GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 08:12:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

Bug fixing and improving source code readability

Browse source
This commit is contained in:
Razvan Stoica 2021-03-29 15:22:14 +03:00
parent 86985f854f
commit d0443cc817
12 changed files with 1028 additions and 783 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
docker-bench-security.sh
View file

@ -24,19 +24,7 @@ readonly myname
export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
# Check for required program(s)
req_progs='awk docker grep stat tee tail wc xargs truncate sed'
for p in $req_progs; do
command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done
if command -v ss >/dev/null 2>&1; then
netbin=ss
elif command -v netstat >/dev/null 2>&1; then
netbin=netstat
else
echo "ss or netstat command not found."
exit 1
fi
req_programs 'awk docker grep stat tee tail wc xargs truncate sed'
# Ensure we can connect to docker daemon
if ! docker ps -q >/dev/null 2>&1; then
@ -85,6 +73,7 @@ fi
logger="log/${myname}.log"
limit=0
printremediation="1"
globalRemediation=""
# Get the flags
# If you add an option here, please
@ -130,7 +119,6 @@ beginjson "$version" "$(date +%s)"
# Load all the tests from tests/ and run them
main () {
logit "\n${bldylw}Section A - Check results${txtrsr}"
globalRemediation=""
# Get configuration location
get_docker_configuration_file

49
functions/helper_lib.sh
View file

@ -6,6 +6,23 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es
# Audit rules default path
auditrules="/etc/audit/audit.rules"
# Check for required program(s)
req_programs() {
for p in $1; do
command -v "$p" >/dev/null 2>&1 || { printf "Required program not found: %s\n" "$p"; exit 1; }
done
if command -v ss >/dev/null 2>&1; then
netbin=ss
return
fi
if command -v netstat >/dev/null 2>&1; then
netbin=netstat
return
fi
echo "ss or netstat command not found."
exit 1
}
# Compares versions of software of the format X.Y.Z
do_version_check() {
[ "$1" = "$2" ] && return 10
@ -23,9 +40,8 @@ do_version_check() {
[ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0
do_version_check "$ver1back" "$ver2back"
return $?
else
[ "$1" -gt "$2" ] && return 11 || return 9
fi
[ "$1" -gt "$2" ] && return 11 || return 9
}
# Extracts commandline args from the newest running processes named like the first parameter
@ -45,10 +61,9 @@ get_command_line_args() {
get_docker_cumulative_command_line_args() {
OPTION="$1"
line_arg="dockerd"
if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then
line_arg="docker daemon"
else
line_arg="dockerd"
fi
get_command_line_args "$line_arg" |
@ -88,11 +103,13 @@ get_docker_configuration_file() {
if [ -f "$FILE" ]; then
CONFIG_FILE="$FILE"
elif [ -f '/etc/docker/daemon.json' ]; then
CONFIG_FILE='/etc/docker/daemon.json'
else
CONFIG_FILE='/dev/null'
return
fi
if [ -f '/etc/docker/daemon.json' ]; then
CONFIG_FILE='/etc/docker/daemon.json'
return
fi
CONFIG_FILE='/dev/null'
}
get_docker_configuration_file_args() {
@ -108,13 +125,17 @@ get_service_file() {
if [ -f "/etc/systemd/system/$SERVICE" ]; then
echo "/etc/systemd/system/$SERVICE"
elif [ -f "/lib/systemd/system/$SERVICE" ]; then
echo "/lib/systemd/system/$SERVICE"
elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
else
echo "/usr/lib/systemd/system/$SERVICE"
return
fi
if [ -f "/lib/systemd/system/$SERVICE" ]; then
echo "/lib/systemd/system/$SERVICE"
return
fi
if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
return
fi
echo "/usr/lib/systemd/system/$SERVICE"
}
yell_info() {

63
functions/output_lib.sh
View file

@ -87,8 +87,8 @@ note () {
if [ "$noteCountCheck" = "true" ]; then
printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
return
fi
printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
}
@ -125,37 +125,38 @@ starttestjson() {
SEP=","
}
log_to_json() {
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
truncItems=$3
if [ $limit != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
fi
itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]")
printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logcheckresult() {
# Log to JSON
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -ne 2 ] && [ $# -ne 1 ]; then
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
if [ $limit != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
else
truncItems=$3
fi
itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]")
printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
log_to_json "$@"
# Log remediation measure to JSON
if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then

