GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-31 06:22:32 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' of github.com:konstruktoid/docker-bench-security into issue_25

Browse source 
* 'master' of github.com:konstruktoid/docker-bench-security:
  Fix test 5.14 to not always pass when multiple ports are published.
  change to docker repository
  make readme codeblocks prettier
  Add first version of CONTRIBUTING.md
  Issue #24, remove -U, -u
  use official alpine image as the base
  Make the main script an executable for if I want to run it on my host

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

Conflicts:
	README.md
This commit is contained in:
Thomas Sjögren 2015-06-15 22:01:36 +02:00
commit eca8471c71
7 changed files with 87 additions and 35 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

48
CONTRIBUTING.md Normal file
View file

@ -0,0 +1,48 @@
# Contributing to Docker Bench for Security
Want to hack on Docker Bench? Awesome! Here are instructions to get you
started.
The Docker Bench for Security is a part of the [Docker](https://www.docker.com) project, and follows
the same rules and principles. If you're already familiar with the way
Docker does things, you'll feel right at home.
Otherwise, go read
[Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md).
### Development Environment Setup
The only thing you need to hack on Docker Bench for Security is a POSIX 2004 compliant shell. We try to keep the project compliant for maximum portability
#### Start hacking
You can build the container that wraps the docker-bench for security:
```sh
✗ git clone git@github.com:docker/docker-bench-security.git
✗ docker build -t diogomonica/docker-bench-security .
```
Or you can simply run the shell script locally:
```sh
✗ sh docker-bench-security.sh
```
The Docker Bench has the main script called `docker-bench-security.sh`. This is the main script that checks for all the dependencies, deals with command line arguments and loads all the tests.
The tests are split in 6 different files:
```sh
✗ docker-bench-security git:(master) ✗ tree tests
tests
├── 1_host_configuration.sh
├── 2_docker_daemon_configuration.sh
├── 3_docker_daemon_configuration_files.sh
├── 4_container_images.sh
├── 5_container_runtime.sh
└── 6_docker_security_operations.sh
```
To modify the Docker Bench for Security you should first clone the repository, make your changes, and then sign off on your commits. After that feel free to send us a pull-request with the changes.
While this tool is inspired in the CIS Docker 1.6 Benchmark, feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions.

2
Dockerfile
View file

@ -1,4 +1,4 @@
FROM gliderlabs/alpine:3.1 FROM alpine:3.1
RUN apk --update add docker RUN apk --update add docker

2
README.md
View file

@ -43,7 +43,7 @@ docker run -it --net host --pid host -v /var/lib:/var/lib \
Also, this script can also be simply run from your base host by running: Also, this script can also be simply run from your base host by running:
```sh ```sh
git clone https://github.com/diogomonica/docker-bench-security.git git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security cd docker-bench-security
sh docker-bench-security.sh sh docker-bench-security.sh
``` ```

