From 6ec6ee06382a14dd913b1cc2d48c32f662867993 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 16 Jan 2018 13:44:43 +0100 Subject: [PATCH 1/5] add check option, and function names MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- docker-bench-security.sh | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 6e76717..e84cec5 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -9,8 +9,9 @@ # ------------------------------------------------------------------------------ # Load dependencies -. ./output_lib.sh +. ./functions_lib.sh . ./helper_lib.sh +. ./output_lib.sh # Setup the paths this_path=$(abspath "$0") ## Path of this file including filenamel @@ -35,18 +36,20 @@ usage () { usage: ${myname} [options] -h optional Print this help message - -l PATH optional Log output in PATH + -l FILE optional Log output in FILE + -c CHECK optional Run specific check EOF } # Get the flags # If you add an option here, please # remember to update usage() above. -while getopts hl: args +while getopts hl:c: args do case $args in h) usage; exit 0 ;; l) logger="$OPTARG" ;; + c) check="$OPTARG" ;; *) usage; exit 1 ;; esac done @@ -95,11 +98,23 @@ main () { # List all running containers except docker-bench (use names to improve readability in logs) containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont") + if [ -z "$containers" ]; then + running_containers=0 + else + running_containers=1 + fi + for test in tests/*.sh do . ./"$test" done + if [ -z "$check" ]; then + cis + else + "$check" + fi + printf "\n" info "Checks: $totalChecks" info "Score: $currentScore" From d92a8abe13adfdf206ce7cdf16eb824a6765ec07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 16 Jan 2018 13:45:06 +0100 Subject: [PATCH 2/5] update README with examples MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- README.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c2ad3a8..a212808 100644 --- a/README.md +++ b/README.md @@ -43,7 +43,24 @@ Distribution specific Dockerfiles that fixes this issue are available in the The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros) may also help if the distribution you're using haven't yet shipped Docker -version 1.10.0 or later. +version 1.13.0 or later. + +### Docker Bench for Security options + +```sh + -h optional Print this help message + -l FILE optional Log output in FILE + -c CHECK optional Run specific check +``` + +By default the Docker Bench for Security script will run all available tests and +produce logs in the current directory named `docker-bench-security.sh.log.json` +and `docker-bench-security.sh.log`. +The CIS based checks are named `check_
_`, e.g. `check_2_6` +and community contributed checks are named `check_c_`. +A complete list of checks are present in [functions_lib.sh](functions_lib.sh). + +`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2` ## Building Docker Bench for Security From 50ca5fc7ffdf556bf0be30cf0ef6ac9a35154391 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 16 Jan 2018 13:45:45 +0100 Subject: [PATCH 3/5] add function helper MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- functions_lib.sh | 161 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 161 insertions(+) create mode 100644 functions_lib.sh diff --git a/functions_lib.sh b/functions_lib.sh new file mode 100644 index 0000000..7d7d0e6 --- /dev/null +++ b/functions_lib.sh @@ -0,0 +1,161 @@ +#!/bin/sh + +host_configuration() { + check_1 + check_1_1 + check_1_2 + check_1_3 + check_1_4 + check_1_5 + check_1_6 + check_1_7 + check_1_8 + check_1_9 + check_1_10 + check_1_11 + check_1_12 + check_1_13 +} + +docker_daemon_configuration() { + check_2 + check_2_1 + check_2_2 + check_2_3 + check_2_4 + check_2_5 + check_2_6 + check_2_7 + check_2_8 + check_2_9 + check_2_10 + check_2_11 + check_2_12 + check_2_13 + check_2_14 + check_2_15 + check_2_16 + check_2_17 + check_2_18 +} + +docker_daemon_files() { + check_3 + check_3_1 + check_3_2 + check_3_3 + check_3_4 + check_3_5 + check_3_6 + check_3_7 + check_3_8 + check_3_9 + check_3_10 + check_3_11 + check_3_12 + check_3_13 + check_3_14 + check_3_15 + check_3_16 + check_3_17 + check_3_18 + check_3_19 + check_3_20 +} + +container_images() { + check_4 + check_4_1 + check_4_2 + check_4_3 + check_4_4 + check_4_5 + check_4_6 + check_4_7 + check_4_8 + check_4_9 + check_4_10 + check_4_11 +} + +container_runtime() { + check_5 + check_running_containers + check_5_1 + check_5_2 + check_5_3 + check_5_4 + check_5_5 + check_5_6 + check_5_7 + check_5_8 + check_5_9 + check_5_10 + check_5_11 + check_5_12 + check_5_13 + check_5_14 + check_5_15 + check_5_16 + check_5_17 + check_5_18 + check_5_19 + check_5_20 + check_5_21 + check_5_22 + check_5_23 + check_5_24 + check_5_25 + check_5_26 + check_5_27 + check_5_28 + check_5_29 + check_5_30 + check_5_31 +} + +docker_security_operations() { + check_6 + check_6_1 + check_6_2 +} + +docker_swarm_configuration() { + check_7 + check_7_1 + check_7_2 + check_7_3 + check_7_5 + check_7_6 + check_7_7 + check_7_8 + check_7_9 + check_7_10 +} + +community_checks() { + # check_c_1 + true; +} + +# CIS +cis() { + host_configuration + docker_daemon_configuration + docker_daemon_files + container_images + container_runtime + docker_security_operations + docker_swarm_configuration +} + +# Community contributed +community() { + community_checks +} + +# All +all() { + cis + community +} From dc369a6bad071a777e0931f97a409fda869c5a35 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 16 Jan 2018 13:46:08 +0100 Subject: [PATCH 4/5] move audit rules default path variable MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- helper_lib.sh | 3 +++ 1 file changed, 3 insertions(+) diff --git a/helper_lib.sh b/helper_lib.sh index 6dea993..6e675b4 100644 --- a/helper_lib.sh +++ b/helper_lib.sh @@ -3,6 +3,9 @@ # Returns the absolute path of a given string abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; } +# Audit rules default path +auditrules="/etc/audit/audit.rules" + # Compares versions of software of the format X.Y.Z do_version_check() { [ "$1" = "$2" ] && return 10 From 8142de833421c4608126309ee6d2ed316a143f9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?= Date: Tue, 16 Jan 2018 13:46:49 +0100 Subject: [PATCH 5/5] convert all checks to functions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Sjögren --- tests/1_host_configuration.sh | 461 +++++----- tests/2_docker_daemon_configuration.sh | 617 +++++++------- tests/3_docker_daemon_configuration_files.sh | 838 ++++++++++--------- tests/4_container_images.sh | 340 ++++---- tests/5_container_runtime.sh | 273 +++++- tests/6_docker_security_operations.sh | 74 +- tests/7_docker_swarm_configuration.sh | 294 ++++--- 7 files changed, 1624 insertions(+), 1273 deletions(-) diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh index cf45ab0..ce22dae 100644 --- a/tests/1_host_configuration.sh +++ b/tests/1_host_configuration.sh @@ -1,72 +1,91 @@ #!/bin/sh -logit "" -info "1 - Host Configuration" -auditrules="/etc/audit/audit.rules" +check_1() { + logit "" + info "1 - Host Configuration" +} # 1.1 -check_1_1="1.1 - Ensure a separate partition for containers has been created" -totalChecks=$((totalChecks + 1)) +check_1_1() { + check_1_1="1.1 - Ensure a separate partition for containers has been created" + totalChecks=$((totalChecks + 1)) -if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then - pass "$check_1_1" - logjson "1.1" "PASS" - currentScore=$((currentScore + 1)) -elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then - pass "$check_1_1" - logjson "1.1" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_1_1" - logjson "1.1" "WARN" - currentScore=$((currentScore - 1)) -fi + if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then + pass "$check_1_1" + logjson "1.1" "PASS" + currentScore=$((currentScore + 1)) + elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then + pass "$check_1_1" + logjson "1.1" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_1" + logjson "1.1" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 1.2 -check_1_2="1.2 - Ensure the container host has been Hardened" -totalChecks=$((totalChecks + 1)) -note "$check_1_2" -logjson "1.2" "INFO" -currentScore=$((currentScore - 0)) +check_1_2() { + check_1_2="1.2 - Ensure the container host has been Hardened" + totalChecks=$((totalChecks + 1)) + note "$check_1_2" + logjson "1.2" "INFO" + currentScore=$((currentScore - 0)) +} # 1.3 -check_1_3="1.3 - Ensure Docker is up to date" -totalChecks=$((totalChecks + 1)) -docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ - | awk '{print $NF; exit}' | tr -d '[:alpha:]-,') -docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" -do_version_check "$docker_current_version" "$docker_version" -if [ $? -eq 11 ]; then - info "$check_1_3" - info " * Using $docker_version, verify is it up to date as deemed necessary" - info " * Your operating system vendor may provide support and security maintenance for Docker" - logjson "1.3" "INFO" - currentScore=$((currentScore - 0)) -else - pass "$check_1_3" - info " * Using $docker_version which is current" - info " * Check with your operating system vendor for support and security maintenance for Docker" - logjson "1.3" "PASS" - currentScore=$((currentScore - 0)) -fi +check_1_3() { + check_1_3="1.3 - Ensure Docker is up to date" + totalChecks=$((totalChecks + 1)) + docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ + | awk '{print $NF; exit}' | tr -d '[:alpha:]-,') + docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" + do_version_check "$docker_current_version" "$docker_version" + if [ $? -eq 11 ]; then + info "$check_1_3" + info " * Using $docker_version, verify is it up to date as deemed necessary" + info " * Your operating system vendor may provide support and security maintenance for Docker" + logjson "1.3" "INFO" + currentScore=$((currentScore - 0)) + else + pass "$check_1_3" + info " * Using $docker_version which is current" + info " * Check with your operating system vendor for support and security maintenance for Docker" + logjson "1.3" "PASS" + currentScore=$((currentScore - 0)) + fi +} # 1.4 -check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon" -totalChecks=$((totalChecks + 1)) -docker_users=$(getent group docker) -info "$check_1_4" -for u in $docker_users; do - info " * $u" - logjson "1.4" "$u" -done -currentScore=$((currentScore - 0)) +check_1_4() { + check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon" + totalChecks=$((totalChecks + 1)) + docker_users=$(getent group docker) + info "$check_1_4" + for u in $docker_users; do + info " * $u" + logjson "1.4" "$u" + done + currentScore=$((currentScore - 0)) +} # 1.5 -check_1_5="1.5 - Ensure auditing is configured for the Docker daemon" -totalChecks=$((totalChecks + 1)) -file="/usr/bin/docker " -if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep "$file" >/dev/null 2>&1; then +check_1_5() { + check_1_5="1.5 - Ensure auditing is configured for the Docker daemon" + totalChecks=$((totalChecks + 1)) + file="/usr/bin/docker " + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep "$file" >/dev/null 2>&1; then + pass "$check_1_5" + logjson "1.5" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_5" + logjson "1.5" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_5" logjson "1.5" "PASS" currentScore=$((currentScore + 1)) @@ -75,23 +94,25 @@ if command -v auditctl >/dev/null 2>&1; then logjson "1.5" "WARN" currentScore=$((currentScore - 1)) fi -elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_5" - logjson "1.5" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_1_5" - logjson "1.5" "WARN" - currentScore=$((currentScore - 1)) -fi +} # 1.6 -check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker" -totalChecks=$((totalChecks + 1)) -directory="/var/lib/docker" -if [ -d "$directory" ]; then - if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep $directory >/dev/null 2>&1; then +check_1_6() { + check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker" + totalChecks=$((totalChecks + 1)) + directory="/var/lib/docker" + if [ -d "$directory" ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $directory >/dev/null 2>&1; then + pass "$check_1_6" + logjson "1.6" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_6" + logjson "1.6" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_6" logjson "1.6" "PASS" currentScore=$((currentScore + 1)) @@ -100,29 +121,31 @@ if [ -d "$directory" ]; then logjson "1.6" "WARN" currentScore=$((currentScore - 1)) fi - elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_6" - logjson "1.6" "PASS" - currentScore=$((currentScore + 1)) else - warn "$check_1_6" - logjson "1.6" "WARN" - currentScore=$((currentScore - 1)) + info "$check_1_6" + info " * Directory not found" + logjson "1.6" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_1_6" - info " * Directory not found" - logjson "1.6" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 1.7 -check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker" -totalChecks=$((totalChecks + 1)) -directory="/etc/docker" -if [ -d "$directory" ]; then - if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep $directory >/dev/null 2>&1; then +check_1_7() { + check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker" + totalChecks=$((totalChecks + 1)) + directory="/etc/docker" + if [ -d "$directory" ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $directory >/dev/null 2>&1; then + pass "$check_1_7" + logjson "1.7" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_7" + logjson "1.7" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_7" logjson "1.7" "PASS" currentScore=$((currentScore + 1)) @@ -131,29 +154,31 @@ if [ -d "$directory" ]; then logjson "1.7" "WARN" currentScore=$((currentScore - 1)) fi - elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_7" - logjson "1.7" "PASS" - currentScore=$((currentScore + 1)) else - warn "$check_1_7" - logjson "1.7" "WARN" - currentScore=$((currentScore - 1)) - fi -else - info "$check_1_7" - info " * Directory not found" - logjson "1.7" "INFO" - currentScore=$((currentScore + 0)) + info "$check_1_7" + info " * Directory not found" + logjson "1.7" "INFO" + currentScore=$((currentScore + 0)) fi +} # 1.8 -check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service" -totalChecks=$((totalChecks + 1)) -file="$(get_systemd_service_file docker.service)" -if [ -f "$file" ]; then - if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep "$file" >/dev/null 2>&1; then +check_1_8() { + check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service" + totalChecks=$((totalChecks + 1)) + file="$(get_systemd_service_file docker.service)" + if [ -f "$file" ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep "$file" >/dev/null 2>&1; then + pass "$check_1_8" + logjson "1.8" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_8" + logjson "1.8" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_8" logjson "1.8" "PASS" currentScore=$((currentScore + 1)) @@ -162,29 +187,31 @@ if [ -f "$file" ]; then logjson "1.8" "WARN" currentScore=$((currentScore - 1)) fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_8" - logjson "1.8" "PASS" - currentScore=$((currentScore + 1)) else - warn "$check_1_8" - logjson "1.8" "WARN" - currentScore=$((currentScore - 1)) + info "$check_1_8" + info " * File not found" + logjson "1.8" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_1_8" - info " * File not found" - logjson "1.8" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 1.9 -check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket" -totalChecks=$((totalChecks + 1)) -file="$(get_systemd_service_file docker.socket)" -if [ -e "$file" ]; then - if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep "$file" >/dev/null 2>&1; then +check_1_9() { + check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket" + totalChecks=$((totalChecks + 1)) + file="$(get_systemd_service_file docker.socket)" + if [ -e "$file" ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep "$file" >/dev/null 2>&1; then + pass "$check_1_9" + logjson "1.9" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_9" + logjson "1.9" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_9" logjson "1.9" "PASS" currentScore=$((currentScore + 1)) @@ -193,29 +220,31 @@ if [ -e "$file" ]; then logjson "1.9" "WARN" currentScore=$((currentScore - 1)) fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_9" - logjson "1.9" "PASS" - currentScore=$((currentScore + 1)) else - warn "$check_1_9" - logjson "1.9" "WARN" - currentScore=$((currentScore - 1)) + info "$check_1_9" + info " * File not found" + logjson "1.9" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_1_9" - info " * File not found" - logjson "1.9" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 1.10 -check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker" -totalChecks=$((totalChecks + 1)) -file="/etc/default/docker" -if [ -f "$file" ]; then - if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep $file >/dev/null 2>&1; then +check_1_10() { + check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker" + totalChecks=$((totalChecks + 1)) + file="/etc/default/docker" + if [ -f "$file" ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $file >/dev/null 2>&1; then + pass "$check_1_10" + logjson "1.10" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_10" + logjson "1.10" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_10" logjson "1.10" "PASS" currentScore=$((currentScore + 1)) @@ -224,29 +253,31 @@ if [ -f "$file" ]; then logjson "1.10" "WARN" currentScore=$((currentScore - 1)) fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_10" - logjson "1.10" "PASS" - currentScore=$((currentScore + 1)) else - warn "$check_1_10" - logjson "1.10" "WARN" - currentScore=$((currentScore - 1)) + info "$check_1_10" + info " * File not found" + logjson "1.10" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_1_10" - info " * File not found" - logjson "1.10" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 1.11 -check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json" -totalChecks=$((totalChecks + 1)) -file="/etc/docker/daemon.json" -if [ -f "$file" ]; then - if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep $file >/dev/null 2>&1; then +check_1_11() { + check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json" + totalChecks=$((totalChecks + 1)) + file="/etc/docker/daemon.json" + if [ -f "$file" ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $file >/dev/null 2>&1; then + pass "$check_1_11" + logjson "1.11" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_11" + logjson "1.11" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_11" logjson "1.11" "PASS" currentScore=$((currentScore + 1)) @@ -255,29 +286,31 @@ if [ -f "$file" ]; then logjson "1.11" "WARN" currentScore=$((currentScore - 1)) fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_11" - logjson "1.11" "PASS" - currentScore=$((currentScore + 1)) else - warn "$check_1_11" - logjson "1.11" "WARN" - currentScore=$((currentScore - 1)) + info "$check_1_11" + info " * File not found" + logjson "1.11" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_1_11" - info " * File not found" - logjson "1.11" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 1.12 -check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd" -totalChecks=$((totalChecks + 1)) -file="/usr/bin/docker-containerd" -if [ -f "$file" ]; then - if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep $file >/dev/null 2>&1; then +check_1_12() { + check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd" + totalChecks=$((totalChecks + 1)) + file="/usr/bin/docker-containerd" + if [ -f "$file" ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $file >/dev/null 2>&1; then + pass "$check_1_12" + logjson "1.12" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_12" + logjson "1.12" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_12" logjson "1.12" "PASS" currentScore=$((currentScore + 1)) @@ -286,29 +319,31 @@ if [ -f "$file" ]; then logjson "1.12" "WARN" currentScore=$((currentScore - 1)) fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_12" - logjson "1.12" "PASS" - currentScore=$((currentScore + 1)) else - warn "$check_1_12" - logjson "1.12" "WARN" - currentScore=$((currentScore - 1)) + info "$check_1_12" + info " * File not found" + logjson "1.12" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_1_12" - info " * File not found" - logjson "1.12" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 1.13 -check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc" -totalChecks=$((totalChecks + 1)) -file="/usr/bin/docker-runc" -if [ -f "$file" ]; then - if command -v auditctl >/dev/null 2>&1; then - if auditctl -l | grep $file >/dev/null 2>&1; then +check_1_13() { + check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc" + totalChecks=$((totalChecks + 1)) + file="/usr/bin/docker-runc" + if [ -f "$file" ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $file >/dev/null 2>&1; then + pass "$check_1_13" + logjson "1.13" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_1_13" + logjson "1.13" "WARN" + currentScore=$((currentScore - 1)) + fi + elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then pass "$check_1_13" logjson "1.13" "PASS" currentScore=$((currentScore + 1)) @@ -317,18 +352,10 @@ if [ -f "$file" ]; then logjson "1.13" "WARN" currentScore=$((currentScore - 1)) fi - elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then - pass "$check_1_13" - logjson "1.13" "PASS" - currentScore=$((currentScore + 1)) else - warn "$check_1_13" - logjson "1.13" "WARN" - currentScore=$((currentScore - 1)) + info "$check_1_13" + info " * File not found" + logjson "1.13" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_1_13" - info " * File not found" - logjson "1.13" "INFO" - currentScore=$((currentScore + 0)) -fi +} diff --git a/tests/2_docker_daemon_configuration.sh b/tests/2_docker_daemon_configuration.sh index 6c459a1..b5942dc 100644 --- a/tests/2_docker_daemon_configuration.sh +++ b/tests/2_docker_daemon_configuration.sh @@ -1,119 +1,151 @@ #!