GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 00:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

update chap 3 to cis 1.11

Browse source 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2016-04-14 22:57:25 +02:00
parent 9911abbc2d
commit e3da5eacf0
1 changed files with 124 additions and 214 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

338
tests/3_docker_daemon_configuration_files.sh
View file

@ -34,8 +34,8 @@ else
fi fi
# 3.3 # 3.3
check_3_3="3.3 - Verify that docker-registry.service file ownership is set to root:root" check_3_3="3.3 - Verify that docker.socket file ownership is set to root:root"
file="$(get_systemd_service_file docker-registry.service)" file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3" pass "$check_3_3"
@ -49,8 +49,8 @@ else
fi fi
# 3.4 # 3.4
check_3_4="3.4 - Verify that docker-registry.service file permissions are set to 644" check_3_4="3.4 - Verify that docker.socket file permissions are set to 644"
file="$(get_systemd_service_file docker-registry.service)" file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_4" pass "$check_3_4"
@ -64,189 +64,39 @@ else
fi fi
# 3.5 # 3.5
check_3_5="3.5 - Verify that docker.socket file ownership is set to root:root" check_3_5="3.5 - Verify that /etc/docker directory ownership is set to root:root"
file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_5"
else
warn "$check_3_5"
warn " * Wrong ownership for $file"
fi
else
info "$check_3_5"
info " * File not found"
fi
# 3.6
check_3_6="3.6 - Verify that docker.socket file permissions are set to 644"
file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_6"
else
warn "$check_3_6"
warn " * Wrong permissions for $file"
fi
else
info "$check_3_6"
info " * File not found"
fi
# 3.7
check_3_7="3.7 - Verify that Docker environment file ownership is set to root:root "
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_7"
else
warn "$check_3_7"
warn " * Wrong ownership for $file"
fi
else
info "$check_3_7"
info " * File not found"
fi
# 3.8
check_3_8="3.8 - Verify that Docker environment file permissions are set to 644"
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_8"
else
warn "$check_3_8"
warn " * Wrong permissions for $file"
fi
else
info "$check_3_8"
info " * File not found"
fi
# 3.9
check_3_9="3.9 - Verify that docker-network environment file ownership is set to root:root"
file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_9"
else
warn "$check_3_9"
warn " * Wrong ownership for $file"
fi
else
info "$check_3_9"
info " * File not found"
fi
# 3.10
check_3_10="3.10 - Verify that docker-network environment file permissions are set to 644"
file="/etc/sysconfig/docker-network"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_10"
else
warn "$check_3_10"
warn " * Wrong permissions for $file"
fi
else
info "$check_3_10"
info " * File not found"
fi
# 3.11
check_3_11="3.11 - Verify that docker-registry environment file ownership is set to root:root"
file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_11"
else
warn "$check_3_11"
warn " * Wrong ownership for $file"
fi
else
info "$check_3_11"
info " * File not found"
fi
# 3.12
check_3_12="3.12 - Verify that docker-registry environment file permissions are set to 644"
file="/etc/sysconfig/docker-registry"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_12"
else
warn "$check_3_12"
warn " * Wrong permissions for $file"
fi
else
info "$check_3_12"
info " * File not found"
fi
# 3.13
check_3_13="3.13 - Verify that docker-storage environment file ownership is set to root:root"
file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_13"
else
warn "$check_3_13"
warn " * Wrong ownership for $file"
fi
else
info "$check_3_13"
info " * File not found"
fi
# 3.14
check_3_14="3.14 - Verify that docker-storage environment file permissions are set to 644"
file="/etc/sysconfig/docker-storage"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_14"
else
warn "$check_3_14"
warn " * Wrong permissions for $file"
fi
else
