logjson "2.3" "WARN"
else else
pass "$check_2_3" pass "$check_2_3"
logjson "2.3" "PASS"
fi fi
# 2.4 # 2.4
check_2_4="2.4 - Ensure insecure registries are not used" check_2_4="2.4 - Ensure insecure registries are not used"
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn "$check_2_4" warn "$check_2_4"
logjson "2.4" "WARN"
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass "$check_2_4" pass "$check_2_4"
logjson "2.4" "PASS"
else else
warn "$check_2_4" warn "$check_2_4"
logjson "2.4" "WARN"
fi fi
else else
pass "$check_2_4" pass "$check_2_4"
logjson "2.4" "PASS"
fi fi
# 2.5 # 2.5
check_2_5="2.5 - Ensure aufs storage driver is not used" check_2_5="2.5 - Ensure aufs storage driver is not used"
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn "$check_2_5" warn "$check_2_5"
logjson "2.5" "WARN"
else else
pass "$check_2_5" pass "$check_2_5"
logjson "2.5" "PASS"
fi fi
# 2.6 # 2.6
@ -73,30 +91,37 @@ if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
pass "$check_2_6" pass "$check_2_6"
logjson "2.6" "PASS"
else else
warn "$check_2_6" warn "$check_2_6"
warn " * Docker daemon currently listening on TCP with TLS, but no verification" warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logjson "2.6" "WARN"
fi fi
fi fi
else else
warn "$check_2_6" warn "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS" warn " * Docker daemon currently listening on TCP without TLS"
logjson "2.6" "WARN"
fi fi
elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
pass "$check_2_6" pass "$check_2_6"
logjson "2.6" "PASS"
else else
warn "$check_2_6" warn "$check_2_6"
warn " * Docker daemon currently listening on TCP with TLS, but no verification" warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logjson "2.6" "WARN"
fi fi
else else
warn "$check_2_6" warn "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS" warn " * Docker daemon currently listening on TCP without TLS"
logjson "2.6" "WARN"
fi fi
else else
info "$check_2_6" info "$check_2_6"
info " * Docker daemon not listening on TCP" info " * Docker daemon not listening on TCP"
logjson "2.6" "INFO"
fi fi
@ -104,21 +129,27 @@ fi
check_2_7="2.7 - Ensure the default ulimit is configured appropriately" check_2_7="2.7 - Ensure the default ulimit is configured appropriately"
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass "$check_2_7" pass "$check_2_7"
logjson "2.7" "PASS"
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass "$check_2_7" pass "$check_2_7"
logjson "2.7" "PASS"
else else
info "$check_2_7" info "$check_2_7"
info " * Default ulimit doesn't appear to be set" info " * Default ulimit doesn't appear to be set"
logjson "2.7" "INFO"
fi fi
# 2.8 # 2.8
check_2_8="2.8 - Enable user namespace support" check_2_8="2.8 - Enable user namespace support"
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass "$check_2_8" pass "$check_2_8"
logjson "2.8" "PASS"
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass "$check_2_8" pass "$check_2_8"
logjson "2.8" "PASS"
else else
warn "$check_2_8" warn "$check_2_8"
logjson "2.8" "WARN"
fi fi
# 2.9 # 2.9
@ -126,62 +157,80 @@ check_2_9="2.9 - Ensure the default cgroup usage has been confirmed"
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
warn "$check_2_9" warn "$check_2_9"
info " * Confirm cgroup usage" info " * Confirm cgroup usage"
logjson "2.9" "INFO"
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn "$check_2_9" warn "$check_2_9"
info " * Confirm cgroup usage" info " * Confirm cgroup usage"
logjson "2.9" "INFO"
else else
pass "$check_2_9" pass "$check_2_9"
logjson "2.9" "PASS"
fi fi
# 2.10 # 2.10
check_2_10="2.10 - Ensure base device size is not changed until needed" check_2_10="2.10 - Ensure base device size is not changed until needed"
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10" warn "$check_2_10"
logjson "2.10" "WARN"
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10" warn "$check_2_10"
logjson "2.10" "WARN"
else else
pass "$check_2_10" pass "$check_2_10"
logjson "2.10" "PASS"
fi fi
# 2.11 # 2.11
check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled" check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled"
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass "$check_2_11" pass "$check_2_11"
logjson "2.11" "PASS"
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass "$check_2_11" pass "$check_2_11"
logjson "2.11" "PASS"
else else
warn "$check_2_11" warn "$check_2_11"
logjson "2.11" "WARN"
fi fi
# 2.12 # 2.12
check_2_12="2.12 - Ensure centralized and remote logging is configured" check_2_12="2.12 - Ensure centralized and remote logging is configured"
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn "$check_2_12" warn "$check_2_12"
logjson "2.12" "WARN"
else else
pass "$check_2_12" pass "$check_2_12"
logjson "2.12" "PASS"
fi fi
# 2.13 # 2.13
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled" check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled"
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass "$check_2_13" pass "$check_2_13"
logjson "2.13" "PASS"
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass "$check_2_13" pass "$check_2_13"
logjson "2.13" "PASS"
else else