194
functions/output_lib.sh.save Normal file
View file

@ -0,0 +1,194 @@
#!/bin/sh
bldred='\033[1;31m' # Bold Red
bldgrn='\033[1;32m' # Bold Green
bldblu='\033[1;34m' # Bold Blue
bldylw='\033[1;33m' # Bold Yellow
txtrst='\033[0m'
if [ -n "$nocolor"
] && [ "$nocolor" = "nocolor" ]; then
bldred=''
bldgrn=''
bldblu=''
bldylw=''
txtrst=''
fi
logit () {
printf "%b\n" "$1" | tee -a "$logger"
}
info () {
local infoCountCheck
while getopts c args
do
case $args in
c) infoCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$infoCountCheck" = "true" ]; then
printf "%b\n" "${bldblu}[INFO]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger"
}
pass () {
local passScored
while getopts sc args
do
case $args in
s) passScored="true" ;;
c) passCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$passScored" = "true" ] || [ "$passCountCheck" = "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
fi
if [ "$passScored" = "true" ]; then
currentScore=$((currentScore + 1))
fi
if [ "$passScored" != "true" ] && [ "$passCountCheck" != "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger"
fi
}
warn () {
local warnScored
while getopts s args
do
case $args in
s) warnScored="true" ;;
*) exit 1 ;;
esac
done
if [ "$warnScored" = "true" ]; then
printf "%b\n" "${bldred}[WARN]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
currentScore=$((currentScore - 1))
return
fi
printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
}
note () {
local noteCountCheck
while getopts c args
do
case $args in
c) noteCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$noteCountCheck" = "true" ]; then
printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
}
yell () {
printf "%b\n" "${bldylw}$1${txtrst}\n"
}
appendjson () {
if [ -s "$logger.json" ]; then
tail -n 1 "$logger.json" | wc -c | xargs -I {} truncate "$logger.json" -s -{}
printf "},\n" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
printf "[" | tee -a "$logger.json" 2>/dev/null 1>&2
}
beginjson () {
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
endjson (){
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s\n}]" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
SSEP=
SEP=
startsectionjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=
SSEP=","
}
endsectionjson() {
printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2
}
starttestjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=","
}
logcheckresult() {
# Log to JSON
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\", \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -ne 2 ] && [ $# -ne 1 ]; then
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
if [ $limit != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
else
truncItems=$3
fi
itemsJson=$(printf "["; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]")
printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
# Log remediation measure to JSON
if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then
printf ", \"remediation\": \"%s\"" "$remediation" | tee -a "$logger.json" 2>/dev/null 1>&2
if [ -n "$remediationImpact" ]; then
printf ", \"remediation-impact\": \"%s\"" "$remediationImpact" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
fi
printf "}" | tee -a "$logger.json" 2>/dev/null 1>&2
# Save remediation measure for print log to stdout
if [ -n "$remediation" ] && [ "$1" != "PASS" ]; then
if [ -n "${checkHeader}" ]; then
if [ -n "${addSpaceHeader}" ]; then
globalRemediation="${globalRemediation}\n"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${checkHeader}"
checkHeader=""
addSpaceHeader="1"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${id} - ${remediation}"
if [ -n "${remediationImpact}" ]; then
globalRemediation="${globalRemediation} Impact: ${remediationImpact}"
fi
fi
}

