GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-10-28 08:38:58 +00:00
Code Issues Projects Releases Packages Wiki Activity

Improve docker-bench-security json output

Browse source 
Add a test object for each test performed by the script. Each object has
an id N.M, a desc property describing the test, and the result. Some
tests include additional information about the test e.g. "No TLS
Certificate Found". That can be found in an optional details property of
the test object.

Also, some tests might also return a list of containers, images, users,
etc. This is included in an optional items property of the test object.

Instead of having all test results as top-level objects, break the test
results into sections. Each section has an id + description e.g. "1" and
"Host Configuration". The tests for that section are an array below that
object.

All of the additional json output is implemented by adding new functions
startsectionjson(), endsectionjson(), starttestjson(), and
resulttestjson() that take the id/desc/etc as arguments and print the
proper json properties. It also required adding an "end" test to each
script that calls endsectionjson().

Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
This commit is contained in:
Mark Stemm 2018-07-11 18:02:12 -07:00
commit ec7d8ce690
11 changed files with 1006 additions and 427 deletions

191
tests/1_host_configuration.sh
View file

@ -2,41 +2,57 @@
check_1() {
logit ""
info "1 - Host Configuration"
id_1="1"
desc_1="Host Configuration"
check_1="$id_1 - $desc_1"
info "$check_1"
startsectionjson "$id_1" "$desc_1"
}
# 1.1
check_1_1() {
check_1_1="1.1 - Ensure a separate partition for containers has been created"
id_1_1="1.1"
desc_1_1="Ensure a separate partition for containers has been created"
check_1_1="$id_1_1 - $desc_1_1"
starttestjson "$id_1_1" "$desc_1_1"
totalChecks=$((totalChecks + 1))
if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then
pass "$check_1_1"
logjson "1.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then
pass "$check_1_1"
logjson "1.1" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_1"
logjson "1.1" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 1.2
check_1_2() {
check_1_2="1.2 - Ensure the container host has been Hardened"
id_1_2="1.2"
desc_1_2="Ensure the container host has been Hardened"
check_1_2="$id_1_2 - $desc_1_2"
starttestjson "$id_1_2" "$desc_1_2"
totalChecks=$((totalChecks + 1))
note "$check_1_2"
logjson "1.2" "INFO"
resulttestjson "INFO"
currentScore=$((currentScore + 0))
}
# 1.3
check_1_3() {
check_1_3="1.3 - Ensure Docker is up to date"
id_1_3="1.3"
desc_1_3="Ensure Docker is up to date"
check_1_3="$id_1_3 - $desc_1_3"
starttestjson "$id_1_3" "$desc_1_3"
totalChecks=$((totalChecks + 1))
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
@ -46,316 +62,361 @@ check_1_3() {
info "$check_1_3"
info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker"
logjson "1.3" "INFO"
resulttestjson "INFO" "Using $docker_version"
currentScore=$((currentScore + 0))
else
pass "$check_1_3"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logjson "1.3" "PASS"
resulttestjson "PASS" "Using $docker_version"
currentScore=$((currentScore + 0))
fi
}
# 1.4
check_1_4() {
check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon"
id_1_4="1.4"
desc_1_4="Ensure only trusted users are allowed to control Docker daemon"
check_1_4="$id_1_4 - $desc_1_4"
starttestjson "$id_1_4" "$desc_1_4"
totalChecks=$((totalChecks + 1))
docker_users=$(getent group docker)
info "$check_1_4"
for u in $docker_users; do
info " * $u"
logjson "1.4" "INFO: $u"
done
resulttestjson "INFO" "users" "$docker_users"
currentScore=$((currentScore + 0))
}
# 1.5
check_1_5() {
check_1_5="1.5 - Ensure auditing is configured for the Docker daemon"
id_1_5="1.5"
desc_1_5="Ensure auditing is configured for the Docker daemon"
check_1_5="$id_1_5 - $desc_1_5"
starttestjson "$id_1_5" "$desc_1_5"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker "
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_5"
logjson "1.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_5"
logjson "1.5" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_5"
logjson "1.5" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_5"
logjson "1.5" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
}
# 1.6
check_1_6() {
check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker"
id_1_6="1.6"
desc_1_6="Ensure auditing is configured for Docker files and directories - /var/lib/docker"
check_1_6="$id_1_6 - $desc_1_6"
starttestjson "$id_1_6" "$desc_1_6"
totalChecks=$((totalChecks + 1))
directory="/var/lib/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_6"
logjson "1.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_6"
logjson "1.6" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_6"
logjson "1.6" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_6"
logjson "1.6" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_6"
info " * Directory not found"
logjson "1.6" "INFO"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
