GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-31 22:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

fighting with bats

Browse source
This commit is contained in:
Alexei Ledenev 2016-05-05 18:50:47 +03:00 committed by Alexei Ledenev
parent fc42e548fe
commit bd56792523
2 changed files with 50 additions and 28 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
helper_lib.sh
View file

@ -1,8 +1,5 @@
#!/bin/sh #!/bin/sh
# echo to stderr
echoerr() { echo "$@" 1>&2; }
# Returns the absolute path of a given string # Returns the absolute path of a given string
abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; } abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; }

75
tests/1_host_configuration.bats → test/1_host_configuration.bats
View file

@ -1,34 +1,31 @@
#!/usr/bin/env bats #!/usr/bin/env bats
load 'test_helper/bats-support/load'
load 'test_helper/bats-assert/load'
setup() { setup() {
. "$BATS_TEST_DIRNAME/../helper_lib.sh" . "$BATS_TEST_DIRNAME/../helper_lib.sh"
} }
# 1.1 # 1.1
@test "1.1 - Create a separate partition for containers" { @test "1.1 - Create a separate partition for containers" {
grep /var/lib/docker /etc/fstab run grep /var/lib/docker /etc/fstab
[ $status -eq 0 ] assert_success
} }
# 1.2 # 1.2
@test "1.2 - Use an updated Linux Kernel" { @test "1.2 - Use an updated Linux Kernel" {
kernel_version=$(uname -r | cut -d "-" -f 1) kernel_version=$(uname -r | cut -d "-" -f 1)
run do_version_check 3.10 "$kernel_version" run do_version_check 3.10 "$kernel_version"
[ $status -eq 9 ] || [ $status -eq 10 ] assert [ $status -eq 9 -o $status -eq 10 ]
} }
# 1.4 # 1.4
@test "1.4 - Remove all non-essential services from the host - Network" { @test "1.4 - Remove all non-essential services from the host - Network" {
# Check for listening network services. # Check for listening network services.
listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN) listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
if [ "$listening_services" -eq 0 ]; then refute [ "$listening_services" -eq 0 ] "1.4 - Failed to get listening services for check: $BATS_TEST_NAME"
echoerr "1.4 - Failed to get listening services for check: $BATS_TEST_NAME" refute [ "$listening_services" -gt 5 ] "Host listening on: $listening_services ports"
else
if [ "$listening_services" -gt 5 ]; then
echoerr " * Host listening on: $listening_services ports"
fi
fi
[ "$listening_services" -ne 0 ] && [ "$listening_services" -le 5 ]
} }
# 1.5 # 1.5
@ -39,22 +36,26 @@ setup() {
docker_current_date="2016-04-27" docker_current_date="2016-04-27"
run do_version_check "$docker_current_version" "$docker_version" run do_version_check "$docker_current_version" "$docker_version"
if [ $status -eq 11 ]; then if [ $status -eq 11 ]; then
echoerr " * Using $docker_version, when $docker_current_version is current as of $docker_current_date" fail "Using $docker_version, when $docker_current_version is current as of $docker_current_date. Your operating system vendor may provide support and security maintenance for docker."
echoerr " * Your operating system vendor may provide support and security maintenance for docker"
else
pass "$check_1_5"
echoerr " * Using $docker_version which is current as of $docker_current_date"
echoerr " * Check with your operating system vendor for support and security maintenance for docker"
fi fi
[ $status -eq 9 ] || [ $status -eq 10 ] assert [ $status -eq 9 -o $status -eq 10 ]
} }
# 1.6 # 1.6
@test "1.6 - Only allow trusted users to control Docker daemon" { @test "1.6 - Only allow trusted users to control Docker daemon" {
docker_users=$(getent group docker) declare -a trusted_users=("vagrant" "docker" "ubuntu")
echoerr "$BATS_TEST_NAME" users_string=$(awk -F':' '/^docker/{print $4}' /etc/group)
for u in $docker_users; do docker_users=(${users_string//,/ })
echoerr " * $u" for u in ${docker_users[@]}; do
local found=1
for tu in ${trusted_users[@]}; do
if [ "$u" = "$tu" ]; then
found=0
fi
done
if [ $found -eq 1 ]; then
fail "User $u is not a trusted user!"
fi
done done
} }
@ -65,19 +66,43 @@ setup() {
if [ $status -eq 0 ]; then if [ $status -eq 0 ]; then
auditctl -l | grep "$file" >/dev/null 2>&1 auditctl -l | grep "$file" >/dev/null 2>&1
else else
echoerr " * Failed to inspect: auditctl command not found." fail "Failed to inspect: auditctl command not found."
fi fi
[ $status -eq 0 ] [ $status -eq 0 ]
} }
# 1.8 # 1.8
@test "1.8 - Audit Docker files and directories - /var/lib/docker" { @test "1.8 - Audit Docker files and directories - /var/lib/docker" {
skip "TODO: need to implement" directory="/var/lib/docker"
if [ -d "$directory" ]; then
run command -v auditctl >/dev/null
if [ $status -eq 0 ]; then
auditctl -l | grep $directory >/dev/null 2>&1
else
fail "1.8 - Failed to inspect: auditctl command not found."
fi
[ $status -eq 0 ]
else
fail " * '$directory' Directory not found"
[ -d "$directory" ]
fi
} }
# 1.9 # 1.9
@test "1.9 - Audit Docker files and directories - /etc/docker" { @test "1.9 - Audit Docker files and directories - /etc/docker" {
skip "TODO: need to implement" directory="/etc/docker"
if [ -d "$directory" ]; then
run command -v auditctl >/dev/null
if [ $status -eq 0 ]; then
auditctl -l | grep $directory >/dev/null 2>&1
else
fail "1.9 - Failed to inspect: auditctl command not found."
fi
[ $status -eq 0 ]
else
fail "'$directory' Directory not found"
[ -d "$directory" ]
fi
} }
# 1.10 # 1.10