Merge pull request #283 from konstruktoid/functionsupdate

Functionsupdate
This commit is contained in:
Thomas Sjögren 2018-01-16 13:53:44 +01:00 committed by GitHub
commit ed73b3728f
11 changed files with 1824 additions and 1277 deletions


@ -43,7 +43,24 @@ Distribution specific Dockerfiles that fixes this issue are available in the
The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros) The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros)
may also help if the distribution you're using haven't yet shipped Docker may also help if the distribution you're using haven't yet shipped Docker
version 1.10.0 or later. version 1.13.0 or later.
### Docker Bench for Security options
```sh
-h optional Print this help message
-l FILE optional Log output in FILE
-c CHECK optional Run specific check
```
By default the Docker Bench for Security script will run all available tests and
produce logs in the current directory named `docker-bench-security.sh.log.json`
and `docker-bench-security.sh.log`.
The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6`
and community contributed checks are named `check_c_<number>`.
A complete list of checks are present in [functions_lib.sh](functions_lib.sh).
`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2`
## Building Docker Bench for Security ## Building Docker Bench for Security


@ -9,8 +9,9 @@
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Load dependencies # Load dependencies
. ./output_lib.sh . ./functions_lib.sh
. ./helper_lib.sh . ./helper_lib.sh
. ./output_lib.sh
# Setup the paths # Setup the paths
this_path=$(abspath "$0") ## Path of this file including filenamel this_path=$(abspath "$0") ## Path of this file including filenamel
@ -35,18 +36,20 @@ usage () {
usage: ${myname} [options] usage: ${myname} [options]
-h optional Print this help message -h optional Print this help message
-l PATH optional Log output in PATH -l FILE optional Log output in FILE
-c CHECK optional Run specific check
EOF EOF
} }
# Get the flags # Get the flags
# If you add an option here, please # If you add an option here, please
# remember to update usage() above. # remember to update usage() above.
while getopts hl: args while getopts hl:c: args
do do
case $args in case $args in
h) usage; exit 0 ;; h) usage; exit 0 ;;
l) logger="$OPTARG" ;; l) logger="$OPTARG" ;;
c) check="$OPTARG" ;;
*) usage; exit 1 ;; *) usage; exit 1 ;;
esac esac
done done
@ -95,11 +98,23 @@ main () {
# List all running containers except docker-bench (use names to improve readability in logs) # List all running containers except docker-bench (use names to improve readability in logs)
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont") containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
if [ -z "$containers" ]; then
running_containers=0
else
running_containers=1
fi
for test in tests/*.sh for test in tests/*.sh
do do
. ./"$test" . ./"$test"
done done
if [ -z "$check" ]; then
cis
else
"$check"
fi
printf "\n" printf "\n"
info "Checks: $totalChecks" info "Checks: $totalChecks"
info "Score: $currentScore" info "Score: $currentScore"
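Review bot: The `-c` value is executed as a command name at `"$check"` without being checked against the check functions the tests/ files define, so a typo yields only the shell's own "not found" message and the summary below still prints, and any command on PATH that happens to match the name would be run instead of a check. Restricting the name to the `check_*`, `cis`, `community` and `all` functions and confirming it resolves to a function before calling it gives a clear usage error instead. The same hunk sets `running_containers` but never reads it here; it is presumably consumed by `check_running_containers` in tests/, and a one-line comment saying so would save the next reader a search. main() starts and ends outside this hunk.
```shell
  if [ -z "$check" ]; then
    cis
  else
    case "$check" in
      check_*|cis|community|all) ;;
      *) printf "Unknown check: %s\n" "$check" >&2; usage; exit 1 ;;
    esac
    command -v "$check" >/dev/null 2>&1 || { printf "Unknown check: %s\n" "$check" >&2; exit 1; }
    "$check"
  fi
  # … unchanged: summary output …
```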

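--- /dev/null
+++ b/functions_lib.sh
@@ -0,0 +1,161 @@
+#!/bin/sh
+host_configuration() {
+check_1
+check_1_1
+check_1_2
+check_1_3
+check_1_4
+check_1_5
+check_1_6
+check_1_7
+check_1_8
+check_1_9
+check_1_10
+check_1_11
+check_1_12
+check_1_13
+}
+docker_daemon_configuration() {
+check_2
+check_2_1
+check_2_2
+check_2_3
+check_2_4
+check_2_5
+check_2_6
+check_2_7
+check_2_8
+check_2_9
+check_2_10
+check_2_11
+check_2_12
+check_2_13
+check_2_14
+check_2_15
+check_2_16
+check_2_17
+check_2_18
+}
+docker_daemon_files() {
+check_3
+check_3_1
+check_3_2
+check_3_3
+check_3_4
+check_3_5
+check_3_6
+check_3_7
+check_3_8
+check_3_9
+check_3_10
+check_3_11
+check_3_12
+check_3_13
+check_3_14
+check_3_15
+check_3_16
+check_3_17
+check_3_18
+check_3_19
+check_3_20
+}
+container_images() {
+check_4
+check_4_1
+check_4_2
+check_4_3
+check_4_4
+check_4_5
+check_4_6
+check_4_7
+check_4_8
+check_4_9
+check_4_10
+check_4_11
+}
+container_runtime() {
+check_5
+check_running_containers
+check_5_1
+check_5_2
+check_5_3
+check_5_4
+check_5_5
+check_5_6
+check_5_7
+check_5_8
+check_5_9
+check_5_10
+check_5_11
+check_5_12
+check_5_13
+check_5_14
+check_5_15
+check_5_16
+check_5_17
+check_5_18
+check_5_19
+check_5_20
+check_5_21
+check_5_22
+check_5_23
+check_5_24
+check_5_25
+check_5_26
+check_5_27
+check_5_28
+check_5_29
+check_5_30
+check_5_31
+}
+docker_security_operations() {
+check_6
+check_6_1
+check_6_2
+}
+docker_swarm_configuration() {
+check_7
+check_7_1
+check_7_2
+check_7_3
+check_7_5
+check_7_6
+check_7_7
+check_7_8
+check_7_9
+check_7_10
+}
+community_checks() {
+# check_c_1
+true;
+}
+# CIS
+cis() {
+host_configuration
+docker_daemon_configuration
+docker_daemon_files
+container_images
+container_runtime
+docker_security_operations
+docker_swarm_configuration
+}
+# Community contributed
+community() {
+community_checks
+}
+# All
+all() {
+cis
+community
+}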
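Review bot: `docker_swarm_configuration()` goes from check_7_3 straight to check_7_5, so a check_7_4 is never invoked by `cis`; if tests/ defines one it is silently dropped from the totals, and if 7.4 is intentionally absent a comment such as `# 7.4 intentionally not run` on that line stops the next reader from re-adding it. The file has no header comment although the README now points to it as the list of checks; a short header stating that each function groups one CIS section, that `cis`, `community` and `all` are the entry points, and that any of these names can be passed to `-c` would make that reference useful. In `community_checks()` the trailing semicolon in `true;` is unneeded; `true` alone is the usual placeholder body.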


@ -3,6 +3,9 @@
# Returns the absolute path of a given string # Returns the absolute path of a given string
abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; } abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; }
# Audit rules default path
auditrules="/etc/audit/audit.rules"
# Compares versions of software of the format X.Y.Z # Compares versions of software of the format X.Y.Z
do_version_check() { do_version_check() {
[ "$1" = "$2" ] && return 10 [ "$1" = "$2" ] && return 10
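Review bot: `auditrules="/etc/audit/audit.rules"` is assigned unconditionally when the library is sourced, so a host whose rules are maintained as fragments under /etc/audit/rules.d/ and merged by augenrules cannot point the audit checks at a different file without editing the library; `auditrules="${auditrules:-/etc/audit/audit.rules}"` keeps the default while allowing an override from the environment. The comment above it could also say that rules.d fragments are only visible to these checks once augenrules has merged them into this file.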


@ -1,10 +1,12 @@
#!/bin/sh #!/bin/sh
check_1() {
logit "" logit ""
info "1 - Host Configuration" info "1 - Host Configuration"
auditrules="/etc/audit/audit.rules" }
# 1.1 # 1.1
check_1_1() {
check_1_1="1.1 - Ensure a separate partition for containers has been created" check_1_1="1.1 - Ensure a separate partition for containers has been created"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -21,15 +23,19 @@ else
logjson "1.1" "WARN" logjson "1.1" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 1.2 # 1.2
check_1_2() {
check_1_2="1.2 - Ensure the container host has been Hardened" check_1_2="1.2 - Ensure the container host has been Hardened"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_1_2" note "$check_1_2"
logjson "1.2" "INFO" logjson "1.2" "INFO"
currentScore=$((currentScore - 0)) currentScore=$((currentScore - 0))
}
# 1.3 # 1.3
check_1_3() {
check_1_3="1.3 - Ensure Docker is up to date" check_1_3="1.3 - Ensure Docker is up to date"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
@ -49,8 +55,10 @@ else
logjson "1.3" "PASS" logjson "1.3" "PASS"
currentScore=$((currentScore - 0)) currentScore=$((currentScore - 0))
fi fi
}
# 1.4 # 1.4
check_1_4() {
check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon" check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
docker_users=$(getent group docker) docker_users=$(getent group docker)
@ -60,8 +68,10 @@ for u in $docker_users; do
logjson "1.4" "$u" logjson "1.4" "$u"
done done
currentScore=$((currentScore - 0)) currentScore=$((currentScore - 0))
}
# 1.5 # 1.5
check_1_5() {
check_1_5="1.5 - Ensure auditing is configured for the Docker daemon" check_1_5="1.5 - Ensure auditing is configured for the Docker daemon"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/usr/bin/docker " file="/usr/bin/docker "
@ -84,8 +94,10 @@ else
logjson "1.5" "WARN" logjson "1.5" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 1.6 # 1.6
check_1_6() {
check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker" check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
directory="/var/lib/docker" directory="/var/lib/docker"
@ -115,8 +127,10 @@ else
logjson "1.6" "INFO" logjson "1.6" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.7 # 1.7
check_1_7() {
check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker" check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
directory="/etc/docker" directory="/etc/docker"
@ -146,8 +160,10 @@ else
logjson "1.7" "INFO" logjson "1.7" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.8 # 1.8
check_1_8() {
check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service" check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)" file="$(get_systemd_service_file docker.service)"
@ -177,8 +193,10 @@ else
logjson "1.8" "INFO" logjson "1.8" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.9 # 1.9
check_1_9() {
check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket" check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)" file="$(get_systemd_service_file docker.socket)"
@ -208,8 +226,10 @@ else
logjson "1.9" "INFO" logjson "1.9" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.10 # 1.10
check_1_10() {
check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker" check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/default/docker" file="/etc/default/docker"
@ -239,8 +259,10 @@ else
logjson "1.10" "INFO" logjson "1.10" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.11 # 1.11
check_1_11() {
check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json" check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json" file="/etc/docker/daemon.json"
@ -270,8 +292,10 @@ else
logjson "1.11" "INFO" logjson "1.11" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.12 # 1.12
check_1_12() {
check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd" check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-containerd" file="/usr/bin/docker-containerd"
@ -301,8 +325,10 @@ else
logjson "1.12" "INFO" logjson "1.12" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.13 # 1.13
check_1_13() {
check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc" check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-runc" file="/usr/bin/docker-runc"
@ -332,3 +358,4 @@ else
logjson "1.13" "INFO" logjson "1.13" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
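Review bot: In each new `check_1_N()` the description is stored in a global variable that shares the function's name (`check_1_1="1.1 - …"` inside `check_1_1()`); that is valid in POSIX sh, where variables and functions live in separate namespaces, but it reads like a self-referential assignment and a reader will wonder whether the call clobbers the function. A short comment at the top of the file, e.g. `# Each check_N_M() sets a same-named global holding its title and updates totalChecks/currentScore`, would settle it; the same pattern recurs in the tests/2, tests/3 and tests/4 files of this commit, so the note belongs in each. The `file` and `directory` variables assigned inside these functions remain global after the call, which is harmless today but worth stating in that header. The bodies of the check functions continue outside the hunks.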


@ -1,9 +1,12 @@
#!/bin/sh #!/bin/sh
check_2() {
logit "\n" logit "\n"
info "2 - Docker daemon configuration" info "2 - Docker daemon configuration"
}
# 2.1 # 2.1
check_2_1() {
check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge" check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
@ -19,8 +22,10 @@ else
logjson "2.1" "WARN" logjson "2.1" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.2 # 2.2
check_2_2() {
check_2_2="2.2 - Ensure the logging level is set to 'info'" check_2_2="2.2 - Ensure the logging level is set to 'info'"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
@ -52,8 +57,10 @@ else
logjson "2.2" "PASS" logjson "2.2" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.3 # 2.3
check_2_3() {
check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables" check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
@ -69,8 +76,10 @@ else
logjson "2.3" "PASS" logjson "2.3" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.4 # 2.4
check_2_4() {
check_2_4="2.4 - Ensure insecure registries are not used" check_2_4="2.4 - Ensure insecure registries are not used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
@ -92,8 +101,10 @@ else
logjson "2.4" "PASS" logjson "2.4" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.5 # 2.5
check_2_5() {
check_2_5="2.5 - Ensure aufs storage driver is not used" check_2_5="2.5 - Ensure aufs storage driver is not used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
@ -105,8 +116,10 @@ else
logjson "2.5" "PASS" logjson "2.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.6 # 2.6
check_2_6() {
check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured" check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
@ -154,9 +167,10 @@ else
logjson "2.6" "INFO" logjson "2.6" "INFO"
currentScore=$((currentScore +0)) currentScore=$((currentScore +0))
fi fi
}
# 2.7 # 2.7
check_2_7() {
check_2_7="2.7 - Ensure the default ulimit is configured appropriately" check_2_7="2.7 - Ensure the default ulimit is configured appropriately"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
@ -173,8 +187,10 @@ else
logjson "2.7" "INFO" logjson "2.7" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 2.8 # 2.8
check_2_8() {
check_2_8="2.8 - Enable user namespace support" check_2_8="2.8 - Enable user namespace support"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
@ -190,8 +206,10 @@ else
logjson "2.8" "WARN" logjson "2.8" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.9 # 2.9
check_2_9() {
check_2_9="2.9 - Ensure the default cgroup usage has been confirmed" check_2_9="2.9 - Ensure the default cgroup usage has been confirmed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
@ -209,8 +227,10 @@ else
logjson "2.9" "PASS" logjson "2.9" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.10 # 2.10
check_2_10() {
check_2_10="2.10 - Ensure base device size is not changed until needed" check_2_10="2.10 - Ensure base device size is not changed until needed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
@ -226,8 +246,10 @@ else
logjson "2.10" "PASS" logjson "2.10" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.11 # 2.11
check_2_11() {
check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled" check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
@ -243,8 +265,10 @@ else
logjson "2.11" "WARN" logjson "2.11" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.12 # 2.12
check_2_12() {
check_2_12="2.12 - Ensure centralized and remote logging is configured" check_2_12="2.12 - Ensure centralized and remote logging is configured"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
@ -256,8 +280,10 @@ else
logjson "2.12" "PASS" logjson "2.12" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.13 # 2.13
check_2_13() {
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled" check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
@ -273,8 +299,10 @@ else
logjson "2.13" "WARN" logjson "2.13" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.14 # 2.14
check_2_14() {
check_2_14="2.14 - Ensure live restore is Enabled" check_2_14="2.14 - Ensure live restore is Enabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
@ -296,8 +324,10 @@ else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
fi fi
}
# 2.15 # 2.15
check_2_15() {
check_2_15="2.15 - Ensure Userland Proxy is Disabled" check_2_15="2.15 - Ensure Userland Proxy is Disabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
@ -313,8 +343,10 @@ else
logjson "2.15" "WARN" logjson "2.15" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.16 # 2.16
check_2_16() {
check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed" check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
@ -326,8 +358,10 @@ else
logjson "2.16" "INFO" logjson "2.16" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 2.17 # 2.17
check_2_17() {
check_2_17="2.17 - Ensure experimental features are avoided in production" check_2_17="2.17 - Ensure experimental features are avoided in production"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
@ -339,8 +373,10 @@ else
logjson "2.17" "WARN" logjson "2.17" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.18 # 2.18
check_2_18() {
check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges" check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then
@ -356,3 +392,4 @@ else
logjson "2.18" "WARN" logjson "2.18" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
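Review bot: `check_2_8()` tests `get_docker_configuration_file_args 'userns-remap' | grep -v '""'` without redirecting grep's output, so whatever the helper prints is written to stdout between the formatted result lines; the neighbouring 2.7 test redirects with `>/dev/null 2>&1`. The same applies to the cgroup-parent test in `check_2_9()` and the authorization-plugins test in `check_2_11()`. Proposed for 2.8: `if get_docker_configuration_file_args 'userns-remap' | grep -v '""' >/dev/null 2>&1; then`, and likewise for the other two. The function bodies continue outside these hunks.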


@ -1,9 +1,12 @@
#!/bin/sh #!/bin/sh
check_3() {
logit "\n" logit "\n"
info "3 - Docker daemon configuration files" info "3 - Docker daemon configuration files"
}
# 3.1 # 3.1
check_3_1() {
check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root" check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)" file="$(get_systemd_service_file docker.service)"
@ -24,8 +27,10 @@ else
logjson "3.1" "INFO" logjson "3.1" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.2 # 3.2
check_3_2() {
check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive" check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)" file="$(get_systemd_service_file docker.service)"
@ -46,8 +51,10 @@ else
logjson "3.2" "INFO" logjson "3.2" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.3 # 3.3
check_3_3() {
check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root" check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)" file="$(get_systemd_service_file docker.socket)"
@ -68,8 +75,10 @@ else
logjson "3.3" "INFO" logjson "3.3" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.4 # 3.4
check_3_4() {
check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive" check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)" file="$(get_systemd_service_file docker.socket)"
@ -90,8 +99,10 @@ else
logjson "3.4" "INFO" logjson "3.4" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.5 # 3.5
check_3_5() {
check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root" check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
directory="/etc/docker" directory="/etc/docker"
@ -112,8 +123,10 @@ else
logjson "3.5" "INFO" logjson "3.5" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.6 # 3.6
check_3_6() {
check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive" check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
directory="/etc/docker" directory="/etc/docker"
@ -134,8 +147,10 @@ else
logjson "3.6" "INFO" logjson "3.6" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.7 # 3.7
check_3_7() {
check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root" check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
@ -163,8 +178,10 @@ else
logjson "3.7" "INFO" logjson "3.7" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.8 # 3.8
check_3_8() {
check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive" check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/" directory="/etc/docker/certs.d/"
@ -192,8 +209,10 @@ else
logjson "3.8" "INFO" logjson "3.8" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.9 # 3.9
check_3_9() {
check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root" check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
@ -218,8 +237,10 @@ else
logjson "3.9" "INFO" logjson "3.9" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.10 # 3.10
check_3_10() {
check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive" check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
@ -244,8 +265,10 @@ else
logjson "3.10" "INFO" logjson "3.10" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.11 # 3.11
check_3_11() {
check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root" check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
@ -270,8 +293,10 @@ else
logjson "3.11" "INFO" logjson "3.11" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.12 # 3.12
check_3_12() {
check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive" check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
@ -296,8 +321,10 @@ else
logjson "3.12" "INFO" logjson "3.12" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.13 # 3.13
check_3_13() {
check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root" check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
@ -322,8 +349,10 @@ else
logjson "3.13" "INFO" logjson "3.13" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.14 # 3.14
check_3_14() {
check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400" check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
@ -348,8 +377,10 @@ else
logjson "3.14" "INFO" logjson "3.14" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.15 # 3.15
check_3_15() {
check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker" check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock" file="/var/run/docker.sock"
@ -370,8 +401,10 @@ else
logjson "3.15" "INFO" logjson "3.15" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.16 # 3.16
check_3_16() {
check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive" check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock" file="/var/run/docker.sock"
@ -392,8 +425,10 @@ else
logjson "3.16" "INFO" logjson "3.16" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.17 # 3.17
check_3_17() {
check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root" check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json" file="/etc/docker/daemon.json"
@ -414,8 +449,10 @@ else
logjson "3.17" "INFO" logjson "3.17" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.18 # 3.18
check_3_18() {
check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive" check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json" file="/etc/docker/daemon.json"
@ -436,8 +473,10 @@ else
logjson "3.18" "INFO" logjson "3.18" "INFO"
currentScore=$((currentScore - 0)) currentScore=$((currentScore - 0))
fi fi
}
# 3.19 # 3.19
check_3_19() {
check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root" check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/default/docker" file="/etc/default/docker"
@ -458,8 +497,10 @@ else
logjson "3.19" "INFO" logjson "3.19" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.20 # 3.20
check_3_20() {
check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive" check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
file="/etc/default/docker" file="/etc/default/docker"
@ -480,3 +521,4 @@ else
logjson "3.20" "INFO" logjson "3.20" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}


@ -1,9 +1,14 @@
#!/bin/sh #!/bin/sh
images=$(docker images -q)
check_4() {
logit "\n" logit "\n"
info "4 - Container Images and Build File" info "4 - Container Images and Build File"
}
# 4.1 # 4.1
check_4_1() {
check_4_1="4.1 - Ensure a user for the container has been created" check_4_1="4.1 - Ensure a user for the container has been created"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -46,31 +51,37 @@ else
fi fi
# Make the loop separator go back to space # Make the loop separator go back to space
set +f; unset IFS set +f; unset IFS
}
images=$(docker images -q)
# 4.2 # 4.2
check_4_2() {
check_4_2="4.2 - Ensure that containers use trusted base images" check_4_2="4.2 - Ensure that containers use trusted base images"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_4_2" note "$check_4_2"
logjson "4.2" "NOTE" logjson "4.2" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 4.3 # 4.3
check_4_3() {
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_4_3" note "$check_4_3"
logjson "4.3" "NOTE" logjson "4.3" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 4.4 # 4.4
check_4_4() {
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_4_4" note "$check_4_4"
logjson "4.4" "NOTE" logjson "4.4" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 4.5 # 4.5
check_4_5() {
check_4_5="4.5 - Ensure Content trust for Docker is Enabled" check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
@ -82,8 +93,10 @@ else
logjson "4.5" "WARN" logjson "4.5" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 4.6 # 4.6
check_4_6() {
check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image" check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
@ -108,8 +121,10 @@ if [ $fail -eq 0 ]; then
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 4.7 # 4.7
check_4_7() {
check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile" check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
@ -133,15 +148,19 @@ if [ $fail -eq 0 ]; then
else else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 4.8 # 4.8
check_4_8() {
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images" check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_4_8" note "$check_4_8"
logjson "4.8" "NOTE" logjson "4.8" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 4.9 # 4.9
check_4_9() {
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
fail=0 fail=0
@ -166,17 +185,22 @@ if [ $fail -eq 0 ]; then
logjson "4.9" "PASS" logjson "4.9" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 4.10 # 4.10
check_4_10() {
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_4_10" note "$check_4_10"
logjson "4.10" "NOTE" logjson "4.10" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 4.11 # 4.11
check_4_11() {
check_4_11="4.11 - Ensure verified packages are only Installed" check_4_11="4.11 - Ensure verified packages are only Installed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_4_11" note "$check_4_11"
logjson "4.11" "NOTE" logjson "4.11" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
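Review bot: `images=$(docker images -q)` now sits at file top level between check_4_1 and check_4_2, so it executes every time this file is sourced, before any check has been selected, and it is easy to miss among the function definitions. Either move it up next to the shebang with a comment such as `# Image IDs consumed by the 4.x checks; evaluated once when this file is sourced`, or wrap it in a small helper the 4.x checks call, mirroring how the next section gates on check_running_containers. Each check_4_N body is cut by the hunks, so only the wrappers can be judged here.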


@ -1,16 +1,29 @@
#!/bin/sh #!/bin/sh
check_5() {
logit "\n" logit "\n"
info "5 - Container Runtime" info "5 - Container Runtime"
}
check_running_containers() {
# If containers is empty, there are no running containers # If containers is empty, there are no running containers
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5" info " * No containers running, skipping Section 5"
running_containers=0
else else
running_containers=1
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
fi
}
# 5.1 # 5.1
check_5_1() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_1="5.1 - Ensure AppArmor Profile is Enabled" check_5_1="5.1 - Ensure AppArmor Profile is Enabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -39,8 +52,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.2 # 5.2
check_5_2() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_2="5.2 - Ensure SELinux security options are set, if applicable" check_5_2="5.2 - Ensure SELinux security options are set, if applicable"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -69,8 +88,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.3 # 5.3
check_5_3() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_3="5.3 - Ensure Linux Kernel Capabilities are restricted within containers" check_5_3="5.3 - Ensure Linux Kernel Capabilities are restricted within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -102,8 +127,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.4 # 5.4
check_5_4() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_4="5.4 - Ensure privileged containers are not used" check_5_4="5.4 - Ensure privileged containers are not used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -132,8 +163,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.5 # 5.5
check_5_5() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_5="5.5 - Ensure sensitive host system directories are not mounted on containers" check_5_5="5.5 - Ensure sensitive host system directories are not mounted on containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -182,8 +219,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.6 # 5.6
check_5_6() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_6="5.6 - Ensure ssh is not run within containers" check_5_6="5.6 - Ensure ssh is not run within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -226,8 +269,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.7 # 5.7
check_5_7() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_7="5.7 - Ensure privileged ports are not mapped within containers" check_5_7="5.7 - Ensure privileged ports are not mapped within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -260,15 +309,27 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.8 # 5.8
check_5_8() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_8="5.8 - Ensure only needed ports are open on the container" check_5_8="5.8 - Ensure only needed ports are open on the container"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_8" note "$check_5_8"
logjson "5.8" "NOTE" logjson "5.8" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.9 # 5.9
check_5_9() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_9="5.9 - Ensure the host's network namespace is not shared" check_5_9="5.9 - Ensure the host's network namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -297,8 +358,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.10 # 5.10
check_5_10() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_10="5.10 - Ensure memory usage for container is limited" check_5_10="5.10 - Ensure memory usage for container is limited"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -331,8 +398,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.11 # 5.11
check_5_11() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_11="5.11 - Ensure CPU priority is set appropriately on the container" check_5_11="5.11 - Ensure CPU priority is set appropriately on the container"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -365,8 +438,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.12 # 5.12
check_5_12() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_12="5.12 - Ensure the container's root filesystem is mounted as read only" check_5_12="5.12 - Ensure the container's root filesystem is mounted as read only"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -395,8 +474,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.13 # 5.13
check_5_13() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_13="5.13 - Ensure incoming container traffic is binded to a specific host interface" check_5_13="5.13 - Ensure incoming container traffic is binded to a specific host interface"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -425,8 +510,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.14 # 5.14
check_5_14() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_14="5.14 - Ensure 'on-failure' container restart policy is set to '5'" check_5_14="5.14 - Ensure 'on-failure' container restart policy is set to '5'"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -455,8 +546,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.15 # 5.15
check_5_15() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_15="5.15 - Ensure the host's process namespace is not shared" check_5_15="5.15 - Ensure the host's process namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -485,8 +582,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.16 # 5.16
check_5_16() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_16="5.16 - Ensure the host's IPC namespace is not shared" check_5_16="5.16 - Ensure the host's IPC namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -515,8 +618,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.17 # 5.17
check_5_17() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_17="5.17 - Ensure host devices are not directly exposed to containers" check_5_17="5.17 - Ensure host devices are not directly exposed to containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -545,8 +654,14 @@ else
else else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 5.18 # 5.18
check_5_18() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_18="5.18 - Ensure the default ulimit is overwritten at runtime, only if needed" check_5_18="5.18 - Ensure the default ulimit is overwritten at runtime, only if needed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -575,8 +690,14 @@ else
else else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 5.19 # 5.19
check_5_19() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_19="5.19 - Ensure mount propagation mode is not set to shared" check_5_19="5.19 - Ensure mount propagation mode is not set to shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -604,8 +725,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.20 # 5.20
check_5_20() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_20="5.20 - Ensure the host's UTS namespace is not shared" check_5_20="5.20 - Ensure the host's UTS namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -634,8 +761,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.21 # 5.21
check_5_21() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_21="5.21 - Ensure the default seccomp profile is not Disabled" check_5_21="5.21 - Ensure the default seccomp profile is not Disabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -663,22 +796,40 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.22 # 5.22
check_5_22() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_22="5.22 - Ensure docker exec commands are not used with privileged option" check_5_22="5.22 - Ensure docker exec commands are not used with privileged option"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_22" note "$check_5_22"
logjson "5.22" "NOTE" logjson "5.22" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.23 # 5.23
check_5_23() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_23="5.23 - Ensure docker exec commands are not used with user option" check_5_23="5.23 - Ensure docker exec commands are not used with user option"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_23" note "$check_5_23"
logjson "5.23" "NOTE" logjson "5.23" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.24 # 5.24
check_5_24() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_24="5.24 - Ensure cgroup usage is confirmed" check_5_24="5.24 - Ensure cgroup usage is confirmed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -707,8 +858,13 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.25 # 5.25
check_5_25() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_25="5.25 - Ensure the container is restricted from acquiring additional privileges" check_5_25="5.25 - Ensure the container is restricted from acquiring additional privileges"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -735,8 +891,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.26 # 5.26
check_5_26() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_26="5.26 - Ensure container health is checked at runtime" check_5_26="5.26 - Ensure container health is checked at runtime"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -761,15 +923,27 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.27 # 5.27
check_5_27() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_27="5.27 - Ensure docker commands always get the latest version of the image" check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
info "$check_5_27" info "$check_5_27"
logjson "5.27" "INFO" logjson "5.27" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.28 # 5.28
check_5_28() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_28="5.28 - Ensure PIDs cgroup limit is used" check_5_28="5.28 - Ensure PIDs cgroup limit is used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -798,8 +972,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.29 # 5.29
check_5_29() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_29="5.29 - Ensure Docker's default bridge docker0 is not used" check_5_29="5.29 - Ensure Docker's default bridge docker0 is not used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -832,8 +1012,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.30 # 5.30
check_5_30() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_30="5.30 - Ensure the host's user namespaces is not shared" check_5_30="5.30 - Ensure the host's user namespaces is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -860,8 +1046,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.31 # 5.31
check_5_31() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_31="5.31 - Ensure the Docker socket is not mounted inside any containers" check_5_31="5.31 - Ensure the Docker socket is not mounted inside any containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -888,4 +1080,5 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
fi }
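Review bot: The guard `if [ "$running_containers" -ne 1 ]; then return; fi` that opens check_5_1 and is repeated through check_5_31 fails open when `running_containers` is unset: `test` reports an integer-expression error for the empty string and returns false, so the check runs anyway, without the IFS and `set -f` setup that check_running_containers performs. That happens whenever a 5.x function is invoked before check_running_containers has run, which the new per-check functions make possible unless the caller (outside this view) always invokes it first. Either make the guard self-sufficient by preceding the test with `[ -z "${running_containers:-}" ] && check_running_containers`, or default the expansion with `"${running_containers:-0}"` and state the ordering requirement in a comment on check_running_containers. Separately, check_running_containers changes the global IFS and `set -f` and no reset is visible in this section; if nothing restores them after check_5_31, later checks inherit the altered word splitting.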


@ -1,9 +1,12 @@
#!/bin/sh #!/bin/sh
check_6() {
logit "\n" logit "\n"
info "6 - Docker Security Operations" info "6 - Docker Security Operations"
}
# 6.1 # 6.1
check_6_1() {
check_6_1="6.1 - Avoid image sprawl" check_6_1="6.1 - Avoid image sprawl"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
images=$(docker images -q | sort -u | wc -l | awk '{print $1}') images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
@ -23,8 +26,10 @@ if [ "$active_images" -lt "$((images / 2))" ]; then
logjson "6.1" "INFO: $active_images" logjson "6.1" "INFO: $active_images"
fi fi
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 6.2 # 6.2
check_6_2() {
check_6_2="6.2 - Avoid container sprawl" check_6_2="6.2 - Avoid container sprawl"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
@ -40,3 +45,4 @@ else
logjson "6.2" "INFO: $running_containers" logjson "6.2" "INFO: $running_containers"
fi fi
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
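Review bot: check_6_2 logs `$running_containers` as its INFO value, while check_running_containers in the preceding section now sets `running_containers` to a 0/1 flag that every 5.x check tests before running; the two share one global namespace in `sh`, so if 6.2 assigns a container count to that name (its assignment is outside this hunk) and a 5.x check runs after it, that check is skipped whenever the count is not exactly 1. Rename the 6.2 variable, e.g. `running_containers_count`, in both its assignment and `logjson "6.2" "INFO: $running_containers_count"`. The same clobbering applies to `images` in check_6_1, which overwrites the image-ID list set for the 4.x checks with a count; a distinct name such as `image_count` avoids it.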


@ -1,9 +1,12 @@
#!/bin/sh #!/bin/sh
check_7() {
logit "\n" logit "\n"
info "7 - Docker Swarm Configuration" info "7 - Docker Swarm Configuration"
}
# 7.1 # 7.1
check_7_1() {
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed" check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
@ -15,8 +18,10 @@ else
logjson "7.1" "WARN" logjson "7.1" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 7.2 # 7.2
check_7_2() {
check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm" check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
@ -35,8 +40,10 @@ else
logjson "7.2" "PASS" logjson "7.2" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.3 # 7.3
check_7_3() {
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface" check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
@ -55,8 +62,10 @@ else
logjson "7.3" "PASS" logjson "7.3" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.4 # 7.4
check_7_4(){
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network" check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker network ls --filter driver=overlay --quiet | \ if docker network ls --filter driver=overlay --quiet | \
@ -76,8 +85,10 @@ else
logjson "7.4" "PASS" logjson "7.4" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.5 # 7.5
check_7_5() {
check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster" check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -95,8 +106,10 @@ else
logjson "7.5" "PASS" logjson "7.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.6 # 7.6
check_7_6() {
check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode" check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -114,8 +127,10 @@ else
logjson "7.6" "PASS" logjson "7.6" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.7 # 7.7
check_7_7() {
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically" check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -127,8 +142,10 @@ else
logjson "7.7" "PASS" logjson "7.7" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.8 # 7.8
check_7_8() {
check_7_8="7.8 - Ensure node certificates are rotated as appropriate" check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -146,8 +163,10 @@ else
logjson "7.8" "PASS" logjson "7.8" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.9 # 7.9
check_7_9() {
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate" check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -159,8 +178,10 @@ else
logjson "7.9" "PASS" logjson "7.9" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.10 # 7.10
check_7_10() {
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic" check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -172,3 +193,4 @@ else
logjson "7.10" "PASS" logjson "7.10" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
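Review bot: `check_7_4(){` drops the space before the brace that every other new wrapper in this section uses (`check_7_5() {`); change it to `check_7_4() {` so the definitions stay uniform for shfmt and for anyone grepping `() {`. The check_7_N bodies are cut by the hunks, so nothing beyond the wrappers can be judged here.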