GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

Improve docker-bench-security json output

Browse source 
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2018-07-11 18:02:12 -07:00
parent bbf43c88e1
commit ec7d8ce690
11 changed files with 1006 additions and 427 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
docker-bench-security.sh
View file

@ -141,10 +141,8 @@ main () {
printf "\n"
info "Checks: $totalChecks"
info "Score: $currentScore"
integerjson "checks" "$totalChecks"
integerjson "score" "$currentScore"
endjson "$(date +%s)"
endjson "$totalChecks" "$currentScore" "$(date +%s)"
}
main "$@"

8
functions_lib.sh
View file

@ -15,6 +15,7 @@ host_configuration() {
check_1_11
check_1_12
check_1_13
check_1_end
}
docker_daemon_configuration() {
@ -37,6 +38,7 @@ docker_daemon_configuration() {
check_2_16
check_2_17
check_2_18
check_2_end
}
docker_daemon_files() {
@ -61,6 +63,7 @@ docker_daemon_files() {
check_3_18
check_3_19
check_3_20
check_3_end
}
container_images() {
@ -76,6 +79,7 @@ container_images() {
check_4_9
check_4_10
check_4_11
check_4_end
}
container_runtime() {
@ -112,12 +116,14 @@ container_runtime() {
check_5_29
check_5_30
check_5_31
check_5_end
}
docker_security_operations() {
check_6
check_6_1
check_6_2
check_6_end
}
docker_swarm_configuration() {
@ -131,11 +137,13 @@ docker_swarm_configuration() {
check_7_8
check_7_9
check_7_10
check_7_end
}
community_checks() {
check_c
check_c_1
check_c_end
}
# CIS

34
output_lib.sh
View file

@ -30,17 +30,43 @@ yell () {
}
beginjson () {
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s," "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
}
endjson (){
printf "\n \"end\": %s \n}\n" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s \n}\n" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
integerjson (){
printf "\n \"%s\": %s," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SSEP=
SEP=
startsectionjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=
SSEP=","
}
endsectionjson() {
printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2
}
starttestjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=","
}
resulttestjson() {
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"}" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
elif [ $# -eq 2 ]; then
# Result also contains details
printf "\"result\": \"%s\", \"details\": \"%s\"}" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
else
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
itemsJson=$(printf "["; ISEP=""; for item in $3; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]")
printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s}" "$1" "$2" "$3" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
}