fi
}
# 1.7
check_1_7() {
check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker"
id_1_7="1.7"
desc_1_7="Ensure auditing is configured for Docker files and directories - /etc/docker"
check_1_7="$id_1_7 - $desc_1_7"
starttestjson "$id_1_7" "$desc_1_7"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_7"
logjson "1.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_7"
logjson "1.7" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_7"
logjson "1.7" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_7"
logjson "1.7" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_7"
info " * Directory not found"
logjson "1.7" "INFO"
resulttestjson "INFO" "Directory not found"
currentScore=$((currentScore + 0))
fi
}
# 1.8
check_1_8() {
check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service"
id_1_8="1.8"
desc_1_8="Ensure auditing is configured for Docker files and directories - docker.service"
check_1_8="$id_1_8 - $desc_1_8"
starttestjson "$id_1_8" "$desc_1_8"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_8"
logjson "1.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_8"
logjson "1.8" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_8"
logjson "1.8" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_8"
logjson "1.8" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_8"
info " * File not found"
logjson "1.8" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.9
check_1_9() {
check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket"
id_1_9="1.9"
desc_1_9="Ensure auditing is configured for Docker files and directories - docker.socket"
check_1_9="$id_1_9 - $desc_1_9"
starttestjson "$id_1_9" "$desc_1_9"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_9"
logjson "1.9" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_9"
logjson "1.9" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_9"
logjson "1.9" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_9"
logjson "1.9" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_9"
info " * File not found"
logjson "1.9" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.10
check_1_10() {
check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker"
id_1_10="1.10"
desc_1_10="Ensure auditing is configured for Docker files and directories - /etc/default/docker"
check_1_10="$id_1_10 - $desc_1_10"
starttestjson "$id_1_10" "$desc_1_10"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_10"
logjson "1.10" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_10"
logjson "1.10" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_10"
logjson "1.10" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_10"
logjson "1.10" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_10"
info " * File not found"
logjson "1.10" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.11
check_1_11() {
check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
id_1_11="1.11"
desc_1_11="Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
check_1_11="$id_1_11 - $desc_1_11"
starttestjson "$id_1_11" "$desc_1_11"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_11"
logjson "1.11" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_11"
logjson "1.11" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_11"
logjson "1.11" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_11"
logjson "1.11" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_11"
info " * File not found"
logjson "1.11" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.12
check_1_12() {
check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
id_1_12="1.12"
desc_1_12="Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
check_1_12="$id_1_12 - $desc_1_12"
starttestjson "$id_1_12" "$desc_1_12"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-containerd"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_12"
logjson "1.12" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_12"
logjson "1.12" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_12"
logjson "1.12" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_12"
logjson "1.12" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_12"
info " * File not found"
logjson "1.12" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
# 1.13
check_1_13() {
check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
id_1_13="1.13"
desc_1_13="Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
check_1_13="$id_1_13 - $desc_1_13"
starttestjson "$id_1_13" "$desc_1_13"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-runc"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_13"
logjson "1.13" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_13"
logjson "1.13" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_13"
logjson "1.13" "PASS"
resulttestjson "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_13"
logjson "1.13" "WARN"
resulttestjson "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_1_13"
info " * File not found"
logjson "1.13" "INFO"
resulttestjson "INFO" "File not found"
currentScore=$((currentScore + 0))
fi
}
check_1_end() {
endsectionjson
}