From d0443cc817cf17452f41510954e450a320b59c6a Mon Sep 17 00:00:00 2001 From: Razvan Stoica Date: Mon, 29 Mar 2021 15:22:14 +0300 Subject: [PATCH] Bug fixing and improving source code readability --- docker-bench-security.sh | 16 +- functions/helper_lib.sh | 49 ++- functions/output_lib.sh | 63 +-- functions/output_lib.sh.save | 194 ++++++++ tests/1_host_configuration.sh | 261 +++++------ tests/2_docker_daemon_configuration.sh | 212 +++++---- tests/3_docker_daemon_configuration_files.sh | 366 ++++++++-------- tests/4_container_images.sh | 78 ++-- tests/5_container_runtime.sh | 437 +++++++++---------- tests/7_docker_swarm_configuration.sh | 92 ++-- tests/8_docker_enterprise_configuration.sh | 3 +- tests/99_community_checks.sh | 40 +- 12 files changed, 1028 insertions(+), 783 deletions(-) create mode 100644 functions/output_lib.sh.save diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 3461db3..c9de3fb 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -24,19 +24,7 @@ readonly myname export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/" # Check for required program(s) -req_progs='awk docker grep stat tee tail wc xargs truncate sed' -for p in $req_progs; do - command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; } -done - -if command -v ss >/dev/null 2>&1; then - netbin=ss -elif command -v netstat >/dev/null 2>&1; then - netbin=netstat -else - echo "ss or netstat command not found." - exit 1 -fi +req_programs 'awk docker grep stat tee tail wc xargs truncate sed' # Ensure we can connect to docker daemon if ! docker ps -q >/dev/null 2>&1; then @@ -85,6 +73,7 @@ fi logger="log/${myname}.log" limit=0 printremediation="1" +globalRemediation="" # Get the flags # If you add an option here, please @@ -130,7 +119,6 @@ beginjson "$version" "$(date +%s)" # Load all the tests from tests/ and run them main () { logit "\n${bldylw}Section A - Check results${txtrsr}" - globalRemediation="" # Get configuration location get_docker_configuration_file diff --git a/functions/helper_lib.sh b/functions/helper_lib.sh index e24a14c..96ac49c 100644 --- a/functions/helper_lib.sh +++ b/functions/helper_lib.sh @@ -6,6 +6,23 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es # Audit rules default path auditrules="/etc/audit/audit.rules" +# Check for required program(s) +req_programs() { + for p in $1; do + command -v "$p" >/dev/null 2>&1 || { printf "Required program not found: %s\n" "$p"; exit 1; } + done + if command -v ss >/dev/null 2>&1; then + netbin=ss + return + fi + if command -v netstat >/dev/null 2>&1; then + netbin=netstat + return + fi + echo "ss or netstat command not found." + exit 1 +} + # Compares versions of software of the format X.Y.Z do_version_check() { [ "$1" = "$2" ] && return 10 @@ -23,9 +40,8 @@ do_version_check() { [ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0 do_version_check "$ver1back" "$ver2back" return $? - else - [ "$1" -gt "$2" ] && return 11 || return 9 fi + [ "$1" -gt "$2" ] && return 11 || return 9 } # Extracts commandline args from the newest running processes named like the first parameter @@ -45,10 +61,9 @@ get_command_line_args() { get_docker_cumulative_command_line_args() { OPTION="$1" + line_arg="dockerd" if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then line_arg="docker daemon" - else - line_arg="dockerd" fi get_command_line_args "$line_arg" | @@ -88,11 +103,13 @@ get_docker_configuration_file() { if [ -f "$FILE" ]; then CONFIG_FILE="$FILE" - elif [ -f '/etc/docker/daemon.json' ]; then - CONFIG_FILE='/etc/docker/daemon.json' - else - CONFIG_FILE='/dev/null' + return fi + if [ -f '/etc/docker/daemon.json' ]; then + CONFIG_FILE='/etc/docker/daemon.json' + return + fi + CONFIG_FILE='/dev/null' } get_docker_configuration_file_args() { @@ -108,13 +125,17 @@ get_service_file() { if [ -f "/etc/systemd/system/$SERVICE" ]; then echo "/etc/systemd/system/$SERVICE" - elif [ -f "/lib/systemd/system/$SERVICE" ]; then - echo "/lib/systemd/system/$SERVICE" - elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then - systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//' - else - echo "/usr/lib/systemd/system/$SERVICE" + return fi + if [ -f "/lib/systemd/system/$SERVICE" ]; then + echo "/lib/systemd/system/$SERVICE" + return + fi + if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then + systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//' + return + fi + echo "/usr/lib/systemd/system/$SERVICE" } yell_info() { diff --git a/functions/output_lib.sh b/functions/output_lib.sh index 5635db4..e40fb30 100644 --- a/functions/output_lib.sh +++ b/functions/output_lib.sh @@ -87,8 +87,8 @@ note () { if [ "$noteCountCheck" = "true" ]; then printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger" totalChecks=$((totalChecks + 1)) - return - fi + return + fi printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger" } @@ -125,37 +125,38 @@ starttestjson() { SEP="," } +log_to_json() { + if [ $# -eq 1 ]; then + printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2 + return + fi + if [ $# -eq 2 ] && [ $# -ne 1 ]; then + # Result also contains details + printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 + return + fi + # Result also includes details and a list of items. Add that directly to details and to an array property "items" + # Also limit the number of items to $limit, if $limit is non-zero + truncItems=$3 + if [ $limit != 0 ]; then + truncItems="" + ITEM_COUNT=0 + for item in $3; do + truncItems="$truncItems $item" + ITEM_COUNT=$((ITEM_COUNT + 1)); + if [ "$ITEM_COUNT" == "$limit" ]; then + truncItems="$truncItems (truncated)" + break; + fi + done + fi + itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]") + printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2 +} + logcheckresult() { # Log to JSON - if [ $# -eq 1 ]; then - printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2 - fi - - if [ $# -eq 2 ] && [ $# -ne 1 ]; then - # Result also contains details - printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 - fi - - if [ $# -ne 2 ] && [ $# -ne 1 ]; then - # Result also includes details and a list of items. Add that directly to details and to an array property "items" - # Also limit the number of items to $limit, if $limit is non-zero - if [ $limit != 0 ]; then - truncItems="" - ITEM_COUNT=0 - for item in $3; do - truncItems="$truncItems $item" - ITEM_COUNT=$((ITEM_COUNT + 1)); - if [ "$ITEM_COUNT" == "$limit" ]; then - truncItems="$truncItems (truncated)" - break; - fi - done - else - truncItems=$3 - fi - itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]") - printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2 - fi + log_to_json "$@" # Log remediation measure to JSON if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then diff --git a/functions/output_lib.sh.save b/functions/output_lib.sh.save new file mode 100644 index 0000000..6ead504 --- /dev/null +++ b/functions/output_lib.sh.save @@ -0,0 +1,194 @@ +#!