warn "$check_2_13" warn "$check_2_13"
logjson "2.13" "WARN"
fi fi
# 2.14 # 2.14
check_2_14="2.14 - Ensure live restore is Enabled" check_2_14="2.14 - Ensure live restore is Enabled"
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass "$check_2_14" pass "$check_2_14"
logjson "2.14" "PASS"
else else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass "$check_2_14 (Incompatible with swarm mode)" pass "$check_2_14 (Incompatible with swarm mode)"
logjson "2.14" "PASS"
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass "$check_2_14" pass "$check_2_14"
logjson "2.14" "PASS"
else else
warn "$check_2_14" warn "$check_2_14"
logjson "2.14" "WARN"
fi fi
fi fi
@ -189,34 +238,44 @@ fi
check_2_15="2.15 - Ensure Userland Proxy is Disabled" check_2_15="2.15 - Ensure Userland Proxy is Disabled"
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass "$check_2_15" pass "$check_2_15"
logjson "2.15" "PASS"
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass "$check_2_15" pass "$check_2_15"
logjson "2.15" "PASS"
else else
warn "$check_2_15" warn "$check_2_15"
logjson "2.15" "WARN"
fi fi
# 2.16 # 2.16
check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed" check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed"
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass "$check_2_16" pass "$check_2_16"
logjson "2.16" "PASS"
else else
info "$check_2_16" info "$check_2_16"
logjson "2.16" "INFO"
fi fi
# 2.17 # 2.17
check_2_17="2.17 - Ensure experimental features are avoided in production" check_2_17="2.17 - Ensure experimental features are avoided in production"
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass "$check_2_17" pass "$check_2_17"
logjson "2.17" "PASS"
else else
warn "$check_2_17" warn "$check_2_17"
logjson "2.17" "WARN"
fi fi
# 2.18 # 2.18
check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges" check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges"
if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then
pass "$check_2_18" pass "$check_2_18"
logjson "2.18" "PASS"
elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then
pass "$check_2_18" pass "$check_2_18"
logjson "2.18" "PASS"
else else
warn "$check_2_18" warn "$check_2_18"
logjson "2.18" "WARN"
fi fi

60
tests/3_docker_daemon_configuration_files.sh
View file

@ -9,13 +9,16 @@ file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1" pass "$check_3_1"
logjson "3.1" "PASS"
else else
warn "$check_3_1" warn "$check_3_1"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logjson "3.1" "WARN"
fi fi
else else
info "$check_3_1" info "$check_3_1"
info " * File not found" info " * File not found"
logjson "3.1" "INFO"
fi fi
# 3.2 # 3.2
@ -24,13 +27,16 @@ file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_2" pass "$check_3_2"
logjson "3.2" "PASS"
else else
warn "$check_3_2" warn "$check_3_2"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logjson "3.2" "WARN"
fi fi
else else
info "$check_3_2" info "$check_3_2"
info " * File not found" info " * File not found"
logjson "3.2" "INFO"
fi fi
# 3.3 # 3.3
@ -39,13 +45,16 @@ file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3" pass "$check_3_3"
logjson "3.3" "PASS"
else else
warn "$check_3_3" warn "$check_3_3"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logjson "3.3" "WARN"
fi fi
else else
info "$check_3_3" info "$check_3_3"
info " * File not found" info " * File not found"
logjson "3.3" "INFO"
fi fi
# 3.4 # 3.4
@ -54,13 +63,16 @@ file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_4" pass "$check_3_4"
logjson "3.4" "PASS"
else else
warn "$check_3_4" warn "$check_3_4"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logjson "3.4" "WARN"
fi fi
else else
info "$check_3_4" info "$check_3_4"
info " * File not found" info " * File not found"
logjson "3.4" "INFO"
fi fi
# 3.5 # 3.5
@ -69,13 +81,16 @@ directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_5" pass "$check_3_5"
logjson "3.5" "PASS"
else else
warn "$check_3_5" warn "$check_3_5"
warn " * Wrong ownership for $directory" warn " * Wrong ownership for $directory"
logjson "3.5" "WARN"
fi fi
else else
info "$check_3_5" info "$check_3_5"
info " * Directory not found" info " * Directory not found"
logjson "3.5" "INFO"
fi fi
# 3.6 # 3.6
@ -84,13 +99,16 @@ directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_6" pass "$check_3_6"
logjson "3.6" "PASS"
else else
warn "$check_3_6" warn "$check_3_6"
warn " * Wrong permissions for $directory" warn " * Wrong permissions for $directory"
logjson "3.6" "WARN"
fi fi
else else
info "$check_3_6" info "$check_3_6"
info " * Directory not found" info " * Directory not found"
logjson "3.6" "INFO"
fi fi
# 3.7 # 3.7
@ -107,12 +125,15 @@ if [ -d "$directory" ]; then
if [ $fail -eq 1 ]; then if [ $fail -eq 1 ]; then
warn "$check_3_7" warn "$check_3_7"
warn " * Wrong ownership for $directory" warn " * Wrong ownership for $directory"
logjson "3.7" "WARN"
else else
pass "$check_3_7" pass "$check_3_7"
logjson "3.7" "PASS"
fi fi
else else
info "$check_3_7" info "$check_3_7"
info " * Directory not found" info " * Directory not found"
logjson "3.7" "INFO"
fi fi
# 3.8 # 3.8
@ -129,12 +150,15 @@ if [ -d "$directory" ]; then