261
tests/1_host_configuration.sh
View file

@ -41,16 +41,15 @@ check_1_1_2() {
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then
info -c "$check"
info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker"
logcheckresult "INFO" "Using $docker_version"
else
pass -c "$check"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logcheckresult "PASS" "Using $docker_version"
info " * Using $docker_version, verify is it up to date as deemed necessary"
logcheckresult "INFO" "Using $docker_version"
return
fi
pass -c "$check"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logcheckresult "PASS" "Using $docker_version"
}
check_1_2() {
@ -76,10 +75,10 @@ check_1_2_1() {
if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_2_2() {
@ -90,10 +89,9 @@ check_1_2_2() {
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_users=$(grep 'docker' /etc/group)
if command -v getent >/dev/null 2>&1; then
docker_users=$(getent group docker)
else
docker_users=$(grep 'docker' /etc/group)
fi
docker_users=$(printf "%s" "$docker_users" | awk -F: '{print $4}')
@ -101,10 +99,9 @@ check_1_2_2() {
if [ -n "$dockertrustusers" ]; then
for u in $(printf "%s" "$docker_users" | sed "s/,/ /g"); do
if ! printf "%s" "$dockertrustusers" | grep -q "$u" ; then
doubtfulusers="$u"
if [ -n "${doubtfulusers}" ]; then
doubtfulusers="${doubtfulusers},$u"
else
doubtfulusers="$u"
fi
fi
done
@ -139,17 +136,19 @@ check_1_2_3() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_2_4() {
@ -166,22 +165,24 @@ check_1_2_4() {
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_1_2_5() {
@ -198,22 +199,24 @@ check_1_2_5() {
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
fi
if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_1_2_6() {
@ -231,22 +234,24 @@ check_1_2_6() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2_7() {
@ -264,22 +269,24 @@ check_1_2_7() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2_8() {
@ -296,22 +303,24 @@ check_1_2_8() {
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2_9() {
@ -328,22 +337,24 @@ check_1_2_9() {
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2_10() {
@ -360,22 +371,24 @@ check_1_2_10() {
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2_11() {
@ -392,22 +405,24 @@ check_1_2_11() {
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2_12() {
@ -424,22 +439,24 @@ check_1_2_12() {
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_end() {

212
tests/2_docker_daemon_configuration.sh
View file

@ -20,13 +20,15 @@ check_2_1() {
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
return
fi
if get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_2() {
@ -41,25 +43,29 @@ check_2_2() {
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
return
fi
if [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
elif get_docker_effective_command_line_args '-l'; then
warn -s "$check"
logcheckresult "WARN"
return
fi
if get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
pass -s "$check"
logcheckresult "PASS"
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_3() {
@ -73,13 +79,15 @@ check_2_3() {
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
return
fi
if get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
else
pass -s "$check"
logcheckresult "PASS"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_4() {
@ -93,18 +101,20 @@ check_2_4() {
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
return
fi
if ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
pass -s "$check"
logcheckresult "PASS"
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_5() {
@ -118,10 +128,10 @@ check_2_5() {
if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
else
pass -s "$check"
logcheckresult "PASS"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_6() {
@ -138,21 +148,23 @@ check_2_6() {
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
pass -s "$check"
logcheckresult "PASS"
elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
return
fi
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
warn -s "$check"
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
else
warn -s "$check"
warn " * Docker daemon currently listening on TCP without TLS"
logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
return
fi
else
info -c "$check"
info " * Docker daemon not listening on TCP"
logcheckresult "INFO" "Docker daemon not listening on TCP"
warn -s "$check"
warn " * Docker daemon currently listening on TCP without TLS"
logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
return
fi
info -c "$check"
info " * Docker daemon not listening on TCP"
logcheckresult "INFO" "Docker daemon not listening on TCP"
}
check_2_7() {
@ -166,14 +178,16 @@ check_2_7() {
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass -c "$check"
logcheckresult "PASS"
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
return
fi
if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass -c "$check"
logcheckresult "PASS"
else
info -c "$check"
info " * Default ulimit doesn't appear to be set"
logcheckresult "INFO" "Default ulimit doesn't appear to be set"
return
fi
info -c "$check"
info " * Default ulimit doesn't appear to be set"
logcheckresult "INFO" "Default ulimit doesn't appear to be set"
}
check_2_8() {
@ -187,13 +201,15 @@ check_2_8() {
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass -s "$check"
logcheckresult "PASS"
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
return
fi
if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_9() {
@ -208,14 +224,16 @@ check_2_9() {
warn -s "$check"
info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage"
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
return
fi
if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn -s "$check"
info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage"
else
pass -s "$check"
logcheckresult "PASS"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_10() {
@ -229,13 +247,15 @@ check_2_10() {
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
return
fi
if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
else
pass -s "$check"
logcheckresult "PASS"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_11() {
@ -249,13 +269,15 @@ check_2_11() {
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass -s "$check"
logcheckresult "PASS"
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
return
fi
if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_12() {
@ -269,10 +291,10 @@ check_2_12() {
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
else
pass -s "$check"
logcheckresult "PASS"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_13() {
@ -286,18 +308,20 @@ check_2_13() {
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass -s "$check (Incompatible with swarm mode)"
logcheckresult "PASS"
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
fi
return
fi
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass -s "$check (Incompatible with swarm mode)"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_14() {
@ -311,13 +335,15 @@ check_2_14() {
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
return
fi
if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_15() {
@ -331,10 +357,10 @@ check_2_15() {
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass -c "$check"
logcheckresult "PASS"
else
info -c "$check"
logcheckresult "INFO"
return
fi
info -c "$check"
logcheckresult "INFO"
}
check_2_16() {
@ -352,16 +378,16 @@ check_2_16() {
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$desc"
logcheckresult "INFO"
warn -s "$check"
logcheckresult "WARN"
return
fi
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$desc"
logcheckresult "INFO"
}
check_2_17() {
@ -375,13 +401,15 @@ check_2_17() {
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
return
fi
if get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_end() {

