GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Fix #97, #98, #99 by using new helper functions

Browse source 
Signed-off-by: Andreas Stieger <astieger@suse.com>
This commit is contained in:
Andreas Stieger 2015-11-17 16:16:24 +01:00
parent 49f78d715a
commit d2ba1d9f72
2 changed files with 14 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
tests/2_docker_daemon_configuration.sh
View file

@ -14,7 +14,7 @@ fi
# 2.2
check_2_2="2.2 - Restrict network traffic between containers"
get_command_line_args docker | grep "icc=false" >/dev/null 2>&1
get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_2"
else
@ -23,7 +23,7 @@ fi
# 2.3
check_2_3="2.3 - Set the logging level"
get_command_line_args docker | grep "log-level=\"debug\"" >/dev/null 2>&1
get_docker_effective_command_line_args '-l' | grep "debug" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_3"
else
@ -32,7 +32,7 @@ fi
# 2.4
check_2_4="2.4 - Allow Docker to make changes to iptables"
get_command_line_args docker | grep "iptables=false" >/dev/null 2>&1
get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_4"
else
@ -41,7 +41,7 @@ fi
# 2.5
check_2_5="2.5 - Do not use insecure registries"
get_command_line_args docker | grep "insecure-registry" >/dev/null 2>&1
get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1
if [ $? -eq 0 ]; then
warn "$check_2_5"
else
@ -50,7 +50,7 @@ fi
# 2.6
check_2_6="2.6 - Setup a local registry mirror"
get_command_line_args docker | grep "registry-mirror" >/dev/null 2>&1
get_docker_effective_command_line_args '--registry-mirror' | grep "registry-mirror" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_6"
else
@ -69,7 +69,7 @@ fi
# 2.8
check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket"
get_command_line_args docker | grep "\-H" >/dev/null 2>&1
get_docker_effective_command_line_args '-H' | grep "\-H" >/dev/null 2>&1
if [ $? -eq 0 ]; then
info "$check_2_8"
info " * Docker daemon running with -H"
@ -79,7 +79,7 @@ fi
# 2.9
check_2_9="2.9 - Configure TLS authentication for Docker daemon"
get_command_line_args docker | tr "-" "\n" | grep -E '^(H|host)' | grep -vE '(unix|fd)://' >/dev/null 2>&1
get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1
if [ $? -eq 0 ]; then
get_command_line_args docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
if [ $? -eq 0 ]; then
@ -96,7 +96,7 @@ fi
# 2.10
check_2_10="2.10 - Set default ulimit as appropriate"
get_command_line_args docker | grep "default-ulimit" >/dev/null 2>&1
get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1
if [ $? -eq 0 ]; then
pass "$check_2_10"
else

12
tests/3_docker_daemon_configuration_files.sh
View file

@ -292,7 +292,7 @@ fi
# 3.19
check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root"
tlscacert=$(get_command_line_args docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_19"
@ -307,7 +307,7 @@ fi
# 3.20
check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444"
tlscacert=$(get_command_line_args docker | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then
perms=$(ls -ld "$tlscacert" | awk '{print $1}')
if [ "$perms" = "-r--r--r--" ]; then
@ -323,7 +323,7 @@ fi
# 3.21
check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root"
tlscert=$(get_command_line_args docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_21"
@ -338,7 +338,7 @@ fi
# 3.22
check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444"
tlscert=$(get_command_line_args docker | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then
perms=$(ls -ld "$tlscert" | awk '{print $1}')
if [ "$perms" = "-r--r--r--" ]; then
@ -354,7 +354,7 @@ fi
# 3.23
check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root"
tlskey=$(get_command_line_args docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_23"
@ -369,7 +369,7 @@ fi
# 3.24
check_3_24="3.24 - Verify that Docker server key file permissions are set to 400"
tlskey=$(get_command_line_args docker | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then
perms=$(ls -ld "$tlskey" | awk '{print $1}')
if [ "$perms" = "-r--------" ]; then