if [ $fail -eq 1 ]; then if [ $fail -eq 1 ]; then
warn "$check_3_8" warn "$check_3_8"
warn " * Wrong permissions for $directory" warn " * Wrong permissions for $directory"
logjson "3.8" "WARN"
else else
pass "$check_3_8" pass "$check_3_8"
logjson "3.8" "PASS"
fi fi
else else
info "$check_3_8" info "$check_3_8"
info " * Directory not found" info " * Directory not found"
logjson "3.8" "INFO"
fi fi
# 3.9 # 3.9
@ -147,13 +171,16 @@ fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_9" pass "$check_3_9"
logjson "3.9" "PASS"
else else
warn "$check_3_9" warn "$check_3_9"
warn " * Wrong ownership for $tlscacert" warn " * Wrong ownership for $tlscacert"
logjson "3.9" "WARN"
fi fi
else else
info "$check_3_9" info "$check_3_9"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
logjson "3.9" "INFO"
fi fi
# 3.10 # 3.10
@ -166,13 +193,16 @@ fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
pass "$check_3_10" pass "$check_3_10"
logjson "3.10" "PASS"
else else
warn "$check_3_10" warn "$check_3_10"
warn " * Wrong permissions for $tlscacert" warn " * Wrong permissions for $tlscacert"
logjson "3.10" "WARN"
fi fi
else else
info "$check_3_10" info "$check_3_10"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
logjson "3.10" "INFO"
fi fi
# 3.11 # 3.11
@ -185,13 +215,16 @@ fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_11" pass "$check_3_11"
logjson "3.11" "PASS"
else else
warn "$check_3_11" warn "$check_3_11"
warn " * Wrong ownership for $tlscert" warn " * Wrong ownership for $tlscert"
logjson "3.11" "WARN"
fi fi
else else
info "$check_3_11" info "$check_3_11"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
logjson "3.11" "INFO"
fi fi
# 3.12 # 3.12
@ -204,13 +237,16 @@ fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
pass "$check_3_12" pass "$check_3_12"
logjson "3.12" "PASS"
else else
warn "$check_3_12" warn "$check_3_12"
warn " * Wrong permissions for $tlscert" warn " * Wrong permissions for $tlscert"
logjson "3.12" "WARN"
fi fi
else else
info "$check_3_12" info "$check_3_12"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
logjson "3.12" "INFO"
fi fi
# 3.13 # 3.13
@ -223,13 +259,16 @@ fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_13" pass "$check_3_13"
logjson "3.13" "PASS"
else else
warn "$check_3_13" warn "$check_3_13"
warn " * Wrong ownership for $tlskey" warn " * Wrong ownership for $tlskey"
logjson "3.13" "WARN"
fi fi
else else
info "$check_3_13" info "$check_3_13"
info " * No TLS Key found" info " * No TLS Key found"
logjson "3.13" "INFO"
fi fi
# 3.14 # 3.14
@ -242,13 +281,16 @@ fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass "$check_3_14" pass "$check_3_14"
logjson "3.14" "PASS"
else else
warn "$check_3_14" warn "$check_3_14"
warn " * Wrong permissions for $tlskey" warn " * Wrong permissions for $tlskey"
logjson "3.14" "WARN"
fi fi
else else
info "$check_3_14" info "$check_3_14"
info " * No TLS Key found" info " * No TLS Key found"
logjson "3.14" "INFO"
fi fi
# 3.15 # 3.15
@ -257,13 +299,16 @@ file="/var/run/docker.sock"
if [ -S "$file" ]; then if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass "$check_3_15" pass "$check_3_15"
logjson "3.15" "PASS"
else else
warn "$check_3_15" warn "$check_3_15"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logjson "3.15" "WARN"
fi fi
else else
info "$check_3_15" info "$check_3_15"
info " * File not found" info " * File not found"
logjson "3.15" "INFO"
fi fi
# 3.16 # 3.16
@ -272,13 +317,16 @@ file="/var/run/docker.sock"
if [ -S "$file" ]; then if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_16" pass "$check_3_16"
logjson "3.16" "PASS"
else else
warn "$check_3_16" warn "$check_3_16"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logjson "3.16" "WARN"
fi fi
else else
info "$check_3_16" info "$check_3_16"
info " * File not found" info " * File not found"
logjson "3.16" "INFO"
fi fi
# 3.17 # 3.17
@ -287,13 +335,16 @@ file="/etc/docker/daemon.json"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_17" pass "$check_3_17"
logjson "3.17" "PASS"
else else
warn "$check_3_17" warn "$check_3_17"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logjson "3.17" "WARN"
fi fi
else else
info "$check_3_17" info "$check_3_17"
info " * File not found" info " * File not found"
logjson "3.17" "INFO"
fi fi
# 3.18 # 3.18
@ -302,13 +353,16 @@ file="/etc/docker/daemon.json"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_18" pass "$check_3_18"
logjson "3.18" "PASS"
else else
warn "$check_3_18" warn "$check_3_18"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logjson "3.18" "WARN"
fi fi
else else
info "$check_3_18" info "$check_3_18"
info " * File not found" info " * File not found"
logjson "3.18" "INFO"
fi fi
# 3.19 # 3.19
@ -317,13 +371,16 @@ file="/etc/default/docker"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_19" pass "$check_3_19"
logjson "3.19" "PASS"
else else
warn "$check_3_19" warn "$check_3_19"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logjson "3.19" "WARN"
fi fi
else else
info "$check_3_19" info "$check_3_19"
info " * File not found" info " * File not found"
logjson "3.19" "INFO"
fi fi