191
tests/1_host_configuration.sh
View file

@ -2,41 +2,57 @@
check_1() {
logit ""
info "1 - Host Configuration"
id_1="1"
desc_1="Host Configuration"
check_1="$id_1 - $desc_1"
info "$check_1"
startsectionjson "$id_1" "$desc_1"
}
# 1.1
check_1_1() {
check_1_1="1.1 - Ensure a separate partition for containers has been created"
id_1_1="1.1"
desc_1_1="Ensure a separate partition for containers has been created"
check_1_1="$id_1_1 - $desc_1_1"
starttestjson "$id_1_1" "$desc_1_1"
totalChecks=$((totalChecks + 1))
if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then
pass "$check_1_1"
logjson "1.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then
pass "$check_1_1"
logjson "1.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_1"
logjson "1.1" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 1.2
check_1_2() {
check_1_2="1.2 - Ensure the container host has been Hardened"
id_1_2="1.2"
desc_1_2="Ensure the container host has been Hardened"
check_1_2="$id_1_2 - $desc_1_2"
starttestjson "$id_1_2" "$desc_1_2"
totalChecks=$((totalChecks + 1))
note "$check_1_2"
logjson "1.2" "INFO"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
# 1.3
check_1_3() {
check_1_3="1.3 - Ensure Docker is up to date"
id_1_3="1.3"
desc_1_3="Ensure Docker is up to date"
check_1_3="$id_1_3 - $desc_1_3"
starttestjson "$id_1_3" "$desc_1_3"
totalChecks=$((totalChecks + 1))
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
@ -46,316 +62,361 @@ check_1_3() {
info "$check_1_3"
info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker"
logjson "1.3" "INFO"
resulttestjson "INFO" "Using $docker_version"
currentScore=$((currentScore + 0))
else
pass "$check_1_3"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logjson "1.3" "PASS"
resulttestjson "PASS" "Using $docker_version"
currentScore=$((currentScore + 0))
fi
}
# 1.4
check_1_4() {
check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon"
id_1_4="1.4"
desc_1_4="Ensure only trusted users are allowed to control Docker daemon"
check_1_4="$id_1_4 - $desc_1_4"
starttestjson "$id_1_4" "$desc_1_4"
totalChecks=$((totalChecks + 1))
docker_users=$(getent group docker)
info "$check_1_4"
for u in $docker_users; do
info " * $u"
logjson "1.4" "INFO: $u"
done
resulttestjson "INFO" "users" "$docker_users"
currentScore=$((currentScore + 0))
}
# 1.5
check_1_5() {
check_1_5="1.5 - Ensure auditing is configured for the Docker daemon"
id_1_5="1.5"
desc_1_5="Ensure auditing is configured for the Docker daemon"
check_1_5="$id_1_5 - $desc_1_5"
starttestjson "$id_1_5" "$desc_1_5"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker "
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_5"
logjson "1.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_5"
logjson "1.5" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_5"
logjson "1.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_5"
logjson "1.5" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 1.6
check_1_6() {
check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker"
id_1_6="1.6"
desc_1_6="Ensure auditing is configured for Docker files and directories - /var/lib/docker"
check_1_6="$id_1_6 - $desc_1_6"
starttestjson "$id_1_6" "$desc_1_6"
totalChecks=$((totalChecks + 1))
directory="/var/lib/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_6"
logjson "1.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_6"
logjson "1.6" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_6"
logjson "1.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_6"
logjson "1.6" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_6"
info " * Directory not found"
logjson "1.6" "INFO"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
fi
}
# 1.7
check_1_7() {
check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker"
id_1_7="1.7"
desc_1_7="Ensure auditing is configured for Docker files and directories - /etc/docker"
check_1_7="$id_1_7 - $desc_1_7"
starttestjson "$id_1_7" "$desc_1_7"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_7"
logjson "1.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_7"
logjson "1.7" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_7"
logjson "1.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_7"
logjson "1.7" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_7"
info " * Directory not found"
logjson "1.7" "INFO"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
fi
}
# 1.8
check_1_8() {
check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service"
id_1_8="1.8"
desc_1_8="Ensure auditing is configured for Docker files and directories - docker.service"
check_1_8="$id_1_8 - $desc_1_8"
starttestjson "$id_1_8" "$desc_1_8"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_8"
logjson "1.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_8"
logjson "1.8" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_8"
logjson "1.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_8"
logjson "1.8" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_8"
info " * File not found"
logjson "1.8" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.9
check_1_9() {
check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket"
id_1_9="1.9"
desc_1_9="Ensure auditing is configured for Docker files and directories - docker.socket"
check_1_9="$id_1_9 - $desc_1_9"
starttestjson "$id_1_9" "$desc_1_9"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_9"
logjson "1.9" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_9"
logjson "1.9" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_9"
logjson "1.9" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_9"
logjson "1.9" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_9"
info " * File not found"
logjson "1.9" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.10
check_1_10() {
check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker"
id_1_10="1.10"
desc_1_10="Ensure auditing is configured for Docker files and directories - /etc/default/docker"
check_1_10="$id_1_10 - $desc_1_10"
starttestjson "$id_1_10" "$desc_1_10"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_10"
logjson "1.10" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_10"
logjson "1.10" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_10"
logjson "1.10" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_10"
logjson "1.10" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_10"
info " * File not found"
logjson "1.10" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.11
check_1_11() {
check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
id_1_11="1.11"
desc_1_11="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
check_1_11="$id_1_11 - $desc_1_11"
starttestjson "$id_1_11" "$desc_1_11"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_11"
logjson "1.11" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_11"
logjson "1.11" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_11"
logjson "1.11" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_11"
logjson "1.11" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_11"
info " * File not found"
logjson "1.11" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.12
check_1_12() {
check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
id_1_12="1.12"
desc_1_12="Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
check_1_12="$id_1_12 - $desc_1_12"
starttestjson "$id_1_12" "$desc_1_12"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-containerd"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_12"
logjson "1.12" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_12"
logjson "1.12" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_12"
logjson "1.12" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_12"
logjson "1.12" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_12"
info " * File not found"
logjson "1.12" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.13
check_1_13() {
check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
id_1_13="1.13"
desc_1_13="Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
check_1_13="$id_1_13 - $desc_1_13"
starttestjson "$id_1_13" "$desc_1_13"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-runc"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_13"
logjson "1.13" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_13"
logjson "1.13" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_13"
logjson "1.13" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_13"
logjson "1.13" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_13"
info " * File not found"
logjson "1.13" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
check_1_end() {
endsectionjson
}

