From bfcc4ec4b80a305dac088135bd3e63231d258775 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Mon, 20 Feb 2017 11:20:41 +0100
Subject: [PATCH 1/5] add get_docker_configuration_file_args
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 helper_lib.sh | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/helper_lib.sh b/helper_lib.sh
index df48084..0d2df7c 100644
--- a/helper_lib.sh
+++ b/helper_lib.sh
@@ -77,7 +77,16 @@ get_docker_cumulative_command_line_args() {
 # Does not account for option default or implicit options.
 get_docker_effective_command_line_args() {
 OPTION="$1"
- get_docker_cumulative_command_line_args $OPTION | tail -n1
+ get_docker_cumulative_command_line_args "$OPTION" | tail -n1
+}
+
+get_docker_configuration_file_args() {
+ OPTION="$1"
+ FILE="$(get_docker_effective_command_line_args '--config-file' | \ sed 's/.*=//g')"
+ if ! grep "$OPTION" "$FILE"; then
+ echo 0
+ fi
 }
 get_systemd_service_file(){
From cda18f31a5fc0cb6dd231ae6888b091876561c14 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Mon, 20 Feb 2017 11:21:18 +0100
Subject: [PATCH 2/5] check config file settings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 tests/2_docker_daemon_configuration.sh | 71 +++++++++++++++++++++-----
 1 file changed, 58 insertions(+), 13 deletions(-)
diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh
index d9cd31b..65545a7 100644
--- a/tests/2_docker_daemon_configuration.sh
+++ b/tests/2_docker_daemon_configuration.sh
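Review bot: `grep "$OPTION" "$FILE"` in the new get_docker_configuration_file_args matches the option name as an unanchored substring, so a caller asking for `tls` also receives the `tlsverify`, `tlscacert` and `tlskey` lines of the file. The function also cannot signal absence through its exit status: when grep finds nothing `echo 0` runs, and when it matches the `if … fi` with no else completes with status 0, so `if get_docker_configuration_file_args …; then` in a caller is always true and the `0` printed on a miss cannot be told apart from a configured value. Anchoring on the quoted JSON key and letting grep's status through — `grep "\"$OPTION\"" "$FILE"` as the last command, without the `echo 0` — gives callers both a usable output and a usable status. A one-line header comment stating what the function prints (the matching line of the config file) would also help, since the callers added in the next patch pipe that output into further greps.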
@@ -5,7 +5,9 @@ info "2 - Docker Daemon Configuration"
 # 2.1
 check_2_1="2.1 - Restrict network traffic between containers"
-if get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1; then
+if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
+ pass "$check_2_1"
+elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
 pass "$check_2_1"
 else
 warn "$check_2_1"
@@ -13,7 +15,15 @@ fi
 # 2.2
 check_2_2="2.2 - Set the logging level"
-if get_docker_effective_command_line_args '-l' >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
+ if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
+ pass "$check_2_2"
+ elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
+ pass "$check_2_2"
+ else
+ warn "$check_2_2"
+ fi
+elif get_docker_effective_command_line_args '-l'; then
 if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
 pass "$check_2_2"
 else
@@ -27,6 +37,8 @@ fi
 check_2_3="2.3 - Allow Docker to make changes to iptables"
 if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
 warn "$check_2_3"
+elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
+ warn "$check_2_3"
 else
 pass "$check_2_3"
 fi
@@ -35,6 +47,12 @@ fi
 check_2_4="2.4 - Do not use insecure registries"
 if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
 warn "$check_2_4"
+elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
+ if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
+ pass "$check_2_4"
+ else
+ warn "$check_2_4"
+ fi
 else
 pass "$check_2_4"
 fi
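Review bot: In the 2.2 hunk the branch `elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]` can never be taken: the helper added in patch 1 prints `0` when the key is absent and always exits 0, so `if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1` always enters the config-file branch, the `-z` test sees `0`, and a daemon configured only with `-l info` on its command line is now reported as warn. The same never-empty output makes `! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]` in the 2.4 hunk true on every host, so 2.4 warns whenever the key is simply not present. The new `elif get_docker_effective_command_line_args '-l'; then` also dropped the `>/dev/null 2>&1` that the removed line had, so the matched argument is printed into the report. Both presence tests need the helper to print nothing and return grep's status on a miss before they can distinguish "absent" from "set".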
@@ -49,7 +67,19 @@ fi
 # 2.6
 check_2_6="2.6 - Configure TLS authentication for Docker daemon"
-if get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'tls' | grep true >/dev/null 2>&1; then
+ if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
+ if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
+ pass "$check_2_6"
+ else
+ warn "$check_2_6"
+ warn " * Docker daemon currently listening on TCP with TLS, but no verification"
+ fi
+ else
+ warn "$check_2_6"
+ warn " * Docker daemon currently listening on TCP without TLS"
+ fi
+elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
 if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
 if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
 pass "$check_2_6"
@@ -69,7 +99,9 @@ fi
 # 2.7
 check_2_7="2.7 - Set default ulimit as appropriate"
-if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
+ pass "$check_2_7"
+elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
 pass "$check_2_7"
 else
 info "$check_2_7"
@@ -78,7 +110,9 @@ fi
 # 2.8
 check_2_8="2.8 - Enable user namespace support"
-if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
+ pass "$check_2_8"
+elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
 pass "$check_2_8"
 else
 warn "$check_2_8"
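Review bot: In the 2.6 hunk `get_docker_configuration_file_args 'tls' | grep true` treats `tls` as a substring, so a `"tlsverify": true` line satisfies it even when no `tls` key exists, and the next test `get_docker_configuration_file_args 'tlskey' | grep -v '""'` is satisfied by the `0` the helper prints when `tlskey` is absent, because `0` does not contain `""`. Together these let a daemon.json containing only `"tlsverify": true` pass 2.6 with no key or certificate configured, which the command-line branch below guards against by requiring a non-unix `-H` and a `tlskey=` value first. Matching the exact key, e.g. `grep '"tls"'` on the helper output, and testing `tlskey` for a present non-empty value rather than for the absence of `""` would close that gap. The two new warn strings state that the daemon is listening on TCP, but this branch never looks at `hosts` in the config file, so that wording is inferred rather than checked.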
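Review bot: In the 2.7 hunk `get_docker_configuration_file_args 'default-ulimit' | grep -v '{}'` passes on a host where the key is not set at all, because the helper prints `0` on a miss and `0` does not contain `{}`; the same inverted test appears as `grep -v '""'` in 2.8 here and in 2.9, and as `grep -v '\[]'` in 2.11, so those checks pass (2.9: warn) regardless of what the file contains. A `-v` filter only means "set to a non-default value" after a positive match on the key succeeds, e.g. `grep '"default-ulimit"' | grep -v '{}'`, or once the helper prints nothing for an absent key. The 2.8 line also lacks the `>/dev/null 2>&1` the neighbouring checks use, as do 2.9 and 2.11, so the matched JSON line is echoed into the report.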
@@ -86,7 +120,10 @@ fi
 # 2.9
 check_2_9="2.9 - Confirm default cgroup usage"
-if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
+ warn "$check_2_9"
+ info " * Confirm cgroup usage"
+elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
 warn "$check_2_9"
 info " * Confirm cgroup usage"
 else
@@ -95,7 +132,9 @@ fi
 # 2.10
 check_2_10="2.10 - Do not change base device size until needed"
-if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
+ warn "$check_2_10"
+elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
 warn "$check_2_10"
 else
 pass "$check_2_10"
@@ -103,7 +142,9 @@ fi
 # 2.11
 check_2_11="2.11 - Use authorization plugin"
-if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
+ pass "$check_2_11"
+elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
 pass "$check_2_11"
 else
 warn "$check_2_11"
@@ -111,15 +152,17 @@ fi
 # 2.12
 check_2_12="2.12 - Configure centralized and remote logging"
-if get_docker_effective_command_line_args '--log-driver' | grep "log-driver" >/dev/null 2>&1; then
- pass "$check_2_12"
-else
+if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
 warn "$check_2_12"
+else
+ pass "$check_2_12"
 fi
 # 2.13
 check_2_13="2.13 - Disable operations on legacy registry (v1)"
-if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
+ pass "$check_2_13"
+elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
 pass "$check_2_13"
 else
 warn "$check_2_13"
@@ -169,7 +212,9 @@ fi
 # 2.18
 check_2_18="2.18 - Disable Userland Proxy"
-if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
+if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
+ pass "$check_2_18"
+elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
 pass "$check_2_18"
 else
 warn "$check_2_18"
From 03f5088d082abf6213b32e0e97f457b83fa25c16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Mon, 20 Feb 2017 11:22:01 +0100
Subject: [PATCH 3/5] get file locations from config file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 tests/3_docker_daemon_configuration_files.sh | 36 ++++++++++++++++----
 1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh
index d252208..60fd01a 100644
--- a/tests/3_docker_daemon_configuration_files.sh
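Review bot: In the 2.12 hunk the check passes whenever `docker info --format '{{ .LoggingDriver }}'` produces no output: a daemon that is down or unreachable leaves grep nothing to match and the `else` branch records `pass "$check_2_12"`, so a failed query reads as "centralized logging configured". Capturing the value first and treating an empty result as a finding keeps that visible, e.g. `driver=$(docker info --format '{{ .LoggingDriver }}' 2>/dev/null)` followed by `if [ -z "$driver" ] || [ "$driver" = "json-file" ]; then warn "$check_2_12"`. This is a new failure mode for 2.12; the removed command-line check only consulted the daemon's arguments and never depended on the daemon answering.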
+++ b/tests/3_docker_daemon_configuration_files.sh
@@ -142,7 +142,11 @@ fi
 # 3.9
 check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root"
-tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then
+ tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",)
+else
+ tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlscacert" ]; then
 if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
 pass "$check_3_9"
@@ -157,7 +161,11 @@ fi
 # 3.10
 check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive"
-tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlscacert' | grep -v ""; then
+ tlscacert=$(get_docker_configuration_file_args 'tlscacert' | sed 's/.*://g' | tr -d "",)
+else
+ tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlscacert" ]; then
 perms=$(ls -ld "$tlscacert" | awk '{print $1}')
 if [ "$perms" = "-r--r--r--" ]; then
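Review bot: In the 3.9 hunk `get_docker_configuration_file_args 'tlscacert' | grep -v ""` can never succeed: an empty pattern matches every line, so `grep -v ""` prints nothing and exits 1, and the config-file branch is dead code that always falls through to the command-line parsing. Were it reached, `tr -d "",` deletes only commas, because `""` is an empty shell word, so the path keeps its surrounding double quotes and `[ -f "$tlscacert" ]` fails; `tr -d '",'` is what the intent reads as. `sed 's/.*://g'` also drops everything up to the last colon, which truncates a path containing `:`; `sed 's/^[^:]*://'` keeps all text after the key. The same three lines are repeated for 3.10 below, 3.11 to 3.13 in the next hunks and 3.14 after that, so a single helper that prints the unquoted value would fix all six copies at once.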
@@ -173,7 +181,11 @@ fi
 # 3.11
 check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root"
-tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlscert' | grep -v ""; then
+ tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",)
+else
+ tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlscert" ]; then
 if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
 pass "$check_3_11"
@@ -188,7 +200,11 @@ fi
 # 3.12
 check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive"
-tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlscert' | grep -v ""; then
+ tlscert=$(get_docker_configuration_file_args 'tlscert' | sed 's/.*://g' | tr -d "",)
+else
+ tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlscert" ]; then
 perms=$(ls -ld "$tlscert" | awk '{print $1}')
 if [ "$perms" = "-r--r--r--" ]; then
@@ -204,7 +220,11 @@ fi
 # 3.13
 check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root"
-tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlskey' | grep -v ""; then
+ tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",)
+else
+ tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlskey" ]; then
 if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
 pass "$check_3_13"
@@ -219,7 +239,11 @@ fi
 # 3.14
 check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive"
-tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if get_docker_configuration_file_args 'tlskey' | grep -v ""; then
+ tlskey=$(get_docker_configuration_file_args 'tlskey' | sed 's/.*://g' | tr -d "",)
+else
+ tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
 if [ -f "$tlskey" ]; then
 perms=$(ls -ld "$tlskey" | awk '{print $1}')
 if [ "$perms" = "-r--------" ]; then
From 1f499387c6c687a631b6050258412a89019565f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Tue, 21 Feb 2017 11:49:06 +0100
Subject: [PATCH 4/5] fallback to default daemon.json
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 helper_lib.sh | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/helper_lib.sh b/helper_lib.sh
index 0d2df7c..15934eb 100644
--- a/helper_lib.sh
+++ b/helper_lib.sh
@@ -84,7 +84,14 @@ get_docker_configuration_file_args() {
 OPTION="$1"
 FILE="$(get_docker_effective_command_line_args '--config-file' | \
 sed 's/.*=//g')"
- if ! grep "$OPTION" "$FILE"; then
+
+ if [ -f "$FILE" ]; then
+ CONFIG_FILE="$FILE"
+ else
+ CONFIG_FILE="/etc/docker/daemon.json"
+ fi
+
+ if ! grep "$OPTION" "$CONFIG_FILE"; then
 echo 0
 fi
 }
From ff314754a3893770e56e49141794b33aa8a188bb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 22 Feb 2017 09:37:42 +0100
Subject: [PATCH 5/5] null if no config file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 helper_lib.sh | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/helper_lib.sh b/helper_lib.sh
index 15934eb..d7a4618 100644
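Review bot: In the patch 4 hunk `[ -f "$FILE" ]` tests only that the `--config-file` path exists, so a file the auditing user cannot read is still selected, the following `grep "$OPTION" "$CONFIG_FILE"` fails with a permission error on stderr, and the `echo 0` reports that exactly like "option not set"; `[ -r "$FILE" ]` together with a message on stderr would keep a permission problem distinguishable from an absent key. The same applies to the daemon.json fallback, which is selected without checking that it is readable. `CONFIG_FILE` is a new global assigned on every call, in line with `OPTION` and `FILE` in this function, but a short comment noting that it is deliberately left set for the caller would stop it being read as a leftover.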
--- a/helper_lib.sh
+++ b/helper_lib.sh
@@ -87,12 +87,10 @@ get_docker_configuration_file_args() {
 if [ -f "$FILE" ]; then
 CONFIG_FILE="$FILE"
+ elif [ -f '/etc/docker/daemon.json' ]; then
+ CONFIG_FILE='/etc/docker/daemon.json'
 else
- CONFIG_FILE="/etc/docker/daemon.json"
- fi
-
- if ! grep "$OPTION" "$CONFIG_FILE"; then
- echo 0
+ CONFIG_FILE='/dev/null'
 fi
 }
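Review bot: The hunk deletes `if ! grep "$OPTION" "$CONFIG_FILE"; then` along with the `echo 0` it meant to drop, so after this patch get_docker_configuration_file_args only assigns `CONFIG_FILE` and returns without reading the file, `OPTION` is no longer used, and every `get_docker_configuration_file_args … | grep …` in tests/2_docker_daemon_configuration.sh and tests/3_docker_daemon_configuration_files.sh sees empty output and silently takes its fallback branch. Keeping the lookup as the function's last command, `grep "$OPTION" "$CONFIG_FILE"` after the new `fi`, restores the output, and with `/dev/null` as the no-config fallback grep's exit status then becomes a usable "key present" signal for callers. Anchoring it as `grep "\"$OPTION\"" "$CONFIG_FILE"` would additionally stop the callers' `tls` lookup from matching the other tls* keys.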