# 3.20 # 3.20
@ -332,11 +389,14 @@ file="/etc/default/docker"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_20" pass "$check_3_20"
logjson "3.20" "PASS"
else else
warn "$check_3_20" warn "$check_3_20"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logjson "3.20" "WARN"
fi fi
else else
info "$check_3_20" info "$check_3_20"
info " * File not found" info " * File not found"
logjson "3.20" "INFO"
fi fi

20
tests/4_container_images.sh
View file

@ -10,6 +10,7 @@ check_4_1="4.1 - Ensure a user for the container has been created"
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info "$check_4_1" info "$check_4_1"
info " * No containers running" info " * No containers running"
logjson "4.1" "INFO"
else else
# We have some containers running, set failure flag to 0. Check for Users. # We have some containers running, set failure flag to 0. Check for Users.
fail=0 fail=0
@ -24,15 +25,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_4_1" warn "$check_4_1"
warn " * Running as root: $c" warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fail=1 fail=1
else else
warn " * Running as root: $c" warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none running as root # We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_1" pass "$check_4_1"
logjson "4.1" "PASS"
fi fi
fi fi
# Make the loop separator go back to space # Make the loop separator go back to space
@ -43,21 +47,26 @@ images=$(docker images -q)
# 4.2 # 4.2
check_4_2="4.2 - Ensure that containers use trusted base images" check_4_2="4.2 - Ensure that containers use trusted base images"
note "$check_4_2" note "$check_4_2"
logjson "4.2" "NOTE"
# 4.3 # 4.3
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
note "$check_4_3" note "$check_4_3"
logjson "4.3" "NOTE"
# 4.4 # 4.4
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
note "$check_4_4" note "$check_4_4"
logjson "4.4" "NOTE"
# 4.5 # 4.5
check_4_5="4.5 - Ensure Content trust for Docker is Enabled" check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass "$check_4_5" pass "$check_4_5"
logjson "4.5" "PASS"
else else
warn "$check_4_5" warn "$check_4_5"
logjson "4.5" "WARN"
fi fi
# 4.6 # 4.6
@ -68,15 +77,18 @@ for img in $images; do
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
warn "$check_4_6" warn "$check_4_6"
logjson "4.6" "WARN"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
warn " * No Healthcheck found: $imgName" warn " * No Healthcheck found: $imgName"
logjson "4.6" "WARN: $imgName"
fi fi
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_6" pass "$check_4_6"
logjson "4.6" "PASS"
fi fi
# 4.7 # 4.7
@ -87,6 +99,7 @@ for img in $images; do
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
info "$check_4_7" info "$check_4_7"
logjson "4.7" "INFO"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
@ -96,11 +109,13 @@ for img in $images; do
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_7" pass "$check_4_7"
logjson "4.7" "PASS"
fi fi
# 4.8 # 4.8
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images" check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
note "$check_4_8" note "$check_4_8"
logjson "4.8" "NOTE"
# 4.9 # 4.9
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
@ -111,21 +126,26 @@ for img in $images; do
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
info "$check_4_9" info "$check_4_9"
logjson "4.9" "INFO"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
info " * ADD in image history: $imgName" info " * ADD in image history: $imgName"
logjson "4.9" "INFO: $imgName"
fi fi
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_9" pass "$check_4_9"
logjson "4.9" "PASS"
fi fi
# 4.10 # 4.10
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
note "$check_4_10" note "$check_4_10"
logjson "4.10" "NOTE"
# 4.11 # 4.11
check_4_11="4.11 - Ensure verified packages are only Installed" check_4_11="4.11 - Ensure verified packages are only Installed"
note "$check_4_11" note "$check_4_11"
logjson "4.11" "NOTE"

86
tests/5_container_runtime.sh
View file

@ -22,15 +22,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_1" warn "$check_5_1"
warn " * No AppArmorProfile Found: $c" warn " * No AppArmorProfile Found: $c"
logjson "5.1" "WARN: $c"
fail=1 fail=1
else else
warn " * No AppArmorProfile Found: $c" warn " * No AppArmorProfile Found: $c"
logjson "5.1" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none without AppArmor # We went through all the containers and found none without AppArmor
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_1" pass "$check_5_1"
logjson "5.1" "PASS"
fi fi
# 5.2 # 5.2
@ -45,15 +48,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_2" warn "$check_5_2"
warn " * No SecurityOptions Found: $c" warn " * No SecurityOptions Found: $c"
logjson "5.2" "WARN: $c"
fail=1 fail=1
else else
warn " * No SecurityOptions Found: $c" warn " * No SecurityOptions Found: $c"
logjson "5.2" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none without SELinux # We went through all the containers and found none without SELinux
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_2" pass "$check_5_2"
logjson "5.2" "PASS"
fi fi
# 5.3 # 5.3
@ -71,15 +77,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_3" warn "$check_5_3"