236
tests/2_docker_daemon_configuration.sh
View file

@ -2,262 +2,314 @@
check_2() {
logit "\n"
info "2 - Docker daemon configuration"
id_2="2"
desc_2="Docker daemon configuration"
check_2="id_2 - $desc_2"
info "$check_2"
startsectionjson "$id_2" "$desc_2"
}
# 2.1
check_2_1() {
check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge"
id_2_1="2.1"
desc_2_1="Ensure network traffic is restricted between containers on the default bridge"
check_2_1="$id_2_1 - $desc_2_1"
starttestjson "$id_2_1" "$desc_2_1"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass "$check_2_1"
logjson "2.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass "$check_2_1"
logjson "2.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_1"
logjson "2.1" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.2
check_2_2() {
check_2_2="2.2 - Ensure the logging level is set to 'info'"
id_2_2="2.2"
desc_2_2="Ensure the logging level is set to 'info'"
check_2_2="$id_2_2 - $desc_2_2"
starttestjson "$id_2_2" "$desc_2_2"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass "$check_2_2"
logjson "2.2" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass "$check_2_2"
logjson "2.2" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_2"
logjson "2.2" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass "$check_2_2"
logjson "2.2" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_2"
logjson "2.2" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_2_2"
logjson "2.2" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.3
check_2_3() {
check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables"
id_2_3="2.3"
desc_2_3="Ensure Docker is allowed to make changes to iptables"
check_2_3="$id_2_3 - $desc_2_3"
starttestjson "$id_2_3" "$desc_2_3"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3"
logjson "2.3" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3"
logjson "2.3" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_2_3"
logjson "2.3" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.4
check_2_4() {
check_2_4="2.4 - Ensure insecure registries are not used"
id_2_4="2.4"
desc_2_4="Ensure insecure registries are not used"
check_2_4="$id_2_4 - $desc_2_4"
starttestjson "$id_2_4" "$desc_2_4"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn "$check_2_4"
logjson "2.4" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass "$check_2_4"
logjson "2.4" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_4"
logjson "2.4" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_2_4"
logjson "2.4" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.5
check_2_5() {
check_2_5="2.5 - Ensure aufs storage driver is not used"
id_2_5="2.5"
desc_2_5="Ensure aufs storage driver is not used"
check_2_5="$id_2_5 - $desc_2_5"
starttestjson "$id_2_5" "$desc_2_5"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn "$check_2_5"
logjson "2.5" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_2_5"
logjson "2.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.6
check_2_6() {
check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured"
id_2_6="2.6"
desc_2_6="Ensure TLS authentication for Docker daemon is configured"
check_2_6="$id_2_6 - $desc_2_6"
starttestjson "$id_2_6" "$desc_2_6"
totalChecks=$((totalChecks + 1))
if [ grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2 ] || \
[ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') >/dev/null 2>&1 ]; then
if [ $(get_docker_configuration_file_args '"tlsverify":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
pass "$check_2_6"
logjson "2.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logjson "2.6" "WARN"
resulttestjson "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
currentScore=$((currentScore - 1))
else
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS"
logjson "2.6" "WARN"
resulttestjson "WARN" "Docker daemon currently listening on TCP without TLS"
currentScore=$((currentScore - 1))
fi
else
info "$check_2_6"
info " * Docker daemon not listening on TCP"
logjson "2.6" "INFO"
resulttestjson "INFO" "Docker daemon not listening on TCP"
currentScore=$((currentScore + 0))
fi
}
# 2.7
check_2_7() {
check_2_7="2.7 - Ensure the default ulimit is configured appropriately"
id_2_7="2.7"
desc_2_7="Ensure the default ulimit is configured appropriately"
check_2_7="$id_2_7 - $desc_2_7"
starttestjson "$id_2_7" "$desc_2_7"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass "$check_2_7"
logjson "2.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass "$check_2_7"
logjson "2.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
info "$check_2_7"
info " * Default ulimit doesn't appear to be set"
logjson "2.7" "INFO"
resulttestjson "INFO" "Default ulimit doesn't appear to be set"
currentScore=$((currentScore + 0))
fi
}
# 2.8
check_2_8() {
check_2_8="2.8 - Enable user namespace support"
id_2_8="2.8"
desc_2_8="Enable user namespace support"
check_2_8="$id_2_8 - $desc_2_8"
starttestjson "$id_2_8" "$desc_2_8"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass "$check_2_8"
logjson "2.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass "$check_2_8"
logjson "2.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_8"
logjson "2.8" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.9
check_2_9() {
check_2_9="2.9 - Ensure the default cgroup usage has been confirmed"
id_2_9="2.9"
desc_2_9="Ensure the default cgroup usage has been confirmed"
check_2_9="$id_2_9 - $desc_2_9"
starttestjson "$id_2_9" "$desc_2_9"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
warn "$check_2_9"
