Merge pull request #18 from konstruktoid/misc
docker version, correct number of images, clean 2.7 output, ...
This commit is contained in:
commit
d48d691ec2
4 changed files with 18 additions and 6 deletions
|
@ -39,8 +39,8 @@ fi
|
||||||
|
|
||||||
# 1.6
|
# 1.6
|
||||||
check_1_6="1.6 - Keep Docker up to date"
|
check_1_6="1.6 - Keep Docker up to date"
|
||||||
|
docker_version=$(docker version | grep 'Server version' | awk '{print $3}')
|
||||||
do_version_check 1.6.2 $docker_version
|
do_version_check 1.6.2 $docker_version
|
||||||
docker version | grep 'Server version' | awk '{print $3}'
|
|
||||||
if [ $? -eq 11 ]; then
|
if [ $? -eq 11 ]; then
|
||||||
warn "$check_1_6"
|
warn "$check_1_6"
|
||||||
else
|
else
|
||||||
|
|
|
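Review bot: When the daemon cannot be reached, `docker version` typically prints only the client block, so `docker_version` is empty and `do_version_check 1.6.2 $docker_version` runs with a single argument; whether that produces exit code 11 depends on do_version_check, which is defined outside this hunk, so the check may silently pass on a host where the bench could not determine the server version at all. Guard the empty case before the comparison, e.g. `[ -n "$docker_version" ] || warn " * Unable to determine Docker server version"`, and quote the expansion, `do_version_check 1.6.2 "$docker_version"`, so an empty value is still passed as an argument instead of being dropped by word splitting. The command substitution also leaves stderr of `docker version` uncaptured, unlike the `docker info 2>/dev/null` used for check 2.7, so daemon connection errors would land in the report output; adding `2>/dev/null` there keeps the two checks consistent. The `if`/`else` that follows continues past the end of the hunk.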
@ -60,7 +60,7 @@ fi
|
||||||
|
|
||||||
# 2.7
|
# 2.7
|
||||||
check_2_7="2.7 - Do not use the aufs storage driver"
|
check_2_7="2.7 - Do not use the aufs storage driver"
|
||||||
docker info 2>/dev/null| grep -e "^Storage Driver:\s*aufs\s*$"
|
docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1
|
||||||
if [ $? -eq 0 ]; then
|
if [ $? -eq 0 ]; then
|
||||||
warn "$check_2_7"
|
warn "$check_2_7"
|
||||||
else
|
else
|
||||||
|
|
|
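Review bot: The `>/dev/null 2>&1` added to the `grep` is exactly what `grep -q` exists for, and `-q` also lets grep stop at the first match: `docker info 2>/dev/null | grep -q "^Storage Driver:[[:space:]]*aufs[[:space:]]*$"`. `\s` is not part of POSIX basic regular expressions; GNU grep accepts it, but a BusyBox or BSD grep may treat it differently, so `[[:space:]]*` is the portable spelling. With stderr of `docker info` discarded, an unreachable daemon makes grep exit 1 and the check falls into the `else` branch as if aufs were not in use, which deserves a comment on the `if`, e.g. `# no "Storage Driver" line (daemon unreachable) is indistinguishable from "not aufs" here`. The `else` branch continues past the end of the hunk.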
@ -64,7 +64,7 @@ else
|
||||||
exec_check=$(docker exec "$c" ps -el 2>/dev/null)
|
exec_check=$(docker exec "$c" ps -el 2>/dev/null)
|
||||||
if [ $? -eq 255 ]; then
|
if [ $? -eq 255 ]; then
|
||||||
warn "$check_5_3"
|
warn "$check_5_3"
|
||||||
warn " * Docker exec fails: $c"
|
warn " * Docker exec fails: $c"
|
||||||
fail=1
|
fail=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
@ -172,10 +172,10 @@ else
|
||||||
|
|
||||||
fail=0
|
fail=0
|
||||||
for c in $containers; do
|
for c in $containers; do
|
||||||
docker exec "$c" ps -el 2>/dev/null
|
exec_check=$(docker exec "$c" ps -el 2>/dev/null)
|
||||||
if [ $? -eq 255 ]; then
|
if [ $? -eq 255 ]; then
|
||||||
warn "$check_5_7"
|
warn "$check_5_7"
|
||||||
warn " * Docker exec failed: $c"
|
warn " * Docker exec fails: $c"
|
||||||
fail=1
|
fail=1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
|
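Review bot: In the 5.7 loop the output of `docker exec "$c" ps -el` is now captured into `exec_check`, but nothing in the hunk reads it; if the assignment exists only to keep the process listing out of the report (the "clean output" of the PR title), `docker exec "$c" ps -el >/dev/null 2>&1` states that intent without a variable ShellCheck will flag as unused, unless it is consumed further down the function, which is outside this hunk. The test still treats only exit status 255 as a failed exec, so a container whose `ps` is missing or fails with some other non-zero status is counted as passing; either compare with `-ne 0` or add a comment on the `if` explaining why 255 is the only status of interest, e.g. `# 255 is docker's own exec failure; the command's exit status is deliberately ignored` if that is the intent. The same `exec_check=$(...)` / `-eq 255` pattern appears in the 5.3 loop earlier in this file, so whichever form is chosen should be applied to both.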
@ -36,7 +36,15 @@ set +f; unset IFS
|
||||||
|
|
||||||
# 6.6
|
# 6.6
|
||||||
check_6_6="6.6 - Avoid image sprawl"
|
check_6_6="6.6 - Avoid image sprawl"
|
||||||
images=$(docker images | wc -l | awk '{print $1}')
|
images=$(docker images -q | wc -l | awk '{print $1}')
|
||||||
|
active_images=0
|
||||||
|
|
||||||
|
for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
|
||||||
|
if [[ $(docker images --no-trunc -a | grep $c) ]]; then
|
||||||
|
((active_images++))
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
if [ "$images" -gt 100 ]; then
|
if [ "$images" -gt 100 ]; then
|
||||||
warn "$check_6_6"
|
warn "$check_6_6"
|
||||||
warn " * There are currently: $images images"
|
warn " * There are currently: $images images"
|
||||||
|
@ -45,6 +53,10 @@ else
|
||||||
info " * There are currently: $images images"
|
info " * There are currently: $images images"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
if [[ "$active_images" -lt "$((images / 2))" ]]; then
|
||||||
|
warn " * Only $active_images out of $images are in use"
|
||||||
|
fi
|
||||||
|
|
||||||
# 6.7
|
# 6.7
|
||||||
check_6_7="6.7 - Avoid container sprawl"
|
check_6_7="6.7 - Avoid container sprawl"
|
||||||
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
|
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
|
||||||
|
|
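Review bot: `active_images` counts containers, not images: the loop iterates over `docker inspect -f "{{.Image}}"` for every container, so two containers started from the same image increment the counter twice, while `images` counts each `docker images -q` row once, and the `active_images -lt images / 2` comparison in the following hunk is then skewed for hosts that run many replicas of one image. Piping the inspect output through `sort -u` makes it a count of distinct images, and `docker images -q` should be deduplicated the same way, because an image with several tags is listed once per tag. `docker images --no-trunc -a` is also executed once per container inside the loop and `$c` is used unquoted as an unanchored grep pattern; hoisting the listing and using `grep -q` avoids both, and `active_images=$((active_images + 1))` avoids the non-zero status `((active_images++))` returns on its first increment if the script ever runs under `set -e`. When `docker ps -qa` returns nothing, `docker inspect` is invoked with no arguments and prints its usage to stderr, so that call needs `2>/dev/null` as well. The `[[` and `((` constructs assume bash, which is fine only if the script's shebang, outside this hunk, is bash.
```shell
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
active_images=0
# list images once; every container image ID is looked up in this snapshot
all_images=$(docker images --no-trunc -a 2>/dev/null)
# sort -u: count distinct images in use, not containers
for img in $(docker inspect -f "{{.Image}}" $(docker ps -qa) 2>/dev/null | sort -u); do
  if printf '%s\n' "$all_images" | grep -q "$img"; then
    active_images=$((active_images + 1))
  fi
done
# … unchanged: >100 images warn/info …
```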