Bug fixing and improving source code readability
This commit is contained in:
parent
86985f854f
commit
d0443cc817
12 changed files with 1028 additions and 783 deletions
|
@ -20,13 +20,15 @@ check_2_1() {
|
|||
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
}
|
||||
|
||||
check_2_2() {
|
||||
|
@ -41,25 +43,29 @@ check_2_2() {
|
|||
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
|
||||
return
|
||||
fi
|
||||
if [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
elif get_docker_effective_command_line_args '-l'; then
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
if get_docker_effective_command_line_args '-l'; then
|
||||
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
else
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
}
|
||||
|
||||
check_2_3() {
|
||||
|
@ -73,13 +79,15 @@ check_2_3() {
|
|||
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
else
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
return
|
||||
fi
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
}
|
||||
|
||||
check_2_4() {
|
||||
|
@ -93,18 +101,20 @@ check_2_4() {
|
|||
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
|
||||
return
|
||||
fi
|
||||
if ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
|
||||
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
else
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
}
|
||||
|
||||
check_2_5() {
|
||||
|
@ -118,10 +128,10 @@ check_2_5() {
|
|||
if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
else
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
return
|
||||
fi
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
}
|
||||
|
||||
check_2_6() {
|
||||
|
@ -138,21 +148,23 @@ check_2_6() {
|
|||
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
|
||||
return
|
||||
fi
|
||||
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
|
||||
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
|
||||
warn -s "$check"
|
||||
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
|
||||
logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
|
||||
else
|
||||
warn -s "$check"
|
||||
warn " * Docker daemon currently listening on TCP without TLS"
|
||||
logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
|
||||
return
|
||||
fi
|
||||
else
|
||||
info -c "$check"
|
||||
info " * Docker daemon not listening on TCP"
|
||||
logcheckresult "INFO" "Docker daemon not listening on TCP"
|
||||
warn -s "$check"
|
||||
warn " * Docker daemon currently listening on TCP without TLS"
|
||||
logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
|
||||
return
|
||||
fi
|
||||
info -c "$check"
|
||||
info " * Docker daemon not listening on TCP"
|
||||
logcheckresult "INFO" "Docker daemon not listening on TCP"
|
||||
}
|
||||
|
||||
check_2_7() {
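Review bot: The TLS-but-no-verification branch kept on the `if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \` line tests grep's matched line by word-splitting it inside `[ ]`, and the `>/dev/null 2>&1` on the continuation line redirects `[` itself rather than grep; if that matched line contains whitespace the test fails with "unary operator expected" instead of evaluating true, and the daemon is then reported as "listening on TCP without TLS" when it is actually on TLS without verification. The same construct sits on the `--tlsverify` line at the top of this hunk. Test the pipeline's exit status directly: `if get_docker_configuration_file_args '"tls":' | grep -q 'true' || \` / `   get_docker_cumulative_command_line_args '--tls' | grep -q 'tls$'; then`. The enclosing outer `if` (daemon listening on TCP) begins before this hunk.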
|
||||
|
@ -166,14 +178,16 @@ check_2_7() {
|
|||
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
|
||||
pass -c "$check"
|
||||
logcheckresult "PASS"
|
||||
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
|
||||
pass -c "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
info -c "$check"
|
||||
info " * Default ulimit doesn't appear to be set"
|
||||
logcheckresult "INFO" "Default ulimit doesn't appear to be set"
|
||||
return
|
||||
fi
|
||||
info -c "$check"
|
||||
info " * Default ulimit doesn't appear to be set"
|
||||
logcheckresult "INFO" "Default ulimit doesn't appear to be set"
|
||||
}
|
||||
|
||||
check_2_8() {
|
||||
|
@ -187,13 +201,15 @@ check_2_8() {
|
|||
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
}
|
||||
|
||||
check_2_9() {
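Review bot: `grep -v '""'` on the first line of this hunk has no output redirection, unlike every other test in these hunks, so the matched `userns-remap` configuration line is printed to the benchmark's stdout between the `pass`/`warn` lines and presumably lands in any captured report. The same applies to `grep -v '\[]'` at the top of the check_2_11 hunk. Use `grep -qv '""'` (and `grep -qv '\[]'`) so only the exit status is consumed. check_2_8's opening `if` is the first line of the hunk; the function's id/desc setup sits before it.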
|
||||
|
@ -208,14 +224,16 @@ check_2_9() {
|
|||
warn -s "$check"
|
||||
info " * Confirm cgroup usage"
|
||||
logcheckresult "WARN" "Confirm cgroup usage"
|
||||
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
|
||||
warn -s "$check"
|
||||
info " * Confirm cgroup usage"
|
||||
logcheckresult "WARN" "Confirm cgroup usage"
|
||||
else
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
return
|
||||
fi
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
}
|
||||
|
||||
check_2_10() {
|
||||
|
@ -229,13 +247,15 @@ check_2_10() {
|
|||
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
else
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
return
|
||||
fi
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
}
|
||||
|
||||
check_2_11() {
|
||||
|
@ -249,13 +269,15 @@ check_2_11() {
|
|||
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
}
|
||||
|
||||
check_2_12() {
|
||||
|
@ -269,10 +291,10 @@ check_2_12() {
|
|||
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
else
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
return
|
||||
fi
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
}
|
||||
|
||||
check_2_13() {
|
||||
|
@ -286,18 +308,20 @@ check_2_13() {
|
|||
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||
pass -s "$check (Incompatible with swarm mode)"
|
||||
logcheckresult "PASS"
|
||||
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
fi
|
||||
return
|
||||
fi
|
||||
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
|
||||
pass -s "$check (Incompatible with swarm mode)"
|
||||
logcheckresult "PASS"
|
||||
return
|
||||
fi
|
||||
if get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
return
|
||||
fi
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
}
|
||||
|
||||
check_2_14() {
|
||||
|
@ -311,13 +335,15 @@ check_2_14() {
|
|||
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
}
|
||||
|
||||
check_2_15() {
|
||||
|
@ -331,10 +357,10 @@ check_2_15() {
|
|||
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
|
||||
pass -c "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
info -c "$check"
|
||||
logcheckresult "INFO"
|
||||
return
|
||||
fi
|
||||
info -c "$check"
|
||||
logcheckresult "INFO"
|
||||
}
|
||||
|
||||
check_2_16() {
|
||||
|
@ -352,16 +378,16 @@ check_2_16() {
|
|||
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
else
|
||||
local desc="$desc (Deprecated)"
|
||||
local check="$id - $desc"
|
||||
info -c "$desc"
|
||||
logcheckresult "INFO"
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
local desc="$desc (Deprecated)"
|
||||
local check="$id - $desc"
|
||||
info -c "$desc"
|
||||
logcheckresult "INFO"
|
||||
}
|
||||
|
||||
check_2_17() {
|
||||
|
@ -375,13 +401,15 @@ check_2_17() {
|
|||
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
|
||||
return
|
||||
fi
|
||||
if get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
|
||||
pass -s "$check"
|
||||
logcheckresult "PASS"
|
||||
else
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
return
|
||||
fi
|
||||
warn -s "$check"
|
||||
logcheckresult "WARN"
|
||||
}
|
||||
|
||||
check_2_end() {
|
||||
|
|