366
tests/3_docker_daemon_configuration_files.sh
View file

@ -22,16 +22,16 @@ check_3_1() {
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_2() {
@ -47,16 +47,16 @@ check_3_2() {
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_3() {
@ -72,16 +72,16 @@ check_3_3() {
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_4() {
@ -97,16 +97,16 @@ check_3_4() {
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_5() {
@ -122,16 +122,16 @@ check_3_5() {
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory"
return
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
warn -s "$check"
warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_3_6() {
@ -147,16 +147,16 @@ check_3_6() {
if [ "$(stat -c %a $directory)" -le 755 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory"
return
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
warn -s "$check"
warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_3_7() {
@ -180,15 +180,15 @@ check_3_7() {
warn -s "$check"
warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory"
else
pass -s "$check"
logcheckresult "PASS"
return
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
pass -s "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_3_8() {
@ -212,15 +212,15 @@ check_3_8() {
warn -s "$check"
warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory"
else
pass -s "$check"
logcheckresult "PASS"
return
fi
else
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
pass -s "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_3_9() {
@ -231,25 +231,24 @@ check_3_9() {
local check="$id - $desc"
starttestjson "$id" "$desc"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $tlscacert"
logcheckresult "WARN" "Wrong ownership for $tlscacert"
return
fi
else
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
warn -s "$check"
warn " * Wrong ownership for $tlscacert"
logcheckresult "WARN" "Wrong ownership for $tlscacert"
return
fi
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
}
check_3_10() {
@ -260,25 +259,24 @@ check_3_10() {
local check="$id - $desc"
starttestjson "$id" "$desc"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -le 444 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $tlscacert"
logcheckresult "WARN" "Wrong permissions for $tlscacert"
return
fi
else
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
warn -s "$check"
warn " * Wrong permissions for $tlscacert"
logcheckresult "WARN" "Wrong permissions for $tlscacert"
return
fi
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
}
check_3_11() {
@ -289,25 +287,24 @@ check_3_11() {
local check="$id - $desc"
starttestjson "$id" "$desc"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $tlscert"
logcheckresult "WARN" "Wrong ownership for $tlscert"
return
fi
else
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
warn -s "$check"
warn " * Wrong ownership for $tlscert"
logcheckresult "WARN" "Wrong ownership for $tlscert"
return
fi
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
}
check_3_12() {
@ -318,25 +315,24 @@ check_3_12() {
local check="$id - $desc"
starttestjson "$id" "$desc"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -le 444 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $tlscert"
logcheckresult "WARN" "Wrong permissions for $tlscert"
return
fi
else
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
warn -s "$check"
warn " * Wrong permissions for $tlscert"
logcheckresult "WARN" "Wrong permissions for $tlscert"
return
fi
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
}
check_3_13() {
@ -347,25 +343,24 @@ check_3_13() {
local check="$id - $desc"
starttestjson "$id" "$desc"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $tlskey"
logcheckresult "WARN" "Wrong ownership for $tlskey"
return
fi
else
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
warn -s "$check"
warn " * Wrong ownership for $tlskey"
logcheckresult "WARN" "Wrong ownership for $tlskey"
return
fi
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
}
check_3_14() {
@ -376,25 +371,24 @@ check_3_14() {
local check="$id - $desc"
starttestjson "$id" "$desc"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $tlskey"
logcheckresult "WARN" "Wrong permissions for $tlskey"
return
fi
else
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
warn -s "$check"
warn " * Wrong permissions for $tlskey"
logcheckresult "WARN" "Wrong permissions for $tlskey"
return
fi
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
}
check_3_15() {
@ -410,16 +404,16 @@ check_3_15() {
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_16() {
@ -435,16 +429,16 @@ check_3_16() {
if [ "$(stat -c %a $file)" -le 660 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_17() {
@ -460,16 +454,16 @@ check_3_17() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_18() {
@ -485,16 +479,16 @@ check_3_18() {
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_19() {
@ -510,16 +504,16 @@ check_3_19() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_20() {
@ -535,16 +529,16 @@ check_3_20() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_21() {
@ -560,16 +554,16 @@ check_3_21() {
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_22() {
@ -585,16 +579,16 @@ check_3_22() {
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
else
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_end() {