warn " * Capabilities added: $caps to $c" warn " * Capabilities added: $caps to $c"
logjson "5.3" "WARN: $c"
fail=1 fail=1
else else
warn " * Capabilities added: $caps to $c" warn " * Capabilities added: $caps to $c"
logjson "5.3" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with extra capabilities # We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_3" pass "$check_5_3"
logjson "5.3" "PASS"
fi fi
# 5.4 # 5.4
@ -94,15 +103,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_4" warn "$check_5_4"
warn " * Container running in Privileged mode: $c" warn " * Container running in Privileged mode: $c"
logjson "5.4" "WARN: $c"
fail=1 fail=1
else else
warn " * Container running in Privileged mode: $c" warn " * Container running in Privileged mode: $c"
logjson "5.4" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found no privileged containers # We went through all the containers and found no privileged containers
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_4" pass "$check_5_4"
logjson "5.4" "PASS"
fi fi
# 5.5 # 5.5
@ -136,9 +148,11 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_5" warn "$check_5_5"
warn " * Sensitive directory $v mounted in: $c" warn " * Sensitive directory $v mounted in: $c"
logjson "5.5" "WARN: $v in $c"
fail=1 fail=1
else else
warn " * Sensitive directory $v mounted in: $c" warn " * Sensitive directory $v mounted in: $c"
logjson "5.5" "WARN: $v in $c"
fi fi
fi fi
done done
@ -146,6 +160,7 @@ else
# We went through all the containers and found none with sensitive mounts # We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_5" pass "$check_5_5"
logjson "5.5" "PASS"
fi fi
# 5.6 # 5.6
@ -161,10 +176,12 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_6" warn "$check_5_6"
warn " * Container running sshd: $c" warn " * Container running sshd: $c"
logjson "5.6" "WARN: $c"
fail=1 fail=1
printcheck=1 printcheck=1
else else
warn " * Container running sshd: $c" warn " * Container running sshd: $c"
logjson "5.6" "WARN: $c"
fi fi
fi fi
@ -172,9 +189,11 @@ else
if [ $? -eq 255 ]; then if [ $? -eq 255 ]; then
if [ $printcheck -eq 0 ]; then if [ $printcheck -eq 0 ]; then
warn "$check_5_6" warn "$check_5_6"
logjson "5.6" "WARN"
printcheck=1 printcheck=1
fi fi
warn " * Docker exec fails: $c" warn " * Docker exec fails: $c"
logjson "5.6" "WARN: $c"
fail=1 fail=1
fi fi
@ -199,9 +218,11 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_7" warn "$check_5_7"
warn " * Privileged Port in use: $port in $c" warn " * Privileged Port in use: $port in $c"
logjson "5.7" "WARN: $port in $c"
fail=1 fail=1
else else
warn " * Privileged Port in use: $port in $c" warn " * Privileged Port in use: $port in $c"
logjson "5.7" "WARN: $port in $c"
fi fi
fi fi
done done
@ -209,11 +230,13 @@ else
# We went through all the containers and found no privileged ports # We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_7" pass "$check_5_7"
logjson "5.7" "PASS"
fi fi
# 5.8 # 5.8
check_5_8="5.8 - Ensure only needed ports are open on the container" check_5_8="5.8 - Ensure only needed ports are open on the container"
note "$check_5_8" note "$check_5_8"
logjson "5.8" "NOTE"
# 5.9 # 5.9
check_5_9="5.9 - Ensure the host's network namespace is not shared" check_5_9="5.9 - Ensure the host's network namespace is not shared"
@ -227,15 +250,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_9" warn "$check_5_9"
warn " * Container running with networking mode 'host': $c" warn " * Container running with networking mode 'host': $c"
logjson "5.9" "WARN: $c"
fail=1 fail=1
else else
warn " * Container running with networking mode 'host': $c" warn " * Container running with networking mode 'host': $c"
logjson "5.9" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found no Network Mode host # We went through all the containers and found no Network Mode host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_9" pass "$check_5_9"
logjson "5.9" "PASS"
fi fi
# 5.10 # 5.10
@ -254,15 +280,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_10" warn "$check_5_10"
warn " * Container running without memory restrictions: $c" warn " * Container running without memory restrictions: $c"
logjson "5.10" "WARN: $c"
fail=1 fail=1
else else
warn " * Container running without memory restrictions: $c" warn " * Container running without memory restrictions: $c"
logjson "5.10" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found no lack of Memory restrictions # We went through all the containers and found no lack of Memory restrictions
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_10" pass "$check_5_10"
logjson "5.10" "PASS"
fi fi
# 5.11 # 5.11
@ -281,15 +310,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_11" warn "$check_5_11"
warn " * Container running without CPU restrictions: $c" warn " * Container running without CPU restrictions: $c"
logjson "5.11" "WARN: $c"
fail=1 fail=1
else else
warn " * Container running without CPU restrictions: $c" warn " * Container running without CPU restrictions: $c"
logjson "5.11" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found no lack of CPUShare restrictions # We went through all the containers and found no lack of CPUShare restrictions