info " * Confirm cgroup usage"
logjson "2.9" "INFO"
resulttestjson "WARN" "Confirm cgroup usage"
currentScore=$((currentScore + 0))
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn "$check_2_9"
info " * Confirm cgroup usage"
logjson "2.9" "INFO"
resulttestjson "WARN" "Confirm cgroup usage"
currentScore=$((currentScore + 0))
else
pass "$check_2_9"
logjson "2.9" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.10
check_2_10() {
check_2_10="2.10 - Ensure base device size is not changed until needed"
id_2_10="2.10"
desc_2_10="Ensure base device size is not changed until needed"
check_2_10="$id_2_10 - $desc_2_10"
starttestjson "$id_2_10" "$desc_2_10"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10"
logjson "2.10" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10"
logjson "2.10" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_2_10"
logjson "2.10" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.11
check_2_11() {
check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled"
id_2_11="2.11"
desc_2_11="Ensure that authorization for Docker client commands is enabled"
check_2_11="$id_2_11 - $desc_2_11"
starttestjson "$id_2_11" "$desc_2_11"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass "$check_2_11"
logjson "2.11" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass "$check_2_11"
logjson "2.11" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_11"
logjson "2.11" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.12
check_2_12() {
check_2_12="2.12 - Ensure centralized and remote logging is configured"
id_2_12="2.12"
desc_2_12="Ensure centralized and remote logging is configured"
check_2_12="$id_2_12 - $desc_2_12"
starttestjson "$id_2_12" "$desc_2_12"
totalChecks=$((totalChecks + 1))
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn "$check_2_12"
logjson "2.12" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_2_12"
logjson "2.12" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
@ -267,48 +319,58 @@ check_2_13() {
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.')
totalChecks=$((totalChecks + 1))
id_2_13="2.13"
desc_2_13="Ensure operations on legacy registry (v1) are Disabled"
check_2_13="$id_2_13 - $desc_2_13"
starttestjson "$id_2_13" "$desc_2_13"
if [ "$docker_version" -lt 1712 ]; then
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled"
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass "$check_2_13"
logjson "2.13" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass "$check_2_13"
logjson "2.13" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_13"
logjson "2.13" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled (Deprecated)"
desc_2_13="$desc_2_13 (Deprecated)"
check_2_13="$id_2_13 - $desc_2_13"
info "$check_2_13"
logjson "2.13" "info"
resulttestjson "INFO"
fi
}
# 2.14
check_2_14() {
check_2_14="2.14 - Ensure live restore is Enabled"
id_2_14="2.14"
desc_2_14="Ensure live restore is Enabled"
check_2_14="$id_2_14 - $desc_2_14"
starttestjson "$id_2_14" "$desc_2_14"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass "$check_2_14"
logjson "2.14" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass "$check_2_14 (Incompatible with swarm mode)"
logjson "2.14" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass "$check_2_14"
logjson "2.14" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_14"
logjson "2.14" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
fi
@ -316,68 +378,88 @@ check_2_14() {
# 2.15
check_2_15() {
check_2_15="2.15 - Ensure Userland Proxy is Disabled"
id_2_15="2.15"
desc_2_15="Ensure Userland Proxy is Disabled"
check_2_15="$id_2_15 - $desc_2_15"
starttestjson "$id_2_15" "$desc_2_15"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass "$check_2_15"
logjson "2.15" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass "$check_2_15"
logjson "2.15" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_15"
logjson "2.15" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.16
check_2_16() {
check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed"
id_2_16="2.16"
desc_2_16="Ensure daemon-wide custom seccomp profile is applied, if needed"
check_2_16="$id_2_16 - $desc_2_16"
starttestjson "$id_2_16" "$desc_2_16"
totalChecks=$((totalChecks + 1))
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass "$check_2_16"
logjson "2.16" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
info "$check_2_16"
logjson "2.16" "INFO"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
fi
}
# 2.17
check_2_17() {
check_2_17="2.17 - Ensure experimental features are avoided in production"
id_2_17="2.17"
desc_2_17="Ensure experimental features are avoided in production"
check_2_17="$id_2_17 - $desc_2_17"
starttestjson "$id_2_17" "$desc_2_17"
totalChecks=$((totalChecks + 1))
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass "$check_2_17"
logjson "2.17" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_17"
logjson "2.17" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.18
check_2_18() {
check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges"
id_2_18="2.18"
desc_2_18="Ensure containers are restricted from acquiring new privileges"
check_2_18="$id_2_18 - $desc_2_18"
starttestjson "$id_2_18" "$desc_2_18"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass "$check_2_18"
logjson "2.18" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass "$check_2_18"
logjson "2.18" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_18"
logjson "2.18" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
check_2_end() {
endsectionjson
}