78
tests/4_container_images.sh
View file

@ -22,37 +22,37 @@ check_4_1() {
info -c "$check"
info " * No containers running"
logcheckresult "INFO" "No containers running"
else
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
root_containers=""
for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Running as root: $c"
root_containers="$root_containers $c"
fail=1
else
warn " * Running as root: $c"
root_containers="$root_containers $c"
fi
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "running as root" "$root_containers"
fi
return
fi
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
root_containers=""
for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Running as root: $c"
root_containers="$root_containers $c"
fail=1
continue
fi
warn " * Running as root: $c"
root_containers="$root_containers $c"
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "running as root" "$root_containers"
# Make the loop separator go back to space
set +f; unset IFS
}
@ -104,10 +104,10 @@ check_4_5() {
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_4_6() {
@ -139,9 +139,9 @@ check_4_6() {
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
return
fi
logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
}
check_4_7() {
@ -170,9 +170,9 @@ check_4_7() {
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
else
logcheckresult "INFO" "Update instructions found" "$update_images"
return
fi
logcheckresult "INFO" "Update instructions found" "$update_images"
}
check_4_8() {
@ -214,9 +214,9 @@ check_4_9() {
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
else
logcheckresult "INFO" "Images using ADD" "$add_images"
return
fi
logcheckresult "INFO" "Images using ADD" "$add_images"
}
check_4_10() {