/bin/sh -logit "\n" -info "2 - Docker daemon configuration" +check_2() { + logit "\n" + info "2 - Docker daemon configuration" +} # 2.1 -check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge" -totalChecks=$((totalChecks + 1)) -if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then - pass "$check_2_1" - logjson "2.1" "PASS" - currentScore=$((currentScore + 1)) -elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then - pass "$check_2_1" - logjson "2.1" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_2_1" - logjson "2.1" "WARN" - currentScore=$((currentScore - 1)) -fi +check_2_1() { + check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge" + totalChecks=$((totalChecks + 1)) + if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then + pass "$check_2_1" + logjson "2.1" "PASS" + currentScore=$((currentScore + 1)) + elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then + pass "$check_2_1" + logjson "2.1" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_1" + logjson "2.1" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 2.2 -check_2_2="2.2 - Ensure the logging level is set to 'info'" -totalChecks=$((totalChecks + 1)) -if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then - if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then - pass "$check_2_2" - logjson "2.2" "PASS" - currentScore=$((currentScore + 1)) - elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then - pass "$check_2_2" - logjson "2.2" "PASS" - currentScore=$((currentScore + 1)) +check_2_2() { + check_2_2="2.2 - Ensure the logging level is set to 'info'" + totalChecks=$((totalChecks + 1)) + if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then + if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then + pass "$check_2_2" + logjson "2.2" "PASS" + currentScore=$((currentScore + 1)) + elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then + pass "$check_2_2" + logjson "2.2" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_2" + logjson "2.2" "WARN" + currentScore=$((currentScore - 1)) + fi + elif get_docker_effective_command_line_args '-l'; then + if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then + pass "$check_2_2" + logjson "2.2" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_2" + logjson "2.2" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_2_2" - logjson "2.2" "WARN" - currentScore=$((currentScore - 1)) - fi -elif get_docker_effective_command_line_args '-l'; then - if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then pass "$check_2_2" logjson "2.2" "PASS" currentScore=$((currentScore + 1)) - else - warn "$check_2_2" - logjson "2.2" "WARN" - currentScore=$((currentScore - 1)) fi -else - pass "$check_2_2" - logjson "2.2" "PASS" - currentScore=$((currentScore + 1)) -fi +} # 2.3 -check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables" -totalChecks=$((totalChecks + 1)) -if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then - warn "$check_2_3" - logjson "2.3" "WARN" - currentScore=$((currentScore - 1)) -elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then - warn "$check_2_3" - logjson "2.3" "WARN" - currentScore=$((currentScore - 1)) -else - pass "$check_2_3" - logjson "2.3" "PASS" - currentScore=$((currentScore + 1)) -fi +check_2_3() { + check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables" + totalChecks=$((totalChecks + 1)) + if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then + warn "$check_2_3" + logjson "2.3" "WARN" + currentScore=$((currentScore - 1)) + elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then + warn "$check_2_3" + logjson "2.3" "WARN" + currentScore=$((currentScore - 1)) + else + pass "$check_2_3" + logjson "2.3" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 2.4 -check_2_4="2.4 - Ensure insecure registries are not used" -totalChecks=$((totalChecks + 1)) -if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then - warn "$check_2_4" - logjson "2.4" "WARN" - currentScore=$((currentScore - 1)) -elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then - if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then - pass "$check_2_4" - logjson "2.4" "PASS" - currentScore=$((currentScore + 1)) - else +check_2_4() { + check_2_4="2.4 - Ensure insecure registries are not used" + totalChecks=$((totalChecks + 1)) + if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then warn "$check_2_4" logjson "2.4" "WARN" currentScore=$((currentScore - 1)) + elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then + if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then + pass "$check_2_4" + logjson "2.4" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_4" + logjson "2.4" "WARN" + currentScore=$((currentScore - 1)) + fi + else + pass "$check_2_4" + logjson "2.4" "PASS" + currentScore=$((currentScore + 1)) fi -else - pass "$check_2_4" - logjson "2.4" "PASS" - currentScore=$((currentScore + 1)) -fi +} # 2.5 -check_2_5="2.5 - Ensure aufs storage driver is not used" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then - warn "$check_2_5" - logjson "2.5" "WARN" - currentScore=$((currentScore - 1)) -else - pass "$check_2_5" - logjson "2.5" "PASS" - currentScore=$((currentScore + 1)) -fi +check_2_5() { + check_2_5="2.5 - Ensure aufs storage driver is not used" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then + warn "$check_2_5" + logjson "2.5" "WARN" + currentScore=$((currentScore - 1)) + else + pass "$check_2_5" + logjson "2.5" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 2.6 -check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured" -totalChecks=$((totalChecks + 1)) -if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then - if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ - [ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then - if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then - if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then +check_2_6() { + check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured" + totalChecks=$((totalChecks + 1)) + if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then + if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ + [ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then + if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then + if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then + pass "$check_2_6" + logjson "2.6" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_6" + warn " * Docker daemon currently listening on TCP with TLS, but no verification" + logjson "2.6" "WARN" + currentScore=$((currentScore - 1)) + fi + fi + else + warn "$check_2_6" + warn " * Docker daemon currently listening on TCP without TLS" + logjson "2.6" "WARN" + currentScore=$((currentScore - 1)) + fi + elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then + if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then + if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then pass "$check_2_6" logjson "2.6" "PASS" currentScore=$((currentScore + 1)) @@ -123,236 +155,241 @@ if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then logjson "2.6" "WARN" currentScore=$((currentScore - 1)) fi - fi - else - warn "$check_2_6" - warn " * Docker daemon currently listening on TCP without TLS" - logjson "2.6" "WARN" - currentScore=$((currentScore - 1)) - fi -elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then - if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then - if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then - pass "$check_2_6" - logjson "2.6" "PASS" - currentScore=$((currentScore + 1)) else warn "$check_2_6" - warn " * Docker daemon currently listening on TCP with TLS, but no verification" + warn " * Docker daemon currently listening on TCP without TLS" logjson "2.6" "WARN" currentScore=$((currentScore - 1)) fi else - warn "$check_2_6" - warn " * Docker daemon currently listening on TCP without TLS" - logjson "2.6" "WARN" - currentScore=$((currentScore - 1)) + info "$check_2_6" + info " * Docker daemon not listening on TCP" + logjson "2.6" "INFO" + currentScore=$((currentScore +0)) fi -else - info "$check_2_6" - info " * Docker daemon not listening on TCP" - logjson "2.6" "INFO" - currentScore=$((currentScore +0)) -fi - +} # 2.7 -check_2_7="2.7 - Ensure the default ulimit is configured appropriately" -totalChecks=$((totalChecks + 1)) -if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then - pass "$check_2_7" - logjson "2.7" "PASS" - currentScore=$((currentScore + 1)) -elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then - pass "$check_2_7" - logjson "2.7" "PASS" - currentScore=$((currentScore + 1)) -else - info "$check_2_7" - info " * Default ulimit doesn't appear to be set" - logjson "2.7" "INFO" - currentScore=$((currentScore + 0)) -fi +check_2_7() { + check_2_7="2.7 - Ensure the default ulimit is configured appropriately" + totalChecks=$((totalChecks + 1)) + if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then + pass "$check_2_7" + logjson "2.7" "PASS" + currentScore=$((currentScore + 1)) + elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then + pass "$check_2_7" + logjson "2.7" "PASS" + currentScore=$((currentScore + 1)) + else + info "$check_2_7" + info " * Default ulimit doesn't appear to be set" + logjson "2.7" "INFO" + currentScore=$((currentScore + 0)) + fi +} # 2.8 -check_2_8="2.8 - Enable user namespace support" -totalChecks=$((totalChecks + 1)) -if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then - pass "$check_2_8" - logjson "2.8" "PASS" - currentScore=$((currentScore + 1)) -elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then - pass "$check_2_8" - logjson "2.8" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_2_8" - logjson "2.8" "WARN" - currentScore=$((currentScore - 1)) -fi +check_2_8() { + check_2_8="2.8 - Enable user namespace support" + totalChecks=$((totalChecks + 1)) + if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then + pass "$check_2_8" + logjson "2.8" "PASS" + currentScore=$((currentScore + 1)) + elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then + pass "$check_2_8" + logjson "2.8" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_8" + logjson "2.8" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 2.9 -check_2_9="2.9 - Ensure the default cgroup usage has been confirmed" -totalChecks=$((totalChecks + 1)) -if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then - warn "$check_2_9" - info " * Confirm cgroup usage" - logjson "2.9" "INFO" - currentScore=$((currentScore + 0)) -elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then - warn "$check_2_9" - info " * Confirm cgroup usage" - logjson "2.9" "INFO" - currentScore=$((currentScore + 0)) -else - pass "$check_2_9" - logjson "2.9" "PASS" - currentScore=$((currentScore + 1)) -fi +check_2_9() { + check_2_9="2.9 - Ensure the default cgroup usage has been confirmed" + totalChecks=$((totalChecks + 1)) + if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then + warn "$check_2_9" + info " * Confirm cgroup usage" + logjson "2.9" "INFO" + currentScore=$((currentScore + 0)) + elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then + warn "$check_2_9" + info " * Confirm cgroup usage" + logjson "2.9" "INFO" + currentScore=$((currentScore + 0)) + else + pass "$check_2_9" + logjson "2.9" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 2.10 -check_2_10="2.10 - Ensure base device size is not changed until needed" -totalChecks=$((totalChecks + 1)) -if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then - warn "$check_2_10" - logjson "2.10" "WARN" - currentScore=$((currentScore - 1)) -elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then - warn "$check_2_10" - logjson "2.10" "WARN" - currentScore=$((currentScore - 1)) -else - pass "$check_2_10" - logjson "2.10" "PASS" - currentScore=$((currentScore + 1)) -fi +check_2_10() { + check_2_10="2.10 - Ensure base device size is not changed until needed" + totalChecks=$((totalChecks + 1)) + if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then + warn "$check_2_10" + logjson "2.10" "WARN" + currentScore=$((currentScore - 1)) + elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then + warn "$check_2_10" + logjson "2.10" "WARN" + currentScore=$((currentScore - 1)) + else + pass "$check_2_10" + logjson "2.10" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 2.11 -check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled" -totalChecks=$((totalChecks + 1)) -if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then - pass "$check_2_11" - logjson "2.11" "PASS" - currentScore=$((currentScore + 1)) -elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then - pass "$check_2_11" - logjson "2.11" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_2_11" - logjson "2.11" "WARN" - currentScore=$((currentScore - 1)) -fi +check_2_11() { + check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled" + totalChecks=$((totalChecks + 1)) + if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then + pass "$check_2_11" + logjson "2.11" "PASS" + currentScore=$((currentScore + 1)) + elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then + pass "$check_2_11" + logjson "2.11" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_11" + logjson "2.11" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 2.12 -check_2_12="2.12 - Ensure centralized and remote logging is configured" -totalChecks=$((totalChecks + 1)) -if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then - warn "$check_2_12" - logjson "2.12" "WARN" - currentScore=$((currentScore - 1)) -else - pass "$check_2_12" - logjson "2.12" "PASS" - currentScore=$((currentScore + 1)) -fi +check_2_12() { + check_2_12="2.12 - Ensure centralized and remote logging is configured" + totalChecks=$((totalChecks + 1)) + if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then + warn "$check_2_12" + logjson "2.12" "WARN" + currentScore=$((currentScore - 1)) + else + pass "$check_2_12" + logjson "2.12" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 2.13 -check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled" -totalChecks=$((totalChecks + 1)) -if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then - pass "$check_2_13" - logjson "2.13" "PASS" - currentScore=$((currentScore + 1)) -elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then - pass "$check_2_13" - logjson "2.13" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_2_13" - logjson "2.13" "WARN" - currentScore=$((currentScore - 1)) -fi +check_2_13() { + check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled" + totalChecks=$((totalChecks + 1)) + if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then + pass "$check_2_13" + logjson "2.13" "PASS" + currentScore=$((currentScore + 1)) + elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then + pass "$check_2_13" + logjson "2.13" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_13" + logjson "2.13" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 2.14 -check_2_14="2.14 - Ensure live restore is Enabled" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then - pass "$check_2_14" - logjson "2.14" "PASS" - currentScore=$((currentScore + 1)) -else - if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then - pass "$check_2_14 (Incompatible with swarm mode)" - logjson "2.14" "PASS" - currentScore=$((currentScore + 1)) - elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then +check_2_14() { + check_2_14="2.14 - Ensure live restore is Enabled" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then pass "$check_2_14" logjson "2.14" "PASS" currentScore=$((currentScore + 1)) else - warn "$check_2_14" - logjson "2.14" "WARN" - currentScore=$((currentScore - 1)) + if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then + pass "$check_2_14 (Incompatible with swarm mode)" + logjson "2.14" "PASS" + currentScore=$((currentScore + 1)) + elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then + pass "$check_2_14" + logjson "2.14" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_14" + logjson "2.14" "WARN" + currentScore=$((currentScore - 1)) + fi fi -fi +} # 2.15 -check_2_15="2.15 - Ensure Userland Proxy is Disabled" -totalChecks=$((totalChecks + 1)) -if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then - pass "$check_2_15" - logjson "2.15" "PASS" - currentScore=$((currentScore + 1)) -elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then - pass "$check_2_15" - logjson "2.15" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_2_15" - logjson "2.15" "WARN" - currentScore=$((currentScore - 1)) -fi +check_2_15() { + check_2_15="2.15 - Ensure Userland Proxy is Disabled" + totalChecks=$((totalChecks + 1)) + if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then + pass "$check_2_15" + logjson "2.15" "PASS" + currentScore=$((currentScore + 1)) + elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then + pass "$check_2_15" + logjson "2.15" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_15" + logjson "2.15" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 2.16 -check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed" -totalChecks=$((totalChecks + 1)) -if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then - pass "$check_2_16" - logjson "2.16" "PASS" - currentScore=$((currentScore + 1)) -else - info "$check_2_16" - logjson "2.16" "INFO" - currentScore=$((currentScore + 0)) -fi +check_2_16() { + check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed" + totalChecks=$((totalChecks + 1)) + if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then + pass "$check_2_16" + logjson "2.16" "PASS" + currentScore=$((currentScore + 1)) + else + info "$check_2_16" + logjson "2.16" "INFO" + currentScore=$((currentScore + 0)) + fi +} # 2.17 -check_2_17="2.17 - Ensure experimental features are avoided in production" -totalChecks=$((totalChecks + 1)) -if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then - pass "$check_2_17" - logjson "2.17" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_2_17" - logjson "2.17" "WARN" - currentScore=$((currentScore - 1)) -fi +check_2_17() { + check_2_17="2.17 - Ensure experimental features are avoided in production" + totalChecks=$((totalChecks + 1)) + if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then + pass "$check_2_17" + logjson "2.17" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_17" + logjson "2.17" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 2.18 -check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges" -totalChecks=$((totalChecks + 1)) -if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then - pass "$check_2_18" - logjson "2.18" "PASS" - currentScore=$((currentScore + 1)) -elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then - pass "$check_2_18" - logjson "2.18" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_2_18" - logjson "2.18" "WARN" - currentScore=$((currentScore - 1)) -fi +check_2_18() { + check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges" + totalChecks=$((totalChecks + 1)) + if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then + pass "$check_2_18" + logjson "2.18" "PASS" + currentScore=$((currentScore + 1)) + elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then + pass "$check_2_18" + logjson "2.18" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_2_18" + logjson "2.18" "WARN" + currentScore=$((currentScore - 1)) + fi +} diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh index bd4bf6a..7c2a3a7 100644 --- a/tests/3_docker_daemon_configuration_files.sh +++ b/tests/3_docker_daemon_configuration_files.sh @@ -1,482 +1,524 @@ #!/bin/sh -logit "\n" -info "3 - Docker daemon configuration files" +check_3() { + logit "\n" + info "3 - Docker daemon configuration files" +} # 3.1 -check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -file="$(get_systemd_service_file docker.service)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_1" - logjson "3.1" "PASS" - currentScore=$((currentScore + 1)) +check_3_1() { + check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + file="$(get_systemd_service_file docker.service)" + if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_3_1" + logjson "3.1" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_1" + warn " * Wrong ownership for $file" + logjson "3.1" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_1" - warn " * Wrong ownership for $file" - logjson "3.1" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_1" + info " * File not found" + logjson "3.1" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_1" - info " * File not found" - logjson "3.1" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.2 -check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive" -totalChecks=$((totalChecks + 1)) -file="$(get_systemd_service_file docker.service)" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then - pass "$check_3_2" - logjson "3.2" "PASS" - currentScore=$((currentScore + 1)) +check_3_2() { + check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive" + totalChecks=$((totalChecks + 1)) + file="$(get_systemd_service_file docker.service)" + if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then + pass "$check_3_2" + logjson "3.2" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_2" + warn " * Wrong permissions for $file" + logjson "3.2" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_2" - warn " * Wrong permissions for $file" - logjson "3.2" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_2" + info " * File not found" + logjson "3.2" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_2" - info " * File not found" - logjson "3.2" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.3 -check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -file="$(get_systemd_service_file docker.socket)" -if [ -f "$file" ]; then - if [ "$(stat -c %u%g $file)" -eq 00 ]; then - pass "$check_3_3" - logjson "3.3" "PASS" - currentScore=$((currentScore + 1)) +check_3_3() { + check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + file="$(get_systemd_service_file docker.socket)" + if [ -f "$file" ]; then + if [ "$(stat -c %u%g $file)" -eq 00 ]; then + pass "$check_3_3" + logjson "3.3" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_3" + warn " * Wrong ownership for $file" + logjson "3.3" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_3" - warn " * Wrong ownership for $file" - logjson "3.3" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_3" + info " * File not found" + logjson "3.3" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_3" - info " * File not found" - logjson "3.3" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.4 -check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive" -totalChecks=$((totalChecks + 1)) -file="$(get_systemd_service_file docker.socket)" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then - pass "$check_3_4" - logjson "3.4" "PASS" - currentScore=$((currentScore + 1)) +check_3_4() { + check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive" + totalChecks=$((totalChecks + 1)) + file="$(get_systemd_service_file docker.socket)" + if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then + pass "$check_3_4" + logjson "3.4" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_4" + warn " * Wrong permissions for $file" + logjson "3.4" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_4" - warn " * Wrong permissions for $file" - logjson "3.4" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_4" + info " * File not found" + logjson "3.4" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_4" - info " * File not found" - logjson "3.4" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.5 -check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -directory="/etc/docker" -if [ -d "$directory" ]; then - if [ "$(stat -c %u%g $directory)" -eq 00 ]; then - pass "$check_3_5" - logjson "3.5" "PASS" - currentScore=$((currentScore + 1)) +check_3_5() { + check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + directory="/etc/docker" + if [ -d "$directory" ]; then + if [ "$(stat -c %u%g $directory)" -eq 00 ]; then + pass "$check_3_5" + logjson "3.5" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_5" + warn " * Wrong ownership for $directory" + logjson "3.5" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_5" - warn " * Wrong ownership for $directory" - logjson "3.5" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_5" + info " * Directory not found" + logjson "3.5" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_5" - info " * Directory not found" - logjson "3.5" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.6 -check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive" -totalChecks=$((totalChecks + 1)) -directory="/etc/docker" -if [ -d "$directory" ]; then - if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then - pass "$check_3_6" - logjson "3.6" "PASS" - currentScore=$((currentScore + 1)) +check_3_6() { + check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive" + totalChecks=$((totalChecks + 1)) + directory="/etc/docker" + if [ -d "$directory" ]; then + if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then + pass "$check_3_6" + logjson "3.6" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_6" + warn " * Wrong permissions for $directory" + logjson "3.6" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_6" - warn " * Wrong permissions for $directory" - logjson "3.6" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_6" + info " * Directory not found" + logjson "3.6" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_6" - info " * Directory not found" - logjson "3.6" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.7 -check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -directory="/etc/docker/certs.d/" -if [ -d "$directory" ]; then - fail=0 - owners=$(find "$directory" -type f -name '*.crt') - for p in $owners; do - if [ "$(stat -c %u $p)" -ne 0 ]; then - fail=1 +check_3_7() { + check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + directory="/etc/docker/certs.d/" + if [ -d "$directory" ]; then + fail=0 + owners=$(find "$directory" -type f -name '*.crt') + for p in $owners; do + if [ "$(stat -c %u $p)" -ne 0 ]; then + fail=1 + fi + done + if [ $fail -eq 1 ]; then + warn "$check_3_7" + warn " * Wrong ownership for $directory" + logjson "3.7" "WARN" + currentScore=$((currentScore - 1)) + else + pass "$check_3_7" + logjson "3.7" "PASS" + currentScore=$((currentScore + 1)) fi - done - if [ $fail -eq 1 ]; then - warn "$check_3_7" - warn " * Wrong ownership for $directory" - logjson "3.7" "WARN" - currentScore=$((currentScore - 1)) else - pass "$check_3_7" - logjson "3.7" "PASS" - currentScore=$((currentScore + 1)) + info "$check_3_7" + info " * Directory not found" + logjson "3.7" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_7" - info " * Directory not found" - logjson "3.7" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.8 -check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive" -totalChecks=$((totalChecks + 1)) -directory="/etc/docker/certs.d/" -if [ -d "$directory" ]; then - fail=0 - perms=$(find "$directory" -type f -name '*.crt') - for p in $perms; do - if [ "$(stat -c %a $p)" -ne 444 -a "$(stat -c %a $p)" -ne 400 ]; then - fail=1 +check_3_8() { + check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive" + totalChecks=$((totalChecks + 1)) + directory="/etc/docker/certs.d/" + if [ -d "$directory" ]; then + fail=0 + perms=$(find "$directory" -type f -name '*.crt') + for p in $perms; do + if [ "$(stat -c %a $p)" -ne 444 -a "$(stat -c %a $p)" -ne 400 ]; then + fail=1 + fi + done + if [ $fail -eq 1 ]; then + warn "$check_3_8" + warn " * Wrong permissions for $directory" + logjson "3.8" "WARN" + currentScore=$((currentScore - 1)) + else + pass "$check_3_8" + logjson "3.8" "PASS" + currentScore=$((currentScore + 1)) fi - done - if [ $fail -eq 1 ]; then - warn "$check_3_8" - warn " * Wrong permissions for $directory" - logjson "3.8" "WARN" - currentScore=$((currentScore - 1)) else - pass "$check_3_8" - logjson "3.8" "PASS" - currentScore=$((currentScore + 1)) + info "$check_3_8" + info " * Directory not found" + logjson "3.8" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_8" - info " * Directory not found" - logjson "3.8" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.9 -check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then - tlscacert=$(get_docker_configuration_file_args 'tlscacert') -else - tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) -fi -if [ -f "$tlscacert" ]; then - if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then - pass "$check_3_9" - logjson "3.9" "PASS" - currentScore=$((currentScore + 1)) +check_3_9() { + check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then + tlscacert=$(get_docker_configuration_file_args 'tlscacert') else - warn "$check_3_9" - warn " * Wrong ownership for $tlscacert" - logjson "3.9" "WARN" - currentScore=$((currentScore - 1)) + tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi -else - info "$check_3_9" - info " * No TLS CA certificate found" - logjson "3.9" "INFO" - currentScore=$((currentScore + 0)) -fi + if [ -f "$tlscacert" ]; then + if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then + pass "$check_3_9" + logjson "3.9" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_9" + warn " * Wrong ownership for $tlscacert" + logjson "3.9" "WARN" + currentScore=$((currentScore - 1)) + fi + else + info "$check_3_9" + info " * No TLS CA certificate found" + logjson "3.9" "INFO" + currentScore=$((currentScore + 0)) + fi +} # 3.10 -check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive" -totalChecks=$((totalChecks + 1)) -if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then - tlscacert=$(get_docker_configuration_file_args 'tlscacert') -else - tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) -fi -if [ -f "$tlscacert" ]; then - if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then - pass "$check_3_10" - logjson "3.10" "PASS" - currentScore=$((currentScore + 1)) +check_3_10() { + check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive" + totalChecks=$((totalChecks + 1)) + if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then + tlscacert=$(get_docker_configuration_file_args 'tlscacert') else - warn "$check_3_10" - warn " * Wrong permissions for $tlscacert" - logjson "3.10" "WARN" - currentScore=$((currentScore - 1)) + tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi -else - info "$check_3_10" - info " * No TLS CA certificate found" - logjson "3.10" "INFO" - currentScore=$((currentScore + 0)) -fi + if [ -f "$tlscacert" ]; then + if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then + pass "$check_3_10" + logjson "3.10" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_10" + warn " * Wrong permissions for $tlscacert" + logjson "3.10" "WARN" + currentScore=$((currentScore - 1)) + fi + else + info "$check_3_10" + info " * No TLS CA certificate found" + logjson "3.10" "INFO" + currentScore=$((currentScore + 0)) + fi +} # 3.11 -check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then - tlscert=$(get_docker_configuration_file_args 'tlscert') -else - tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) -fi -if [ -f "$tlscert" ]; then - if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then - pass "$check_3_11" - logjson "3.11" "PASS" - currentScore=$((currentScore + 1)) +check_3_11() { + check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then + tlscert=$(get_docker_configuration_file_args 'tlscert') else - warn "$check_3_11" - warn " * Wrong ownership for $tlscert" - logjson "3.11" "WARN" - currentScore=$((currentScore - 1)) + tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi -else - info "$check_3_11" - info " * No TLS Server certificate found" - logjson "3.11" "INFO" - currentScore=$((currentScore + 0)) -fi + if [ -f "$tlscert" ]; then + if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then + pass "$check_3_11" + logjson "3.11" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_11" + warn " * Wrong ownership for $tlscert" + logjson "3.11" "WARN" + currentScore=$((currentScore - 1)) + fi + else + info "$check_3_11" + info " * No TLS Server certificate found" + logjson "3.11" "INFO" + currentScore=$((currentScore + 0)) + fi +} # 3.12 -check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive" -totalChecks=$((totalChecks + 1)) -if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then - tlscert=$(get_docker_configuration_file_args 'tlscert') -else - tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) -fi -if [ -f "$tlscert" ]; then - if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then - pass "$check_3_12" - logjson "3.12" "PASS" - currentScore=$((currentScore + 1)) +check_3_12() { + check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive" + totalChecks=$((totalChecks + 1)) + if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then + tlscert=$(get_docker_configuration_file_args 'tlscert') else - warn "$check_3_12" - warn " * Wrong permissions for $tlscert" - logjson "3.12" "WARN" - currentScore=$((currentScore - 1)) + tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi -else - info "$check_3_12" - info " * No TLS Server certificate found" - logjson "3.12" "INFO" - currentScore=$((currentScore + 0)) -fi + if [ -f "$tlscert" ]; then + if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then + pass "$check_3_12" + logjson "3.12" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_12" + warn " * Wrong permissions for $tlscert" + logjson "3.12" "WARN" + currentScore=$((currentScore - 1)) + fi + else + info "$check_3_12" + info " * No TLS Server certificate found" + logjson "3.12" "INFO" + currentScore=$((currentScore + 0)) + fi +} # 3.13 -check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then - tlskey=$(get_docker_configuration_file_args 'tlskey') -else - tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) -fi -if [ -f "$tlskey" ]; then - if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then - pass "$check_3_13" - logjson "3.13" "PASS" - currentScore=$((currentScore + 1)) +check_3_13() { + check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then + tlskey=$(get_docker_configuration_file_args 'tlskey') else - warn "$check_3_13" - warn " * Wrong ownership for $tlskey" - logjson "3.13" "WARN" - currentScore=$((currentScore - 1)) + tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi -else - info "$check_3_13" - info " * No TLS Key found" - logjson "3.13" "INFO" - currentScore=$((currentScore + 0)) -fi + if [ -f "$tlskey" ]; then + if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then + pass "$check_3_13" + logjson "3.13" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_13" + warn " * Wrong ownership for $tlskey" + logjson "3.13" "WARN" + currentScore=$((currentScore - 1)) + fi + else + info "$check_3_13" + info " * No TLS Key found" + logjson "3.13" "INFO" + currentScore=$((currentScore + 0)) + fi +} # 3.14 -check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400" -totalChecks=$((totalChecks + 1)) -if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then - tlskey=$(get_docker_configuration_file_args 'tlskey') -else - tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) -fi -if [ -f "$tlskey" ]; then - if [ "$(stat -c %a $tlskey)" -eq 400 ]; then - pass "$check_3_14" - logjson "3.14" "PASS" - currentScore=$((currentScore + 1)) +check_3_14() { + check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400" + totalChecks=$((totalChecks + 1)) + if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then + tlskey=$(get_docker_configuration_file_args 'tlskey') else - warn "$check_3_14" - warn " * Wrong permissions for $tlskey" - logjson "3.14" "WARN" - currentScore=$((currentScore - 1)) + tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi -else - info "$check_3_14" - info " * No TLS Key found" - logjson "3.14" "INFO" - currentScore=$((currentScore + 0)) -fi + if [ -f "$tlskey" ]; then + if [ "$(stat -c %a $tlskey)" -eq 400 ]; then + pass "$check_3_14" + logjson "3.14" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_14" + warn " * Wrong permissions for $tlskey" + logjson "3.14" "WARN" + currentScore=$((currentScore - 1)) + fi + else + info "$check_3_14" + info " * No TLS Key found" + logjson "3.14" "INFO" + currentScore=$((currentScore + 0)) + fi +} # 3.15 -check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker" -totalChecks=$((totalChecks + 1)) -file="/var/run/docker.sock" -if [ -S "$file" ]; then - if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then - pass "$check_3_15" - logjson "3.15" "PASS" - currentScore=$((currentScore + 1)) +check_3_15() { + check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker" + totalChecks=$((totalChecks + 1)) + file="/var/run/docker.sock" + if [ -S "$file" ]; then + if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then + pass "$check_3_15" + logjson "3.15" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_15" + warn " * Wrong ownership for $file" + logjson "3.15" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_15" - warn " * Wrong ownership for $file" - logjson "3.15" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_15" + info " * File not found" + logjson "3.15" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_15" - info " * File not found" - logjson "3.15" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.16 -check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive" -totalChecks=$((totalChecks + 1)) -file="/var/run/docker.sock" -if [ -S "$file" ]; then - if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then - pass "$check_3_16" - logjson "3.16" "PASS" - currentScore=$((currentScore + 1)) +check_3_16() { + check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive" + totalChecks=$((totalChecks + 1)) + file="/var/run/docker.sock" + if [ -S "$file" ]; then + if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then + pass "$check_3_16" + logjson "3.16" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_16" + warn " * Wrong permissions for $file" + logjson "3.16" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_16" - warn " * Wrong permissions for $file" - logjson "3.16" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_16" + info " * File not found" + logjson "3.16" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_16" - info " * File not found" - logjson "3.16" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.17 -check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -file="/etc/docker/daemon.json" -if [ -f "$file" ]; then - if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then - pass "$check_3_17" - logjson "3.17" "PASS" - currentScore=$((currentScore + 1)) +check_3_17() { + check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + file="/etc/docker/daemon.json" + if [ -f "$file" ]; then + if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then + pass "$check_3_17" + logjson "3.17" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_17" + warn " * Wrong ownership for $file" + logjson "3.17" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_17" - warn " * Wrong ownership for $file" - logjson "3.17" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_17" + info " * File not found" + logjson "3.17" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_17" - info " * File not found" - logjson "3.17" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.18 -check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive" -totalChecks=$((totalChecks + 1)) -file="/etc/docker/daemon.json" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then - pass "$check_3_18" - logjson "3.18" "PASS" - currentScore=$((currentScore + 1)) +check_3_18() { + check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive" + totalChecks=$((totalChecks + 1)) + file="/etc/docker/daemon.json" + if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then + pass "$check_3_18" + logjson "3.18" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_18" + warn " * Wrong permissions for $file" + logjson "3.18" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_18" - warn " * Wrong permissions for $file" - logjson "3.18" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_18" + info " * File not found" + logjson "3.18" "INFO" + currentScore=$((currentScore - 0)) fi -else - info "$check_3_18" - info " * File not found" - logjson "3.18" "INFO" - currentScore=$((currentScore - 0)) -fi +} # 3.19 -check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root" -totalChecks=$((totalChecks + 1)) -file="/etc/default/docker" -if [ -f "$file" ]; then - if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then - pass "$check_3_19" - logjson "3.19" "PASS" - currentScore=$((currentScore + 1)) +check_3_19() { + check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root" + totalChecks=$((totalChecks + 1)) + file="/etc/default/docker" + if [ -f "$file" ]; then + if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then + pass "$check_3_19" + logjson "3.19" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_19" + warn " * Wrong ownership for $file" + logjson "3.19" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_19" - warn " * Wrong ownership for $file" - logjson "3.19" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_19" + info " * File not found" + logjson "3.19" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_19" - info " * File not found" - logjson "3.19" "INFO" - currentScore=$((currentScore + 0)) -fi +} # 3.20 -check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive" -totalChecks=$((totalChecks + 1)) -file="/etc/default/docker" -if [ -f "$file" ]; then - if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then - pass "$check_3_20" - logjson "3.20" "PASS" - currentScore=$((currentScore + 1)) +check_3_20() { + check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive" + totalChecks=$((totalChecks + 1)) + file="/etc/default/docker" + if [ -f "$file" ]; then + if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then + pass "$check_3_20" + logjson "3.20" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_3_20" + warn " * Wrong permissions for $file" + logjson "3.20" "WARN" + currentScore=$((currentScore - 1)) + fi else - warn "$check_3_20" - warn " * Wrong permissions for $file" - logjson "3.20" "WARN" - currentScore=$((currentScore - 1)) + info "$check_3_20" + info " * File not found" + logjson "3.20" "INFO" + currentScore=$((currentScore + 0)) fi -else - info "$check_3_20" - info " * File not found" - logjson "3.20" "INFO" - currentScore=$((currentScore + 0)) -fi +} diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh index 63f6223..8d35267 100644 --- a/tests/4_container_images.sh +++ b/tests/4_container_images.sh @@ -1,182 +1,206 @@ #!/bin/sh -logit "\n" -info "4 - Container Images and Build File" - -# 4.1 -check_4_1="4.1 - Ensure a user for the container has been created" -totalChecks=$((totalChecks + 1)) - -# If container_users is empty, there are no running containers -if [ -z "$containers" ]; then - info "$check_4_1" - info " * No containers running" - logjson "4.1" "INFO" - currentScore=$((currentScore + 0)) -else - # We have some containers running, set failure flag to 0. Check for Users. - fail=0 - # Make the loop separator be a new-line in POSIX compliant fashion - set -f; IFS=$' -' - for c in $containers; do - user=$(docker inspect --format 'User={{.Config.User}}' "$c") - - if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=" ]; then - # If it's the first container, fail the test - if [ $fail -eq 0 ]; then - warn "$check_4_1" - warn " * Running as root: $c" - logjson "4.1" "WARN: $c" - fail=1 - else - warn " * Running as root: $c" - logjson "4.1" "WARN: $c" - fi - fi - done - # We went through all the containers and found none running as root - if [ $fail -eq 0 ]; then - pass "$check_4_1" - logjson "4.1" "PASS" - currentScore=$((currentScore + 1)) - else - currentScore=$((currentScore - 1)) - fi -fi -# Make the loop separator go back to space -set +f; unset IFS - images=$(docker images -q) +check_4() { + logit "\n" + info "4 - Container Images and Build File" +} + +# 4.1 +check_4_1() { + check_4_1="4.1 - Ensure a user for the container has been created" + totalChecks=$((totalChecks + 1)) + + # If container_users is empty, there are no running containers + if [ -z "$containers" ]; then + info "$check_4_1" + info " * No containers running" + logjson "4.1" "INFO" + currentScore=$((currentScore + 0)) + else + # We have some containers running, set failure flag to 0. Check for Users. + fail=0 + # Make the loop separator be a new-line in POSIX compliant fashion + set -f; IFS=$' + ' + for c in $containers; do + user=$(docker inspect --format 'User={{.Config.User}}' "$c") + + if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=" ]; then + # If it's the first container, fail the test + if [ $fail -eq 0 ]; then + warn "$check_4_1" + warn " * Running as root: $c" + logjson "4.1" "WARN: $c" + fail=1 + else + warn " * Running as root: $c" + logjson "4.1" "WARN: $c" + fi + fi + done + # We went through all the containers and found none running as root + if [ $fail -eq 0 ]; then + pass "$check_4_1" + logjson "4.1" "PASS" + currentScore=$((currentScore + 1)) + else + currentScore=$((currentScore - 1)) + fi + fi + # Make the loop separator go back to space + set +f; unset IFS +} + # 4.2 -check_4_2="4.2 - Ensure that containers use trusted base images" -totalChecks=$((totalChecks + 1)) -note "$check_4_2" -logjson "4.2" "NOTE" -currentScore=$((currentScore + 0)) +check_4_2() { + check_4_2="4.2 - Ensure that containers use trusted base images" + totalChecks=$((totalChecks + 1)) + note "$check_4_2" + logjson "4.2" "NOTE" + currentScore=$((currentScore + 0)) +} # 4.3 -check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" -totalChecks=$((totalChecks + 1)) -note "$check_4_3" -logjson "4.3" "NOTE" -currentScore=$((currentScore + 0)) +check_4_3() { + check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" + totalChecks=$((totalChecks + 1)) + note "$check_4_3" + logjson "4.3" "NOTE" + currentScore=$((currentScore + 0)) +} # 4.4 -check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" -totalChecks=$((totalChecks + 1)) -note "$check_4_4" -logjson "4.4" "NOTE" -currentScore=$((currentScore + 0)) +check_4_4() { + check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" + totalChecks=$((totalChecks + 1)) + note "$check_4_4" + logjson "4.4" "NOTE" + currentScore=$((currentScore + 0)) +} # 4.5 -check_4_5="4.5 - Ensure Content trust for Docker is Enabled" -totalChecks=$((totalChecks + 1)) -if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then - pass "$check_4_5" - logjson "4.5" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_4_5" - logjson "4.5" "WARN" - currentScore=$((currentScore - 1)) -fi +check_4_5() { + check_4_5="4.5 - Ensure Content trust for Docker is Enabled" + totalChecks=$((totalChecks + 1)) + if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then + pass "$check_4_5" + logjson "4.5" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_4_5" + logjson "4.5" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 4.6 -check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image" -totalChecks=$((totalChecks + 1)) -fail=0 -for img in $images; do - if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "" >/dev/null 2>&1; then - if [ $fail -eq 0 ]; then - fail=1 - warn "$check_4_6" - logjson "4.6" "WARN" - fi - imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) - if ! [ "$imgName" = '[]' ]; then - warn " * No Healthcheck found: $imgName" - logjson "4.6" "WARN: $imgName" +check_4_6() { + check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image" + totalChecks=$((totalChecks + 1)) + fail=0 + for img in $images; do + if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "" >/dev/null 2>&1; then + if [ $fail -eq 0 ]; then + fail=1 + warn "$check_4_6" + logjson "4.6" "WARN" + fi + imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) + if ! [ "$imgName" = '[]' ]; then + warn " * No Healthcheck found: $imgName" + logjson "4.6" "WARN: $imgName" + fi fi + done + if [ $fail -eq 0 ]; then + pass "$check_4_6" + logjson "4.6" "PASS" + currentScore=$((currentScore + 1)) + else + currentScore=$((currentScore - 1)) fi -done -if [ $fail -eq 0 ]; then - pass "$check_4_6" - logjson "4.6" "PASS" - currentScore=$((currentScore + 1)) -else - currentScore=$((currentScore - 1)) -fi +} # 4.7 -check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile" -totalChecks=$((totalChecks + 1)) -fail=0 -for img in $images; do - if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then - if [ $fail -eq 0 ]; then - fail=1 - info "$check_4_7" - logjson "4.7" "INFO" - fi - imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) - if ! [ "$imgName" = '[]' ]; then - info " * Update instruction found: $imgName" - fi - fi -done -if [ $fail -eq 0 ]; then - pass "$check_4_7" - logjson "4.7" "PASS" - currentScore=$((currentScore + 1)) -else - currentScore=$((currentScore + 0)) -fi - -# 4.8 -check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images" -totalChecks=$((totalChecks + 1)) -note "$check_4_8" -logjson "4.8" "NOTE" -currentScore=$((currentScore + 0)) - -# 4.9 -check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" -totalChecks=$((totalChecks + 1)) -fail=0 -for img in $images; do - docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1 - if [ $? -eq 0 ]; then - if [ $fail -eq 0 ]; then - fail=1 - info "$check_4_9" - logjson "4.9" "INFO" - fi - imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) - if ! [ "$imgName" = '[]' ]; then - info " * ADD in image history: $imgName" - logjson "4.9" "INFO: $imgName" +check_4_7() { + check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile" + totalChecks=$((totalChecks + 1)) + fail=0 + for img in $images; do + if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then + if [ $fail -eq 0 ]; then + fail=1 + info "$check_4_7" + logjson "4.7" "INFO" + fi + imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) + if ! [ "$imgName" = '[]' ]; then + info " * Update instruction found: $imgName" + fi fi + done + if [ $fail -eq 0 ]; then + pass "$check_4_7" + logjson "4.7" "PASS" + currentScore=$((currentScore + 1)) + else currentScore=$((currentScore + 0)) fi -done -if [ $fail -eq 0 ]; then - pass "$check_4_9" - logjson "4.9" "PASS" - currentScore=$((currentScore + 1)) -fi +} + +# 4.8 +check_4_8() { + check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images" + totalChecks=$((totalChecks + 1)) + note "$check_4_8" + logjson "4.8" "NOTE" + currentScore=$((currentScore + 0)) +} + +# 4.9 +check_4_9() { + check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" + totalChecks=$((totalChecks + 1)) + fail=0 + for img in $images; do + docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1 + if [ $? -eq 0 ]; then + if [ $fail -eq 0 ]; then + fail=1 + info "$check_4_9" + logjson "4.9" "INFO" + fi + imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) + if ! [ "$imgName" = '[]' ]; then + info " * ADD in image history: $imgName" + logjson "4.9" "INFO: $imgName" + fi + currentScore=$((currentScore + 0)) + fi + done + if [ $fail -eq 0 ]; then + pass "$check_4_9" + logjson "4.9" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 4.10 -check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" -totalChecks=$((totalChecks + 1)) -note "$check_4_10" -logjson "4.10" "NOTE" -currentScore=$((currentScore + 0)) +check_4_10() { + check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" + totalChecks=$((totalChecks + 1)) + note "$check_4_10" + logjson "4.10" "NOTE" + currentScore=$((currentScore + 0)) +} # 4.11 -check_4_11="4.11 - Ensure verified packages are only Installed" -totalChecks=$((totalChecks + 1)) -note "$check_4_11" -logjson "4.11" "NOTE" -currentScore=$((currentScore + 0)) +check_4_11() { + check_4_11="4.11 - Ensure verified packages are only Installed" + totalChecks=$((totalChecks + 1)) + note "$check_4_11" + logjson "4.11" "NOTE" + currentScore=$((currentScore + 0)) +} diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh index 3330c23..1aca0fe 100644 --- a/tests/5_container_runtime.sh +++ b/tests/5_container_runtime.sh @@ -1,16 +1,29 @@ #!/bin/sh +check_5() { logit "\n" -info "5 - Container Runtime" +info "5 - Container Runtime" +} + +check_running_containers() { + # If containers is empty, there are no running containers + if [ -z "$containers" ]; then + info " * No containers running, skipping Section 5" + running_containers=0 + else + running_containers=1 + # Make the loop separator be a new-line in POSIX compliant fashion + set -f; IFS=$' + ' + fi +} + +# 5.1 +check_5_1() { + if [ "$running_containers" -ne 1 ]; then + return + fi -# If containers is empty, there are no running containers -if [ -z "$containers" ]; then - info " * No containers running, skipping Section 5" -else - # Make the loop separator be a new-line in POSIX compliant fashion - set -f; IFS=$' -' - # 5.1 check_5_1="5.1 - Ensure AppArmor Profile is Enabled" totalChecks=$((totalChecks + 1)) @@ -39,8 +52,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.2 +check_5_2() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.2 check_5_2="5.2 - Ensure SELinux security options are set, if applicable" totalChecks=$((totalChecks + 1)) @@ -69,8 +88,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.3 +check_5_3() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.3 check_5_3="5.3 - Ensure Linux Kernel Capabilities are restricted within containers" totalChecks=$((totalChecks + 1)) @@ -102,8 +127,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.4 +check_5_4() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.4 check_5_4="5.4 - Ensure privileged containers are not used" totalChecks=$((totalChecks + 1)) @@ -132,8 +163,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.5 +check_5_5() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.5 check_5_5="5.5 - Ensure sensitive host system directories are not mounted on containers" totalChecks=$((totalChecks + 1)) @@ -182,8 +219,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.6 +check_5_6() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.6 check_5_6="5.6 - Ensure ssh is not run within containers" totalChecks=$((totalChecks + 1)) @@ -226,8 +269,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.7 +check_5_7() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.7 check_5_7="5.7 - Ensure privileged ports are not mapped within containers" totalChecks=$((totalChecks + 1)) @@ -260,15 +309,27 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.8 +check_5_8() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.8 check_5_8="5.8 - Ensure only needed ports are open on the container" totalChecks=$((totalChecks + 1)) note "$check_5_8" logjson "5.8" "NOTE" currentScore=$((currentScore + 0)) +} + +# 5.9 +check_5_9() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.9 check_5_9="5.9 - Ensure the host's network namespace is not shared" totalChecks=$((totalChecks + 1)) @@ -297,8 +358,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.10 +check_5_10() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.10 check_5_10="5.10 - Ensure memory usage for container is limited" totalChecks=$((totalChecks + 1)) @@ -331,8 +398,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.11 +check_5_11() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.11 check_5_11="5.11 - Ensure CPU priority is set appropriately on the container" totalChecks=$((totalChecks + 1)) @@ -365,8 +438,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.12 +check_5_12() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.12 check_5_12="5.12 - Ensure the container's root filesystem is mounted as read only" totalChecks=$((totalChecks + 1)) @@ -395,8 +474,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.13 +check_5_13() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.13 check_5_13="5.13 - Ensure incoming container traffic is binded to a specific host interface" totalChecks=$((totalChecks + 1)) @@ -425,8 +510,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.14 +check_5_14() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.14 check_5_14="5.14 - Ensure 'on-failure' container restart policy is set to '5'" totalChecks=$((totalChecks + 1)) @@ -455,8 +546,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.15 +check_5_15() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.15 check_5_15="5.15 - Ensure the host's process namespace is not shared" totalChecks=$((totalChecks + 1)) @@ -485,8 +582,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.16 +check_5_16() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.16 check_5_16="5.16 - Ensure the host's IPC namespace is not shared" totalChecks=$((totalChecks + 1)) @@ -515,8 +618,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.17 +check_5_17() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.17 check_5_17="5.17 - Ensure host devices are not directly exposed to containers" totalChecks=$((totalChecks + 1)) @@ -545,8 +654,14 @@ else else currentScore=$((currentScore + 0)) fi +} + +# 5.18 +check_5_18() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.18 check_5_18="5.18 - Ensure the default ulimit is overwritten at runtime, only if needed" totalChecks=$((totalChecks + 1)) @@ -575,8 +690,14 @@ else else currentScore=$((currentScore + 0)) fi +} + +# 5.19 +check_5_19() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.19 check_5_19="5.19 - Ensure mount propagation mode is not set to shared" totalChecks=$((totalChecks + 1)) @@ -604,8 +725,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.20 +check_5_20() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.20 check_5_20="5.20 - Ensure the host's UTS namespace is not shared" totalChecks=$((totalChecks + 1)) @@ -634,8 +761,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.21 +check_5_21() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.21 check_5_21="5.21 - Ensure the default seccomp profile is not Disabled" totalChecks=$((totalChecks + 1)) @@ -663,22 +796,40 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.22 +check_5_22() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.22 check_5_22="5.22 - Ensure docker exec commands are not used with privileged option" totalChecks=$((totalChecks + 1)) note "$check_5_22" logjson "5.22" "NOTE" currentScore=$((currentScore + 0)) +} + +# 5.23 +check_5_23() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.23 check_5_23="5.23 - Ensure docker exec commands are not used with user option" totalChecks=$((totalChecks + 1)) note "$check_5_23" logjson "5.23" "NOTE" currentScore=$((currentScore + 0)) +} + +# 5.24 +check_5_24() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.24 check_5_24="5.24 - Ensure cgroup usage is confirmed" totalChecks=$((totalChecks + 1)) @@ -707,8 +858,13 @@ else else currentScore=$((currentScore - 1)) fi +} - # 5.25 +# 5.25 +check_5_25() { + if [ "$running_containers" -ne 1 ]; then + return + fi check_5_25="5.25 - Ensure the container is restricted from acquiring additional privileges" totalChecks=$((totalChecks + 1)) @@ -735,8 +891,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.26 +check_5_26() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.26 check_5_26="5.26 - Ensure container health is checked at runtime" totalChecks=$((totalChecks + 1)) @@ -761,15 +923,27 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.27 +check_5_27() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.27 check_5_27="5.27 - Ensure docker commands always get the latest version of the image" totalChecks=$((totalChecks + 1)) info "$check_5_27" logjson "5.27" "INFO" currentScore=$((currentScore + 0)) +} + +# 5.28 +check_5_28() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.28 check_5_28="5.28 - Ensure PIDs cgroup limit is used" totalChecks=$((totalChecks + 1)) @@ -798,8 +972,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.29 +check_5_29() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.29 check_5_29="5.29 - Ensure Docker's default bridge docker0 is not used" totalChecks=$((totalChecks + 1)) @@ -832,8 +1012,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.30 +check_5_30() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.30 check_5_30="5.30 - Ensure the host's user namespaces is not shared" totalChecks=$((totalChecks + 1)) @@ -860,8 +1046,14 @@ else else currentScore=$((currentScore - 1)) fi +} + +# 5.31 +check_5_31() { + if [ "$running_containers" -ne 1 ]; then + return + fi - # 5.31 check_5_31="5.31 - Ensure the Docker socket is not mounted inside any containers" totalChecks=$((totalChecks + 1)) @@ -888,4 +1080,5 @@ else else currentScore=$((currentScore - 1)) fi -fi +} + diff --git a/tests/6_docker_security_operations.sh b/tests/6_docker_security_operations.sh index c09a833..8376e09 100644 --- a/tests/6_docker_security_operations.sh +++ b/tests/6_docker_security_operations.sh @@ -1,42 +1,48 @@ #!