250
tests/3_docker_daemon_configuration_files.sh
View file

@ -2,156 +2,188 @@
check_3() {
logit "\n"
info "3 - Docker daemon configuration files"
id_3="3"
desc_3="Docker daemon configuration files"
check_3="$id_3 - $desc_3"
info "$check_3"
startsectionjson "$id_3" "$desc_3"
}
# 3.1
check_3_1() {
check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root"
id_3_1="3.1"
desc_3_1="Ensure that docker.service file ownership is set to root:root"
check_3_1="$id_3_1 - $desc_3_1"
starttestjson "$id_3_1" "$desc_3_1"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1"
logjson "3.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_1"
warn " * Wrong ownership for $file"
logjson "3.1" "WARN"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_1"
info " * File not found"
logjson "3.1" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.2
check_3_2() {
check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive"
id_3_2="3.2"
desc_3_2="Ensure that docker.service file permissions are set to 644 or more restrictive"
check_3_2="$id_3_2 - $desc_3_2"
starttestjson "$id_3_2" "$desc_3_2"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_2"
logjson "3.2" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_2"
warn " * Wrong permissions for $file"
logjson "3.2" "WARN"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_2"
info " * File not found"
logjson "3.2" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.3
check_3_3() {
check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root"
id_3_3="3.3"
desc_3_3="Ensure that docker.socket file ownership is set to root:root"
check_3_3="$id_3_3 - $desc_3_3"
starttestjson "$id_3_3" "$desc_3_3"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3"
logjson "3.3" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_3"
warn " * Wrong ownership for $file"
logjson "3.3" "WARN"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_3"
info " * File not found"
logjson "3.3" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.4
check_3_4() {
check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive"
id_3_4="3.4"
desc_3_4="Ensure that docker.socket file permissions are set to 644 or more restrictive"
check_3_4="$id_3_4 - $desc_3_4"
starttestjson "$id_3_4" "$desc_3_4"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_4"
logjson "3.4" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_4"
warn " * Wrong permissions for $file"
logjson "3.4" "WARN"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_4"
info " * File not found"
logjson "3.4" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.5
check_3_5() {
check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root"
id_3_5="3.5"
desc_3_5="Ensure that /etc/docker directory ownership is set to root:root"
check_3_5="$id_3_5 - $desc_3_5"
starttestjson "$id_3_5" "$desc_3_5"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_5"
logjson "3.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_5"
warn " * Wrong ownership for $directory"
logjson "3.5" "WARN"
resulttestjson "WARN" "Wrong ownership for $directory"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_5"
info " * Directory not found"
logjson "3.5" "INFO"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
fi
}
# 3.6
check_3_6() {
check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
id_3_6="3.6"
desc_3_6="Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
check_3_6="$id_3_6 - $desc_3_6"
starttestjson "$id_3_6" "$desc_3_6"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_6"
logjson "3.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_6"
warn " * Wrong permissions for $directory"
logjson "3.6" "WARN"
resulttestjson "WARN" "Wrong permissions for $directory"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_6"
info " * Directory not found"
logjson "3.6" "INFO"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
fi
}
# 3.7
check_3_7() {
check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root"
id_3_7="3.7"
desc_3_7="Ensure that registry certificate file ownership is set to root:root"
check_3_7="$id_3_7 - $desc_3_7"
starttestjson "$id_3_7" "$desc_3_7"
totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
@ -165,24 +197,28 @@ check_3_7() {
if [ $fail -eq 1 ]; then
warn "$check_3_7"
warn " * Wrong ownership for $directory"
logjson "3.7" "WARN"
resulttestjson "WARN" "Wrong ownership for $directory"
currentScore=$((currentScore - 1))
else
pass "$check_3_7"
logjson "3.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
else
info "$check_3_7"
info " * Directory not found"
logjson "3.7" "INFO"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
fi
}
# 3.8
check_3_8() {
check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive"
id_3_8="3.8"
desc_3_8="Ensure that registry certificate file permissions are set to 444 or more restrictive"
check_3_8="$id_3_8 - $desc_3_8"
starttestjson "$id_3_8" "$desc_3_8"
totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
@ -196,24 +232,28 @@ check_3_8() {
if [ $fail -eq 1 ]; then
warn "$check_3_8"
warn " * Wrong permissions for $directory"
logjson "3.8" "WARN"
resulttestjson "WARN" "Wrong permissions for $directory"
currentScore=$((currentScore - 1))
else
pass "$check_3_8"
logjson "3.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
else
info "$check_3_8"
info " * Directory not found"
logjson "3.8" "INFO"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
fi
}
# 3.9
check_3_9() {
check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root"
id_3_9="3.9"
desc_3_9="Ensure that TLS CA certificate file ownership is set to root:root"
check_3_9="$id_3_9 - $desc_3_9"
starttestjson "$id_3_9" "$desc_3_9"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
@ -223,25 +263,29 @@ check_3_9() {
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_9"
logjson "3.9" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_9"
warn " * Wrong ownership for $tlscacert"
logjson "3.9" "WARN"
resulttestjson "WARN" "Wrong ownership for $tlscacert"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_9"
info " * No TLS CA certificate found"
logjson "3.9" "INFO"
resulttestjson "INFO" "No TLS CA certificate found"
currentScore=$((currentScore + 0))
fi
}
# 3.10
check_3_10() {
check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
id_3_10="3.10"
desc_3_10="Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
check_3_10="$id_3_10 - $desc_3_10"
starttestjson "$id_3_10" "$desc_3_10"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
@ -251,25 +295,29 @@ check_3_10() {
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
pass "$check_3_10"
logjson "3.10" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_10"
warn " * Wrong permissions for $tlscacert"
logjson "3.10" "WARN"
resulttestjson "WARN" "Wrong permissions for $tlscacert"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_10"
info " * No TLS CA certificate found"
logjson "3.10" "INFO"
resulttestjson "INFO" "No TLS CA certificate found"
currentScore=$((currentScore + 0))