437
tests/5_container_runtime.sh
View file

@ -13,11 +13,11 @@ check_running_containers() {
# If containers is empty, there are no running containers
if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5"
else
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
return
fi
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
}
check_5_1() {
@ -42,21 +42,21 @@ check_5_1() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c"
no_apparmor_containers="$no_apparmor_containers $c"
fail=1
else
warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c"
continue
fi
warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c"
fi
done
# We went through all the containers and found none without AppArmor
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
}
check_5_2() {
@ -81,21 +81,21 @@ check_5_2() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
fail=1
else
warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
continue
fi
warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
fi
done
# We went through all the containers and found none without SELinux
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
}
check_5_3() {
@ -123,21 +123,21 @@ check_5_3() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c"
caps_containers="$caps_containers $c"
fail=1
else
warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c"
continue
fi
warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c"
fi
done
# We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
}
check_5_4() {
@ -162,21 +162,21 @@ check_5_4() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c"
privileged_containers="$privileged_containers $c"
fail=1
else
warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c"
continue
fi
warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c"
fi
done
# We went through all the containers and found no privileged containers
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
}
check_5_5() {
@ -204,10 +204,9 @@ check_5_5() {
fail=0
sensitive_mount_containers=""
for c in $containers; do
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
else
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
fi
# Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do
@ -220,22 +219,22 @@ check_5_5() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fail=1
else
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
continue
fi
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fi
done
done
# We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
}
check_5_6() {
@ -261,12 +260,12 @@ check_5_6() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running sshd: $c"
ssh_exec_containers="$ssh_exec_containers $c"
ssh_exec_containers="$ssh_exec_containers $c"
fail=1
printcheck=1
else
warn " * Container running sshd: $c"
ssh_exec_containers="$ssh_exec_containers $c"
ssh_exec_containers="$ssh_exec_containers $c"
fi
fi
@ -284,11 +283,11 @@ check_5_6() {
done
# We went through all the containers and found none with sshd
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
}
check_5_7() {
@ -311,27 +310,27 @@ check_5_7() {
# iterate through port range (line delimited)
for port in $ports; do
if [ -n "$port" ] && [ "$port" -lt 1024 ]; then
if [ -n "$port" ] && [ "$port" -lt 1024 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port"
privileged_port_containers="$privileged_port_containers $c:$port"
fail=1
else
warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port"
continue
fi
warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port"
fi
done
done
# We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
}
check_5_8() {
@ -372,21 +371,21 @@ check_5_9() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c"
net_host_containers="$net_host_containers $c"
fail=1
else
warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c"
continue
fi
warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c"
fi
done
# We went through all the containers and found no Network Mode host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
}
check_5_10() {
@ -404,10 +403,9 @@ check_5_10() {
fail=0
mem_unlimited_containers=""
for c in $containers; do
memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")
if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then
memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")
else
memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")
fi
if [ "$memory" = "0" ]; then
@ -415,21 +413,21 @@ check_5_10() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
fail=1
else
warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
continue
fi
warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
fi
done
# We went through all the containers and found no lack of Memory restrictions
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
}
check_5_11() {
@ -447,10 +445,9 @@ check_5_11() {
fail=0
cpu_unlimited_containers=""
for c in $containers; do
shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then
shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
else
shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
fi
if [ "$shares" = "0" ]; then
@ -460,19 +457,19 @@ check_5_11() {
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fail=1
else
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
continue
fi
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fi
done
# We went through all the containers and found no lack of CPUShare restrictions
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
}
check_5_12() {
@ -497,21 +494,21 @@ check_5_12() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
fail=1
else
warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
continue
fi
warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
fi
done
# We went through all the containers and found no R/W FS mounts
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
}
check_5_13() {
@ -537,20 +534,20 @@ check_5_13() {
warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fail=1
else
warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
continue
fi
warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fi
done
done
# We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
}
check_5_14() {
@ -575,21 +572,21 @@ check_5_14() {
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1
else
warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
continue
fi
warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fi
done
# We went through all the containers and they all had MaximumRetryCount=5
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
}
check_5_15() {
@ -616,19 +613,19 @@ check_5_15() {
warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c"
fail=1
else
warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c"
continue
fi
warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c"
fi
done
# We went through all the containers and found none with PidMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
}
check_5_16() {
@ -655,19 +652,19 @@ check_5_16() {
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fail=1
else
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
continue
fi
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fi
done
# We went through all the containers and found none with IPCMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
}
check_5_17() {
@ -694,19 +691,19 @@ check_5_17() {
info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c"
fail=1
else
info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c"
continue
fi
info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c"
fi
done
# We went through all the containers and found none with devices
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
else
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
pass -c "$check"
logcheckresult "PASS"
return
fi
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
}
check_5_18() {
@ -733,19 +730,19 @@ check_5_18() {
info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c"
fail=1
else
info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c"
continue
fi
info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c"
fi
done
# We went through all the containers and found none without Ulimits
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
else
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
pass -c "$check"
logcheckresult "PASS"
return
fi
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
}
check_5_19() {
@ -771,19 +768,19 @@ check_5_19() {
warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c"
fail=1
else
warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c"
continue
fi
warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c"
fi
done
# We went through all the containers and found none with shared propagation mode
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
}
check_5_20() {
@ -810,19 +807,19 @@ check_5_20() {
warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c"
fail=1
else
warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c"
continue
fi
warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c"
fi
done
# We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
}
check_5_21() {
@ -856,11 +853,11 @@ check_5_21() {
done
# We went through all the containers and found none with default secomp profile disabled
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
}
check_5_22() {
@ -919,19 +916,19 @@ check_5_24() {
warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fail=1
else
warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
continue
fi
warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fi
done
# We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
}
check_5_25() {
@ -955,19 +952,19 @@ check_5_25() {
warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c"
fail=1
else
warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c"
continue
fi
warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c"
fi
done
# We went through all the containers and found none with capability to acquire additional privileges
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
}
check_5_26() {
@ -991,18 +988,18 @@ check_5_26() {
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
fail=1
else
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
continue
fi
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
fi
done
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
}
check_5_27() {
@ -1045,19 +1042,19 @@ check_5_28() {
warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c"
fail=1
else
warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c"
continue
fi
warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c"
fi
done
# We went through all the containers and found all with PIDs limit
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
}
check_5_29() {
@ -1080,33 +1077,33 @@ check_5_29() {
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then
info -c "$check"
fail=1
fi
for c in $docker0Containers; do
if [ -z "$exclude" ]; then
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
else
pattern=$(echo "$exclude" | sed 's/,/|/g')
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
fi
if [ -n "$cName" ]; then
info " * Container in docker0 network: $cName"
docker_network_containers="$docker_network_containers $c:$cName"
fi
done
if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then
info -c "$check"
fail=1
fi
for c in $docker0Containers; do
if [ -z "$exclude" ]; then
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
else
pattern=$(echo "$exclude" | sed 's/,/|/g')
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
fi
if [ -n "$cName" ]; then
info " * Container in docker0 network: $cName"
docker_network_containers="$docker_network_containers $c:$cName"
fi
done
fi
fi
done
# We went through all the containers and found none in docker0 network
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
else
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
pass -c "$check"
logcheckresult "PASS"
return
fi
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
}
check_5_30() {
@ -1131,19 +1128,19 @@ check_5_30() {
warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c"
fail=1
else
warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c"
continue
fi
warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c"
fi
done
# We went through all the containers and found none with host's user namespace shared
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
}
check_5_31() {
@ -1168,19 +1165,19 @@ check_5_31() {
warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c"
fail=1
else
warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c"
continue
fi
warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c"
fi
done
# We went through all the containers and found none with docker.sock shared
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers"
}
check_5_end() {