0
docker-bench-security.sh Normal file → Executable file
View file

20
tests/2_docker_daemon_configuration.sh
View file

@ -5,7 +5,7 @@ info "2 - Docker Daemon Configuration"
# 2.1 # 2.1
check_2_1="2.1 - Do not use lxc execution driver" check_2_1="2.1 - Do not use lxc execution driver"
pgrep -U root -u root -lf docker | grep lxc >/dev/null 2>&1 pgrep -lf docker | grep lxc >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_1" warn "$check_2_1"
else else
@ -14,7 +14,7 @@ fi
# 2.2 # 2.2
check_2_2="2.2 - Restrict network traffic between containers" check_2_2="2.2 - Restrict network traffic between containers"
pgrep -U root -u root -lf docker | grep "icc=false" >/dev/null 2>&1 pgrep -lf docker | grep "icc=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_2" pass "$check_2_2"
else else
@ -23,7 +23,7 @@ fi
# 2.3 # 2.3
check_2_3="2.3 - Set the logging level" check_2_3="2.3 - Set the logging level"
pgrep -U root -u root -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1 pgrep -lf docker | grep "log-level=\"debug\"" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_3" warn "$check_2_3"
else else
@ -32,7 +32,7 @@ fi
# 2.4 # 2.4
check_2_4="2.4 - Allow Docker to make changes to iptables" check_2_4="2.4 - Allow Docker to make changes to iptables"
pgrep -U root -u root -lf docker | grep "iptables=false" >/dev/null 2>&1 pgrep -lf docker | grep "iptables=false" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_4" warn "$check_2_4"
else else
@ -41,7 +41,7 @@ fi
# 2.5 # 2.5
check_2_5="2.5 - Do not use insecure registries" check_2_5="2.5 - Do not use insecure registries"
pgrep -U root -u root -lf docker | grep "insecure-registry" >/dev/null 2>&1 pgrep -lf docker | grep "insecure-registry" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
warn "$check_2_5" warn "$check_2_5"
else else
@ -50,7 +50,7 @@ fi
# 2.6 # 2.6
check_2_6="2.6 - Setup a local registry mirror" check_2_6="2.6 - Setup a local registry mirror"
pgrep -U root -u root -lf docker | grep "registry-mirror" >/dev/null 2>&1 pgrep -lf docker | grep "registry-mirror" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_6" pass "$check_2_6"
else else
@ -69,7 +69,7 @@ fi
# 2.8 # 2.8
check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket" check_2_8="2.8 - Do not bind Docker to another IP/Port or a Unix socket"
pgrep -U root -u root -lf docker | grep "\-H" >/dev/null 2>&1 pgrep -lf docker | grep "\-H" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
info "$check_2_8" info "$check_2_8"
info " * Docker daemon running with -H" info " * Docker daemon running with -H"
@ -79,9 +79,9 @@ fi
# 2.9 # 2.9
check_2_9="2.9 - Configure TLS authentication for Docker daemon" check_2_9="2.9 - Configure TLS authentication for Docker daemon"
pgrep -U root -u root -lf docker | grep "tcp://" >/dev/null 2>&1 pgrep -lf docker | grep "tcp://" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pgrep -U root -u root -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1 pgrep -lf docker | grep "tlsverify" | grep "tlskey" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_9" pass "$check_2_9"
info " * Docker daemon currently listening on TCP" info " * Docker daemon currently listening on TCP"
@ -96,7 +96,7 @@ fi
# 2.10 # 2.10
check_2_10="2.10 - Set default ulimit as appropriate" check_2_10="2.10 - Set default ulimit as appropriate"
pgrep -U root -u root -lf docker | grep "default-ulimit" >/dev/null 2>&1 pgrep -lf docker | grep "default-ulimit" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
pass "$check_2_10" pass "$check_2_10"
else else

10
tests/5_container_runtime.sh
View file

@ -201,9 +201,11 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
port=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1) ports=$(docker port "$c" | awk '{print $1}' | cut -d '/' -f1)
if [ ! -z "$port" ] && [ "$port" -lt 1025 ]; then # iterate through port range (line delimited)
for port in $ports; do
if [ ! -z "$port" ] && [ "0$port" -lt 1025 ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
warn "$check_5_8" warn "$check_5_8"
@ -214,6 +216,7 @@ else
fi fi
fi fi
done done
done
# We went through all the containers and found no privileged ports # We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_8" pass "$check_5_8"
@ -316,7 +319,7 @@ else
fail=0 fail=0
for c in $containers; do for c in $containers; do
ip=$(docker port "$c" | awk '{print $3}' | cut -d ':' -f1) for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do
if [ "$ip" = "0.0.0.0" ]; then if [ "$ip" = "0.0.0.0" ]; then
# If it's the first container, fail the test # If it's the first container, fail the test
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
@ -328,6 +331,7 @@ else
fi fi
fi fi
done done
done
# We went through all the containers and found no ports bound to 0.0.0.0 # We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_5_14" pass "$check_5_14"

6
tests/6_docker_security_operations.sh
View file

@ -40,8 +40,8 @@ images=$(docker images -q | wc -l | awk '{print $1}')
active_images=0 active_images=0
for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
if [[ $(docker images --no-trunc -a | grep $c) ]]; then if docker images --no-trunc -a | grep $c > /dev/null ; then
((active_images++)) active_images=$(( active_images += 1 ))
fi fi
done done
@ -53,7 +53,7 @@ else
info " * There are currently: $images images" info " * There are currently: $images images"
fi fi
if [[ "$active_images" -lt "$((images / 2))" ]]; then if [ "$active_images" -lt "$((images / 2))" ]; then
warn " * Only $active_images out of $images are in use" warn " * Only $active_images out of $images are in use"
fi fi