info "$check_3_14"
info " * File not found"
fi
# 3.15
check_3_15="3.15 - Verify that /etc/docker directory ownership is set to root:root"
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_15" pass "$check_3_5"
else else
warn "$check_3_15" warn "$check_3_5"
warn " * Wrong ownership for $directory" warn " * Wrong ownership for $directory"
fi fi
else else
info "$check_3_15" info "$check_3_5"
info " * Directory not found" info " * Directory not found"
fi fi
# 3.16 # 3.6
check_3_16="3.16 - Verify that /etc/docker directory permissions are set to 755" check_3_6="3.6 - Verify that /etc/docker directory permissions are set to 755"
directory="/etc/docker" directory="/etc/docker"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -eq 755 ]; then if [ "$(stat -c %a $directory)" -eq 755 ]; then
pass "$check_3_16" pass "$check_3_6"
elif [ "$(stat -c %a $directory)" -eq 700 ]; then elif [ "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_16" pass "$check_3_6"
else else
warn "$check_3_16" warn "$check_3_6"
warn " * Wrong permissions for $directory" warn " * Wrong permissions for $directory"
fi fi
else else
info "$check_3_16" info "$check_3_6"
info " * Directory not found" info " * Directory not found"
fi fi
# 3.17 # 3.7
check_3_17="3.17 - Verify that registry certificate file ownership is set to root:root" check_3_7="3.7 - Verify that registry certificate file ownership is set to root:root"
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
@ -258,18 +108,18 @@ if [ -d "$directory" ]; then
fi fi
done done
if [ $fail -eq 1 ]; then if [ $fail -eq 1 ]; then
warn "$check_3_17" warn "$check_3_7"
warn " * Wrong ownership for $directory" warn " * Wrong ownership for $directory"
else else
pass "$check_3_17" pass "$check_3_7"
fi fi
else else
info "$check_3_17" info "$check_3_7"
info " * Directory not found" info " * Directory not found"
fi fi
# 3.18 # 3.8
check_3_18="3.18 - Verify that registry certificate file permissions are set to 444" check_3_8="3.8 - Verify that registry certificate file permissions are set to 444"
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then if [ -d "$directory" ]; then
fail=0 fail=0
@ -280,135 +130,195 @@ if [ -d "$directory" ]; then
fi fi
done done
if [ $fail -eq 1 ]; then if [ $fail -eq 1 ]; then
warn "$check_3_18" warn "$check_3_8"
warn " * Wrong permissions for $directory" warn " * Wrong permissions for $directory"
else else
pass "$check_3_18" pass "$check_3_8"
fi fi
else else
info "$check_3_18" info "$check_3_8"
info " * Directory not found" info " * Directory not found"
fi fi
# 3.19 # 3.9
check_3_19="3.19 - Verify that TLS CA certificate file ownership is set to root:root" check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_19" pass "$check_3_9"
else else
warn "$check_3_19" warn "$check_3_9"
warn " * Wrong ownership for $tlscacert" warn " * Wrong ownership for $tlscacert"
fi fi
else else
info "$check_3_19" info "$check_3_9"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
fi fi
# 3.20 # 3.10
check_3_20="3.20 - Verify that TLS CA certificate file permissions are set to 444" check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
perms=$(ls -ld "$tlscacert" | awk '{print $1}') perms=$(ls -ld "$tlscacert" | awk '{print $1}')
if [ "$perms" = "-r--r--r--" ]; then if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_20" pass "$check_3_10"
else else
warn "$check_3_20" warn "$check_3_10"
warn " * Wrong permissions for $tlscacert" warn " * Wrong permissions for $tlscacert"
fi fi
else else
info "$check_3_20" info "$check_3_10"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
fi fi
# 3.21 # 3.11
check_3_21="3.21 - Verify that Docker server certificate file ownership is set to root:root" check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_21" pass "$check_3_11"
else else
warn "$check_3_21" warn "$check_3_11"
warn " * Wrong ownership for $tlscert" warn " * Wrong ownership for $tlscert"
fi fi
else else
info "$check_3_21" info "$check_3_11"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