92
tests/7_docker_swarm_configuration.sh
View file

@ -20,10 +20,10 @@ check_7_1() {
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_7_2() {
@ -39,14 +39,14 @@ check_7_2() {
if [ "$managernodes" -eq 1 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_3() {
@ -62,14 +62,14 @@ check_7_3() {
if [ $? -eq 1 ]; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_4() {
@ -96,11 +96,11 @@ check_7_4() {
done
# We went through all the networks and found none that are unencrypted
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
}
check_7_5() {
@ -115,14 +115,14 @@ check_7_5() {
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass -c "$check"
logcheckresult "PASS"
else
info -c "$check"
logcheckresult "INFO"
return
fi
else
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
info -c "$check"
logcheckresult "INFO"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_6() {
@ -137,14 +137,14 @@ check_7_6() {
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn -s "$check"
logcheckresult "WARN"
else
pass -s "$check"
logcheckresult "PASS"
return
fi
else
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
pass -s "$check"
logcheckresult "PASS"
return
fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_7() {
@ -158,10 +158,10 @@ check_7_7() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note -c "$check"
logcheckresult "NOTE"
else
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_8() {
@ -176,14 +176,14 @@ check_7_8() {
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass -c "$check"
logcheckresult "PASS"
else
info -c "$check"
logcheckresult "INFO"
return
fi
else
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
info -c "$check"
logcheckresult "INFO"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_9() {
@ -197,10 +197,10 @@ check_7_9() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info -c "$check"
logcheckresult "INFO"
else
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_10() {
@ -214,10 +214,10 @@ check_7_10() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info -c "$check"
logcheckresult "INFO"
else
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_end() {

3
tests/8_docker_enterprise_configuration.sh
View file

@ -10,11 +10,10 @@ check_8() {
}
check_product_license() {
enterprise_license=1
if docker version | grep -Eqi '^Server.*Community$|Version.*-ce$'; then
info " * Community Engine license, skipping section 8"
enterprise_license=0
else
enterprise_license=1
fi
}

40
tests/99_community_checks.sh
View file

@ -19,13 +19,15 @@ check_c_1() {
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
elif docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
return
fi
if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
info -c "$check"
logcheckresult "INFO"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_c_1_1() {
@ -39,13 +41,15 @@ check_c_1_1() {
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass -c "$check"
logcheckresult "PASS"
elif docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
return
fi
if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
info -c "$check"
logcheckresult "INFO"
else
warn -c "$check"
logcheckresult "WARN"
return
fi
warn -c "$check"
logcheckresult "WARN"
}
check_c_2() {
@ -63,19 +67,21 @@ check_c_2() {
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
return
fi
if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
return
fi
else
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$check"
logcheckresult "INFO"
warn -s "$check"
logcheckresult "WARN"
return
fi
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$check"
logcheckresult "INFO"
}
check_c_end() {