fi
}
# 3.11
check_3_11() {
check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root"
id_3_11="3.11"
desc_3_11="Ensure that Docker server certificate file ownership is set to root:root"
check_3_11="$id_3_11 - $desc_3_11"
starttestjson "$id_3_11" "$desc_3_11"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
@ -279,25 +327,29 @@ check_3_11() {
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_11"
logjson "3.11" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_11"
warn " * Wrong ownership for $tlscert"
logjson "3.11" "WARN"
resulttestjson "WARN" "Wrong ownership for $tlscert"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_11"
info " * No TLS Server certificate found"
logjson "3.11" "INFO"
resulttestjson "INFO" "No TLS Server certificate found"
currentScore=$((currentScore + 0))
fi
}
# 3.12
check_3_12() {
check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
id_3_12="3.12"
desc_3_12="Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
check_3_12="$id_3_12 - $desc_3_12"
starttestjson "$id_3_12" "$desc_3_12"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
@ -307,25 +359,29 @@ check_3_12() {
if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
pass "$check_3_12"
logjson "3.12" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_12"
warn " * Wrong permissions for $tlscert"
logjson "3.12" "WARN"
resulttestjson "WARN" "Wrong permissions for $tlscert"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_12"
info " * No TLS Server certificate found"
logjson "3.12" "INFO"
resulttestjson "INFO" "No TLS Server certificate found"
currentScore=$((currentScore + 0))
fi
}
# 3.13
check_3_13() {
check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root"
id_3_13="3.13"
desc_3_13="Ensure that Docker server certificate key file ownership is set to root:root"
check_3_13="$id_3_13 - $desc_3_13"
starttestjson "$id_3_13" "$desc_3_13"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
@ -335,25 +391,29 @@ check_3_13() {
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_13"
logjson "3.13" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_13"
warn " * Wrong ownership for $tlskey"
logjson "3.13" "WARN"
resulttestjson "WARN" "Wrong ownership for $tlskey"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_13"
info " * No TLS Key found"
logjson "3.13" "INFO"
resulttestjson "INFO" "No TLS Key found"
currentScore=$((currentScore + 0))
fi
}
# 3.14
check_3_14() {
check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400"
id_3_14="3.14"
desc_3_14="Ensure that Docker server certificate key file permissions are set to 400"
check_3_14="$id_3_14 - $desc_3_14"
starttestjson "$id_3_14" "$desc_3_14"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
@ -363,162 +423,190 @@ check_3_14() {
if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass "$check_3_14"
logjson "3.14" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_14"
warn " * Wrong permissions for $tlskey"
logjson "3.14" "WARN"
resulttestjson "WARN" "Wrong permissions for $tlskey"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_14"
info " * No TLS Key found"
logjson "3.14" "INFO"
resulttestjson "INFO" "No TLS Key found"
currentScore=$((currentScore + 0))
fi
}
# 3.15
check_3_15() {
check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker"
id_3_15="3.15"
desc_3_15="Ensure that Docker socket file ownership is set to root:docker"
check_3_15="$id_3_15 - $desc_3_15"
starttestjson "$id_3_15" "$desc_3_15"
totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass "$check_3_15"
logjson "3.15" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_15"
warn " * Wrong ownership for $file"
logjson "3.15" "WARN"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_15"
info " * File not found"
logjson "3.15" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.16
check_3_16() {
check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive"
id_3_16="3.16"
desc_3_16="Ensure that Docker socket file permissions are set to 660 or more restrictive"
check_3_16="$id_3_16 - $desc_3_16"
starttestjson "$id_3_16" "$desc_3_16"
totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_16"
logjson "3.16" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_16"
warn " * Wrong permissions for $file"
logjson "3.16" "WARN"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_16"
info " * File not found"
logjson "3.16" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.17
check_3_17() {
check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root"
id_3_17="3.17"
desc_3_17="Ensure that daemon.json file ownership is set to root:root"
check_3_17="$id_3_17 - $desc_3_17"
starttestjson "$id_3_17" "$desc_3_17"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_17"
logjson "3.17" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_17"
warn " * Wrong ownership for $file"
logjson "3.17" "WARN"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_17"
info " * File not found"
logjson "3.17" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.18
check_3_18() {
check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive"
id_3_18="3.18"
desc_3_18="Ensure that daemon.json file permissions are set to 644 or more restrictive"
check_3_18="$id_3_18 - $desc_3_18"
starttestjson "$id_3_18" "$desc_3_18"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 640 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_18"
logjson "3.18" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_18"
warn " * Wrong permissions for $file"
logjson "3.18" "WARN"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_18"
info " * File not found"
logjson "3.18" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.19
check_3_19() {
check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root"
id_3_19="3.19"
desc_3_19="Ensure that /etc/default/docker file ownership is set to root:root"
check_3_19="$id_3_19 - $desc_3_19"
starttestjson "$id_3_19" "$desc_3_19"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_19"
logjson "3.19" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_19"
warn " * Wrong ownership for $file"
logjson "3.19" "WARN"
resulttestjson "WARN" "Wrong ownership for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_19"
info " * File not found"
logjson "3.19" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 3.20
check_3_20() {
check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
id_3_20="3.20"
desc_3_20="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
check_3_20="$id_3_20 - $desc_3_20"
starttestjson "$id_3_20" "$desc_3_20"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_20"
logjson "3.20" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_20"
warn " * Wrong permissions for $file"
logjson "3.20" "WARN"
resulttestjson "WARN" "Wrong permissions for $file"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_20"
info " * File not found"
logjson "3.20" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
check_3_end() {
endsectionjson
}