/bin/sh + +bldred='\033[1;31m' # Bold Red +bldgrn='\033[1;32m' # Bold Green +bldblu='\033[1;34m' # Bold Blue +bldylw='\033[1;33m' # Bold Yellow +txtrst='\033[0m' + +if [ -n "$nocolor" +] && [ "$nocolor" = "nocolor" ]; then + bldred='' + bldgrn='' + bldblu='' + bldylw='' + txtrst='' +fi + +logit () { + printf "%b\n" "$1" | tee -a "$logger" +} + +info () { + local infoCountCheck + while getopts c args + do + case $args in + c) infoCountCheck="true" ;; + *) exit 1 ;; + esac + done + if [ "$infoCountCheck" = "true" ]; then + printf "%b\n" "${bldblu}[INFO]${txtrst} $2" | tee -a "$logger" + totalChecks=$((totalChecks + 1)) + return + fi + printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger" +} + +pass () { + local passScored + while getopts sc args + do + case $args in + s) passScored="true" ;; + c) passCountCheck="true" ;; + *) exit 1 ;; + esac + done + if [ "$passScored" = "true" ] || [ "$passCountCheck" = "true" ]; then + printf "%b\n" "${bldgrn}[PASS]${txtrst} $2" | tee -a "$logger" + totalChecks=$((totalChecks + 1)) + fi + if [ "$passScored" = "true" ]; then + currentScore=$((currentScore + 1)) + fi + if [ "$passScored" != "true" ] && [ "$passCountCheck" != "true" ]; then + printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger" + fi +} + +warn () { + local warnScored + while getopts s args + do + case $args in + s) warnScored="true" ;; + *) exit 1 ;; + esac + done + if [ "$warnScored" = "true" ]; then + printf "%b\n" "${bldred}[WARN]${txtrst} $2" | tee -a "$logger" + totalChecks=$((totalChecks + 1)) + currentScore=$((currentScore - 1)) + return + fi + printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger" +} + +note () { + local noteCountCheck + while getopts c args + do + case $args in + c) noteCountCheck="true" ;; + *) exit 1 ;; + esac + done + if [ "$noteCountCheck" = "true" ]; then + printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger" + totalChecks=$((totalChecks + 1)) + return + fi + printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger" +} + +yell () { + printf "%b\n" "${bldylw}$1${txtrst}\n" +} + +appendjson () { + if [ -s "$logger.json" ]; then + tail -n 1 "$logger.json" | wc -c | xargs -I {} truncate "$logger.json" -s -{} + printf "},\n" | tee -a "$logger.json" 2>/dev/null 1>&2 + return + fi + printf "[" | tee -a "$logger.json" 2>/dev/null 1>&2 +} + +beginjson () { + printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 +} + +endjson (){ + printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s\n}]" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2 +} + +logjson (){ + printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 +} + +SSEP= +SEP= +startsectionjson() { + printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 + SEP= + SSEP="," +} + +endsectionjson() { + printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2 +} + +starttestjson() { + printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 + SEP="," +} + +logcheckresult() { + # Log to JSON + if [ $# -eq 1 ]; then + printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2 + fi + + if [ $# -eq 2 ] && [ $# -ne 1 ]; then + # Result also contains details + printf "\"result\": \"%s\", \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 + fi + + if [ $# -ne 2 ] && [ $# -ne 1 ]; then + # Result also includes details and a list of items. Add that directly to details and to an array property "items" + # Also limit the number of items to $limit, if $limit is non-zero + if [ $limit != 0 ]; then + truncItems="" + ITEM_COUNT=0 + for item in $3; do + truncItems="$truncItems $item" + ITEM_COUNT=$((ITEM_COUNT + 1)); + if [ "$ITEM_COUNT" == "$limit" ]; then + truncItems="$truncItems (truncated)" + break; + fi + done + else + truncItems=$3 + fi + itemsJson=$(printf "["; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]") + printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2 + fi + + # Log remediation measure to JSON + if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then + printf ", \"remediation\": \"%s\"" "$remediation" | tee -a "$logger.json" 2>/dev/null 1>&2 + if [ -n "$remediationImpact" ]; then + printf ", \"remediation-impact\": \"%s\"" "$remediationImpact" | tee -a "$logger.json" 2>/dev/null 1>&2 + fi + fi + printf "}" | tee -a "$logger.json" 2>/dev/null 1>&2 + + # Save remediation measure for print log to stdout + if [ -n "$remediation" ] && [ "$1" != "PASS" ]; then + if [ -n "${checkHeader}" ]; then + if [ -n "${addSpaceHeader}" ]; then + globalRemediation="${globalRemediation}\n" + fi + globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${checkHeader}" + checkHeader="" + addSpaceHeader="1" + fi + globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${id} - ${remediation}" + if [ -n "${remediationImpact}" ]; then + globalRemediation="${globalRemediation} Impact: ${remediationImpact}" + fi + fi +} diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index c3e3d86..ef96286 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -41,16 +41,15 @@ check_1_1_2() { docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" do_version_check "$docker_current_version" "$docker_version" if [ $? -eq 11 ]; then - info -c "$check" - info " * Using $docker_version, verify is it up to date as deemed necessary" - info " * Your operating system vendor may provide support and security maintenance for Docker" - logcheckresult "INFO" "Using $docker_version" - else pass -c "$check" - info " * Using $docker_version which is current" - info " * Check with your operating system vendor for support and security maintenance for Docker" - logcheckresult "PASS" "Using $docker_version" + info " * Using $docker_version, verify is it up to date as deemed necessary" + logcheckresult "INFO" "Using $docker_version" + return fi + pass -c "$check" + info " * Using $docker_version which is current" + info " * Check with your operating system vendor for support and security maintenance for Docker" + logcheckresult "PASS" "Using $docker_version" } check_1_2() { @@ -76,10 +75,10 @@ check_1_2_1() { if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_1_2_2() { @@ -90,10 +89,9 @@ check_1_2_2() { local check="$id - $desc" starttestjson "$id" "$desc" + docker_users=$(grep 'docker' /etc/group) if command -v getent >/dev/null 2>&1; then docker_users=$(getent group docker) - else - docker_users=$(grep 'docker' /etc/group) fi docker_users=$(printf "%s" "$docker_users" | awk -F: '{print $4}') @@ -101,10 +99,9 @@ check_1_2_2() { if [ -n "$dockertrustusers" ]; then for u in $(printf "%s" "$docker_users" | sed "s/,/ /g"); do if ! printf "%s" "$dockertrustusers" | grep -q "$u" ; then + doubtfulusers="$u" if [ -n "${doubtfulusers}" ]; then doubtfulusers="${doubtfulusers},$u" - else - doubtfulusers="$u" fi fi done @@ -139,17 +136,19 @@ check_1_2_3() { if auditctl -l | grep "$file" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi + if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" } check_1_2_4() { @@ -166,22 +165,24 @@ check_1_2_4() { if auditctl -l | grep $directory >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * Directory not found" - logcheckresult "INFO" "Directory not found" + if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return fi + info -c "$check" + info " * Directory not found" + logcheckresult "INFO" "Directory not found" } check_1_2_5() { @@ -198,22 +199,24 @@ check_1_2_5() { if auditctl -l | grep $directory >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * Directory not found" - logcheckresult "INFO" "Directory not found" -fi + if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return + fi + info -c "$check" + info " * Directory not found" + logcheckresult "INFO" "Directory not found" } check_1_2_6() { @@ -231,22 +234,24 @@ check_1_2_6() { if auditctl -l | grep "$file" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_1_2_7() { @@ -264,22 +269,24 @@ check_1_2_7() { if auditctl -l | grep "$file" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_1_2_8() { @@ -296,22 +303,24 @@ check_1_2_8() { if auditctl -l | grep $file >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_1_2_9() { @@ -328,22 +337,24 @@ check_1_2_9() { if auditctl -l | grep $file >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_1_2_10() { @@ -360,22 +371,24 @@ check_1_2_10() { if auditctl -l | grep $file >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_1_2_11() { @@ -392,22 +405,24 @@ check_1_2_11() { if auditctl -l | grep $file >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_1_2_12() { @@ -424,22 +439,24 @@ check_1_2_12() { if auditctl -l | grep $file >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass -s "$check" - logcheckresult "PASS" - else warn -s "$check" logcheckresult "WARN" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_1_end() { diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 5b81ceb..a985eae 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -20,13 +20,15 @@ check_2_1() { if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then + return + fi + if get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_2_2() { @@ -41,25 +43,29 @@ check_2_2() { if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then + return + fi + if [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - elif get_docker_effective_command_line_args '-l'; then + warn -s "$check" + logcheckresult "WARN" + return + fi + if get_docker_effective_command_line_args '-l'; then if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - else - pass -s "$check" - logcheckresult "PASS" + warn -s "$check" + logcheckresult "WARN" + return fi + pass -s "$check" + logcheckresult "PASS" } check_2_3() { @@ -73,13 +79,15 @@ check_2_3() { if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then warn -s "$check" logcheckresult "WARN" - elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then + return + fi + if get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then warn -s "$check" logcheckresult "WARN" - else - pass -s "$check" - logcheckresult "PASS" + return fi + pass -s "$check" + logcheckresult "PASS" } check_2_4() { @@ -93,18 +101,20 @@ check_2_4() { if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then warn -s "$check" logcheckresult "WARN" - elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then + return + fi + if ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - else - pass -s "$check" - logcheckresult "PASS" + warn -s "$check" + logcheckresult "WARN" + return fi + pass -s "$check" + logcheckresult "PASS" } check_2_5() { @@ -118,10 +128,10 @@ check_2_5() { if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then warn -s "$check" logcheckresult "WARN" - else - pass -s "$check" - logcheckresult "PASS" + return fi + pass -s "$check" + logcheckresult "PASS" } check_2_6() { @@ -138,21 +148,23 @@ check_2_6() { [ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then pass -s "$check" logcheckresult "PASS" - elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ + return + fi + if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ [ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then warn -s "$check" warn " * Docker daemon currently listening on TCP with TLS, but no verification" logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification" - else - warn -s "$check" - warn " * Docker daemon currently listening on TCP without TLS" - logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS" + return fi - else - info -c "$check" - info " * Docker daemon not listening on TCP" - logcheckresult "INFO" "Docker daemon not listening on TCP" + warn -s "$check" + warn " * Docker daemon currently listening on TCP without TLS" + logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS" + return fi + info -c "$check" + info " * Docker daemon not listening on TCP" + logcheckresult "INFO" "Docker daemon not listening on TCP" } check_2_7() { @@ -166,14 +178,16 @@ check_2_7() { if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then pass -c "$check" logcheckresult "PASS" - elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then + return + fi + if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then pass -c "$check" logcheckresult "PASS" - else - info -c "$check" - info " * Default ulimit doesn't appear to be set" - logcheckresult "INFO" "Default ulimit doesn't appear to be set" + return fi + info -c "$check" + info " * Default ulimit doesn't appear to be set" + logcheckresult "INFO" "Default ulimit doesn't appear to be set" } check_2_8() { @@ -187,13 +201,15 @@ check_2_8() { if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then pass -s "$check" logcheckresult "PASS" - elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then + return + fi + if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_2_9() { @@ -208,14 +224,16 @@ check_2_9() { warn -s "$check" info " * Confirm cgroup usage" logcheckresult "WARN" "Confirm cgroup usage" - elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then + return + fi + if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then warn -s "$check" info " * Confirm cgroup usage" logcheckresult "WARN" "Confirm cgroup usage" - else - pass -s "$check" - logcheckresult "PASS" + return fi + pass -s "$check" + logcheckresult "PASS" } check_2_10() { @@ -229,13 +247,15 @@ check_2_10() { if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then warn -s "$check" logcheckresult "WARN" - elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then + return + fi + if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then warn -s "$check" logcheckresult "WARN" - else - pass -s "$check" - logcheckresult "PASS" + return fi + pass -s "$check" + logcheckresult "PASS" } check_2_11() { @@ -249,13 +269,15 @@ check_2_11() { if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then pass -s "$check" logcheckresult "PASS" - elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then + return + fi + if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_2_12() { @@ -269,10 +291,10 @@ check_2_12() { if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then warn -s "$check" logcheckresult "WARN" - else - pass -s "$check" - logcheckresult "PASS" + return fi + pass -s "$check" + logcheckresult "PASS" } check_2_13() { @@ -286,18 +308,20 @@ check_2_13() { if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then - pass -s "$check (Incompatible with swarm mode)" - logcheckresult "PASS" - elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then - pass -s "$check" - logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" - fi + return fi + if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then + pass -s "$check (Incompatible with swarm mode)" + logcheckresult "PASS" + return + fi + if get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then + pass -s "$check" + logcheckresult "PASS" + return + fi + warn -s "$check" + logcheckresult "WARN" } check_2_14() { @@ -311,13 +335,15 @@ check_2_14() { if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then + return + fi + if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_2_15() { @@ -331,10 +357,10 @@ check_2_15() { if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then pass -c "$check" logcheckresult "PASS" - else - info -c "$check" - logcheckresult "INFO" + return fi + info -c "$check" + logcheckresult "INFO" } check_2_16() { @@ -352,16 +378,16 @@ check_2_16() { if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - else - local desc="$desc (Deprecated)" - local check="$id - $desc" - info -c "$desc" - logcheckresult "INFO" + warn -s "$check" + logcheckresult "WARN" + return fi + local desc="$desc (Deprecated)" + local check="$id - $desc" + info -c "$desc" + logcheckresult "INFO" } check_2_17() { @@ -375,13 +401,15 @@ check_2_17() { if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then + return + fi + if get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_2_end() { diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index 