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_11" pass "$check_5_11"
logjson "5.11" "PASS"
fi fi
# 5.12 # 5.12
@ -304,15 +336,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_12" warn "$check_5_12"
warn " * Container running with root FS mounted R/W: $c" warn " * Container running with root FS mounted R/W: $c"
logjson "5.12" "WARN: $c"
fail=1 fail=1
else else
warn " * Container running with root FS mounted R/W: $c" warn " * Container running with root FS mounted R/W: $c"
logjson "5.12" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found no R/W FS mounts # We went through all the containers and found no R/W FS mounts
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_12" pass "$check_5_12"
logjson "5.12" "PASS"
fi fi
# 5.13 # 5.13
@ -326,9 +361,11 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_13" warn "$check_5_13"
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
logjson "5.13" "WARN: $ip in $c"
fail=1 fail=1
else else
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
logjson "5.13" "WARN: $ip in $c"
fi fi
fi fi
done done
@ -336,6 +373,7 @@ else
# We went through all the containers and found no ports bound to 0.0.0.0 # We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_13" pass "$check_5_13"
logjson "5.13" "PASS"
fi fi
# 5.14 # 5.14
@ -350,15 +388,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_14" warn "$check_5_14"
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5: $c"
logjson "5.14" "WARN: $c"
fail=1 fail=1
else else
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5: $c"
logjson "5.14" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and they all had MaximumRetryCount=5 # We went through all the containers and they all had MaximumRetryCount=5
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_14" pass "$check_5_14"
logjson "5.14" "PASS"
fi fi
# 5.15 # 5.15
@ -373,15 +414,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_15" warn "$check_5_15"
warn " * Host PID namespace being shared with: $c" warn " * Host PID namespace being shared with: $c"
logjson "5.15" "WARN: $c"
fail=1 fail=1
else else
warn " * Host PID namespace being shared with: $c" warn " * Host PID namespace being shared with: $c"
logjson "5.15" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with PidMode as host # We went through all the containers and found none with PidMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_15" pass "$check_5_15"
logjson "5.15" "PASS"
fi fi
# 5.16 # 5.16
@ -396,15 +440,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_16" warn "$check_5_16"
warn " * Host IPC namespace being shared with: $c" warn " * Host IPC namespace being shared with: $c"
logjson "5.16" "WARN: $c"
fail=1 fail=1
else else
warn " * Host IPC namespace being shared with: $c" warn " * Host IPC namespace being shared with: $c"
logjson "5.16" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with IPCMode as host # We went through all the containers and found none with IPCMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_16" pass "$check_5_16"
logjson "5.16" "PASS"
fi fi
# 5.17 # 5.17
@ -419,15 +466,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_17" info "$check_5_17"
info " * Container has devices exposed directly: $c" info " * Container has devices exposed directly: $c"
logjson "5.17" "INFO: $c"
fail=1 fail=1
else else
info " * Container has devices exposed directly: $c" info " * Container has devices exposed directly: $c"
logjson "5.17" "INFO: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with devices # We went through all the containers and found none with devices
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_17" pass "$check_5_17"
logjson "5.17" "PASS"
fi fi
# 5.18 # 5.18
@ -442,15 +492,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_18" info "$check_5_18"
info " * Container no default ulimit override: $c" info " * Container no default ulimit override: $c"
logjson "5.18" "INFO: $c"
fail=1 fail=1
else else
info " * Container no default ulimit override: $c" info " * Container no default ulimit override: $c"
logjson "5.18" "INFO: $c"
fi fi
fi fi
done done
# We went through all the containers and found none without Ulimits # We went through all the containers and found none without Ulimits
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_18" pass "$check_5_18"
logjson "5.18" "PASS"
fi fi
# 5.19 # 5.19
@ -464,15 +517,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_19" warn "$check_5_19"
warn " * Mount propagation mode is shared: $c" warn " * Mount propagation mode is shared: $c"
logjson "5.19" "WARN: $c"
fail=1 fail=1
else else
warn " * Mount propagation mode is shared: $c" warn " * Mount propagation mode is shared: $c"
logjson "5.19" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with shared propagation mode # We went through all the containers and found none with shared propagation mode
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_19" pass "$check_5_19"
logjson "5.19" "PASS"
fi fi
# 5.20 # 5.20
@ -487,15 +543,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_20" warn "$check_5_20"