/bin/sh -logit "\n" -info "6 - Docker Security Operations" +check_6() { + logit "\n" + info "6 - Docker Security Operations" +} # 6.1 -check_6_1="6.1 - Avoid image sprawl" -totalChecks=$((totalChecks + 1)) -images=$(docker images -q | sort -u | wc -l | awk '{print $1}') -active_images=0 +check_6_1() { + check_6_1="6.1 - Avoid image sprawl" + totalChecks=$((totalChecks + 1)) + images=$(docker images -q | sort -u | wc -l | awk '{print $1}') + active_images=0 -for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do - if docker images --no-trunc -a | grep "$c" > /dev/null ; then - active_images=$(( active_images += 1 )) + for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do + if docker images --no-trunc -a | grep "$c" > /dev/null ; then + active_images=$(( active_images += 1 )) + fi + done + + info "$check_6_1" + info " * There are currently: $images images" + + if [ "$active_images" -lt "$((images / 2))" ]; then + info " * Only $active_images out of $images are in use" + logjson "6.1" "INFO: $active_images" fi -done - - info "$check_6_1" - info " * There are currently: $images images" - -if [ "$active_images" -lt "$((images / 2))" ]; then - info " * Only $active_images out of $images are in use" - logjson "6.1" "INFO: $active_images" -fi -currentScore=$((currentScore + 0)) + currentScore=$((currentScore + 0)) +} # 6.2 -check_6_2="6.2 - Avoid container sprawl" -totalChecks=$((totalChecks + 1)) -total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') -running_containers=$(docker ps -q | wc -l | awk '{print $1}') -diff="$((total_containers - running_containers))" -if [ "$diff" -gt 25 ]; then - info "$check_6_2" - info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" - logjson "6.2" "INFO: $running_containers" -else - info "$check_6_2" - info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" - logjson "6.2" "INFO: $running_containers" -fi -currentScore=$((currentScore + 0)) +check_6_2() { + check_6_2="6.2 - Avoid container sprawl" + totalChecks=$((totalChecks + 1)) + total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') + running_containers=$(docker ps -q | wc -l | awk '{print $1}') + diff="$((total_containers - running_containers))" + if [ "$diff" -gt 25 ]; then + info "$check_6_2" + info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" + logjson "6.2" "INFO: $running_containers" + else + info "$check_6_2" + info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" + logjson "6.2" "INFO: $running_containers" + fi + currentScore=$((currentScore + 0)) +} diff --git a/tests/7_docker_swarm_configuration.sh b/tests/7_docker_swarm_configuration.sh index 3e011c5..0f6b3f5 100644 --- a/tests/7_docker_swarm_configuration.sh +++ b/tests/7_docker_swarm_configuration.sh @@ -1,174 +1,196 @@ #!/bin/sh -logit "\n" -info "7 - Docker Swarm Configuration" +check_7() { + logit "\n" + info "7 - Docker Swarm Configuration" +} # 7.1 -check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then - pass "$check_7_1" - logjson "7.1" "PASS" - currentScore=$((currentScore + 1)) -else - warn "$check_7_1" - logjson "7.1" "WARN" - currentScore=$((currentScore - 1)) -fi +check_7_1() { + check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then + pass "$check_7_1" + logjson "7.1" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_7_1" + logjson "7.1" "WARN" + currentScore=$((currentScore - 1)) + fi +} # 7.2 -check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then - managernodes=$(docker node ls | grep -c "Leader") - if [ "$managernodes" -le 1 ]; then - pass "$check_7_2" +check_7_2() { + check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then + managernodes=$(docker node ls | grep -c "Leader") + if [ "$managernodes" -le 1 ]; then + pass "$check_7_2" + logjson "7.2" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_7_2" + logjson "7.2" "WARN" + currentScore=$((currentScore - 1)) + fi + else + pass "$check_7_2 (Swarm mode not enabled)" logjson "7.2" "PASS" currentScore=$((currentScore + 1)) - else - warn "$check_7_2" - logjson "7.2" "WARN" - currentScore=$((currentScore - 1)) fi -else - pass "$check_7_2 (Swarm mode not enabled)" - logjson "7.2" "PASS" - currentScore=$((currentScore + 1)) -fi +} # 7.3 -check_7_3="7.3 - Ensure swarm services are binded to a specific host interface" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then - ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 - if [ $? -eq 1 ]; then - pass "$check_7_3" +check_7_3() { + check_7_3="7.3 - Ensure swarm services are binded to a specific host interface" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then + ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 + if [ $? -eq 1 ]; then + pass "$check_7_3" + logjson "7.3" "PASS" + currentScore=$((currentScore + 1)) + else + warn "$check_7_3" + logjson "7.3" "WARN" + currentScore=$((currentScore - 1)) + fi + else + pass "$check_7_3 (Swarm mode not enabled)" logjson "7.3" "PASS" currentScore=$((currentScore + 1)) - else - warn "$check_7_3" - logjson "7.3" "WARN" - currentScore=$((currentScore - 1)) fi -else - pass "$check_7_3 (Swarm mode not enabled)" - logjson "7.3" "PASS" - currentScore=$((currentScore + 1)) -fi +} # 7.4 -check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network" -totalChecks=$((totalChecks + 1)) -if docker network ls --filter driver=overlay --quiet | \ - xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \ - grep -v 'encrypted:' 2>/dev/null 1>&2; then - warn "$check_7_4" - currentScore=$((currentScore - 1)) - for encnet in $(docker network ls --filter driver=overlay --quiet); do - if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \ - grep -v 'encrypted:' 2>/dev/null 1>&2; then - warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" - logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" - fi - done -else - pass "$check_7_4" - logjson "7.4" "PASS" - currentScore=$((currentScore + 1)) -fi +check_7_4(){ + check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network" + totalChecks=$((totalChecks + 1)) + if docker network ls --filter driver=overlay --quiet | \ + xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \ + grep -v 'encrypted:' 2>/dev/null 1>&2; then + warn "$check_7_4" + currentScore=$((currentScore - 1)) + for encnet in $(docker network ls --filter driver=overlay --quiet); do + if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \ + grep -v 'encrypted:' 2>/dev/null 1>&2; then + warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" + logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" + fi + done + else + pass "$check_7_4" + logjson "7.4" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 7.5 -check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then - pass "$check_7_5" +check_7_5() { + check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then + if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then + pass "$check_7_5" + logjson "7.5" "PASS" + currentScore=$((currentScore + 1)) + else + info "$check_7_5" + logjson "7.5" "INFO" + currentScore=$((currentScore + 0)) + fi + else + pass "$check_7_5 (Swarm mode not enabled)" logjson "7.5" "PASS" currentScore=$((currentScore + 1)) - else - info "$check_7_5" - logjson "7.5" "INFO" - currentScore=$((currentScore + 0)) fi -else - pass "$check_7_5 (Swarm mode not enabled)" - logjson "7.5" "PASS" - currentScore=$((currentScore + 1)) -fi +} # 7.6 -check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then - warn "$check_7_6" - logjson "7.6" "WARN" - currentScore=$((currentScore - 1)) +check_7_6() { + check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then + if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then + warn "$check_7_6" + logjson "7.6" "WARN" + currentScore=$((currentScore - 1)) + else + pass "$check_7_6" + logjson "7.6" "PASS" + currentScore=$((currentScore + 1)) + fi else - pass "$check_7_6" + pass "$check_7_6 (Swarm mode not enabled)" logjson "7.6" "PASS" currentScore=$((currentScore + 1)) fi -else - pass "$check_7_6 (Swarm mode not enabled)" - logjson "7.6" "PASS" - currentScore=$((currentScore + 1)) -fi +} # 7.7 -check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - note "$check_7_7" - logjson "7.7" "NOTE" - currentScore=$((currentScore + 0)) -else - pass "$check_7_7 (Swarm mode not enabled)" - logjson "7.7" "PASS" - currentScore=$((currentScore + 1)) -fi +check_7_7() { + check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then + note "$check_7_7" + logjson "7.7" "NOTE" + currentScore=$((currentScore + 0)) + else + pass "$check_7_7 (Swarm mode not enabled)" + logjson "7.7" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 7.8 -check_7_8="7.8 - Ensure node certificates are rotated as appropriate" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then - pass "$check_7_8" +check_7_8() { + check_7_8="7.8 - Ensure node certificates are rotated as appropriate" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then + if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then + pass "$check_7_8" + logjson "7.8" "PASS" + currentScore=$((currentScore + 1)) + else + info "$check_7_8" + logjson "7.8" "INFO" + currentScore=$((currentScore + 0)) + fi + else + pass "$check_7_8 (Swarm mode not enabled)" logjson "7.8" "PASS" currentScore=$((currentScore + 1)) - else - info "$check_7_8" - logjson "7.8" "INFO" - currentScore=$((currentScore + 0)) fi -else - pass "$check_7_8 (Swarm mode not enabled)" - logjson "7.8" "PASS" - currentScore=$((currentScore + 1)) -fi +} # 7.9 -check_7_9="7.9 - Ensure CA certificates are rotated as appropriate" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - info "$check_7_9" - logjson "7.9" "INFO" - currentScore=$((currentScore + 0)) -else - pass "$check_7_9 (Swarm mode not enabled)" - logjson "7.9" "PASS" - currentScore=$((currentScore + 1)) -fi +check_7_9() { + check_7_9="7.9 - Ensure CA certificates are rotated as appropriate" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then + info "$check_7_9" + logjson "7.9" "INFO" + currentScore=$((currentScore + 0)) + else + pass "$check_7_9 (Swarm mode not enabled)" + logjson "7.9" "PASS" + currentScore=$((currentScore + 1)) + fi +} # 7.10 -check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic" -totalChecks=$((totalChecks + 1)) -if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then - info "$check_7_10" - logjson "7.10" "INFO" - currentScore=$((currentScore + 0)) -else - pass "$check_7_10 (Swarm mode not enabled)" - logjson "7.10" "PASS" - currentScore=$((currentScore + 1)) -fi +check_7_10() { + check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic" + totalChecks=$((totalChecks + 1)) + if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then + info "$check_7_10" + logjson "7.10" "INFO" + currentScore=$((currentScore + 0)) + else + pass "$check_7_10 (Swarm mode not enabled)" + logjson "7.10" "PASS" + currentScore=$((currentScore + 1)) + fi +}