123
tests/4_container_images.sh
View file

@ -4,19 +4,27 @@ images=$(docker images -q)
check_4() {
logit "\n"
info "4 - Container Images and Build File"
id_4="4"
desc_4="Container Images and Build File"
check_4="$id_4 - $desc_4"
info "$check_4"
startsectionjson "$id_4" "$desc_4"
}
# 4.1
check_4_1() {
check_4_1="4.1 - Ensure a user for the container has been created"
id_4_1="4.1"
desc_4_1="Ensure a user for the container has been created"
check_4_1="$id_4_1 - $desc_4_1"
starttestjson "$id_4_1" "$desc_4_1"
totalChecks=$((totalChecks + 1))
# If container_users is empty, there are no running containers
if [ -z "$containers" ]; then
info "$check_4_1"
info " * No containers running"
logjson "4.1" "INFO"
resulttestjson "INFO" "No containers running"
currentScore=$((currentScore + 0))
else
# We have some containers running, set failure flag to 0. Check for Users.
@ -24,6 +32,7 @@ check_4_1() {
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
root_containers=""
for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
@ -32,20 +41,21 @@ check_4_1() {
if [ $fail -eq 0 ]; then
warn "$check_4_1"
warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
root_containers="$root_containers $c"
fail=1
else
warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
root_containers="$root_containers $c"
fi
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass "$check_4_1"
logjson "4.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
resulttestjson "WARN" "running as root" "$root_containers"
currentScore=$((currentScore - 1))
fi
fi
@ -55,152 +65,201 @@ check_4_1() {
# 4.2
check_4_2() {
check_4_2="4.2 - Ensure that containers use trusted base images"
id_4_2="4.2"
desc_4_2="Ensure that containers use trusted base images"
check_4_2="$id_4_2 - $desc_4_2"
starttestjson "$id_4_2" "$desc_4_2"
totalChecks=$((totalChecks + 1))
note "$check_4_2"
logjson "4.2" "NOTE"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.3
check_4_3() {
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
id_4_3="4.3"
desc_4_3="Ensure unnecessary packages are not installed in the container"
check_4_3="$id_4_3 - $desc_4_3"
starttestjson "$id_4_3" "$desc_4_3"
totalChecks=$((totalChecks + 1))
note "$check_4_3"
logjson "4.3" "NOTE"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.4
check_4_4() {
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
id_4_4="4.4"
desc_4_4="Ensure images are scanned and rebuilt to include security patches"
check_4_4="$id_4_4 - $desc_4_4"
starttestjson "$id_4_4" "$desc_4_4"
totalChecks=$((totalChecks + 1))
note "$check_4_4"
logjson "4.4" "NOTE"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.5
check_4_5() {
check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
id_4_5="4.5"
desc_4_5="Ensure Content trust for Docker is Enabled"
check_4_5="$id_4_5 - $desc_4_5"
starttestjson "$id_4_5" "$desc_4_5"
totalChecks=$((totalChecks + 1))
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass "$check_4_5"
logjson "4.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_4_5"
logjson "4.5" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 4.6
check_4_6() {
check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image"
id_4_6="4.6"
desc_4_6="Ensure HEALTHCHECK instructions have been added to the container image"
check_4_6="$id_4_6 - $desc_4_6"
starttestjson "$id_4_6" "$desc_4_6"
totalChecks=$((totalChecks + 1))
fail=0
no_health_images=""
for img in $images; do
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then
fail=1
warn "$check_4_6"
logjson "4.6" "WARN"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
warn " * No Healthcheck found: $imgName"
logjson "4.6" "WARN: $imgName"
no_health_images="$no_health_images $imgName"
fi
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_6"
logjson "4.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
resulttestjson "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
currentScore=$((currentScore - 1))
fi
}
# 4.7
check_4_7() {
check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile"
id_4_7="4.7"
desc_4_7="Ensure update instructions are not use alone in the Dockerfile"
check_4_7="$id_4_7 - $desc_4_7"
starttestjson "$id_4_7" "$desc_4_7"
totalChecks=$((totalChecks + 1))
fail=0
update_images=""
for img in $images; do
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_7"
logjson "4.7" "INFO"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
info " * Update instruction found: $imgName"
update_images="$update_images $imgName"
fi
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_7"
logjson "4.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 0))
else
resulttestjson "INFO" "Update instructions found" "$update_images"
currentScore=$((currentScore + 0))
fi
}
# 4.8
check_4_8() {
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
id_4_8="4.8"
desc_4_8="Ensure setuid and setgid permissions are removed in the images"
check_4_8="$id_4_8 - $desc_4_8"
starttestjson "$id_4_8" "$desc_4_8"
totalChecks=$((totalChecks + 1))
note "$check_4_8"
logjson "4.8" "NOTE"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.9
check_4_9() {
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
id_4_9="4.9"
desc_4_9="Ensure COPY is used instead of ADD in Dockerfile"
check_4_9="$id_4_9 - $desc_4_9"
starttestjson "$id_4_9" "$desc_4_9"
totalChecks=$((totalChecks + 1))
fail=0
add_images=""
for img in $images; do
docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_9"
logjson "4.9" "INFO"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
info " * ADD in image history: $imgName"
logjson "4.9" "INFO: $imgName"
add_images="$add_images $imgName"
fi
currentScore=$((currentScore + 0))
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_9"
logjson "4.9" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
resulttestjson "WARN" "Images using ADD" "$add_images"
fi
}
# 4.10
check_4_10() {
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
id_4_10="4.10"
desc_4_10="Ensure secrets are not stored in Dockerfiles"
check_4_10="$id_4_10 - $desc_4_10"
starttestjson "$id_4_10" "$desc_4_10"
totalChecks=$((totalChecks + 1))
note "$check_4_10"
logjson "4.10" "NOTE"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
# 4.11
check_4_11() {
check_4_11="4.11 - Ensure verified packages are only Installed"
id_4_11="4.11"
desc_4_11="Ensure verified packages are only Installed"
check_4_11="$id_4_11 - $desc_4_11"
starttestjson "$id_4_11" "$desc_4_11"
totalChecks=$((totalChecks + 1))
note "$check_4_11"
logjson "4.11" "NOTE"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
}
check_4_end() {
endsectionjson
}

423
tests/5_container_runtime.sh
View file

File diff suppressed because it is too large Load diff

30
tests/6_docker_security_operations.sh
View file

@ -2,12 +2,20 @@
check_6() {
logit "\n"
info "6 - Docker Security Operations"
id_6="6"
desc_6="Docker Security Operations"
check_6="$id_6 - $desc_6"
info "$check_6"
startsectionjson "$id_6" "$desc_6"
}
# 6.1
check_6_1() {
check_6_1="6.1 - Avoid image sprawl"
id_6_1="6.1"
desc_6_1="Avoid image sprawl"
check_6_1="$id_6_1 - $desc_6_1"
starttestjson "$id_6_1" "$desc_6_1"
totalChecks=$((totalChecks + 1))
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
active_images=0
@ -23,26 +31,34 @@ check_6_1() {
if [ "$active_images" -lt "$((images / 2))" ]; then
info " * Only $active_images out of $images are in use"
logjson "6.1" "INFO: $active_images"
fi
resulttestjson "INFO" "$active_images active/$images in use"
currentScore=$((currentScore + 0))
}
# 6.2
check_6_2() {
check_6_2="6.2 - Avoid container sprawl"
id_6_2="6.2"
desc_6_2="Avoid container sprawl"
check_6_2="$id_6_2 - $desc_6_2"
starttestjson "$id_6_2" "$desc_6_2"
totalChecks=$((totalChecks + 1))
total_containers=$(docker info 2>/dev/null | grep "^Containers" | awk '{print $2}')
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
running_containers=$(docker ps -q | wc -l | awk '{print $1}')
diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then
info "$check_6_2"
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
logjson "6.2" "INFO: $running_containers"
resulttestjson "INFO" "$total_containers total/$running_containers running"
else
info "$check_6_2"
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
logjson "6.2" "INFO: $running_containers"
resulttestjson "INFO" "$total_containers total/$running_containers running"
fi
currentScore=$((currentScore + 0))
}
check_6_end() {
endsectionjson
}

