Merge pull request #204 from konstruktoid/113_5

1.13 Section 5
Thomas Sjögren 2017-01-24 15:27:15 +01:00 committed by GitHub
commit c491038215


@ -11,7 +11,7 @@ else
set -f; IFS=$' set -f; IFS=$'
' '
# 5.1 # 5.1
check_5_1="5.1 - Verify AppArmor Profile, if applicable" check_5_1="5.1 - Do not disable AppArmor Profile"
fail=0 fail=0
for c in $containers; do for c in $containers; do
@ -116,9 +116,7 @@ else
/usr' /usr'
fail=0 fail=0
for c in $containers; do for c in $containers; do
docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2 if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
if [ $? -eq 0 ]; then
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c") volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
else else
volumes=$(docker inspect --format '{{ .Mounts }}' "$c") volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
@ -126,7 +124,7 @@ else
# Go over each directory in sensitive dir and see if they exist in the volumes # Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do for v in $sensitive_dirs; do
sensitive=0 sensitive=0
contains "$volumes" "$v:" && sensitive=1 contains "$volumes" "$v" && sensitive=1
if [ $sensitive -eq 1 ]; then if [ $sensitive -eq 1 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
@ -433,7 +431,6 @@ else
# 5.18 # 5.18
check_5_18="5.18 - Override default ulimit at runtime only if needed" check_5_18="5.18 - Override default ulimit at runtime only if needed"
# List all the running containers, ouput their ID and host devices
fail=0 fail=0
for c in $containers; do for c in $containers; do
ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c") ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
@ -505,9 +502,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2 if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2; then
if [ $? -eq 0 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_21" warn "$check_5_21"
@ -541,11 +536,11 @@ else
if [ "$mode" != "CgroupParent=x" ]; then if [ "$mode" != "CgroupParent=x" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_24" warn "$check_5_24"
info " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
fail=1 fail=1
else else
info " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
fi fi
fi fi
done done
@ -582,8 +577,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2 if ! docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then
if [ $? -ne 0 ]; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_26" warn "$check_5_26"
warn " * Health check not set: $c" warn " * Health check not set: $c"
@ -608,7 +602,7 @@ else
for c in $containers; do for c in $containers; do
pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c") pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")
if [ $pidslimit -le 0 ]; then if [ "$pidslimit" -le 0 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_28" warn "$check_5_28"
@ -630,17 +624,17 @@ else
fail=0 fail=0
networks=$(docker network ls -q 2>/dev/null) networks=$(docker network ls -q 2>/dev/null)
for net in $networks; do for net in $networks; do
docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1 if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
if [ $? -eq 0 ]; then sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
if [ -n "$docker0Containers" ]; then if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info "$check_5_29" info "$check_5_29"
fail=1 fail=1
fi fi
for c in $docker0Containers; do for c in $docker0Containers; do
info " * Container in docker0 network: $c" cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
info " * Container in docker0 network: $cName"
done done
fi fi
fi fi
@ -655,9 +649,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1 if docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then
if [ $? -eq 0 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_30" warn "$check_5_30"
@ -678,9 +670,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1 if docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1; then
if [ $? -eq 0 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_31" warn "$check_5_31"