8c5e5a5..6d8c984 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -22,16 +22,16 @@ check_3_1() { if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $file" - logcheckresult "WARN" "Wrong ownership for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong ownership for $file" + logcheckresult "WARN" "Wrong ownership for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_2() { @@ -47,16 +47,16 @@ check_3_2() { if [ "$(stat -c %a $file)" -le 644 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $file" - logcheckresult "WARN" "Wrong permissions for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong permissions for $file" + logcheckresult "WARN" "Wrong permissions for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_3() { @@ -72,16 +72,16 @@ check_3_3() { if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $file" - logcheckresult "WARN" "Wrong ownership for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong ownership for $file" + logcheckresult "WARN" "Wrong ownership for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_4() { @@ -97,16 +97,16 @@ check_3_4() { if [ "$(stat -c %a $file)" -le 644 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $file" - logcheckresult "WARN" "Wrong permissions for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong permissions for $file" + logcheckresult "WARN" "Wrong permissions for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_5() { @@ -122,16 +122,16 @@ check_3_5() { if [ "$(stat -c %u%g $directory)" -eq 00 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $directory" - logcheckresult "WARN" "Wrong ownership for $directory" + return fi - else - info -c "$check" - info " * Directory not found" - logcheckresult "INFO" "Directory not found" + warn -s "$check" + warn " * Wrong ownership for $directory" + logcheckresult "WARN" "Wrong ownership for $directory" + return fi + info -c "$check" + info " * Directory not found" + logcheckresult "INFO" "Directory not found" } check_3_6() { @@ -147,16 +147,16 @@ check_3_6() { if [ "$(stat -c %a $directory)" -le 755 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $directory" - logcheckresult "WARN" "Wrong permissions for $directory" + return fi - else - info -c "$check" - info " * Directory not found" - logcheckresult "INFO" "Directory not found" + warn -s "$check" + warn " * Wrong permissions for $directory" + logcheckresult "WARN" "Wrong permissions for $directory" + return fi + info -c "$check" + info " * Directory not found" + logcheckresult "INFO" "Directory not found" } check_3_7() { @@ -180,15 +180,15 @@ check_3_7() { warn -s "$check" warn " * Wrong ownership for $directory" logcheckresult "WARN" "Wrong ownership for $directory" - else - pass -s "$check" - logcheckresult "PASS" + return fi - else - info -c "$check" - info " * Directory not found" - logcheckresult "INFO" "Directory not found" + pass -s "$check" + logcheckresult "PASS" + return fi + info -c "$check" + info " * Directory not found" + logcheckresult "INFO" "Directory not found" } check_3_8() { @@ -212,15 +212,15 @@ check_3_8() { warn -s "$check" warn " * Wrong permissions for $directory" logcheckresult "WARN" "Wrong permissions for $directory" - else - pass -s "$check" - logcheckresult "PASS" + return fi - else - info -c "$check" - info " * Directory not found" - logcheckresult "INFO" "Directory not found" + pass -s "$check" + logcheckresult "PASS" + return fi + info -c "$check" + info " * Directory not found" + logcheckresult "INFO" "Directory not found" } check_3_9() { @@ -231,25 +231,24 @@ check_3_9() { local check="$id - $desc" starttestjson "$id" "$desc" + tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then tlscacert=$(get_docker_configuration_file_args 'tlscacert') - else - tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $tlscacert" - logcheckresult "WARN" "Wrong ownership for $tlscacert" + return fi - else - info -c "$check" - info " * No TLS CA certificate found" - logcheckresult "INFO" "No TLS CA certificate found" + warn -s "$check" + warn " * Wrong ownership for $tlscacert" + logcheckresult "WARN" "Wrong ownership for $tlscacert" + return fi + info -c "$check" + info " * No TLS CA certificate found" + logcheckresult "INFO" "No TLS CA certificate found" } check_3_10() { @@ -260,25 +259,24 @@ check_3_10() { local check="$id - $desc" starttestjson "$id" "$desc" + tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then tlscacert=$(get_docker_configuration_file_args 'tlscacert') - else - tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %a $tlscacert)" -le 444 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $tlscacert" - logcheckresult "WARN" "Wrong permissions for $tlscacert" + return fi - else - info -c "$check" - info " * No TLS CA certificate found" - logcheckresult "INFO" "No TLS CA certificate found" + warn -s "$check" + warn " * Wrong permissions for $tlscacert" + logcheckresult "WARN" "Wrong permissions for $tlscacert" + return fi + info -c "$check" + info " * No TLS CA certificate found" + logcheckresult "INFO" "No TLS CA certificate found" } check_3_11() { @@ -289,25 +287,24 @@ check_3_11() { local check="$id - $desc" starttestjson "$id" "$desc" + tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then tlscert=$(get_docker_configuration_file_args 'tlscert') - else - tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlscert" ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $tlscert" - logcheckresult "WARN" "Wrong ownership for $tlscert" + return fi - else - info -c "$check" - info " * No TLS Server certificate found" - logcheckresult "INFO" "No TLS Server certificate found" + warn -s "$check" + warn " * Wrong ownership for $tlscert" + logcheckresult "WARN" "Wrong ownership for $tlscert" + return fi + info -c "$check" + info " * No TLS Server certificate found" + logcheckresult "INFO" "No TLS Server certificate found" } check_3_12() { @@ -318,25 +315,24 @@ check_3_12() { local check="$id - $desc" starttestjson "$id" "$desc" + tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then tlscert=$(get_docker_configuration_file_args 'tlscert') - else - tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlscert" ]; then if [ "$(stat -c %a $tlscert)" -le 444 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $tlscert" - logcheckresult "WARN" "Wrong permissions for $tlscert" + return fi - else - info -c "$check" - info " * No TLS Server certificate found" - logcheckresult "INFO" "No TLS Server certificate found" + warn -s "$check" + warn " * Wrong permissions for $tlscert" + logcheckresult "WARN" "Wrong permissions for $tlscert" + return fi + info -c "$check" + info " * No TLS Server certificate found" + logcheckresult "INFO" "No TLS Server certificate found" } check_3_13() { @@ -347,25 +343,24 @@ check_3_13() { local check="$id - $desc" starttestjson "$id" "$desc" + tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then tlskey=$(get_docker_configuration_file_args 'tlskey') - else - tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlskey" ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $tlskey" - logcheckresult "WARN" "Wrong ownership for $tlskey" + return fi - else - info -c "$check" - info " * No TLS Key found" - logcheckresult "INFO" "No TLS Key found" + warn -s "$check" + warn " * Wrong ownership for $tlskey" + logcheckresult "WARN" "Wrong ownership for $tlskey" + return fi + info -c "$check" + info " * No TLS Key found" + logcheckresult "INFO" "No TLS Key found" } check_3_14() { @@ -376,25 +371,24 @@ check_3_14() { local check="$id - $desc" starttestjson "$id" "$desc" + tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then