Bug fixing and improving source code readability

This commit is contained in:
Razvan Stoica 2021-03-29 15:22:14 +03:00
parent 86985f854f
commit d0443cc817
12 changed files with 1028 additions and 783 deletions


@ -24,19 +24,7 @@ readonly myname
export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/" export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
# Check for required program(s) # Check for required program(s)
req_progs='awk docker grep stat tee tail wc xargs truncate sed' req_programs 'awk docker grep stat tee tail wc xargs truncate sed'
for p in $req_progs; do
command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done
if command -v ss >/dev/null 2>&1; then
netbin=ss
elif command -v netstat >/dev/null 2>&1; then
netbin=netstat
else
echo "ss or netstat command not found."
exit 1
fi
# Ensure we can connect to docker daemon # Ensure we can connect to docker daemon
if ! docker ps -q >/dev/null 2>&1; then if ! docker ps -q >/dev/null 2>&1; then
@ -85,6 +73,7 @@ fi
logger="log/${myname}.log" logger="log/${myname}.log"
limit=0 limit=0
printremediation="1" printremediation="1"
globalRemediation=""
# Get the flags # Get the flags
# If you add an option here, please # If you add an option here, please
@ -130,7 +119,6 @@ beginjson "$version" "$(date +%s)"
# Load all the tests from tests/ and run them # Load all the tests from tests/ and run them
main () { main () {
logit "\n${bldylw}Section A - Check results${txtrsr}" logit "\n${bldylw}Section A - Check results${txtrsr}"
globalRemediation=""
# Get configuration location # Get configuration location
get_docker_configuration_file get_docker_configuration_file
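Review bot: The new top-level call `req_programs 'awk docker grep stat tee tail wc xargs truncate sed'` only works if the helper is already defined when this line executes; the function now lives in the library file (see the req_programs hunk in the next section), so if that file is sourced below this point the script stops with a "req_programs: not found" error — the source order is outside this hunk and worth confirming. The helper also has a side effect that the comment above the call no longer conveys: it assigns the global `netbin` that later checks read. I would extend the comment to `# Check for required program(s); req_programs exits on a missing tool and sets netbin (ss or netstat)`.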


@ -6,6 +6,23 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es
# Audit rules default path # Audit rules default path
auditrules="/etc/audit/audit.rules" auditrules="/etc/audit/audit.rules"
# Check for required program(s)
req_programs() {
for p in $1; do
command -v "$p" >/dev/null 2>&1 || { printf "Required program not found: %s\n" "$p"; exit 1; }
done
if command -v ss >/dev/null 2>&1; then
netbin=ss
return
fi
if command -v netstat >/dev/null 2>&1; then
netbin=netstat
return
fi
echo "ss or netstat command not found."
exit 1
}
# Compares versions of software of the format X.Y.Z # Compares versions of software of the format X.Y.Z
do_version_check() { do_version_check() {
[ "$1" = "$2" ] && return 10 [ "$1" = "$2" ] && return 10
@ -23,9 +40,8 @@ do_version_check() {
[ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0 [ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0
do_version_check "$ver1back" "$ver2back" do_version_check "$ver1back" "$ver2back"
return $? return $?
else
[ "$1" -gt "$2" ] && return 11 || return 9
fi fi
[ "$1" -gt "$2" ] && return 11 || return 9
} }
# Extracts commandline args from the newest running processes named like the first parameter # Extracts commandline args from the newest running processes named like the first parameter
@ -45,10 +61,9 @@ get_command_line_args() {
get_docker_cumulative_command_line_args() { get_docker_cumulative_command_line_args() {
OPTION="$1" OPTION="$1"
line_arg="dockerd"
if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then
line_arg="docker daemon" line_arg="docker daemon"
else
line_arg="dockerd"
fi fi
get_command_line_args "$line_arg" | get_command_line_args "$line_arg" |
@ -88,11 +103,13 @@ get_docker_configuration_file() {
if [ -f "$FILE" ]; then if [ -f "$FILE" ]; then
CONFIG_FILE="$FILE" CONFIG_FILE="$FILE"
elif [ -f '/etc/docker/daemon.json' ]; then return
CONFIG_FILE='/etc/docker/daemon.json'
else
CONFIG_FILE='/dev/null'
fi fi
if [ -f '/etc/docker/daemon.json' ]; then
CONFIG_FILE='/etc/docker/daemon.json'
return
fi
CONFIG_FILE='/dev/null'
} }
get_docker_configuration_file_args() { get_docker_configuration_file_args() {
@ -108,13 +125,17 @@ get_service_file() {
if [ -f "/etc/systemd/system/$SERVICE" ]; then if [ -f "/etc/systemd/system/$SERVICE" ]; then
echo "/etc/systemd/system/$SERVICE" echo "/etc/systemd/system/$SERVICE"
elif [ -f "/lib/systemd/system/$SERVICE" ]; then return
echo "/lib/systemd/system/$SERVICE"
elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
else
echo "/usr/lib/systemd/system/$SERVICE"
fi fi
if [ -f "/lib/systemd/system/$SERVICE" ]; then
echo "/lib/systemd/system/$SERVICE"
return
fi
if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
return
fi
echo "/usr/lib/systemd/system/$SERVICE"
} }
yell_info() { yell_info() {
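Review bot: `req_programs` writes its diagnostics to stdout (`printf "Required program not found: %s\n" "$p"` and `echo "ss or netstat command not found."`) right before `exit 1`, so when the script's output is redirected into a log the reason for the early exit never reaches the terminal; both messages belong on stderr via `>&2`. The function also sets the global `netbin` as a side effect, which neither its name nor any header comment announces — a header such as `# Exit if any program listed in $1 is missing; sets netbin to ss or netstat` would make the contract visible to callers. The `exit 1` inside a library function terminates whichever script sourced it, which is presumably intended here since the inline code it replaces did the same.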


@ -87,8 +87,8 @@ note () {
if [ "$noteCountCheck" = "true" ]; then if [ "$noteCountCheck" = "true" ]; then
printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger" printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
return return
fi fi
printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger" printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
} }
@ -125,37 +125,38 @@ starttestjson() {
SEP="," SEP=","
} }
log_to_json() {
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
truncItems=$3
if [ $limit != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
fi
itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]")
printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logcheckresult() { logcheckresult() {
# Log to JSON # Log to JSON
if [ $# -eq 1 ]; then log_to_json "$@"
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -ne 2 ] && [ $# -ne 1 ]; then
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
if [ $limit != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
else
truncItems=$3
fi
itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]")
printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
# Log remediation measure to JSON # Log remediation measure to JSON
if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then
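Review bot: The second guard in the new `log_to_json`, `if [ $# -eq 2 ] && [ $# -ne 1 ]; then`, carries a dead clause because the one-argument case has already returned two lines above; `if [ $# -eq 2 ]; then` states the same condition. `[ $limit != 0 ]` should quote the variable (`[ "$limit" != 0 ]`) so an unset `limit` yields a false comparison instead of a `[: !=: unary operator expected` error, and `[ "$ITEM_COUNT" == "$limit" ]` uses a non-POSIX `==` that some /bin/sh implementations reject, so `=` is the portable form if this file runs under sh. Separately, `$1`, `$2` and the items are interpolated into the JSON file without escaping `"` or `\`, so a container or file name containing a double quote produces malformed output; until an escaping step exists I would flag that with `# NOTE: values are written without JSON escaping` above the first printf. The `ITEMCOUNT=0` inside the `itemsJson` subshell is never read and can be dropped.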


@ -0,0 +1,194 @@
#!/bin/sh
bldred='\033[1;31m' # Bold Red
bldgrn='\033[1;32m' # Bold Green
bldblu='\033[1;34m' # Bold Blue
bldylw='\033[1;33m' # Bold Yellow
txtrst='\033[0m'
if [ -n "$nocolor"
] && [ "$nocolor" = "nocolor" ]; then
bldred=''
bldgrn=''
bldblu=''
bldylw=''
txtrst=''
fi
logit () {
printf "%b\n" "$1" | tee -a "$logger"
}
info () {
local infoCountCheck
while getopts c args
do
case $args in
c) infoCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$infoCountCheck" = "true" ]; then
printf "%b\n" "${bldblu}[INFO]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger"
}
pass () {
local passScored
while getopts sc args
do
case $args in
s) passScored="true" ;;
c) passCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$passScored" = "true" ] || [ "$passCountCheck" = "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
fi
if [ "$passScored" = "true" ]; then
currentScore=$((currentScore + 1))
fi
if [ "$passScored" != "true" ] && [ "$passCountCheck" != "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger"
fi
}
warn () {
local warnScored
while getopts s args
do
case $args in
s) warnScored="true" ;;
*) exit 1 ;;
esac
done
if [ "$warnScored" = "true" ]; then
printf "%b\n" "${bldred}[WARN]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
currentScore=$((currentScore - 1))
return
fi
printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
}
note () {
local noteCountCheck
while getopts c args
do
case $args in
c) noteCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$noteCountCheck" = "true" ]; then
printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
}
yell () {
printf "%b\n" "${bldylw}$1${txtrst}\n"
}
appendjson () {
if [ -s "$logger.json" ]; then
tail -n 1 "$logger.json" | wc -c | xargs -I {} truncate "$logger.json" -s -{}
printf "},\n" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
printf "[" | tee -a "$logger.json" 2>/dev/null 1>&2
}
beginjson () {
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
endjson (){
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s\n}]" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
SSEP=
SEP=
startsectionjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=
SSEP=","
}
endsectionjson() {
printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2
}
starttestjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=","
}
logcheckresult() {
# Log to JSON
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\", \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -ne 2 ] && [ $# -ne 1 ]; then
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
if [ $limit != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
else
truncItems=$3
fi
itemsJson=$(printf "["; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]")
printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
# Log remediation measure to JSON
if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then
printf ", \"remediation\": \"%s\"" "$remediation" | tee -a "$logger.json" 2>/dev/null 1>&2
if [ -n "$remediationImpact" ]; then
printf ", \"remediation-impact\": \"%s\"" "$remediationImpact" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
fi
printf "}" | tee -a "$logger.json" 2>/dev/null 1>&2
# Save remediation measure for print log to stdout
if [ -n "$remediation" ] && [ "$1" != "PASS" ]; then
if [ -n "${checkHeader}" ]; then
if [ -n "${addSpaceHeader}" ]; then
globalRemediation="${globalRemediation}\n"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${checkHeader}"
checkHeader=""
addSpaceHeader="1"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${id} - ${remediation}"
if [ -n "${remediationImpact}" ]; then
globalRemediation="${globalRemediation} Impact: ${remediationImpact}"
fi
fi
}
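Review bot: In `pass`, only `passScored` is declared `local`; `passCountCheck`, set in the `c)` arm, is a global, so after one `pass -c "$check"` call any later `pass` invocation without a flag still sees `passCountCheck="true"`, takes the counting branch, prints an empty `$2` and increments `totalChecks`. Declare both: `local passScored passCountCheck`, matching how `info`, `warn` and `note` scope their flag variables. The `while getopts` loops also rely on `OPTIND` starting at 1 on every call; POSIX leaves `OPTIND` a script-wide variable and some shells do not reset it on function entry, so a second call could skip option parsing entirely — setting `OPTIND=1` before each loop removes that dependence. Note that `local` itself is not POSIX, which matters under the `#!/bin/sh` shebang on the first line if a strictly POSIX shell is used, although dash and bash both accept it.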


@ -41,16 +41,15 @@ check_1_1_2() {
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version" do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
info -c "$check"
info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker"
logcheckresult "INFO" "Using $docker_version"
else
pass -c "$check" pass -c "$check"
info " * Using $docker_version which is current" info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Check with your operating system vendor for support and security maintenance for Docker" logcheckresult "INFO" "Using $docker_version"
logcheckresult "PASS" "Using $docker_version" return
fi fi
pass -c "$check"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logcheckresult "PASS" "Using $docker_version"
} }
check_1_2() { check_1_2() {
@ -76,10 +75,10 @@ check_1_2_1() {
if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_1_2_2() { check_1_2_2() {
@ -90,10 +89,9 @@ check_1_2_2() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
docker_users=$(grep 'docker' /etc/group)
if command -v getent >/dev/null 2>&1; then if command -v getent >/dev/null 2>&1; then
docker_users=$(getent group docker) docker_users=$(getent group docker)
else
docker_users=$(grep 'docker' /etc/group)
fi fi
docker_users=$(printf "%s" "$docker_users" | awk -F: '{print $4}') docker_users=$(printf "%s" "$docker_users" | awk -F: '{print $4}')
@ -101,10 +99,9 @@ check_1_2_2() {
if [ -n "$dockertrustusers" ]; then if [ -n "$dockertrustusers" ]; then
for u in $(printf "%s" "$docker_users" | sed "s/,/ /g"); do for u in $(printf "%s" "$docker_users" | sed "s/,/ /g"); do
if ! printf "%s" "$dockertrustusers" | grep -q "$u" ; then if ! printf "%s" "$dockertrustusers" | grep -q "$u" ; then
doubtfulusers="$u"
if [ -n "${doubtfulusers}" ]; then if [ -n "${doubtfulusers}" ]; then
doubtfulusers="${doubtfulusers},$u" doubtfulusers="${doubtfulusers},$u"
else
doubtfulusers="$u"
fi fi
fi fi
done done
@ -139,17 +136,19 @@ check_1_2_3() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
} }
check_1_2_4() { check_1_2_4() {
@ -166,22 +165,24 @@ check_1_2_4() {
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * Directory not found" logcheckresult "PASS"
logcheckresult "INFO" "Directory not found" return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
} }
check_1_2_5() { check_1_2_5() {
@ -198,22 +199,24 @@ check_1_2_5() {
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * Directory not found" logcheckresult "PASS"
logcheckresult "INFO" "Directory not found" return
fi fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
} }
check_1_2_6() { check_1_2_6() {
@ -231,22 +234,24 @@ check_1_2_6() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * File not found" logcheckresult "PASS"
logcheckresult "INFO" "File not found" return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_1_2_7() { check_1_2_7() {
@ -264,22 +269,24 @@ check_1_2_7() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * File not found" logcheckresult "PASS"
logcheckresult "INFO" "File not found" return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_1_2_8() { check_1_2_8() {
@ -296,22 +303,24 @@ check_1_2_8() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * File not found" logcheckresult "PASS"
logcheckresult "INFO" "File not found" return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_1_2_9() { check_1_2_9() {
@ -328,22 +337,24 @@ check_1_2_9() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * File not found" logcheckresult "PASS"
logcheckresult "INFO" "File not found" return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_1_2_10() { check_1_2_10() {
@ -360,22 +371,24 @@ check_1_2_10() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * File not found" logcheckresult "PASS"
logcheckresult "INFO" "File not found" return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_1_2_11() { check_1_2_11() {
@ -392,22 +405,24 @@ check_1_2_11() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * File not found" logcheckresult "PASS"
logcheckresult "INFO" "File not found" return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_1_2_12() { check_1_2_12() {
@ -424,22 +439,24 @@ check_1_2_12() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
info -c "$check" pass -s "$check"
info " * File not found" logcheckresult "PASS"
logcheckresult "INFO" "File not found" return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_1_end() { check_1_end() {
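Review bot: The rewritten accumulation in check_1_2_2 is wrong: `doubtfulusers="$u"` now runs unconditionally, so the following `if [ -n "${doubtfulusers}" ]` is always true and every iteration produces `"$u,$u"` while discarding the users collected by earlier iterations, whereas the removed else-branch only seeded the list when it was empty. The three lines collapse to the single `doubtfulusers="${doubtfulusers:+$doubtfulusers,}$u"`, which prepends a comma only when the list is already non-empty. In check_1_1_2 the outdated-version branch now calls `pass -c "$check"` where it previously called `info -c "$check"`, so the console prints [PASS] while `logcheckresult "INFO"` records INFO for the same check; restoring `info -c "$check"` keeps the two outputs consistent. The remaining early-return rewrites in this section look equivalent to the if/elif/else chains they replace.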


@ -20,13 +20,15 @@ check_2_1() {
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then return
fi
if get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_2_2() { check_2_2() {
@ -41,25 +43,29 @@ check_2_2() {
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then return
fi
if [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
elif get_docker_effective_command_line_args '-l'; then warn -s "$check"
logcheckresult "WARN"
return
fi
if get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
else warn -s "$check"
pass -s "$check" logcheckresult "WARN"
logcheckresult "PASS" return
fi fi
pass -s "$check"
logcheckresult "PASS"
} }
check_2_3() { check_2_3() {
@ -73,13 +79,15 @@ check_2_3() {
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then return
fi
if get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
pass -s "$check"
logcheckresult "PASS"
fi fi
pass -s "$check"
logcheckresult "PASS"
} }
check_2_4() { check_2_4() {
@ -93,18 +101,20 @@ check_2_4() {
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then return
fi
if ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
else warn -s "$check"
pass -s "$check" logcheckresult "WARN"
logcheckresult "PASS" return
fi fi
pass -s "$check"
logcheckresult "PASS"
} }
check_2_5() { check_2_5() {
@ -118,10 +128,10 @@ check_2_5() {
if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
pass -s "$check"
logcheckresult "PASS"
fi fi
pass -s "$check"
logcheckresult "PASS"
} }
check_2_6() { check_2_6() {
@ -138,21 +148,23 @@ check_2_6() {
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then [ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ return
fi
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then [ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
warn -s "$check" warn -s "$check"
warn " * Docker daemon currently listening on TCP with TLS, but no verification" warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification" logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
else return
warn -s "$check"
warn " * Docker daemon currently listening on TCP without TLS"
logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
fi fi
else warn -s "$check"
info -c "$check" warn " * Docker daemon currently listening on TCP without TLS"
info " * Docker daemon not listening on TCP" logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
logcheckresult "INFO" "Docker daemon not listening on TCP" return
fi fi
info -c "$check"
info " * Docker daemon not listening on TCP"
logcheckresult "INFO" "Docker daemon not listening on TCP"
} }
check_2_7() { check_2_7() {
@ -166,14 +178,16 @@ check_2_7() {
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
info -c "$check"
info " * Default ulimit doesn't appear to be set"
logcheckresult "INFO" "Default ulimit doesn't appear to be set"
fi fi
info -c "$check"
info " * Default ulimit doesn't appear to be set"
logcheckresult "INFO" "Default ulimit doesn't appear to be set"
} }
check_2_8() { check_2_8() {
@ -187,13 +201,15 @@ check_2_8() {
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_2_9() { check_2_9() {
@ -208,14 +224,16 @@ check_2_9() {
warn -s "$check" warn -s "$check"
info " * Confirm cgroup usage" info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage" logcheckresult "WARN" "Confirm cgroup usage"
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
info " * Confirm cgroup usage" info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage" logcheckresult "WARN" "Confirm cgroup usage"
else return
pass -s "$check"
logcheckresult "PASS"
fi fi
pass -s "$check"
logcheckresult "PASS"
} }
check_2_10() { check_2_10() {
@ -229,13 +247,15 @@ check_2_10() {
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
pass -s "$check"
logcheckresult "PASS"
fi fi
pass -s "$check"
logcheckresult "PASS"
} }
check_2_11() { check_2_11() {
@ -249,13 +269,15 @@ check_2_11() {
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_2_12() { check_2_12() {
@ -269,10 +291,10 @@ check_2_12() {
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
pass -s "$check"
logcheckresult "PASS"
fi fi
pass -s "$check"
logcheckresult "PASS"
} }
check_2_13() { check_2_13() {
@ -286,18 +308,20 @@ check_2_13() {
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass -s "$check (Incompatible with swarm mode)"
logcheckresult "PASS"
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
else
warn -s "$check"
logcheckresult "WARN"
fi
fi fi
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass -s "$check (Incompatible with swarm mode)"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
} }
check_2_14() { check_2_14() {
@ -311,13 +335,15 @@ check_2_14() {
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_2_15() { check_2_15() {
@ -331,10 +357,10 @@ check_2_15() {
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
info -c "$check"
logcheckresult "INFO"
fi fi
info -c "$check"
logcheckresult "INFO"
} }
check_2_16() { check_2_16() {
@ -352,16 +378,16 @@ check_2_16() {
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
else warn -s "$check"
local desc="$desc (Deprecated)" logcheckresult "WARN"
local check="$id - $desc" return
info -c "$desc"
logcheckresult "INFO"
fi fi
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$desc"
logcheckresult "INFO"
} }
check_2_17() { check_2_17() {
@ -375,13 +401,15 @@ check_2_17() {
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then return
fi
if get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_2_end() { check_2_end() {


@ -22,16 +22,16 @@ check_3_1() {
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $file"
info " * File not found" logcheckresult "WARN" "Wrong ownership for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_2() { check_3_2() {
@ -47,16 +47,16 @@ check_3_2() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $file"
info " * File not found" logcheckresult "WARN" "Wrong permissions for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_3() { check_3_3() {
@ -72,16 +72,16 @@ check_3_3() {
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $file"
info " * File not found" logcheckresult "WARN" "Wrong ownership for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_4() { check_3_4() {
@ -97,16 +97,16 @@ check_3_4() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $file"
info " * File not found" logcheckresult "WARN" "Wrong permissions for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_5() { check_3_5() {
@ -122,16 +122,16 @@ check_3_5() {
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $directory"
info " * Directory not found" logcheckresult "WARN" "Wrong ownership for $directory"
logcheckresult "INFO" "Directory not found" return
fi fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
} }
check_3_6() { check_3_6() {
@ -147,16 +147,16 @@ check_3_6() {
if [ "$(stat -c %a $directory)" -le 755 ]; then if [ "$(stat -c %a $directory)" -le 755 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $directory"
info " * Directory not found" logcheckresult "WARN" "Wrong permissions for $directory"
logcheckresult "INFO" "Directory not found" return
fi fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
} }
check_3_7() { check_3_7() {
@ -180,15 +180,15 @@ check_3_7() {
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $directory" warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory" logcheckresult "WARN" "Wrong ownership for $directory"
else return
pass -s "$check"
logcheckresult "PASS"
fi fi
else pass -s "$check"
info -c "$check" logcheckresult "PASS"
info " * Directory not found" return
logcheckresult "INFO" "Directory not found"
fi fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
} }
check_3_8() { check_3_8() {
@ -212,15 +212,15 @@ check_3_8() {
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $directory" warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory" logcheckresult "WARN" "Wrong permissions for $directory"
else return
pass -s "$check"
logcheckresult "PASS"
fi fi
else pass -s "$check"
info -c "$check" logcheckresult "PASS"
info " * Directory not found" return
logcheckresult "INFO" "Directory not found"
fi fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
} }
check_3_9() { check_3_9() {
@ -231,25 +231,24 @@ check_3_9() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert') tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $tlscacert"
logcheckresult "WARN" "Wrong ownership for $tlscacert"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $tlscacert"
info " * No TLS CA certificate found" logcheckresult "WARN" "Wrong ownership for $tlscacert"
logcheckresult "INFO" "No TLS CA certificate found" return
fi fi
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
} }
check_3_10() { check_3_10() {
@ -260,25 +259,24 @@ check_3_10() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert') tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -le 444 ]; then if [ "$(stat -c %a $tlscacert)" -le 444 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $tlscacert"
logcheckresult "WARN" "Wrong permissions for $tlscacert"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $tlscacert"
info " * No TLS CA certificate found" logcheckresult "WARN" "Wrong permissions for $tlscacert"
logcheckresult "INFO" "No TLS CA certificate found" return
fi fi
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
} }
check_3_11() { check_3_11() {
@ -289,25 +287,24 @@ check_3_11() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert') tlscert=$(get_docker_configuration_file_args 'tlscert')
else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $tlscert"
logcheckresult "WARN" "Wrong ownership for $tlscert"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $tlscert"
info " * No TLS Server certificate found" logcheckresult "WARN" "Wrong ownership for $tlscert"
logcheckresult "INFO" "No TLS Server certificate found" return
fi fi
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
} }
check_3_12() { check_3_12() {
@ -318,25 +315,24 @@ check_3_12() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert') tlscert=$(get_docker_configuration_file_args 'tlscert')
else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -le 444 ]; then if [ "$(stat -c %a $tlscert)" -le 444 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $tlscert"
logcheckresult "WARN" "Wrong permissions for $tlscert"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $tlscert"
info " * No TLS Server certificate found" logcheckresult "WARN" "Wrong permissions for $tlscert"
logcheckresult "INFO" "No TLS Server certificate found" return
fi fi
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
} }
check_3_13() { check_3_13() {
@ -347,25 +343,24 @@ check_3_13() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey') tlskey=$(get_docker_configuration_file_args 'tlskey')
else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $tlskey"
logcheckresult "WARN" "Wrong ownership for $tlskey"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $tlskey"
info " * No TLS Key found" logcheckresult "WARN" "Wrong ownership for $tlskey"
logcheckresult "INFO" "No TLS Key found" return
fi fi
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
} }
check_3_14() { check_3_14() {
@ -376,25 +371,24 @@ check_3_14() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey') tlskey=$(get_docker_configuration_file_args 'tlskey')
else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $tlskey"
logcheckresult "WARN" "Wrong permissions for $tlskey"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $tlskey"
info " * No TLS Key found" logcheckresult "WARN" "Wrong permissions for $tlskey"
logcheckresult "INFO" "No TLS Key found" return
fi fi
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
} }
check_3_15() { check_3_15() {
@ -410,16 +404,16 @@ check_3_15() {
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $file"
info " * File not found" logcheckresult "WARN" "Wrong ownership for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_16() { check_3_16() {
@ -435,16 +429,16 @@ check_3_16() {
if [ "$(stat -c %a $file)" -le 660 ]; then if [ "$(stat -c %a $file)" -le 660 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $file"
info " * File not found" logcheckresult "WARN" "Wrong permissions for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_17() { check_3_17() {
@ -460,16 +454,16 @@ check_3_17() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $file"
info " * File not found" logcheckresult "WARN" "Wrong ownership for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_18() { check_3_18() {
@ -485,16 +479,16 @@ check_3_18() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $file"
info " * File not found" logcheckresult "WARN" "Wrong permissions for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_19() { check_3_19() {
@ -510,16 +504,16 @@ check_3_19() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $file"
info " * File not found" logcheckresult "WARN" "Wrong ownership for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_20() { check_3_20() {
@ -535,16 +529,16 @@ check_3_20() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong ownership for $file"
info " * File not found" logcheckresult "WARN" "Wrong ownership for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_21() { check_3_21() {
@ -560,16 +554,16 @@ check_3_21() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $file"
info " * File not found" logcheckresult "WARN" "Wrong permissions for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_22() { check_3_22() {
@ -585,16 +579,16 @@ check_3_22() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
fi fi
else warn -s "$check"
info -c "$check" warn " * Wrong permissions for $file"
info " * File not found" logcheckresult "WARN" "Wrong permissions for $file"
logcheckresult "INFO" "File not found" return
fi fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
} }
check_3_end() { check_3_end() {


@ -22,37 +22,37 @@ check_4_1() {
info -c "$check" info -c "$check"
info " * No containers running" info " * No containers running"
logcheckresult "INFO" "No containers running" logcheckresult "INFO" "No containers running"
else return
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
root_containers=""
for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Running as root: $c"
root_containers="$root_containers $c"
fail=1
else
warn " * Running as root: $c"
root_containers="$root_containers $c"
fi
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
else
logcheckresult "WARN" "running as root" "$root_containers"
fi
fi fi
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
root_containers=""
for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Running as root: $c"
root_containers="$root_containers $c"
fail=1
continue
fi
warn " * Running as root: $c"
root_containers="$root_containers $c"
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "running as root" "$root_containers"
# Make the loop separator go back to space # Make the loop separator go back to space
set +f; unset IFS set +f; unset IFS
} }
@ -104,10 +104,10 @@ check_4_5() {
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_4_6() { check_4_6() {
@ -139,9 +139,9 @@ check_4_6() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
fi fi
logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
} }
check_4_7() { check_4_7() {
@ -170,9 +170,9 @@ check_4_7() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Update instructions found" "$update_images"
fi fi
logcheckresult "INFO" "Update instructions found" "$update_images"
} }
check_4_8() { check_4_8() {
@ -214,9 +214,9 @@ check_4_9() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Images using ADD" "$add_images"
fi fi
logcheckresult "INFO" "Images using ADD" "$add_images"
} }
check_4_10() { check_4_10() {
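Review bot: In check_4_1 the `return` added after `logcheckresult "PASS"` skips the trailing `set +f; unset IFS`, so a host with running containers but none running as root leaves globbing disabled and IFS set to a newline for every check that follows, whereas the old if/else reached the restore on both paths. Move `set +f; unset IFS` to directly after the for loop's `done`, ahead of the `if [ $fail -eq 0 ]` that reports the result, and drop the copy at the end of the function. The no-containers `return` near the top is fine because it exits before `set -f` is issued. check_4_1 starts outside the hunk.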


@ -13,11 +13,11 @@ check_running_containers() {
# If containers is empty, there are no running containers # If containers is empty, there are no running containers
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5" info " * No containers running, skipping Section 5"
else return
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
fi fi
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
} }
check_5_1() { check_5_1() {
@ -42,21 +42,21 @@ check_5_1() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * No AppArmorProfile Found: $c" warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c" no_apparmor_containers="$no_apparmor_containers $c"
fail=1 fail=1
else continue
warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c"
fi fi
warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c"
fi fi
done done
# We went through all the containers and found none without AppArmor # We went through all the containers and found none without AppArmor
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
fi fi
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
} }
check_5_2() { check_5_2() {
@ -81,21 +81,21 @@ check_5_2() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * No SecurityOptions Found: $c" warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c" no_securityoptions_containers="$no_securityoptions_containers $c"
fail=1 fail=1
else continue
warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
fi fi
warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
fi fi
done done
# We went through all the containers and found none without SELinux # We went through all the containers and found none without SELinux
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
fi fi
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
} }
check_5_3() { check_5_3() {
@ -123,21 +123,21 @@ check_5_3() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * Capabilities added: $caps to $c" warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c" caps_containers="$caps_containers $c"
fail=1 fail=1
else continue
warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c"
fi fi
warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c"
fi fi
done done
# We went through all the containers and found none with extra capabilities # We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
fi fi
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
} }
check_5_4() { check_5_4() {
@ -162,21 +162,21 @@ check_5_4() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * Container running in Privileged mode: $c" warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c" privileged_containers="$privileged_containers $c"
fail=1 fail=1
else continue
warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c"
fi fi
warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c"
fi fi
done done
# We went through all the containers and found no privileged containers # We went through all the containers and found no privileged containers
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
fi fi
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
} }
check_5_5() { check_5_5() {
@ -204,10 +204,9 @@ check_5_5() {
fail=0 fail=0
sensitive_mount_containers="" sensitive_mount_containers=""
for c in $containers; do for c in $containers; do
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c") volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
else
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
fi fi
# Go over each directory in sensitive dir and see if they exist in the volumes # Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do for v in $sensitive_dirs; do
@ -220,22 +219,22 @@ check_5_5() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * Sensitive directory $v mounted in: $c" warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v" sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fail=1 fail=1
else continue
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fi fi
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fi fi
done done
done done
# We went through all the containers and found none with sensitive mounts # We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
fi fi
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
} }
check_5_6() { check_5_6() {
@ -261,12 +260,12 @@ check_5_6() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * Container running sshd: $c" warn " * Container running sshd: $c"
ssh_exec_containers="$ssh_exec_containers $c" ssh_exec_containers="$ssh_exec_containers $c"
fail=1 fail=1
printcheck=1 printcheck=1
else else
warn " * Container running sshd: $c" warn " * Container running sshd: $c"
ssh_exec_containers="$ssh_exec_containers $c" ssh_exec_containers="$ssh_exec_containers $c"
fi fi
fi fi
@ -284,11 +283,11 @@ check_5_6() {
done done
# We went through all the containers and found none with sshd # We went through all the containers and found none with sshd
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
fi fi
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
} }
check_5_7() { check_5_7() {
@ -311,27 +310,27 @@ check_5_7() {
# iterate through port range (line delimited) # iterate through port range (line delimited)
for port in $ports; do for port in $ports; do
if [ -n "$port" ] && [ "$port" -lt 1024 ]; then if [ -n "$port" ] && [ "$port" -lt 1024 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * Privileged Port in use: $port in $c" warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port" privileged_port_containers="$privileged_port_containers $c:$port"
fail=1 fail=1
else continue
warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port"
fi fi
warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port"
fi fi
done done
done done
# We went through all the containers and found no privileged ports # We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
fi fi
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
} }
check_5_8() { check_5_8() {
@ -372,21 +371,21 @@ check_5_9() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * Container running with networking mode 'host': $c" warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c" net_host_containers="$net_host_containers $c"
fail=1 fail=1
else continue
warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c"
fi fi
warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c"
fi fi
done done
# We went through all the containers and found no Network Mode host # We went through all the containers and found no Network Mode host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
fi fi
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
} }
check_5_10() { check_5_10() {
@ -404,10 +403,9 @@ check_5_10() {
fail=0 fail=0
mem_unlimited_containers="" mem_unlimited_containers=""
for c in $containers; do for c in $containers; do
memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")
if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then
memory=$(docker inspect --format '{{ .Config.Memory }}' "$c") memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")
else
memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")
fi fi
if [ "$memory" = "0" ]; then if [ "$memory" = "0" ]; then
@ -415,21 +413,21 @@ check_5_10() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * Container running without memory restrictions: $c" warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c" mem_unlimited_containers="$mem_unlimited_containers $c"
fail=1 fail=1
else continue
warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
fi fi
warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
fi fi
done done
# We went through all the containers and found no lack of Memory restrictions # We went through all the containers and found no lack of Memory restrictions
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
fi fi
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
} }
check_5_11() { check_5_11() {
@ -447,10 +445,9 @@ check_5_11() {
fail=0 fail=0
cpu_unlimited_containers="" cpu_unlimited_containers=""
for c in $containers; do for c in $containers; do
shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then
shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c") shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
else
shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
fi fi
if [ "$shares" = "0" ]; then if [ "$shares" = "0" ]; then
@ -460,19 +457,19 @@ check_5_11() {
warn " * Container running without CPU restrictions: $c" warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c" cpu_unlimited_containers="$cpu_unlimited_containers $c"
fail=1 fail=1
else continue
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fi fi
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fi fi
done done
# We went through all the containers and found no lack of CPUShare restrictions # We went through all the containers and found no lack of CPUShare restrictions
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
fi fi
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
} }
check_5_12() { check_5_12() {
@ -497,21 +494,21 @@ check_5_12() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * Container running with root FS mounted R/W: $c" warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c" fsroot_mount_containers="$fsroot_mount_containers $c"
fail=1 fail=1
else continue
warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
fi fi
warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
fi fi
done done
# We went through all the containers and found no R/W FS mounts # We went through all the containers and found no R/W FS mounts
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
fi fi
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
} }
check_5_13() { check_5_13() {
@ -537,20 +534,20 @@ check_5_13() {
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip" incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fail=1 fail=1
else continue
warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fi fi
warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fi fi
done done
done done
# We went through all the containers and found no ports bound to 0.0.0.0 # We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
fi fi
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
} }
check_5_14() { check_5_14() {
@ -575,21 +572,21 @@ check_5_14() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn -s "$check" warn -s "$check"
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c" maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1 fail=1
else continue
warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fi fi
warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fi fi
done done
# We went through all the containers and they all had MaximumRetryCount=5 # We went through all the containers and they all had MaximumRetryCount=5
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
fi fi
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
} }
check_5_15() { check_5_15() {
@ -616,19 +613,19 @@ check_5_15() {
warn " * Host PID namespace being shared with: $c" warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c" pidns_shared_containers="$pidns_shared_containers $c"
fail=1 fail=1
else continue
warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c"
fi fi
warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c"
fi fi
done done
# We went through all the containers and found none with PidMode as host # We went through all the containers and found none with PidMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
fi fi
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
} }
check_5_16() { check_5_16() {
@ -655,19 +652,19 @@ check_5_16() {
warn " * Host IPC namespace being shared with: $c" warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c" ipcns_shared_containers="$ipcns_shared_containers $c"
fail=1 fail=1
else continue
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fi fi
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fi fi
done done
# We went through all the containers and found none with IPCMode as host # We went through all the containers and found none with IPCMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
fi fi
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
} }
check_5_17() { check_5_17() {
@ -694,19 +691,19 @@ check_5_17() {
info " * Container has devices exposed directly: $c" info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c" hostdev_exposed_containers="$hostdev_exposed_containers $c"
fail=1 fail=1
else continue
info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c"
fi fi
info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c"
fi fi
done done
# We went through all the containers and found none with devices # We went through all the containers and found none with devices
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
fi fi
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
} }
check_5_18() { check_5_18() {
@ -733,19 +730,19 @@ check_5_18() {
info " * Container no default ulimit override: $c" info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c" no_ulimit_containers="$no_ulimit_containers $c"
fail=1 fail=1
else continue
info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c"
fi fi
info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c"
fi fi
done done
# We went through all the containers and found none without Ulimits # We went through all the containers and found none without Ulimits
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
fi fi
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
} }
check_5_19() { check_5_19() {
@ -771,19 +768,19 @@ check_5_19() {
warn " * Mount propagation mode is shared: $c" warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c" mountprop_shared_containers="$mountprop_shared_containers $c"
fail=1 fail=1
else continue
warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c"
fi fi
warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c"
fi fi
done done
# We went through all the containers and found none with shared propagation mode # We went through all the containers and found none with shared propagation mode
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
fi fi
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
} }
check_5_20() { check_5_20() {
@ -810,19 +807,19 @@ check_5_20() {
warn " * Host UTS namespace being shared with: $c" warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c" utcns_shared_containers="$utcns_shared_containers $c"
fail=1 fail=1
else continue
warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c"
fi fi
warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c"
fi fi
done done
# We went through all the containers and found none with UTSMode as host # We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
fi fi
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
} }
check_5_21() { check_5_21() {
@ -856,11 +853,11 @@ check_5_21() {
done done
# We went through all the containers and found none with default secomp profile disabled # We went through all the containers and found none with default secomp profile disabled
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
fi fi
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
} }
check_5_22() { check_5_22() {
@ -919,19 +916,19 @@ check_5_24() {
warn " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c" unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fail=1 fail=1
else continue
warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fi fi
warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fi fi
done done
# We went through all the containers and found none with UTSMode as host # We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
fi fi
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
} }
check_5_25() { check_5_25() {
@ -955,19 +952,19 @@ check_5_25() {
warn " * Privileges not restricted: $c" warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c" addprivs_containers="$addprivs_containers $c"
fail=1 fail=1
else continue
warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c"
fi fi
warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c"
fi fi
done done
# We went through all the containers and found none with capability to acquire additional privileges # We went through all the containers and found none with capability to acquire additional privileges
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
fi fi
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
} }
check_5_26() { check_5_26() {
@ -991,18 +988,18 @@ check_5_26() {
warn " * Health check not set: $c" warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c" nohealthcheck_containers="$nohealthcheck_containers $c"
fail=1 fail=1
else continue
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
fi fi
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
fi fi
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
} }
check_5_27() { check_5_27() {
@ -1045,19 +1042,19 @@ check_5_28() {
warn " * PIDs limit not set: $c" warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c" nopids_limit_containers="$nopids_limit_containers $c"
fail=1 fail=1
else continue
warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c"
fi fi
warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c"
fi fi
done done
# We went through all the containers and found all with PIDs limit # We went through all the containers and found all with PIDs limit
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
fi fi
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
} }
check_5_29() { check_5_29() {
@ -1080,33 +1077,33 @@ check_5_29() {
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \ docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null) sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
if [ -n "$docker0Containers" ]; then if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
info -c "$check" info -c "$check"
fail=1 fail=1
fi
for c in $docker0Containers; do
if [ -z "$exclude" ]; then
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
else
pattern=$(echo "$exclude" | sed 's/,/|/g')
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
fi
if [ -n "$cName" ]; then
info " * Container in docker0 network: $cName"
docker_network_containers="$docker_network_containers $c:$cName"
fi
done
fi fi
for c in $docker0Containers; do
if [ -z "$exclude" ]; then
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
else
pattern=$(echo "$exclude" | sed 's/,/|/g')
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
fi
if [ -n "$cName" ]; then
info " * Container in docker0 network: $cName"
docker_network_containers="$docker_network_containers $c:$cName"
fi
done
fi
fi fi
done done
# We went through all the containers and found none in docker0 network # We went through all the containers and found none in docker0 network
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
fi fi
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
} }
check_5_30() { check_5_30() {
@ -1131,19 +1128,19 @@ check_5_30() {
warn " * Namespace shared: $c" warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c" hostns_shared_containers="$hostns_shared_containers $c"
fail=1 fail=1
else continue
warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c"
fi fi
warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c"
fi fi
done done
# We went through all the containers and found none with host's user namespace shared # We went through all the containers and found none with host's user namespace shared
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
fi fi
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
} }
check_5_31() { check_5_31() {
@ -1168,19 +1165,19 @@ check_5_31() {
warn " * Docker socket shared: $c" warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c" docker_sock_containers="$docker_sock_containers $c"
fail=1 fail=1
else continue
warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c"
fi fi
warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c"
fi fi
done done
# We went through all the containers and found none with docker.sock shared # We went through all the containers and found none with docker.sock shared
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers"
fi fi
logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers"
} }
check_5_end() { check_5_end() {


@ -20,10 +20,10 @@ check_7_1() {
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_7_2() { check_7_2() {
@ -39,14 +39,14 @@ check_7_2() {
if [ "$managernodes" -eq 1 ]; then if [ "$managernodes" -eq 1 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
else warn -s "$check"
pass -s "$check (Swarm mode not enabled)" logcheckresult "WARN"
logcheckresult "PASS" return
fi fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
} }
check_7_3() { check_7_3() {
@ -62,14 +62,14 @@ check_7_3() {
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
else warn -s "$check"
pass -s "$check (Swarm mode not enabled)" logcheckresult "WARN"
logcheckresult "PASS" return
fi fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
} }
check_7_4() { check_7_4() {
@ -96,11 +96,11 @@ check_7_4() {
done done
# We went through all the networks and found none that are unencrypted # We went through all the networks and found none that are unencrypted
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
fi fi
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
} }
check_7_5() { check_7_5() {
@ -115,14 +115,14 @@ check_7_5() {
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
info -c "$check"
logcheckresult "INFO"
fi fi
else info -c "$check"
pass -c "$check (Swarm mode not enabled)" logcheckresult "INFO"
logcheckresult "PASS" return
fi fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
} }
check_7_6() { check_7_6() {
@ -137,14 +137,14 @@ check_7_6() {
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
pass -s "$check"
logcheckresult "PASS"
fi fi
else pass -s "$check"
pass -s "$check (Swarm mode not enabled)" logcheckresult "PASS"
logcheckresult "PASS" return
fi fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
} }
check_7_7() { check_7_7() {
@ -158,10 +158,10 @@ check_7_7() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note -c "$check" note -c "$check"
logcheckresult "NOTE" logcheckresult "NOTE"
else return
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
fi fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
} }
check_7_8() { check_7_8() {
@ -176,14 +176,14 @@ check_7_8() {
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
info -c "$check"
logcheckresult "INFO"
fi fi
else info -c "$check"
pass -c "$check (Swarm mode not enabled)" logcheckresult "INFO"
logcheckresult "PASS" return
fi fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
} }
check_7_9() { check_7_9() {
@ -197,10 +197,10 @@ check_7_9() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
else return
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
fi fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
} }
check_7_10() { check_7_10() {
@ -214,10 +214,10 @@ check_7_10() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
else return
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
fi fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
} }
check_7_end() { check_7_end() {
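Review bot: In the check_7_8 hunk, the condition `docker info 2>/dev/null | grep "Expiry Duration: 2 days"` still runs grep without `-q`, so the matched line is printed to stdout in the middle of the report while every neighbouring swarm check silences its grep; the early-return rewrite touched this function but left the probe as it was. `if docker info 2>/dev/null | grep -q "Expiry Duration: 2 days"; then` would make it consistent with the other checks and keep the report output clean. More generally, after this refactor the trailing `pass -s "$check (Swarm mode not enabled)"` lines are correct only because every branch above them ends in `return`, and that dependency is no longer visually tied to an `else`; a one-line comment above the trailing lines such as `# Reached only when Swarm mode is inactive` would help the next reader. The opening lines of the enclosing functions sit outside the hunks shown.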


@ -10,11 +10,10 @@ check_8() {
} }
check_product_license() { check_product_license() {
enterprise_license=1
if docker version | grep -Eqi '^Server.*Community$|Version.*-ce$'; then if docker version | grep -Eqi '^Server.*Community$|Version.*-ce$'; then
info " * Community Engine license, skipping section 8" info " * Community Engine license, skipping section 8"
enterprise_license=0 enterprise_license=0
else
enterprise_license=1
fi fi
} }
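Review bot: Setting `enterprise_license=1` before the probe means that when `docker version` fails or prints something the regex does not recognise, the grep cannot match and the function silently reports an Enterprise license, so the section 8 checks would run against an engine whose edition was never established. Consider checking the command's status explicitly and treating a failed `docker version` as "unknown" rather than enterprise, or at minimum documenting the chosen default with a comment such as `# Default to enterprise; only a positive Community match clears it`. The stderr of `docker version` is also not redirected here, unlike the `2>/dev/null` used on the `docker info` probes in the neighbouring files, so any client or daemon error text goes straight to the console.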


@ -19,13 +19,15 @@ check_c_1() {
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then return
fi
if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
warn -s "$check"
logcheckresult "WARN"
} }
check_c_1_1() { check_c_1_1() {
@ -39,13 +41,15 @@ check_c_1_1() {
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then return
fi
if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
else return
warn -c "$check"
logcheckresult "WARN"
fi fi
warn -c "$check"
logcheckresult "WARN"
} }
check_c_2() { check_c_2() {
@ -63,19 +67,21 @@ check_c_2() {
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
warn -s "$check"
logcheckresult "WARN"
fi fi
else warn -s "$check"
local desc="$desc (Deprecated)" logcheckresult "WARN"
local check="$id - $desc" return
info -c "$check"
logcheckresult "INFO"
fi fi
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$check"
logcheckresult "INFO"
} }
check_c_end() { check_c_end() {
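Review bot: In the `check_c_1` hunk (and identically in `check_c_1_1`) the flattened form still spawns `docker info --format='{{ .Architecture }}'` twice, once for the x86_64 probe and again for the aarch64 probe, and each probe uses `grep '…' 2>/dev/null 1>&2` as a roundabout `grep -q`. Since the commit is already restructuring these bodies into a fall-through, a single capture followed by a `case` dispatch would be cheaper, clearer and keeps the substring-match semantics of the original `grep`; the body below is for `check_c_1`, with `pass -c`/`warn -c` for `check_c_1_1`. The function header and the `local id/desc/check` lines sit outside the hunk, so `local arch` is placed where the `if` currently begins.
```shell
  local arch
  arch=$(docker info --format='{{ .Architecture }}' 2>/dev/null)
  case "$arch" in
    *x86_64*)
      pass -s "$check"
      logcheckresult "PASS"
      ;;
    *aarch64*)
      info -c "$check"
      logcheckresult "INFO"
      ;;
    *)
      warn -s "$check"
      logcheckresult "WARN"
      ;;
  esac
```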