fi fi
# 3.22 # 3.12
check_3_22="3.22 - Verify that Docker server certificate file permissions are set to 444" check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
perms=$(ls -ld "$tlscert" | awk '{print $1}') perms=$(ls -ld "$tlscert" | awk '{print $1}')
if [ "$perms" = "-r--r--r--" ]; then if [ "$perms" = "-r--r--r--" ]; then
pass "$check_3_22" pass "$check_3_12"
else else
warn "$check_3_22" warn "$check_3_12"
warn " * Wrong permissions for $tlscert" warn " * Wrong permissions for $tlscert"
fi fi
else else
info "$check_3_22" info "$check_3_12"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
fi fi
# 3.23 # 3.13
check_3_23="3.23 - Verify that Docker server key file ownership is set to root:root" check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_23" pass "$check_3_13"
else else
warn "$check_3_23" warn "$check_3_13"
warn " * Wrong ownership for $tlskey" warn " * Wrong ownership for $tlskey"
fi fi
else else
info "$check_3_23" info "$check_3_13"
info " * No TLS Key found" info " * No TLS Key found"
fi fi
# 3.24 # 3.14
check_3_24="3.24 - Verify that Docker server key file permissions are set to 400" check_3_14="3.14 - Verify that Docker server key file permissions are set to 400"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
perms=$(ls -ld "$tlskey" | awk '{print $1}') perms=$(ls -ld "$tlskey" | awk '{print $1}')
if [ "$perms" = "-r--------" ]; then if [ "$perms" = "-r--------" ]; then
pass "$check_3_24" pass "$check_3_14"
else else
warn "$check_3_24" warn "$check_3_14"
warn " * Wrong permissions for $tlskey" warn " * Wrong permissions for $tlskey"
fi fi
else else
info "$check_3_24" info "$check_3_14"
info " * No TLS Key found" info " * No TLS Key found"
fi fi
# 3.25 # 3.15
check_3_25="3.25 - Verify that Docker socket file ownership is set to root:docker" check_3_15="3.15 - Verify that Docker socket file ownership is set to root:docker"
file="/var/run/docker.sock" file="/var/run/docker.sock"
if [ -S "$file" ]; then if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass "$check_3_25" pass "$check_3_15"
else else
warn "$check_3_25" warn "$check_3_15"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
fi fi
else else
info "$check_3_25" info "$check_3_15"
info " * File not found" info " * File not found"
fi fi
# 3.26 # 3.16
check_3_26="3.26 - Verify that Docker socket file permissions are set to 660" check_3_16="3.16 - Verify that Docker socket file permissions are set to 660"
file="/var/run/docker.sock" file="/var/run/docker.sock"
if [ -S "$file" ]; then if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -eq 660 ]; then if [ "$(stat -c %a $file)" -eq 660 ]; then
pass "$check_3_26" pass "$check_3_16"
else else
warn "$check_3_26" warn "$check_3_16"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
fi fi
else else
info "$check_3_26" info "$check_3_16"
info " * File not found"
fi
# 3.17
check_3_17="3.17 - Verify that daemon.json file ownership is set to root:root"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_17"
else
warn "$check_3_17"
warn " * Wrong ownership for $file"
fi
else
info "$check_3_17"
info " * File not found"
fi
# 3.18
check_3_18="3.18 - Verify that daemon.json file permissions are set to 644"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_18"
else
warn "$check_3_18"
warn " * Wrong permissions for $file"
fi
else
info "$check_3_18"
info " * File not found"
fi
# 3.19
check_3_19="3.19 - Verify that /etc/default/docker file ownership is set to root:root"
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_19"
else
warn "$check_3_19"
warn " * Wrong ownership for $file"
fi
else
info "$check_3_19"
info " * File not found"
fi
# 3.20
check_3_20="3.20 - Verify that /etc/default/docker file permissions are set to 644"
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 ]; then
pass "$check_3_20"
else
warn "$check_3_20"
warn " * Wrong permissions for $file"
fi
else
info "$check_3_20"
info " * File not found" info " * File not found"
fi fi