warn " * Host UTS namespace being shared with: $c" warn " * Host UTS namespace being shared with: $c"
logjson "5.20" "WARN: $c"
fail=1 fail=1
else else
warn " * Host UTS namespace being shared with: $c" warn " * Host UTS namespace being shared with: $c"
logjson "5.20" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with UTSMode as host # We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_20" pass "$check_5_20"
logjson "5.20" "PASS"
fi fi
# 5.21 # 5.21
@ -508,24 +567,29 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_21" warn "$check_5_21"
warn " * Default seccomp profile disabled: $c" warn " * Default seccomp profile disabled: $c"
logjson "5.21" "WARN: $c"
fail=1 fail=1
else else
warn " * Default seccomp profile disabled: $c" warn " * Default seccomp profile disabled: $c"
logjson "5.21" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with default secomp profile disabled # We went through all the containers and found none with default secomp profile disabled
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_21" pass "$check_5_21"
logjson "5.21" "PASS"
fi fi
# 5.22 # 5.22
check_5_22="5.22 - Ensure docker exec commands are not used with privileged option" check_5_22="5.22 - Ensure docker exec commands are not used with privileged option"
note "$check_5_22" note "$check_5_22"
logjson "5.22" "NOTE"
# 5.23 # 5.23
check_5_23="5.23 - Ensure docker exec commands are not used with user option" check_5_23="5.23 - Ensure docker exec commands are not used with user option"
note "$check_5_23" note "$check_5_23"
logjson "5.23" "NOTE"
# 5.24 # 5.24
check_5_24="5.24 - Ensure cgroup usage is confirmed" check_5_24="5.24 - Ensure cgroup usage is confirmed"
@ -539,15 +603,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_24" warn "$check_5_24"
warn " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
logjson "5.24" "WARN: $c"
fail=1 fail=1
else else
warn " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
logjson "5.24" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with UTSMode as host # We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_24" pass "$check_5_24"
logjson "5.24" "PASS"
fi fi
# 5.25 # 5.25
@ -560,15 +627,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_25" warn "$check_5_25"
warn " * Privileges not restricted: $c" warn " * Privileges not restricted: $c"
logjson "5.25" "WARN: $c"
fail=1 fail=1
else else
warn " * Privileges not restricted: $c" warn " * Privileges not restricted: $c"
logjson "5.25" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with capability to acquire additional privileges # We went through all the containers and found none with capability to acquire additional privileges
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_25" pass "$check_5_25"
logjson "5.25" "PASS"
fi fi
# 5.26 # 5.26
@ -580,19 +650,23 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_26" warn "$check_5_26"
warn " * Health check not set: $c" warn " * Health check not set: $c"
logjson "5.26" "WARN: $c"
fail=1 fail=1
else else
warn " * Health check not set: $c" warn " * Health check not set: $c"
logjson "5.26" "WARN: $c"
fi fi
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_26" pass "$check_5_26"
logjson "5.26" "PASS"
fi fi
# 5.27 # 5.27
check_5_27="5.27 - Ensure docker commands always get the latest version of the image" check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
info "$check_5_27" info "$check_5_27"
logjson "5.27" "INFO"
# 5.28 # 5.28
check_5_28="5.28 - Ensure PIDs cgroup limit is used" check_5_28="5.28 - Ensure PIDs cgroup limit is used"
@ -606,15 +680,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_28" warn "$check_5_28"
warn " * PIDs limit not set: $c" warn " * PIDs limit not set: $c"
logjson "5.28" "WARN: $c"
fail=1 fail=1
else else
warn " * PIDs limit not set: $c" warn " * PIDs limit not set: $c"
logjson "5.28" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found all with PIDs limit # We went through all the containers and found all with PIDs limit
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_28" pass "$check_5_28"
logjson "5.28" "PASS"
fi fi
# 5.29 # 5.29
@ -629,11 +706,13 @@ else
if [ -n "$docker0Containers" ]; then if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_29" info "$check_5_29"
logjson "5.29" "INFO"
fail=1 fail=1
fi fi
for c in $docker0Containers; do for c in $docker0Containers; do
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g') cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
info " * Container in docker0 network: $cName" info " * Container in docker0 network: $cName"
logjson "5.29" "INFO: $c"
done done
fi fi
fi fi
@ -641,6 +720,7 @@ else
# We went through all the containers and found none in docker0 network # We went through all the containers and found none in docker0 network
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_29" pass "$check_5_29"
logjson "5.29" "PASS"
fi fi
# 5.30 # 5.30
@ -653,15 +733,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_30" warn "$check_5_30"
warn " * Namespace shared: $c" warn " * Namespace shared: $c"
logjson "5.30" "WARN: $c"
fail=1 fail=1
else else
warn " * Namespace shared: $c" warn " * Namespace shared: $c"
