GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 00:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

check 4.x json log

Browse source 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2017-10-13 10:02:48 +02:00
parent 7a1b813cdc
commit b8fac4a7d2
1 changed files with 20 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
tests/4_container_images.sh
View file

@ -10,6 +10,7 @@ check_4_1="4.1 - Ensure a user for the container has been created"
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info "$check_4_1" info "$check_4_1"
info " * No containers running" info " * No containers running"
logjson "4.1" "INFO"
else else
# We have some containers running, set failure flag to 0. Check for Users. # We have some containers running, set failure flag to 0. Check for Users.
fail=0 fail=0
@ -24,15 +25,18 @@ else
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_4_1" warn "$check_4_1"
warn " * Running as root: $c" warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fail=1 fail=1
else else
warn " * Running as root: $c" warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fi fi
fi fi
done done
# We went through all the containers and found none running as root # We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_1" pass "$check_4_1"
logjson "4.1" "PASS"
fi fi
fi fi
# Make the loop separator go back to space # Make the loop separator go back to space
@ -43,21 +47,26 @@ images=$(docker images -q)
# 4.2 # 4.2
check_4_2="4.2 - Ensure that containers use trusted base images" check_4_2="4.2 - Ensure that containers use trusted base images"
note "$check_4_2" note "$check_4_2"
logjson "4.2" "NOTE"
# 4.3 # 4.3
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
note "$check_4_3" note "$check_4_3"
logjson "4.3" "NOTE"
# 4.4 # 4.4
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
note "$check_4_4" note "$check_4_4"
logjson "4.4" "NOTE"
# 4.5 # 4.5
check_4_5="4.5 - Ensure Content trust for Docker is Enabled" check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass "$check_4_5" pass "$check_4_5"
logjson "4.5" "PASS"
else else
warn "$check_4_5" warn "$check_4_5"
logjson "4.5" "WARN"
fi fi
# 4.6 # 4.6
@ -68,15 +77,18 @@ for img in $images; do
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
warn "$check_4_6" warn "$check_4_6"
logjson "4.6" "WARN"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
warn " * No Healthcheck found: $imgName" warn " * No Healthcheck found: $imgName"
logjson "4.6" "WARN: $imgName"
fi fi
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_6" pass "$check_4_6"
logjson "4.6" "PASS"
fi fi
# 4.7 # 4.7
@ -87,6 +99,7 @@ for img in $images; do
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
info "$check_4_7" info "$check_4_7"
logjson "4.7" "INFO"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
@ -96,11 +109,13 @@ for img in $images; do
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_7" pass "$check_4_7"
logjson "4.7" "PASS"
fi fi
# 4.8 # 4.8
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images" check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
note "$check_4_8" note "$check_4_8"
logjson "4.8" "NOTE"
# 4.9 # 4.9
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
@ -111,21 +126,26 @@ for img in $images; do
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
info "$check_4_9" info "$check_4_9"
logjson "4.9" "INFO"
fi fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then if ! [ "$imgName" = '[]' ]; then
info " * ADD in image history: $imgName" info " * ADD in image history: $imgName"
logjson "4.9" "INFO: $imgName"
fi fi
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_9" pass "$check_4_9"
logjson "4.9" "PASS"
fi fi
# 4.10 # 4.10
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
note "$check_4_10" note "$check_4_10"
logjson "4.10" "NOTE"
# 4.11 # 4.11
check_4_11="4.11 - Ensure verified packages are only Installed" check_4_11="4.11 - Ensure verified packages are only Installed"
note "$check_4_11" note "$check_4_11"
logjson "4.11" "NOTE"