120
tests/7_docker_swarm_configuration.sh
View file

@ -2,71 +2,91 @@
check_7() {
logit "\n"
info "7 - Docker Swarm Configuration"
id_7="7"
desc_7="Docker Swarm Configuration"
check_7="$id_7 - $desc_7"
info "$check_7"
startsectionjson "$id_7" "$desc_7"
}
# 7.1
check_7_1() {
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
id_7_1="7.1"
desc_7_1="Ensure swarm mode is not Enabled, if not needed"
check_7_1="$id_7_1 - $desc_7_1"
starttestjson "$id_7_1" "$desc_7_1"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass "$check_7_1"
logjson "7.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_7_1"
logjson "7.1" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 7.2
check_7_2() {
check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm"
id_7_2="7.2"
desc_7_2="Ensure the minimum number of manager nodes have been created in a swarm"
check_7_2="$id_7_2 - $desc_7_2"
starttestjson "$id_7_2" "$desc_7_2"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -le 1 ]; then
pass "$check_7_2"
logjson "7.2" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_7_2"
logjson "7.2" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_7_2 (Swarm mode not enabled)"
logjson "7.2" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.3
check_7_3() {
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
id_7_3="7.3"
desc_7_3="Ensure swarm services are binded to a specific host interface"
check_7_3="$id_7_3 - $desc_7_3"
starttestjson "$id_7_3" "$desc_7_3"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
if [ $? -eq 1 ]; then
pass "$check_7_3"
logjson "7.3" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_7_3"
logjson "7.3" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_7_3 (Swarm mode not enabled)"
logjson "7.3" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.4
check_7_4(){
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
id_7_4="7.4"
desc_7_4="Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
check_7_4="$id_7_4 - $desc_7_4"
starttestjson "$id_7_4" "$desc_7_4"
totalChecks=$((totalChecks + 1))
if docker network ls --filter driver=overlay --quiet | \
xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \
@ -77,120 +97,148 @@ check_7_4(){
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
resulttestjson "WARN" "Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
fi
done
else
pass "$check_7_4"
logjson "7.4" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.5
check_7_5() {
check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
id_7_5="7.5"
desc_7_5="Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
check_7_5="$id_7_5 - $desc_7_5"
starttestjson "$id_7_5" "$desc_7_5"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass "$check_7_5"
logjson "7.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
info "$check_7_5"
logjson "7.5" "INFO"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
fi
else
pass "$check_7_5 (Swarm mode not enabled)"
logjson "7.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.6
check_7_6() {
check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
id_7_6="7.6"
desc_7_6="Ensure swarm manager is run in auto-lock mode"
check_7_6="$id_7_6 - $desc_7_6"
starttestjson "$id_7_6" "$desc_7_6"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn "$check_7_6"
logjson "7.6" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_7_6"
logjson "7.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
else
pass "$check_7_6 (Swarm mode not enabled)"
logjson "7.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.7
check_7_7() {
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
id_7_7="7.7"
desc_7_7="Ensure swarm manager auto-lock key is rotated periodically"
check_7_7="$id_7_7 - $desc_7_7"
starttestjson "$id_7_7" "$desc_7_7"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note "$check_7_7"
logjson "7.7" "NOTE"
resulttestjson "NOTE"
currentScore=$((currentScore + 0))
else
pass "$check_7_7 (Swarm mode not enabled)"
logjson "7.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.8
check_7_8() {
check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
id_7_8="7.8"
desc_7_8="Ensure node certificates are rotated as appropriate"
check_7_8="$id_7_8 - $desc_7_8"
starttestjson "$id_7_8" "$desc_7_8"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass "$check_7_8"
logjson "7.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
info "$check_7_8"
logjson "7.8" "INFO"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
fi
else
pass "$check_7_8 (Swarm mode not enabled)"
logjson "7.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.9
check_7_9() {
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
id_7_9="7.9"
desc_7_9="Ensure CA certificates are rotated as appropriate"
check_7_9="$id_7_9 - $desc_7_9"
starttestjson "$id_7_9" "$desc_7_9"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_9"
logjson "7.9" "INFO"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
else
pass "$check_7_9 (Swarm mode not enabled)"
logjson "7.9" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.10
check_7_10() {
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
id_7_10="7.10"
desc_7_10="Ensure management plane traffic has been separated from data plane traffic"
check_7_10="$id_7_10 - $desc_7_10"
starttestjson "$id_7_10" "$desc_7_10"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_10"
logjson "7.10" "INFO"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
else
pass "$check_7_10 (Swarm mode not enabled)"
logjson "7.10" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
fi
}
check_7_end() {
endsectionjson
}

14
tests/99_community_checks.sh
View file

@ -1,7 +1,11 @@
#!/bin/sh
check_c() {
logit "\n"
info "99 - Community contributed checks"
id_99="99"
desc_99="Community contributed checks"
check_99="$id_99 - $desc_99"
info "$check_99"
startsectionjson "$id_99" "$desc_99"
}
# check_c_1
@ -10,9 +14,13 @@ check_c_1() {
totalChecks=$((totalChecks + 1))
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass "$check_c_1"
logjson "c.1" "PASS"
resulttestjson "PASS"
else
warn "$check_c_1"
logjson "c.1" "WARN"
resulttestjson "WARN"
fi
}
check_c_end() {
endsectionjson
}