mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-19 00:32:34 +01:00
commit
c491038215
1 changed files with 16 additions and 26 deletions
|
@ -11,7 +11,7 @@ else
|
||||||
set -f; IFS=$'
|
set -f; IFS=$'
|
||||||
'
|
'
|
||||||
# 5.1
|
# 5.1
|
||||||
check_5_1="5.1 - Verify AppArmor Profile, if applicable"
|
check_5_1="5.1 - Do not disable AppArmor Profile"
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
|
@ -116,9 +116,7 @@ else
|
||||||
/usr'
|
/usr'
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2
|
if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
|
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
|
||||||
else
|
else
|
||||||
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
|
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
|
||||||
|
@ -126,7 +124,7 @@ else
|
||||||
# Go over each directory in sensitive dir and see if they exist in the volumes
|
# Go over each directory in sensitive dir and see if they exist in the volumes
|
||||||
for v in $sensitive_dirs; do
|
for v in $sensitive_dirs; do
|
||||||
sensitive=0
|
sensitive=0
|
||||||
contains "$volumes" "$v:" && sensitive=1
|
contains "$volumes" "$v" && sensitive=1
|
||||||
if [ $sensitive -eq 1 ]; then
|
if [ $sensitive -eq 1 ]; then
|
||||||
# If it's the first container, fail the test
|
# If it's the first container, fail the test
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
|
@ -433,7 +431,6 @@ else
|
||||||
# 5.18
|
# 5.18
|
||||||
check_5_18="5.18 - Override default ulimit at runtime only if needed"
|
check_5_18="5.18 - Override default ulimit at runtime only if needed"
|
||||||
|
|
||||||
# List all the running containers, ouput their ID and host devices
|
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
|
ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
|
||||||
|
@ -505,9 +502,7 @@ else
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2
|
if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2; then
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
# If it's the first container, fail the test
|
# If it's the first container, fail the test
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
warn "$check_5_21"
|
warn "$check_5_21"
|
||||||
|
@ -541,11 +536,11 @@ else
|
||||||
if [ "$mode" != "CgroupParent=x" ]; then
|
if [ "$mode" != "CgroupParent=x" ]; then
|
||||||
# If it's the first container, fail the test
|
# If it's the first container, fail the test
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
info "$check_5_24"
|
warn "$check_5_24"
|
||||||
info " * Confirm cgroup usage: $c"
|
warn " * Confirm cgroup usage: $c"
|
||||||
fail=1
|
fail=1
|
||||||
else
|
else
|
||||||
info " * Confirm cgroup usage: $c"
|
warn " * Confirm cgroup usage: $c"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
@ -582,8 +577,7 @@ else
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2
|
if ! docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then
|
||||||
if [ $? -ne 0 ]; then
|
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
warn "$check_5_26"
|
warn "$check_5_26"
|
||||||
warn " * Health check not set: $c"
|
warn " * Health check not set: $c"
|
||||||
|
@ -608,7 +602,7 @@ else
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")
|
pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")
|
||||||
|
|
||||||
if [ $pidslimit -le 0 ]; then
|
if [ "$pidslimit" -le 0 ]; then
|
||||||
# If it's the first container, fail the test
|
# If it's the first container, fail the test
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
warn "$check_5_28"
|
warn "$check_5_28"
|
||||||
|
@ -630,17 +624,17 @@ else
|
||||||
fail=0
|
fail=0
|
||||||
networks=$(docker network ls -q 2>/dev/null)
|
networks=$(docker network ls -q 2>/dev/null)
|
||||||
for net in $networks; do
|
for net in $networks; do
|
||||||
docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1
|
if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then
|
||||||
|
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
|
||||||
if [ $? -eq 0 ]; then
|
sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
|
||||||
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
|
|
||||||
if [ -n "$docker0Containers" ]; then
|
if [ -n "$docker0Containers" ]; then
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
info "$check_5_29"
|
info "$check_5_29"
|
||||||
fail=1
|
fail=1
|
||||||
fi
|
fi
|
||||||
for c in $docker0Containers; do
|
for c in $docker0Containers; do
|
||||||
info " * Container in docker0 network: $c"
|
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
|
||||||
|
info " * Container in docker0 network: $cName"
|
||||||
done
|
done
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
@ -655,9 +649,7 @@ else
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1
|
if docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
# If it's the first container, fail the test
|
# If it's the first container, fail the test
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
warn "$check_5_30"
|
warn "$check_5_30"
|
||||||
|
@ -678,9 +670,7 @@ else
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1
|
if docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1; then
|
||||||
|
|
||||||
if [ $? -eq 0 ]; then
|
|
||||||
# If it's the first container, fail the test
|
# If it's the first container, fail the test
|
||||||
if [ $fail -eq 0 ]; then
|
if [ $fail -eq 0 ]; then
|
||||||
warn "$check_5_31"
|
warn "$check_5_31"
|
||||||
|
|
Loading…
Reference in a new issue