tlskey=$(get_docker_configuration_file_args 'tlskey') - else - tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlskey" ]; then if [ "$(stat -c %a $tlskey)" -eq 400 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $tlskey" - logcheckresult "WARN" "Wrong permissions for $tlskey" + return fi - else - info -c "$check" - info " * No TLS Key found" - logcheckresult "INFO" "No TLS Key found" + warn -s "$check" + warn " * Wrong permissions for $tlskey" + logcheckresult "WARN" "Wrong permissions for $tlskey" + return fi + info -c "$check" + info " * No TLS Key found" + logcheckresult "INFO" "No TLS Key found" } check_3_15() { @@ -410,16 +404,16 @@ check_3_15() { if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $file" - logcheckresult "WARN" "Wrong ownership for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong ownership for $file" + logcheckresult "WARN" "Wrong ownership for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_16() { @@ -435,16 +429,16 @@ check_3_16() { if [ "$(stat -c %a $file)" -le 660 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $file" - logcheckresult "WARN" "Wrong permissions for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong permissions for $file" + logcheckresult "WARN" "Wrong permissions for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_17() { @@ -460,16 +454,16 @@ check_3_17() { if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $file" - logcheckresult "WARN" "Wrong ownership for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong ownership for $file" + logcheckresult "WARN" "Wrong ownership for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_18() { @@ -485,16 +479,16 @@ check_3_18() { if [ "$(stat -c %a $file)" -le 644 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $file" - logcheckresult "WARN" "Wrong permissions for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong permissions for $file" + logcheckresult "WARN" "Wrong permissions for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_19() { @@ -510,16 +504,16 @@ check_3_19() { if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $file" - logcheckresult "WARN" "Wrong ownership for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong ownership for $file" + logcheckresult "WARN" "Wrong ownership for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_20() { @@ -535,16 +529,16 @@ check_3_20() { if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong ownership for $file" - logcheckresult "WARN" "Wrong ownership for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong ownership for $file" + logcheckresult "WARN" "Wrong ownership for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_21() { @@ -560,16 +554,16 @@ check_3_21() { if [ "$(stat -c %a $file)" -le 644 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $file" - logcheckresult "WARN" "Wrong permissions for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong permissions for $file" + logcheckresult "WARN" "Wrong permissions for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_22() { @@ -585,16 +579,16 @@ check_3_22() { if [ "$(stat -c %a $file)" -le 644 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - warn " * Wrong permissions for $file" - logcheckresult "WARN" "Wrong permissions for $file" + return fi - else - info -c "$check" - info " * File not found" - logcheckresult "INFO" "File not found" + warn -s "$check" + warn " * Wrong permissions for $file" + logcheckresult "WARN" "Wrong permissions for $file" + return fi + info -c "$check" + info " * File not found" + logcheckresult "INFO" "File not found" } check_3_end() { diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index 0c76141..3e83a84 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh @@ -22,37 +22,37 @@ check_4_1() { info -c "$check" info " * No containers running" logcheckresult "INFO" "No containers running" - else - # We have some containers running, set failure flag to 0. Check for Users. - fail=0 - # Make the loop separator be a new-line in POSIX compliant fashion - set -f; IFS=$' - ' - root_containers="" - for c in $containers; do - user=$(docker inspect --format 'User={{.Config.User}}' "$c") - - if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=" ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn -s "$check" - warn " * Running as root: $c" - root_containers="$root_containers $c" - fail=1 - else - warn " * Running as root: $c" - root_containers="$root_containers $c" - fi - fi - done - # We went through all the containers and found none running as root - if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "running as root" "$root_containers" - fi + return fi + # We have some containers running, set failure flag to 0. Check for Users. + fail=0 + # Make the loop separator be a new-line in POSIX compliant fashion + set -f; IFS=$' + ' + root_containers="" + for c in $containers; do + user=$(docker inspect --format 'User={{.Config.User}}' "$c") + + if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=" ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn -s "$check" + warn " * Running as root: $c" + root_containers="$root_containers $c" + fail=1 + continue + fi + warn " * Running as root: $c" + root_containers="$root_containers $c" + fi + done + # We went through all the containers and found none running as root + if [ $fail -eq 0 ]; then + pass -s "$check" + logcheckresult "PASS" + return + fi + logcheckresult "WARN" "running as root" "$root_containers" # Make the loop separator go back to space set +f; unset IFS } @@ -104,10 +104,10 @@ check_4_5() { if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_4_6() { @@ -139,9 +139,9 @@ check_4_6() { if [ $fail -eq 0 ]; then pass -s "$check" logcheckresult "PASS" - else - logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images" + return fi + logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images" } check_4_7() { @@ -170,9 +170,9 @@ check_4_7() { if [ $fail -eq 0 ]; then pass -c "$check" logcheckresult "PASS" - else - logcheckresult "INFO" "Update instructions found" "$update_images" + return fi + logcheckresult "INFO" "Update instructions found" "$update_images" } check_4_8() { @@ -214,9 +214,9 @@ check_4_9() { if [ $fail -eq 0 ]; then pass -c "$check" logcheckresult "PASS" - else - logcheckresult "INFO" "Images using ADD" "$add_images" + return fi + logcheckresult "INFO" "Images using ADD" "$add_images" } check_4_10() { diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 443a7e4..50eecc5 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -13,11 +13,11 @@ check_running_containers() { # If containers is empty, there are no running containers if [ -z "$containers" ]; then info " * No containers running, skipping Section 5" - else - # Make the loop separator be a new-line in POSIX compliant fashion - set -f; IFS=$' - ' + return fi + # Make the loop separator be a new-line in POSIX compliant fashion + set -f; IFS=$' + ' } check_5_1() { @@ -42,21 +42,21 @@ check_5_1() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * No AppArmorProfile Found: $c" - no_apparmor_containers="$no_apparmor_containers $c" + no_apparmor_containers="$no_apparmor_containers $c" fail=1 - else - warn " * No AppArmorProfile Found: $c" - no_apparmor_containers="$no_apparmor_containers $c" + continue fi + warn " * No AppArmorProfile Found: $c" + no_apparmor_containers="$no_apparmor_containers $c" fi done # We went through all the containers and found none without AppArmor if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers" } check_5_2() { @@ -81,21 +81,21 @@ check_5_2() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * No SecurityOptions Found: $c" - no_securityoptions_containers="$no_securityoptions_containers $c" + no_securityoptions_containers="$no_securityoptions_containers $c" fail=1 - else - warn " * No SecurityOptions Found: $c" - no_securityoptions_containers="$no_securityoptions_containers $c" + continue fi + warn " * No SecurityOptions Found: $c" + no_securityoptions_containers="$no_securityoptions_containers $c" fi done # We went through all the containers and found none without SELinux if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers" } check_5_3() { @@ -123,21 +123,21 @@ check_5_3() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * Capabilities added: $caps to $c" - caps_containers="$caps_containers $c" + caps_containers="$caps_containers $c" fail=1 - else - warn " * Capabilities added: $caps to $c" - caps_containers="$caps_containers $c" + continue fi + warn " * Capabilities added: $caps to $c" + caps_containers="$caps_containers $c" fi done # We went through all the containers and found none with extra capabilities if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Capabilities added for containers" "$caps_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Capabilities added for containers" "$caps_containers" } check_5_4() { @@ -162,21 +162,21 @@ check_5_4() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * Container running in Privileged mode: $c" - privileged_containers="$privileged_containers $c" + privileged_containers="$privileged_containers $c" fail=1 - else - warn " * Container running in Privileged mode: $c" - privileged_containers="$privileged_containers $c" + continue fi + warn " * Container running in Privileged mode: $c" + privileged_containers="$privileged_containers $c" fi done # We went through all the containers and found no privileged containers if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers" } check_5_5() { @@ -204,10 +204,9 @@ check_5_5() { fail=0 sensitive_mount_containers="" for c in $containers; do + volumes=$(docker inspect --format '{{ .Mounts }}' "$c") if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c") - else - volumes=$(docker inspect --format '{{ .Mounts }}' "$c") fi # Go over each directory in sensitive dir and see if they exist in the volumes for v in $sensitive_dirs; do @@ -220,22 +219,22 @@ check_5_5() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * Sensitive directory $v mounted in: $c" - sensitive_mount_containers="$sensitive_mount_containers $c:$v" + sensitive_mount_containers="$sensitive_mount_containers $c:$v" fail=1 - else - warn " * Sensitive directory $v mounted in: $c" - sensitive_mount_containers="$sensitive_mount_containers $c:$v" + continue fi + warn " * Sensitive directory $v mounted in: $c" + sensitive_mount_containers="$sensitive_mount_containers $c:$v" fi done done # We went through all the containers and found none with sensitive mounts if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers" } check_5_6() { @@ -261,12 +260,12 @@ check_5_6() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * Container running sshd: $c" - ssh_exec_containers="$ssh_exec_containers $c" + ssh_exec_containers="$ssh_exec_containers $c" fail=1 printcheck=1 else warn " * Container running sshd: $c" - ssh_exec_containers="$ssh_exec_containers $c" + ssh_exec_containers="$ssh_exec_containers $c" fi fi @@ -284,11 +283,11 @@ check_5_6() { done # We went through all the containers and found none with sshd if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers" } check_5_7() { @@ -311,27 +310,27 @@ check_5_7() { # iterate through port range (line delimited) for port in $ports; do - if [ -n "$port" ] && [ "$port" -lt 1024 ]; then + if [ -n "$port" ] && [ "$port" -lt 1024 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn -s "$check" warn " * Privileged Port in use: $port in $c" - privileged_port_containers="$privileged_port_containers $c:$port" + privileged_port_containers="$privileged_port_containers $c:$port" fail=1 - else - warn " * Privileged Port in use: $port in $c" - privileged_port_containers="$privileged_port_containers $c:$port" + continue fi + warn " * Privileged Port in use: $port in $c" + privileged_port_containers="$privileged_port_containers $c:$port" fi done done # We went through all the containers and found no privileged ports if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers" } check_5_8() { @@ -372,21 +371,21 @@ check_5_9() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * Container running with networking mode 'host': $c" - net_host_containers="$net_host_containers $c" + net_host_containers="$net_host_containers $c" fail=1 - else - warn " * Container running with networking mode 'host': $c" - net_host_containers="$net_host_containers $c" + continue fi + warn " * Container running with networking mode 'host': $c" + net_host_containers="$net_host_containers $c" fi done # We went through all the containers and found no Network Mode host if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers" } check_5_10() { @@ -404,10 +403,9 @@ check_5_10() { fail=0 mem_unlimited_containers="" for c in $containers; do + memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c") if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then memory=$(docker inspect --format '{{ .Config.Memory }}' "$c") - else - memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c") fi if [ "$memory" = "0" ]; then @@ -415,21 +413,21 @@ check_5_10() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * Container running without memory restrictions: $c" - mem_unlimited_containers="$mem_unlimited_containers $c" + mem_unlimited_containers="$mem_unlimited_containers $c" fail=1 - else - warn " * Container running without memory restrictions: $c" - mem_unlimited_containers="$mem_unlimited_containers $c" + continue fi + warn " * Container running without memory restrictions: $c" + mem_unlimited_containers="$mem_unlimited_containers $c" fi done # We went through all the containers and found no lack of Memory restrictions if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers" } check_5_11() { @@ -447,10 +445,9 @@ check_5_11() { fail=0 cpu_unlimited_containers="" for c in $containers; do + shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c") if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c") - else - shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c") fi if [ "$shares" = "0" ]; then @@ -460,19 +457,19 @@ check_5_11() { warn " * Container running without CPU restrictions: $c" cpu_unlimited_containers="$cpu_unlimited_containers $c" fail=1 - else - warn " * Container running without CPU restrictions: $c" - cpu_unlimited_containers="$cpu_unlimited_containers $c" + continue fi + warn " * Container running without CPU restrictions: $c" + cpu_unlimited_containers="$cpu_unlimited_containers $c" fi done # We went through all the containers and found no lack of CPUShare restrictions if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers" } check_5_12() { @@ -497,21 +494,21 @@ check_5_12() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * Container running with root FS mounted R/W: $c" - fsroot_mount_containers="$fsroot_mount_containers $c" + fsroot_mount_containers="$fsroot_mount_containers $c" fail=1 - else - warn " * Container running with root FS mounted R/W: $c" - fsroot_mount_containers="$fsroot_mount_containers $c" + continue fi + warn " * Container running with root FS mounted R/W: $c" + fsroot_mount_containers="$fsroot_mount_containers $c" fi done # We went through all the containers and found no R/W FS mounts if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers" } check_5_13() { @@ -537,20 +534,20 @@ check_5_13() { warn " * Port being bound to wildcard IP: $ip in $c" incoming_unbound_containers="$incoming_unbound_containers $c:$ip" fail=1 - else - warn " * Port being bound to wildcard IP: $ip in $c" - incoming_unbound_containers="$incoming_unbound_containers $c:$ip" + continue fi + warn " * Port being bound to wildcard IP: $ip in $c" + incoming_unbound_containers="$incoming_unbound_containers $c:$ip" fi done done # We went through all the containers and found no ports bound to 0.0.0.0 if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers" } check_5_14() { @@ -575,21 +572,21 @@ check_5_14() { if [ $fail -eq 0 ]; then warn -s "$check" warn " * MaximumRetryCount is not set to 5: $c" - maxretry_unset_containers="$maxretry_unset_containers $c" + maxretry_unset_containers="$maxretry_unset_containers $c" fail=1 - else - warn " * MaximumRetryCount is not set to 5: $c" - maxretry_unset_containers="$maxretry_unset_containers $c" + continue fi + warn " * MaximumRetryCount is not set to 5: $c" + maxretry_unset_containers="$maxretry_unset_containers $c" fi done # We went through all the containers and they all had MaximumRetryCount=5 if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers" } check_5_15() { @@ -616,19 +613,19 @@ check_5_15() { warn " * Host PID namespace being shared with: $c" pidns_shared_containers="$pidns_shared_containers $c" fail=1 - else - warn " * Host PID namespace being shared with: $c" - pidns_shared_containers="$pidns_shared_containers $c" + continue fi + warn " * Host PID namespace being shared with: $c" + pidns_shared_containers="$pidns_shared_containers $c" fi done # We went through all the containers and found none with PidMode as host if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers" } check_5_16() { @@ -655,19 +652,19 @@ check_5_16() { warn " * Host IPC namespace being shared with: $c" ipcns_shared_containers="$ipcns_shared_containers $c" fail=1 - else - warn " * Host IPC namespace being shared with: $c" - ipcns_shared_containers="$ipcns_shared_containers $c" + continue fi + warn " * Host IPC namespace being shared with: $c" + ipcns_shared_containers="$ipcns_shared_containers $c" fi done # We went through all the containers and found none with IPCMode as host if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers" } check_5_17() { @@ -694,19 +691,19 @@ check_5_17() { info " * Container has devices exposed directly: $c" hostdev_exposed_containers="$hostdev_exposed_containers $c" fail=1 - else - info " * Container has devices exposed directly: $c" - hostdev_exposed_containers="$hostdev_exposed_containers $c" + continue fi + info " * Container has devices exposed directly: $c" + hostdev_exposed_containers="$hostdev_exposed_containers $c" fi done # We went through all the containers and found none with devices if [ $fail -eq 0 ]; then - pass -c "$check" - logcheckresult "PASS" - else - logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers" + pass -c "$check" + logcheckresult "PASS" + return fi + logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers" } check_5_18() { @@ -733,19 +730,19 @@ check_5_18() { info " * Container no default ulimit override: $c" no_ulimit_containers="$no_ulimit_containers $c" fail=1 - else - info " * Container no default ulimit override: $c" - no_ulimit_containers="$no_ulimit_containers $c" + continue fi + info " * Container no default ulimit override: $c" + no_ulimit_containers="$no_ulimit_containers $c" fi done # We went through all the containers and found none without Ulimits if [ $fail -eq 0 ]; then - pass -c "$check" - logcheckresult "PASS" - else - logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers" + pass -c "$check" + logcheckresult "PASS" + return fi + logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers" } check_5_19() { @@ -771,19 +768,19 @@ check_5_19() { warn " * Mount propagation mode is shared: $c" mountprop_shared_containers="$mountprop_shared_containers $c" fail=1 - else - warn " * Mount propagation mode is shared: $c" - mountprop_shared_containers="$mountprop_shared_containers $c" + continue fi + warn " * Mount propagation mode is shared: $c" + mountprop_shared_containers="$mountprop_shared_containers $c" fi done # We went through all the containers and found none with shared propagation mode if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers" } check_5_20() { @@ -810,19 +807,19 @@ check_5_20() { warn " * Host UTS namespace being shared with: $c" utcns_shared_containers="$utcns_shared_containers $c" fail=1 - else - warn " * Host UTS namespace being shared with: $c" - utcns_shared_containers="$utcns_shared_containers $c" + continue fi + warn " * Host UTS namespace being shared with: $c" + utcns_shared_containers="$utcns_shared_containers $c" fi done # We went through all the containers and found none with UTSMode as host if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers" } check_5_21() { @@ -856,11 +853,11 @@ check_5_21() { done # We went through all the containers and found none with default secomp profile disabled if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers" } check_5_22() { @@ -919,19 +916,19 @@ check_5_24() { warn " * Confirm cgroup usage: $c" unexpected_cgroup_containers="$unexpected_cgroup_containers $c" fail=1 - else - warn " * Confirm cgroup usage: $c" - unexpected_cgroup_containers="$unexpected_cgroup_containers $c" + continue fi + warn " * Confirm cgroup usage: $c" + unexpected_cgroup_containers="$unexpected_cgroup_containers $c" fi done # We went through all the containers and found none with UTSMode as host if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers" } check_5_25() { @@ -955,19 +952,19 @@ check_5_25() { warn " * Privileges not restricted: $c" addprivs_containers="$addprivs_containers $c" fail=1 - else - warn " * Privileges not restricted: $c" - addprivs_containers="$addprivs_containers $c" + continue fi + warn " * Privileges not restricted: $c" + addprivs_containers="$addprivs_containers $c" fi done # We went through all the containers and found none with capability to acquire additional privileges if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers" } check_5_26() { @@ -991,18 +988,18 @@ check_5_26() { warn " * Health check not set: $c" nohealthcheck_containers="$nohealthcheck_containers $c" fail=1 - else - warn " * Health check not set: $c" - nohealthcheck_containers="$nohealthcheck_containers $c" + continue fi + warn " * Health check not set: $c" + nohealthcheck_containers="$nohealthcheck_containers $c" fi done if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers" } check_5_27() { @@ -1045,19 +1042,19 @@ check_5_28() { warn " * PIDs limit not set: $c" nopids_limit_containers="$nopids_limit_containers $c" fail=1 - else - warn " * PIDs limit not set: $c" - nopids_limit_containers="$nopids_limit_containers $c" + continue fi + warn " * PIDs limit not set: $c" + nopids_limit_containers="$nopids_limit_containers $c" fi done # We went through all the containers and found all with PIDs limit if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers" } check_5_29() { @@ -1080,33 +1077,33 @@ check_5_29() { docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \ sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null) - if [ -n "$docker0Containers" ]; then - if [ $fail -eq 0 ]; then - info -c "$check" - fail=1 - fi - for c in $docker0Containers; do - if [ -z "$exclude" ]; then - cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g') - else - pattern=$(echo "$exclude" | sed 's/,/|/g') - cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" ) - fi - if [ -n "$cName" ]; then - info " * Container in docker0 network: $cName" - docker_network_containers="$docker_network_containers $c:$cName" - fi - done + if [ -n "$docker0Containers" ]; then + if [ $fail -eq 0 ]; then + info -c "$check" + fail=1 fi + for c in $docker0Containers; do + if [ -z "$exclude" ]; then + cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g') + else + pattern=$(echo "$exclude" | sed 's/,/|/g') + cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" ) + fi + if [ -n "$cName" ]; then + info " * Container in docker0 network: $cName" + docker_network_containers="$docker_network_containers $c:$cName" + fi + done + fi fi done # We went through all the containers and found none in docker0 network if [ $fail -eq 0 ]; then - pass -c "$check" - logcheckresult "PASS" - else - logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers" + pass -c "$check" + logcheckresult "PASS" + return fi + logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers" } check_5_30() { @@ -1131,19 +1128,19 @@ check_5_30() { warn " * Namespace shared: $c" hostns_shared_containers="$hostns_shared_containers $c" fail=1 - else - warn " * Namespace shared: $c" - hostns_shared_containers="$hostns_shared_containers $c" + continue fi + warn " * Namespace shared: $c" + hostns_shared_containers="$hostns_shared_containers $c" fi done # We went through all the containers and found none with host's user namespace shared if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers" } check_5_31() { @@ -1168,19 +1165,19 @@ check_5_31() { warn " * Docker socket shared: $c" docker_sock_containers="$docker_sock_containers $c" fail=1 - else - warn " * Docker socket shared: $c" - docker_sock_containers="$docker_sock_containers $c" + continue fi + warn " * Docker socket shared: $c" + docker_sock_containers="$docker_sock_containers $c" fi done # We went through all the containers and found none with docker.sock shared if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers" } check_5_end() { diff --git a/tests/7_docker_swarm_configuration.sh b/tests/7_docker_swarm_configuration.sh index 2188160..f7faab6 100644 --- a/tests/7_docker_swarm_configuration.sh +++ b/tests/7_docker_swarm_configuration.sh @@ -20,10 +20,10 @@ check_7_1() { if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_7_2() { @@ -39,14 +39,14 @@ check_7_2() { if [ "$managernodes" -eq 1 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - else - pass -s "$check (Swarm mode not enabled)" - logcheckresult "PASS" + warn -s "$check" + logcheckresult "WARN" + return fi + pass -s "$check (Swarm mode not enabled)" + logcheckresult "PASS" } check_7_3() { @@ -62,14 +62,14 @@ check_7_3() { if [ $? -eq 1 ]; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - else - pass -s "$check (Swarm mode not enabled)" - logcheckresult "PASS" + warn -s "$check" + logcheckresult "WARN" + return fi + pass -s "$check (Swarm mode not enabled)" + logcheckresult "PASS" } check_7_4() { @@ -96,11 +96,11 @@ check_7_4() { done # We went through all the networks and found none that are unencrypted if [ $fail -eq 0 ]; then - pass -s "$check" - logcheckresult "PASS" - else - logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks" + pass -s "$check" + logcheckresult "PASS" + return fi + logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks" } check_7_5() { @@ -115,14 +115,14 @@ check_7_5() { if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then pass -c "$check" logcheckresult "PASS" - else - info -c "$check" - logcheckresult "INFO" + return fi - else - pass -c "$check (Swarm mode not enabled)" - logcheckresult "PASS" + info -c "$check" + logcheckresult "INFO" + return fi + pass -c "$check (Swarm mode not enabled)" + logcheckresult "PASS" } check_7_6() { @@ -137,14 +137,14 @@ check_7_6() { if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then warn -s "$check" logcheckresult "WARN" - else - pass -s "$check" - logcheckresult "PASS" + return fi - else - pass -s "$check (Swarm mode not enabled)" - logcheckresult "PASS" + pass -s "$check" + logcheckresult "PASS" + return fi + pass -s "$check (Swarm mode not enabled)" + logcheckresult "PASS" } check_7_7() { @@ -158,10 +158,10 @@ check_7_7() { if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then note -c "$check" logcheckresult "NOTE" - else - pass -c "$check (Swarm mode not enabled)" - logcheckresult "PASS" + return fi + pass -c "$check (Swarm mode not enabled)" + logcheckresult "PASS" } check_7_8() { @@ -176,14 +176,14 @@ check_7_8() { if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then pass -c "$check" logcheckresult "PASS" - else - info -c "$check" - logcheckresult "INFO" + return fi - else - pass -c "$check (Swarm mode not enabled)" - logcheckresult "PASS" + info -c "$check" + logcheckresult "INFO" + return fi + pass -c "$check (Swarm mode not enabled)" + logcheckresult "PASS" } check_7_9() { @@ -197,10 +197,10 @@ check_7_9() { if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then info -c "$check" logcheckresult "INFO" - else - pass -c "$check (Swarm mode not enabled)" - logcheckresult "PASS" + return fi + pass -c "$check (Swarm mode not enabled)" + logcheckresult "PASS" } check_7_10() { @@ -214,10 +214,10 @@ check_7_10() { if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then info -c "$check" logcheckresult "INFO" - else - pass -c "$check (Swarm mode not enabled)" - logcheckresult "PASS" + return fi + pass -c "$check (Swarm mode not enabled)" + logcheckresult "PASS" } check_7_end() { diff --git a/tests/8_docker_enterprise_configuration.sh b/tests/8_docker_enterprise_configuration.sh index e151a1f..aef9d23 100644 --- a/tests/8_docker_enterprise_configuration.sh +++ b/tests/8_docker_enterprise_configuration.sh @@ -10,11 +10,10 @@ check_8() { } check_product_license() { + enterprise_license=1 if docker version | grep -Eqi '^Server.*Community$|Version.*-ce$'; then info " * Community Engine license, skipping section 8" enterprise_license=0 - else - enterprise_license=1 fi } diff --git a/tests/99_community_checks.sh b/tests/99_community_checks.sh index 5f26ceb..e0ad438 100644 --- a/tests/99_community_checks.sh +++ b/tests/99_community_checks.sh @@ -19,13 +19,15 @@ check_c_1() { if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then pass -s "$check" logcheckresult "PASS" - elif docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then + return + fi + if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then info -c "$check" logcheckresult "INFO" - else - warn -s "$check" - logcheckresult "WARN" + return fi + warn -s "$check" + logcheckresult "WARN" } check_c_1_1() { @@ -39,13 +41,15 @@ check_c_1_1() { if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then pass -c "$check" logcheckresult "PASS" - elif docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then + return + fi + if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then info -c "$check" logcheckresult "INFO" - else - warn -c "$check" - logcheckresult "WARN" + return fi + warn -c "$check" + logcheckresult "WARN" } check_c_2() { @@ -63,19 +67,21 @@ check_c_2() { if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then + return + fi + if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then pass -s "$check" logcheckresult "PASS" - else - warn -s "$check" - logcheckresult "WARN" + return fi - else - local desc="$desc (Deprecated)" - local check="$id - $desc" - info -c "$check" - logcheckresult "INFO" + warn -s "$check" + logcheckresult "WARN" + return fi + local desc="$desc (Deprecated)" + local check="$id - $desc" + info -c "$check" + logcheckresult "INFO" } check_c_end() {