logjson "5.30" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with host's user namespace shared # We went through all the containers and found none with host's user namespace shared
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_30" pass "$check_5_30"
logjson "5.30" "PASS"
fi fi
# 5.31 # 5.31
@ -674,14 +757,17 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_31" warn "$check_5_31"
warn " * Docker socket shared: $c" warn " * Docker socket shared: $c"
logjson "5.31" "WARN: $c"
fail=1 fail=1
else else
warn " * Docker socket shared: $c" warn " * Docker socket shared: $c"
logjson "5.31" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none with docker.sock shared # We went through all the containers and found none with docker.sock shared
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_31" pass "$check_5_31"
logjson "5.31" "PASS"
fi fi
fi fi

3
tests/6_docker_security_operations.sh
View file

@ -19,6 +19,7 @@ done
if [ "$active_images" -lt "$((images / 2))" ]; then if [ "$active_images" -lt "$((images / 2))" ]; then
info " * Only $active_images out of $images are in use" info " * Only $active_images out of $images are in use"
logjson "6.1" "INFO: $active_images"
fi fi
# 6.2 # 6.2
@ -29,7 +30,9 @@ diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then if [ "$diff" -gt 25 ]; then
info "$check_6_2" info "$check_6_2"
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
logjson "6.2" "INFO: $running_containers"
else else
info "$check_6_2" info "$check_6_2"
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
logjson "6.2" "INFO: $running_containers"
fi fi

33
tests/7_docker_swarm_configuration.sh
View file

@ -7,8 +7,10 @@ info "7 - Docker Swarm Configuration"
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed" check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass "$check_7_1" pass "$check_7_1"
logjson "7.1" "PASS"
else else
warn "$check_7_1" warn "$check_7_1"
logjson "7.1" "WARN"
fi fi
# 7.2 # 7.2
@ -17,11 +19,14 @@ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader") managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -le 1 ]; then if [ "$managernodes" -le 1 ]; then
pass "$check_7_2" pass "$check_7_2"
logjson "7.2" "PASS"
else else
warn "$check_7_2" warn "$check_7_2"
logjson "7.2" "WARN"
fi fi
else else
pass "$check_7_2 (Swarm mode not enabled)" pass "$check_7_2 (Swarm mode not enabled)"
logjson "7.2" "PASS"
fi fi
# 7.3 # 7.3
@ -30,11 +35,14 @@ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
pass "$check_7_3" pass "$check_7_3"
logjson "7.3" "PASS"
else else
warn "$check_7_3" warn "$check_7_3"
logjson "7.3" "WARN"
fi fi
else else
pass "$check_7_3 (Swarm mode not enabled)" pass "$check_7_3 (Swarm mode not enabled)"
logjson "7.3" "PASS"
fi fi
# 7.4 # 7.4
@ -47,10 +55,12 @@ if docker network ls --filter driver=overlay --quiet | \
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \ if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then grep -v 'encrypted:' 2>/dev/null 1>&2; then
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
fi fi
done done
else else
pass "$check_7_4" pass "$check_7_4"
logjson "7.4" "PASS"
fi fi
# 7.5 # 7.5
@ -58,11 +68,14 @@ check_7_5="7.5 - Ensure Docker's secret management commands are used for managi
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass "$check_7_5" pass "$check_7_5"
logjson "7.5" "PASS"
else else
info "$check_7_5" info "$check_7_5"
logjson "7.5" "INFO"
fi fi
else else
pass "$check_7_5 (Swarm mode not enabled)" pass "$check_7_5 (Swarm mode not enabled)"
logjson "7.5" "PASS"
fi fi
# 7.6 # 7.6
@ -70,19 +83,24 @@ check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn "$check_7_6" warn "$check_7_6"
logjson "7.6" "WARN"
else else
pass "$check_7_6" pass "$check_7_6"
logjson "7.6" "PASS"
fi fi
else else
pass "$check_7_6 (Swarm mode not enabled)" pass "$check_7_6 (Swarm mode not enabled)"
logjson "7.6" "PASS"
fi fi
# 7.7 # 7.7
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically" check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note "$check_7_7" note "$check_7_7"
logjson "7.7" "NOTE"
else else
pass "$check_7_7 (Swarm mode not enabled)" pass "$check_7_7 (Swarm mode not enabled)"
logjson "7.7" "PASS"
fi fi
# 7.8 # 7.8
@ -90,25 +108,32 @@ check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass "$check_7_8" pass "$check_7_8"
logjson "7.8" "PASS"
else else
info "$check_7_8" info "$check_7_8"
logjson "7.8" "INFO"
fi fi
else else
pass "$check_7_8 (Swarm mode not enabled)" pass "$check_7_8 (Swarm mode not enabled)"
logjson "7.8" "PASS"
fi fi
# 7.9 # 7.9
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate" check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_9" info "$check_7_9"
logjson "7.9" "INFO"
else else
pass "$check_7_9 (Swarm mode not enabled)" pass "$check_7_9 (Swarm mode not enabled)"
logjson "7.9" "PASS"
fi fi
# 7.10 # 7.10
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic" check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_10" info "$check_7_10"
logjson "7.10" "INFO"
else else
pass "$check_7_10 (Swarm mode not enabled)" pass "$check_7_10 (Swarm mode not enabled)"
logjson "7.10" "PASS"
fi fi