Merge pull request from konstruktoid/functionsupdate

Functionsupdate
This commit is contained in:
Thomas Sjögren 2018-01-16 13:53:44 +01:00 committed by GitHub
commit ed73b3728f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 1824 additions and 1277 deletions


@ -43,7 +43,24 @@ Distribution specific Dockerfiles that fixes this issue are available in the
The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros) The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros)
may also help if the distribution you're using haven't yet shipped Docker may also help if the distribution you're using haven't yet shipped Docker
version 1.10.0 or later. version 1.13.0 or later.
### Docker Bench for Security options
```sh
-h optional Print this help message
-l FILE optional Log output in FILE
-c CHECK optional Run specific check
```
By default the Docker Bench for Security script will run all available tests and
produce logs in the current directory named `docker-bench-security.sh.log.json`
and `docker-bench-security.sh.log`.
The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6`
and community contributed checks are named `check_c_<number>`.
A complete list of checks are present in [functions_lib.sh](functions_lib.sh).
`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2`
## Building Docker Bench for Security ## Building Docker Bench for Security


@ -9,8 +9,9 @@
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Load dependencies # Load dependencies
. ./output_lib.sh . ./functions_lib.sh
. ./helper_lib.sh . ./helper_lib.sh
. ./output_lib.sh
# Setup the paths # Setup the paths
this_path=$(abspath "$0") ## Path of this file including filenamel this_path=$(abspath "$0") ## Path of this file including filenamel
@ -35,18 +36,20 @@ usage () {
usage: ${myname} [options] usage: ${myname} [options]
-h optional Print this help message -h optional Print this help message
-l PATH optional Log output in PATH -l FILE optional Log output in FILE
-c CHECK optional Run specific check
EOF EOF
} }
# Get the flags # Get the flags
# If you add an option here, please # If you add an option here, please
# remember to update usage() above. # remember to update usage() above.
while getopts hl: args while getopts hl:c: args
do do
case $args in case $args in
h) usage; exit 0 ;; h) usage; exit 0 ;;
l) logger="$OPTARG" ;; l) logger="$OPTARG" ;;
c) check="$OPTARG" ;;
*) usage; exit 1 ;; *) usage; exit 1 ;;
esac esac
done done
@ -95,11 +98,23 @@ main () {
# List all running containers except docker-bench (use names to improve readability in logs) # List all running containers except docker-bench (use names to improve readability in logs)
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont") containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
if [ -z "$containers" ]; then
running_containers=0
else
running_containers=1
fi
for test in tests/*.sh for test in tests/*.sh
do do
. ./"$test" . ./"$test"
done done
if [ -z "$check" ]; then
cis
else
"$check"
fi
printf "\n" printf "\n"
info "Checks: $totalChecks" info "Checks: $totalChecks"
info "Score: $currentScore" info "Score: $currentScore"
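Review bot: The new `else` branch runs `"$check"` as a bare command without confirming that the `-c` value names one of the sourced check functions, so a mistyped name produces the shell's own "not found" message and, unless `set -e` is in effect somewhere outside this hunk, the run appears to continue and print the score as if nothing had happened. A small guard before the `if` would make the failure explicit: `case "$check" in check_*|cis|community|all) ;; *) usage; exit 1 ;; esac` followed by `command -v "$check" >/dev/null 2>&1 || { printf 'Unknown check: %s\n' "$check" >&2; exit 1; }`. `running_containers` is set in this hunk but not read within it; presumably `check_running_containers` in tests/ consumes it, which is worth a one-line comment next to the assignment (`# consumed by check_running_containers in tests/5_container_runtime.sh` or wherever it lives). main() continues past the end of this hunk.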

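--- a/functions_lib.sh
+++ b/functions_lib.sh
@@ -0,0 +1,161 @@
+#!/bin/sh
+host_configuration() {
+check_1
+check_1_1
+check_1_2
+check_1_3
+check_1_4
+check_1_5
+check_1_6
+check_1_7
+check_1_8
+check_1_9
+check_1_10
+check_1_11
+check_1_12
+check_1_13
+}
+docker_daemon_configuration() {
+check_2
+check_2_1
+check_2_2
+check_2_3
+check_2_4
+check_2_5
+check_2_6
+check_2_7
+check_2_8
+check_2_9
+check_2_10
+check_2_11
+check_2_12
+check_2_13
+check_2_14
+check_2_15
+check_2_16
+check_2_17
+check_2_18
+}
+docker_daemon_files() {
+check_3
+check_3_1
+check_3_2
+check_3_3
+check_3_4
+check_3_5
+check_3_6
+check_3_7
+check_3_8
+check_3_9
+check_3_10
+check_3_11
+check_3_12
+check_3_13
+check_3_14
+check_3_15
+check_3_16
+check_3_17
+check_3_18
+check_3_19
+check_3_20
+}
+container_images() {
+check_4
+check_4_1
+check_4_2
+check_4_3
+check_4_4
+check_4_5
+check_4_6
+check_4_7
+check_4_8
+check_4_9
+check_4_10
+check_4_11
+}
+container_runtime() {
+check_5
+check_running_containers
+check_5_1
+check_5_2
+check_5_3
+check_5_4
+check_5_5
+check_5_6
+check_5_7
+check_5_8
+check_5_9
+check_5_10
+check_5_11
+check_5_12
+check_5_13
+check_5_14
+check_5_15
+check_5_16
+check_5_17
+check_5_18
+check_5_19
+check_5_20
+check_5_21
+check_5_22
+check_5_23
+check_5_24
+check_5_25
+check_5_26
+check_5_27
+check_5_28
+check_5_29
+check_5_30
+check_5_31
+}
+docker_security_operations() {
+check_6
+check_6_1
+check_6_2
+}
+docker_swarm_configuration() {
+check_7
+check_7_1
+check_7_2
+check_7_3
+check_7_5
+check_7_6
+check_7_7
+check_7_8
+check_7_9
+check_7_10
+}
+community_checks() {
+# check_c_1
+true;
+}
+# CIS
+cis() {
+host_configuration
+docker_daemon_configuration
+docker_daemon_files
+container_images
+container_runtime
+docker_security_operations
+docker_swarm_configuration
+}
+# Community contributed
+community() {
+community_checks
+}
+# All
+all() {
+cis
+community
+}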
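Review bot: `docker_swarm_configuration` jumps from `check_7_3` to `check_7_5`, so if tests/ defines a `check_7_4` it is silently never run by `cis` or `all`; if the omission is deliberate, a comment such as `# check_7_4 intentionally skipped: <reason>` in its place would stop the next reader from "fixing" it, otherwise the call should be added. The file also has no header explaining its contract; since every function here depends on the `check_*` functions being sourced first, a comment under the shebang along the lines of `# Groups of CIS checks. The check_* functions are defined in tests/*.sh and must be sourced before any group function is called.` would help. In `community_checks` the `true;` trailing semicolon is harmless but unusual for this codebase; plain `true` reads cleaner.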


@ -3,6 +3,9 @@
# Returns the absolute path of a given string # Returns the absolute path of a given string
abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; } abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; }
# Audit rules default path
auditrules="/etc/audit/audit.rules"
# Compares versions of software of the format X.Y.Z # Compares versions of software of the format X.Y.Z
do_version_check() { do_version_check() {
[ "$1" = "$2" ] && return 10 [ "$1" = "$2" ] && return 10


@ -1,71 +1,81 @@
#!/bin/sh #!/bin/sh
logit "" check_1() {
info "1 - Host Configuration" logit ""
auditrules="/etc/audit/audit.rules" info "1 - Host Configuration"
}
# 1.1 # 1.1
check_1_1="1.1 - Ensure a separate partition for containers has been created" check_1_1() {
totalChecks=$((totalChecks + 1)) check_1_1="1.1 - Ensure a separate partition for containers has been created"
totalChecks=$((totalChecks + 1))
if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then
pass "$check_1_1" pass "$check_1_1"
logjson "1.1" "PASS" logjson "1.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then
pass "$check_1_1" pass "$check_1_1"
logjson "1.1" "PASS" logjson "1.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_1" warn "$check_1_1"
logjson "1.1" "WARN" logjson "1.1" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 1.2 # 1.2
check_1_2="1.2 - Ensure the container host has been Hardened" check_1_2() {
totalChecks=$((totalChecks + 1)) check_1_2="1.2 - Ensure the container host has been Hardened"
note "$check_1_2" totalChecks=$((totalChecks + 1))
logjson "1.2" "INFO" note "$check_1_2"
currentScore=$((currentScore - 0)) logjson "1.2" "INFO"
currentScore=$((currentScore - 0))
}
# 1.3 # 1.3
check_1_3="1.3 - Ensure Docker is up to date" check_1_3() {
totalChecks=$((totalChecks + 1)) check_1_3="1.3 - Ensure Docker is up to date"
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ totalChecks=$((totalChecks + 1))
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,') | awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version" do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
info "$check_1_3" info "$check_1_3"
info " * Using $docker_version, verify is it up to date as deemed necessary" info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker" info " * Your operating system vendor may provide support and security maintenance for Docker"
logjson "1.3" "INFO" logjson "1.3" "INFO"
currentScore=$((currentScore - 0)) currentScore=$((currentScore - 0))
else else
pass "$check_1_3" pass "$check_1_3"
info " * Using $docker_version which is current" info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker" info " * Check with your operating system vendor for support and security maintenance for Docker"
logjson "1.3" "PASS" logjson "1.3" "PASS"
currentScore=$((currentScore - 0)) currentScore=$((currentScore - 0))
fi fi
}
# 1.4 # 1.4
check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon" check_1_4() {
totalChecks=$((totalChecks + 1)) check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon"
docker_users=$(getent group docker) totalChecks=$((totalChecks + 1))
info "$check_1_4" docker_users=$(getent group docker)
for u in $docker_users; do info "$check_1_4"
for u in $docker_users; do
info " * $u" info " * $u"
logjson "1.4" "$u" logjson "1.4" "$u"
done done
currentScore=$((currentScore - 0)) currentScore=$((currentScore - 0))
}
# 1.5 # 1.5
check_1_5="1.5 - Ensure auditing is configured for the Docker daemon" check_1_5() {
totalChecks=$((totalChecks + 1)) check_1_5="1.5 - Ensure auditing is configured for the Docker daemon"
file="/usr/bin/docker " totalChecks=$((totalChecks + 1))
if command -v auditctl >/dev/null 2>&1; then file="/usr/bin/docker "
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_5" pass "$check_1_5"
logjson "1.5" "PASS" logjson "1.5" "PASS"
@ -75,21 +85,23 @@ if command -v auditctl >/dev/null 2>&1; then
logjson "1.5" "WARN" logjson "1.5" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_5" pass "$check_1_5"
logjson "1.5" "PASS" logjson "1.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_5" warn "$check_1_5"
logjson "1.5" "WARN" logjson "1.5" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 1.6 # 1.6
check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker" check_1_6() {
totalChecks=$((totalChecks + 1)) check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker"
directory="/var/lib/docker" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/var/lib/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_6" pass "$check_1_6"
@ -109,18 +121,20 @@ if [ -d "$directory" ]; then
logjson "1.6" "WARN" logjson "1.6" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_6" info "$check_1_6"
info " * Directory not found" info " * Directory not found"
logjson "1.6" "INFO" logjson "1.6" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.7 # 1.7
check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker" check_1_7() {
totalChecks=$((totalChecks + 1)) check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker"
directory="/etc/docker" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_7" pass "$check_1_7"
@ -140,18 +154,20 @@ if [ -d "$directory" ]; then
logjson "1.7" "WARN" logjson "1.7" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_7" info "$check_1_7"
info " * Directory not found" info " * Directory not found"
logjson "1.7" "INFO" logjson "1.7" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.8 # 1.8
check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service" check_1_8() {
totalChecks=$((totalChecks + 1)) check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service"
file="$(get_systemd_service_file docker.service)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_8" pass "$check_1_8"
@ -171,18 +187,20 @@ if [ -f "$file" ]; then
logjson "1.8" "WARN" logjson "1.8" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_8" info "$check_1_8"
info " * File not found" info " * File not found"
logjson "1.8" "INFO" logjson "1.8" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.9 # 1.9
check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket" check_1_9() {
totalChecks=$((totalChecks + 1)) check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket"
file="$(get_systemd_service_file docker.socket)" totalChecks=$((totalChecks + 1))
if [ -e "$file" ]; then file="$(get_systemd_service_file docker.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_9" pass "$check_1_9"
@ -202,18 +220,20 @@ if [ -e "$file" ]; then
logjson "1.9" "WARN" logjson "1.9" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_9" info "$check_1_9"
info " * File not found" info " * File not found"
logjson "1.9" "INFO" logjson "1.9" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.10 # 1.10
check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker" check_1_10() {
totalChecks=$((totalChecks + 1)) check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker"
file="/etc/default/docker" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/default/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_10" pass "$check_1_10"
@ -233,18 +253,20 @@ if [ -f "$file" ]; then
logjson "1.10" "WARN" logjson "1.10" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_10" info "$check_1_10"
info " * File not found" info " * File not found"
logjson "1.10" "INFO" logjson "1.10" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.11 # 1.11
check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json" check_1_11() {
totalChecks=$((totalChecks + 1)) check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
file="/etc/docker/daemon.json" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_11" pass "$check_1_11"
@ -264,18 +286,20 @@ if [ -f "$file" ]; then
logjson "1.11" "WARN" logjson "1.11" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_11" info "$check_1_11"
info " * File not found" info " * File not found"
logjson "1.11" "INFO" logjson "1.11" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.12 # 1.12
check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd" check_1_12() {
totalChecks=$((totalChecks + 1)) check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
file="/usr/bin/docker-containerd" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/usr/bin/docker-containerd"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_12" pass "$check_1_12"
@ -295,18 +319,20 @@ if [ -f "$file" ]; then
logjson "1.12" "WARN" logjson "1.12" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_12" info "$check_1_12"
info " * File not found" info " * File not found"
logjson "1.12" "INFO" logjson "1.12" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 1.13 # 1.13
check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc" check_1_13() {
totalChecks=$((totalChecks + 1)) check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
file="/usr/bin/docker-runc" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/usr/bin/docker-runc"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_13" pass "$check_1_13"
@ -326,9 +352,10 @@ if [ -f "$file" ]; then
logjson "1.13" "WARN" logjson "1.13" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_1_13" info "$check_1_13"
info " * File not found" info " * File not found"
logjson "1.13" "INFO" logjson "1.13" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
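Review bot: Every new function assigns a variable carrying the same name as the function, e.g. `check_1_1="1.1 - Ensure a separate partition ..."` on the first line inside `check_1_1()`; sh keeps functions and variables in separate namespaces so this works, but it reads as a function redefining itself and makes a grep for a check name ambiguous, and the same pattern appears in every hunk of this file and of tests/2_docker_daemon_configuration.sh. The scratch variables (`file`, `directory`, `docker_users`, `docker_version`) are also left global after each call, since `local` is not guaranteed under `#!/bin/sh`; that was already true before the refactor, but now that checks can be invoked individually via `-c` it deserves a short comment at the top of the file stating that the check functions mutate the globals `totalChecks` and `currentScore` and rely on helper_lib.sh and output_lib.sh being sourced first. Note that `check_1_5` reads `$auditrules`, which this commit moves to helper_lib.sh, so running the file standalone without that library is no longer possible.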


@ -1,29 +1,34 @@
#!/bin/sh #!/bin/sh
logit "\n" check_2() {
info "2 - Docker daemon configuration" logit "\n"
info "2 - Docker daemon configuration"
}
# 2.1 # 2.1
check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge" check_2_1() {
totalChecks=$((totalChecks + 1)) check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge"
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass "$check_2_1" pass "$check_2_1"
logjson "2.1" "PASS" logjson "2.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass "$check_2_1" pass "$check_2_1"
logjson "2.1" "PASS" logjson "2.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_1" warn "$check_2_1"
logjson "2.1" "WARN" logjson "2.1" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.2 # 2.2
check_2_2="2.2 - Ensure the logging level is set to 'info'" check_2_2() {
totalChecks=$((totalChecks + 1)) check_2_2="2.2 - Ensure the logging level is set to 'info'"
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass "$check_2_2" pass "$check_2_2"
logjson "2.2" "PASS" logjson "2.2" "PASS"
@ -37,7 +42,7 @@ if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
logjson "2.2" "WARN" logjson "2.2" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif get_docker_effective_command_line_args '-l'; then elif get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass "$check_2_2" pass "$check_2_2"
logjson "2.2" "PASS" logjson "2.2" "PASS"
@ -47,37 +52,41 @@ elif get_docker_effective_command_line_args '-l'; then
logjson "2.2" "WARN" logjson "2.2" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
pass "$check_2_2" pass "$check_2_2"
logjson "2.2" "PASS" logjson "2.2" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.3 # 2.3
check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables" check_2_3() {
totalChecks=$((totalChecks + 1)) check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables"
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3" warn "$check_2_3"
logjson "2.3" "WARN" logjson "2.3" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3" warn "$check_2_3"
logjson "2.3" "WARN" logjson "2.3" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
else else
pass "$check_2_3" pass "$check_2_3"
logjson "2.3" "PASS" logjson "2.3" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.4 # 2.4
check_2_4="2.4 - Ensure insecure registries are not used" check_2_4() {
totalChecks=$((totalChecks + 1)) check_2_4="2.4 - Ensure insecure registries are not used"
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn "$check_2_4" warn "$check_2_4"
logjson "2.4" "WARN" logjson "2.4" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass "$check_2_4" pass "$check_2_4"
logjson "2.4" "PASS" logjson "2.4" "PASS"
@ -87,29 +96,33 @@ elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; the
logjson "2.4" "WARN" logjson "2.4" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
pass "$check_2_4" pass "$check_2_4"
logjson "2.4" "PASS" logjson "2.4" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.5 # 2.5
check_2_5="2.5 - Ensure aufs storage driver is not used" check_2_5() {
totalChecks=$((totalChecks + 1)) check_2_5="2.5 - Ensure aufs storage driver is not used"
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn "$check_2_5" warn "$check_2_5"
logjson "2.5" "WARN" logjson "2.5" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
else else
pass "$check_2_5" pass "$check_2_5"
logjson "2.5" "PASS" logjson "2.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.6 # 2.6
check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured" check_2_6() {
totalChecks=$((totalChecks + 1)) check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured"
if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then totalChecks=$((totalChecks + 1))
if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then [ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then
if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
@ -130,7 +143,7 @@ if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
logjson "2.6" "WARN" logjson "2.6" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
pass "$check_2_6" pass "$check_2_6"
@ -148,140 +161,155 @@ elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/de
logjson "2.6" "WARN" logjson "2.6" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_2_6" info "$check_2_6"
info " * Docker daemon not listening on TCP" info " * Docker daemon not listening on TCP"
logjson "2.6" "INFO" logjson "2.6" "INFO"
currentScore=$((currentScore +0)) currentScore=$((currentScore +0))
fi fi
}
# 2.7 # 2.7
check_2_7="2.7 - Ensure the default ulimit is configured appropriately" check_2_7() {
totalChecks=$((totalChecks + 1)) check_2_7="2.7 - Ensure the default ulimit is configured appropriately"
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass "$check_2_7" pass "$check_2_7"
logjson "2.7" "PASS" logjson "2.7" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass "$check_2_7" pass "$check_2_7"
logjson "2.7" "PASS" logjson "2.7" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
info "$check_2_7" info "$check_2_7"
info " * Default ulimit doesn't appear to be set" info " * Default ulimit doesn't appear to be set"
logjson "2.7" "INFO" logjson "2.7" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 2.8 # 2.8
check_2_8="2.8 - Enable user namespace support" check_2_8() {
totalChecks=$((totalChecks + 1)) check_2_8="2.8 - Enable user namespace support"
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass "$check_2_8" pass "$check_2_8"
logjson "2.8" "PASS" logjson "2.8" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass "$check_2_8" pass "$check_2_8"
logjson "2.8" "PASS" logjson "2.8" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_8" warn "$check_2_8"
logjson "2.8" "WARN" logjson "2.8" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.9 # 2.9
check_2_9="2.9 - Ensure the default cgroup usage has been confirmed" check_2_9() {
totalChecks=$((totalChecks + 1)) check_2_9="2.9 - Ensure the default cgroup usage has been confirmed"
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
warn "$check_2_9" warn "$check_2_9"
info " * Confirm cgroup usage" info " * Confirm cgroup usage"
logjson "2.9" "INFO" logjson "2.9" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn "$check_2_9" warn "$check_2_9"
info " * Confirm cgroup usage" info " * Confirm cgroup usage"
logjson "2.9" "INFO" logjson "2.9" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
else else
pass "$check_2_9" pass "$check_2_9"
logjson "2.9" "PASS" logjson "2.9" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.10 # 2.10
check_2_10="2.10 - Ensure base device size is not changed until needed" check_2_10() {
totalChecks=$((totalChecks + 1)) check_2_10="2.10 - Ensure base device size is not changed until needed"
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10" warn "$check_2_10"
logjson "2.10" "WARN" logjson "2.10" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10" warn "$check_2_10"
logjson "2.10" "WARN" logjson "2.10" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
else else
pass "$check_2_10" pass "$check_2_10"
logjson "2.10" "PASS" logjson "2.10" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.11 # 2.11
check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled" check_2_11() {
totalChecks=$((totalChecks + 1)) check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled"
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass "$check_2_11" pass "$check_2_11"
logjson "2.11" "PASS" logjson "2.11" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass "$check_2_11" pass "$check_2_11"
logjson "2.11" "PASS" logjson "2.11" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_11" warn "$check_2_11"
logjson "2.11" "WARN" logjson "2.11" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.12 # 2.12
check_2_12="2.12 - Ensure centralized and remote logging is configured" check_2_12() {
totalChecks=$((totalChecks + 1)) check_2_12="2.12 - Ensure centralized and remote logging is configured"
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn "$check_2_12" warn "$check_2_12"
logjson "2.12" "WARN" logjson "2.12" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
else else
pass "$check_2_12" pass "$check_2_12"
logjson "2.12" "PASS" logjson "2.12" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 2.13 # 2.13
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled" check_2_13() {
totalChecks=$((totalChecks + 1)) check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled"
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass "$check_2_13" pass "$check_2_13"
logjson "2.13" "PASS" logjson "2.13" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass "$check_2_13" pass "$check_2_13"
logjson "2.13" "PASS" logjson "2.13" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_13" warn "$check_2_13"
logjson "2.13" "WARN" logjson "2.13" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.14 # 2.14
check_2_14="2.14 - Ensure live restore is Enabled" check_2_14() {
totalChecks=$((totalChecks + 1)) check_2_14="2.14 - Ensure live restore is Enabled"
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass "$check_2_14" pass "$check_2_14"
logjson "2.14" "PASS" logjson "2.14" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass "$check_2_14 (Incompatible with swarm mode)" pass "$check_2_14 (Incompatible with swarm mode)"
logjson "2.14" "PASS" logjson "2.14" "PASS"
@ -295,64 +323,73 @@ else
logjson "2.14" "WARN" logjson "2.14" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
fi fi
}
# 2.15 # 2.15
check_2_15="2.15 - Ensure Userland Proxy is Disabled" check_2_15() {
totalChecks=$((totalChecks + 1)) check_2_15="2.15 - Ensure Userland Proxy is Disabled"
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass "$check_2_15" pass "$check_2_15"
logjson "2.15" "PASS" logjson "2.15" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass "$check_2_15" pass "$check_2_15"
logjson "2.15" "PASS" logjson "2.15" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_15" warn "$check_2_15"
logjson "2.15" "WARN" logjson "2.15" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.16 # 2.16
check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed" check_2_16() {
totalChecks=$((totalChecks + 1)) check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed"
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then totalChecks=$((totalChecks + 1))
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass "$check_2_16" pass "$check_2_16"
logjson "2.16" "PASS" logjson "2.16" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
info "$check_2_16" info "$check_2_16"
logjson "2.16" "INFO" logjson "2.16" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 2.17 # 2.17
check_2_17="2.17 - Ensure experimental features are avoided in production" check_2_17() {
totalChecks=$((totalChecks + 1)) check_2_17="2.17 - Ensure experimental features are avoided in production"
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then totalChecks=$((totalChecks + 1))
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass "$check_2_17" pass "$check_2_17"
logjson "2.17" "PASS" logjson "2.17" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_17" warn "$check_2_17"
logjson "2.17" "WARN" logjson "2.17" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 2.18 # 2.18
check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges" check_2_18() {
totalChecks=$((totalChecks + 1)) check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges"
if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then
pass "$check_2_18" pass "$check_2_18"
logjson "2.18" "PASS" logjson "2.18" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then
pass "$check_2_18" pass "$check_2_18"
logjson "2.18" "PASS" logjson "2.18" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_18" warn "$check_2_18"
logjson "2.18" "WARN" logjson "2.18" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}


@ -1,13 +1,16 @@
#!/bin/sh #!/bin/sh
logit "\n" check_3() {
info "3 - Docker daemon configuration files" logit "\n"
info "3 - Docker daemon configuration files"
}
# 3.1 # 3.1
check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root" check_3_1() {
totalChecks=$((totalChecks + 1)) check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root"
file="$(get_systemd_service_file docker.service)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1" pass "$check_3_1"
logjson "3.1" "PASS" logjson "3.1" "PASS"
@ -18,18 +21,20 @@ if [ -f "$file" ]; then
logjson "3.1" "WARN" logjson "3.1" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_1" info "$check_3_1"
info " * File not found" info " * File not found"
logjson "3.1" "INFO" logjson "3.1" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.2 # 3.2
check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive" check_3_2() {
totalChecks=$((totalChecks + 1)) check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive"
file="$(get_systemd_service_file docker.service)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_2" pass "$check_3_2"
logjson "3.2" "PASS" logjson "3.2" "PASS"
@ -40,18 +45,20 @@ if [ -f "$file" ]; then
logjson "3.2" "WARN" logjson "3.2" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_2" info "$check_3_2"
info " * File not found" info " * File not found"
logjson "3.2" "INFO" logjson "3.2" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.3 # 3.3
check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root" check_3_3() {
totalChecks=$((totalChecks + 1)) check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root"
file="$(get_systemd_service_file docker.socket)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3" pass "$check_3_3"
logjson "3.3" "PASS" logjson "3.3" "PASS"
@ -62,18 +69,20 @@ if [ -f "$file" ]; then
logjson "3.3" "WARN" logjson "3.3" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_3" info "$check_3_3"
info " * File not found" info " * File not found"
logjson "3.3" "INFO" logjson "3.3" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.4 # 3.4
check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive" check_3_4() {
totalChecks=$((totalChecks + 1)) check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive"
file="$(get_systemd_service_file docker.socket)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_4" pass "$check_3_4"
logjson "3.4" "PASS" logjson "3.4" "PASS"
@ -84,18 +93,20 @@ if [ -f "$file" ]; then
logjson "3.4" "WARN" logjson "3.4" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_4" info "$check_3_4"
info " * File not found" info " * File not found"
logjson "3.4" "INFO" logjson "3.4" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.5 # 3.5
check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root" check_3_5() {
totalChecks=$((totalChecks + 1)) check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root"
directory="/etc/docker" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_5" pass "$check_3_5"
logjson "3.5" "PASS" logjson "3.5" "PASS"
@ -106,18 +117,20 @@ if [ -d "$directory" ]; then
logjson "3.5" "WARN" logjson "3.5" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_5" info "$check_3_5"
info " * Directory not found" info " * Directory not found"
logjson "3.5" "INFO" logjson "3.5" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.6 # 3.6
check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive" check_3_6() {
totalChecks=$((totalChecks + 1)) check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
directory="/etc/docker" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_6" pass "$check_3_6"
logjson "3.6" "PASS" logjson "3.6" "PASS"
@ -128,18 +141,20 @@ if [ -d "$directory" ]; then
logjson "3.6" "WARN" logjson "3.6" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_6" info "$check_3_6"
info " * Directory not found" info " * Directory not found"
logjson "3.6" "INFO" logjson "3.6" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.7 # 3.7
check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root" check_3_7() {
totalChecks=$((totalChecks + 1)) check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root"
directory="/etc/docker/certs.d/" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0 fail=0
owners=$(find "$directory" -type f -name '*.crt') owners=$(find "$directory" -type f -name '*.crt')
for p in $owners; do for p in $owners; do
@ -157,18 +172,20 @@ if [ -d "$directory" ]; then
logjson "3.7" "PASS" logjson "3.7" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
else else
info "$check_3_7" info "$check_3_7"
info " * Directory not found" info " * Directory not found"
logjson "3.7" "INFO" logjson "3.7" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.8 # 3.8
check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive" check_3_8() {
totalChecks=$((totalChecks + 1)) check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive"
directory="/etc/docker/certs.d/" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0 fail=0
perms=$(find "$directory" -type f -name '*.crt') perms=$(find "$directory" -type f -name '*.crt')
for p in $perms; do for p in $perms; do
@ -186,22 +203,24 @@ if [ -d "$directory" ]; then
logjson "3.8" "PASS" logjson "3.8" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
else else
info "$check_3_8" info "$check_3_8"
info " * Directory not found" info " * Directory not found"
logjson "3.8" "INFO" logjson "3.8" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.9 # 3.9
check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root" check_3_9() {
totalChecks=$((totalChecks + 1)) check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root"
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert') tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_9" pass "$check_3_9"
logjson "3.9" "PASS" logjson "3.9" "PASS"
@ -212,22 +231,24 @@ if [ -f "$tlscacert" ]; then
logjson "3.9" "WARN" logjson "3.9" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_9" info "$check_3_9"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
logjson "3.9" "INFO" logjson "3.9" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.10 # 3.10
check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive" check_3_10() {
totalChecks=$((totalChecks + 1)) check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert') tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
pass "$check_3_10" pass "$check_3_10"
logjson "3.10" "PASS" logjson "3.10" "PASS"
@ -238,22 +259,24 @@ if [ -f "$tlscacert" ]; then
logjson "3.10" "WARN" logjson "3.10" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_10" info "$check_3_10"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
logjson "3.10" "INFO" logjson "3.10" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.11 # 3.11
check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root" check_3_11() {
totalChecks=$((totalChecks + 1)) check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root"
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert') tlscert=$(get_docker_configuration_file_args 'tlscert')
else else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_11" pass "$check_3_11"
logjson "3.11" "PASS" logjson "3.11" "PASS"
@ -264,22 +287,24 @@ if [ -f "$tlscert" ]; then
logjson "3.11" "WARN" logjson "3.11" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_11" info "$check_3_11"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
logjson "3.11" "INFO" logjson "3.11" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.12 # 3.12
check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive" check_3_12() {
totalChecks=$((totalChecks + 1)) check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert') tlscert=$(get_docker_configuration_file_args 'tlscert')
else else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
pass "$check_3_12" pass "$check_3_12"
logjson "3.12" "PASS" logjson "3.12" "PASS"
@ -290,22 +315,24 @@ if [ -f "$tlscert" ]; then
logjson "3.12" "WARN" logjson "3.12" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_12" info "$check_3_12"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
logjson "3.12" "INFO" logjson "3.12" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.13 # 3.13
check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root" check_3_13() {
totalChecks=$((totalChecks + 1)) check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root"
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey') tlskey=$(get_docker_configuration_file_args 'tlskey')
else else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_13" pass "$check_3_13"
logjson "3.13" "PASS" logjson "3.13" "PASS"
@ -316,22 +343,24 @@ if [ -f "$tlskey" ]; then
logjson "3.13" "WARN" logjson "3.13" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_13" info "$check_3_13"
info " * No TLS Key found" info " * No TLS Key found"
logjson "3.13" "INFO" logjson "3.13" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.14 # 3.14
check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400" check_3_14() {
totalChecks=$((totalChecks + 1)) check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400"
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey') tlskey=$(get_docker_configuration_file_args 'tlskey')
else else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass "$check_3_14" pass "$check_3_14"
logjson "3.14" "PASS" logjson "3.14" "PASS"
@ -342,18 +371,20 @@ if [ -f "$tlskey" ]; then
logjson "3.14" "WARN" logjson "3.14" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_14" info "$check_3_14"
info " * No TLS Key found" info " * No TLS Key found"
logjson "3.14" "INFO" logjson "3.14" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.15 # 3.15
check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker" check_3_15() {
totalChecks=$((totalChecks + 1)) check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker"
file="/var/run/docker.sock" totalChecks=$((totalChecks + 1))
if [ -S "$file" ]; then file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass "$check_3_15" pass "$check_3_15"
logjson "3.15" "PASS" logjson "3.15" "PASS"
@ -364,18 +395,20 @@ if [ -S "$file" ]; then
logjson "3.15" "WARN" logjson "3.15" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_15" info "$check_3_15"
info " * File not found" info " * File not found"
logjson "3.15" "INFO" logjson "3.15" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.16 # 3.16
check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive" check_3_16() {
totalChecks=$((totalChecks + 1)) check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive"
file="/var/run/docker.sock" totalChecks=$((totalChecks + 1))
if [ -S "$file" ]; then file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_16" pass "$check_3_16"
logjson "3.16" "PASS" logjson "3.16" "PASS"
@ -386,18 +419,20 @@ if [ -S "$file" ]; then
logjson "3.16" "WARN" logjson "3.16" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_16" info "$check_3_16"
info " * File not found" info " * File not found"
logjson "3.16" "INFO" logjson "3.16" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.17 # 3.17
check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root" check_3_17() {
totalChecks=$((totalChecks + 1)) check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root"
file="/etc/docker/daemon.json" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_17" pass "$check_3_17"
logjson "3.17" "PASS" logjson "3.17" "PASS"
@ -408,18 +443,20 @@ if [ -f "$file" ]; then
logjson "3.17" "WARN" logjson "3.17" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_17" info "$check_3_17"
info " * File not found" info " * File not found"
logjson "3.17" "INFO" logjson "3.17" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.18 # 3.18
check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive" check_3_18() {
totalChecks=$((totalChecks + 1)) check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive"
file="/etc/docker/daemon.json" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_18" pass "$check_3_18"
logjson "3.18" "PASS" logjson "3.18" "PASS"
@ -430,18 +467,20 @@ if [ -f "$file" ]; then
logjson "3.18" "WARN" logjson "3.18" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_18" info "$check_3_18"
info " * File not found" info " * File not found"
logjson "3.18" "INFO" logjson "3.18" "INFO"
currentScore=$((currentScore - 0)) currentScore=$((currentScore - 0))
fi fi
}
# 3.19 # 3.19
check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root" check_3_19() {
totalChecks=$((totalChecks + 1)) check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root"
file="/etc/default/docker" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_19" pass "$check_3_19"
logjson "3.19" "PASS" logjson "3.19" "PASS"
@ -452,18 +491,20 @@ if [ -f "$file" ]; then
logjson "3.19" "WARN" logjson "3.19" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_19" info "$check_3_19"
info " * File not found" info " * File not found"
logjson "3.19" "INFO" logjson "3.19" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 3.20 # 3.20
check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive" check_3_20() {
totalChecks=$((totalChecks + 1)) check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
file="/etc/default/docker" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_20" pass "$check_3_20"
logjson "3.20" "PASS" logjson "3.20" "PASS"
@ -474,9 +515,10 @@ if [ -f "$file" ]; then
logjson "3.20" "WARN" logjson "3.20" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
info "$check_3_20" info "$check_3_20"
info " * File not found" info " * File not found"
logjson "3.20" "INFO" logjson "3.20" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
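Review bot: The "or more restrictive" checks in this section (check_3_2, 3_4, 3_6, 3_8, 3_10, 3_12, 3_16, 3_18, 3_20) still accept only two exact modes, e.g. `"$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600`, so a file that is legitimately tighter (640, 444 or 400 on docker.service, 440 on docker.sock) is reported WARN and docked a point, and `$file` is unquoted inside the `stat` call. A bitmask test matches the CIS wording and also covers the setuid/sticky digit that `stat -c %a` prints as a fourth digit: `if [ $(( 0$(stat -c %a "$file") & 07133 )) -eq 0 ]; then` for the 644 checks (mask 07022 for 755, 07333 for 444, 07117 for 660, 07377 for the 400 key check). The new check_3_N functions assign `file`, `directory`, `tlscacert`, `tlscert`, `tlskey` and `fail` as plain globals, which is unavoidable under `#!/bin/sh` without a portable `local`, but a one-line comment such as `# NOTE: $file is a global reused by every check in this section` at the top of the file would make that contract visible to anyone wiring up the new `-c check_3_N` single-check mode. The pass/warn branches of every check are collapsed out of the visible hunks, so these points are made against the condition lines only.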


@ -1,24 +1,29 @@
#!/bin/sh #!/bin/sh
logit "\n" images=$(docker images -q)
info "4 - Container Images and Build File"
check_4() {
logit "\n"
info "4 - Container Images and Build File"
}
# 4.1 # 4.1
check_4_1="4.1 - Ensure a user for the container has been created" check_4_1() {
totalChecks=$((totalChecks + 1)) check_4_1="4.1 - Ensure a user for the container has been created"
totalChecks=$((totalChecks + 1))
# If container_users is empty, there are no running containers # If container_users is empty, there are no running containers
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info "$check_4_1" info "$check_4_1"
info " * No containers running" info " * No containers running"
logjson "4.1" "INFO" logjson "4.1" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
else else
# We have some containers running, set failure flag to 0. Check for Users. # We have some containers running, set failure flag to 0. Check for Users.
fail=0 fail=0
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
for c in $containers; do for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c") user=$(docker inspect --format 'User={{.Config.User}}' "$c")
@ -43,51 +48,59 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
fi fi
# Make the loop separator go back to space # Make the loop separator go back to space
set +f; unset IFS set +f; unset IFS
}
images=$(docker images -q)
# 4.2 # 4.2
check_4_2="4.2 - Ensure that containers use trusted base images" check_4_2() {
totalChecks=$((totalChecks + 1)) check_4_2="4.2 - Ensure that containers use trusted base images"
note "$check_4_2" totalChecks=$((totalChecks + 1))
logjson "4.2" "NOTE" note "$check_4_2"
currentScore=$((currentScore + 0)) logjson "4.2" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.3 # 4.3
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" check_4_3() {
totalChecks=$((totalChecks + 1)) check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
note "$check_4_3" totalChecks=$((totalChecks + 1))
logjson "4.3" "NOTE" note "$check_4_3"
currentScore=$((currentScore + 0)) logjson "4.3" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.4 # 4.4
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" check_4_4() {
totalChecks=$((totalChecks + 1)) check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
note "$check_4_4" totalChecks=$((totalChecks + 1))
logjson "4.4" "NOTE" note "$check_4_4"
currentScore=$((currentScore + 0)) logjson "4.4" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.5 # 4.5
check_4_5="4.5 - Ensure Content trust for Docker is Enabled" check_4_5() {
totalChecks=$((totalChecks + 1)) check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then totalChecks=$((totalChecks + 1))
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass "$check_4_5" pass "$check_4_5"
logjson "4.5" "PASS" logjson "4.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_4_5" warn "$check_4_5"
logjson "4.5" "WARN" logjson "4.5" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 4.6 # 4.6
check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image" check_4_6() {
totalChecks=$((totalChecks + 1)) check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image"
fail=0 totalChecks=$((totalChecks + 1))
for img in $images; do fail=0
for img in $images; do
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
@ -100,20 +113,22 @@ for img in $images; do
logjson "4.6" "WARN: $imgName" logjson "4.6" "WARN: $imgName"
fi fi
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_6" pass "$check_4_6"
logjson "4.6" "PASS" logjson "4.6" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 4.7 # 4.7
check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile" check_4_7() {
totalChecks=$((totalChecks + 1)) check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile"
fail=0 totalChecks=$((totalChecks + 1))
for img in $images; do fail=0
for img in $images; do
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
fail=1 fail=1
@ -125,27 +140,31 @@ for img in $images; do
info " * Update instruction found: $imgName" info " * Update instruction found: $imgName"
fi fi
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_7" pass "$check_4_7"
logjson "4.7" "PASS" logjson "4.7" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 4.8 # 4.8
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images" check_4_8() {
totalChecks=$((totalChecks + 1)) check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
note "$check_4_8" totalChecks=$((totalChecks + 1))
logjson "4.8" "NOTE" note "$check_4_8"
currentScore=$((currentScore + 0)) logjson "4.8" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.9 # 4.9
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile" check_4_9() {
totalChecks=$((totalChecks + 1)) check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
fail=0 totalChecks=$((totalChecks + 1))
for img in $images; do fail=0
for img in $images; do
docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1 docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
@ -160,23 +179,28 @@ for img in $images; do
fi fi
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass "$check_4_9" pass "$check_4_9"
logjson "4.9" "PASS" logjson "4.9" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 4.10 # 4.10
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" check_4_10() {
totalChecks=$((totalChecks + 1)) check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
note "$check_4_10" totalChecks=$((totalChecks + 1))
logjson "4.10" "NOTE" note "$check_4_10"
currentScore=$((currentScore + 0)) logjson "4.10" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.11 # 4.11
check_4_11="4.11 - Ensure verified packages are only Installed" check_4_11() {
totalChecks=$((totalChecks + 1)) check_4_11="4.11 - Ensure verified packages are only Installed"
note "$check_4_11" totalChecks=$((totalChecks + 1))
logjson "4.11" "NOTE" note "$check_4_11"
currentScore=$((currentScore + 0)) logjson "4.11" "NOTE"
currentScore=$((currentScore + 0))
}


@ -1,16 +1,29 @@
#!/bin/sh #!/bin/sh
check_5() {
logit "\n" logit "\n"
info "5 - Container Runtime" info "5 - Container Runtime"
}
# If containers is empty, there are no running containers check_running_containers() {
if [ -z "$containers" ]; then # If containers is empty, there are no running containers
if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5" info " * No containers running, skipping Section 5"
else running_containers=0
else
running_containers=1
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
# 5.1 fi
}
# 5.1
check_5_1() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_1="5.1 - Ensure AppArmor Profile is Enabled" check_5_1="5.1 - Ensure AppArmor Profile is Enabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -39,8 +52,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.2
check_5_2() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.2
check_5_2="5.2 - Ensure SELinux security options are set, if applicable" check_5_2="5.2 - Ensure SELinux security options are set, if applicable"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -69,8 +88,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.3
check_5_3() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.3
check_5_3="5.3 - Ensure Linux Kernel Capabilities are restricted within containers" check_5_3="5.3 - Ensure Linux Kernel Capabilities are restricted within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -102,8 +127,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.4
check_5_4() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.4
check_5_4="5.4 - Ensure privileged containers are not used" check_5_4="5.4 - Ensure privileged containers are not used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -132,8 +163,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.5
check_5_5() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.5
check_5_5="5.5 - Ensure sensitive host system directories are not mounted on containers" check_5_5="5.5 - Ensure sensitive host system directories are not mounted on containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -182,8 +219,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.6
check_5_6() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.6
check_5_6="5.6 - Ensure ssh is not run within containers" check_5_6="5.6 - Ensure ssh is not run within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -226,8 +269,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.7
check_5_7() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.7
check_5_7="5.7 - Ensure privileged ports are not mapped within containers" check_5_7="5.7 - Ensure privileged ports are not mapped within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -260,15 +309,27 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.8
check_5_8() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.8
check_5_8="5.8 - Ensure only needed ports are open on the container" check_5_8="5.8 - Ensure only needed ports are open on the container"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_8" note "$check_5_8"
logjson "5.8" "NOTE" logjson "5.8" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.9
check_5_9() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.9
check_5_9="5.9 - Ensure the host's network namespace is not shared" check_5_9="5.9 - Ensure the host's network namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -297,8 +358,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.10
check_5_10() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.10
check_5_10="5.10 - Ensure memory usage for container is limited" check_5_10="5.10 - Ensure memory usage for container is limited"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -331,8 +398,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.11
check_5_11() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.11
check_5_11="5.11 - Ensure CPU priority is set appropriately on the container" check_5_11="5.11 - Ensure CPU priority is set appropriately on the container"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -365,8 +438,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.12
check_5_12() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.12
check_5_12="5.12 - Ensure the container's root filesystem is mounted as read only" check_5_12="5.12 - Ensure the container's root filesystem is mounted as read only"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -395,8 +474,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.13
check_5_13() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.13
check_5_13="5.13 - Ensure incoming container traffic is binded to a specific host interface" check_5_13="5.13 - Ensure incoming container traffic is binded to a specific host interface"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -425,8 +510,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.14
check_5_14() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.14
check_5_14="5.14 - Ensure 'on-failure' container restart policy is set to '5'" check_5_14="5.14 - Ensure 'on-failure' container restart policy is set to '5'"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -455,8 +546,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.15
check_5_15() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.15
check_5_15="5.15 - Ensure the host's process namespace is not shared" check_5_15="5.15 - Ensure the host's process namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -485,8 +582,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.16
check_5_16() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.16
check_5_16="5.16 - Ensure the host's IPC namespace is not shared" check_5_16="5.16 - Ensure the host's IPC namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -515,8 +618,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.17
check_5_17() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.17
check_5_17="5.17 - Ensure host devices are not directly exposed to containers" check_5_17="5.17 - Ensure host devices are not directly exposed to containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -545,8 +654,14 @@ else
else else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 5.18
check_5_18() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.18
check_5_18="5.18 - Ensure the default ulimit is overwritten at runtime, only if needed" check_5_18="5.18 - Ensure the default ulimit is overwritten at runtime, only if needed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -575,8 +690,14 @@ else
else else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 5.19
check_5_19() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.19
check_5_19="5.19 - Ensure mount propagation mode is not set to shared" check_5_19="5.19 - Ensure mount propagation mode is not set to shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -604,8 +725,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.20
check_5_20() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.20
check_5_20="5.20 - Ensure the host's UTS namespace is not shared" check_5_20="5.20 - Ensure the host's UTS namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -634,8 +761,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.21
check_5_21() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.21
check_5_21="5.21 - Ensure the default seccomp profile is not Disabled" check_5_21="5.21 - Ensure the default seccomp profile is not Disabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -663,22 +796,40 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.22
check_5_22() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.22
check_5_22="5.22 - Ensure docker exec commands are not used with privileged option" check_5_22="5.22 - Ensure docker exec commands are not used with privileged option"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_22" note "$check_5_22"
logjson "5.22" "NOTE" logjson "5.22" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.23
check_5_23() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.23
check_5_23="5.23 - Ensure docker exec commands are not used with user option" check_5_23="5.23 - Ensure docker exec commands are not used with user option"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_23" note "$check_5_23"
logjson "5.23" "NOTE" logjson "5.23" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.24
check_5_24() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.24
check_5_24="5.24 - Ensure cgroup usage is confirmed" check_5_24="5.24 - Ensure cgroup usage is confirmed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -707,8 +858,13 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.25 # 5.25
check_5_25() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_25="5.25 - Ensure the container is restricted from acquiring additional privileges" check_5_25="5.25 - Ensure the container is restricted from acquiring additional privileges"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -735,8 +891,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.26
check_5_26() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.26
check_5_26="5.26 - Ensure container health is checked at runtime" check_5_26="5.26 - Ensure container health is checked at runtime"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -761,15 +923,27 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.27
check_5_27() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.27
check_5_27="5.27 - Ensure docker commands always get the latest version of the image" check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
info "$check_5_27" info "$check_5_27"
logjson "5.27" "INFO" logjson "5.27" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.28
check_5_28() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.28
check_5_28="5.28 - Ensure PIDs cgroup limit is used" check_5_28="5.28 - Ensure PIDs cgroup limit is used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -798,8 +972,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.29
check_5_29() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.29
check_5_29="5.29 - Ensure Docker's default bridge docker0 is not used" check_5_29="5.29 - Ensure Docker's default bridge docker0 is not used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -832,8 +1012,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.30
check_5_30() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.30
check_5_30="5.30 - Ensure the host's user namespaces is not shared" check_5_30="5.30 - Ensure the host's user namespaces is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -860,8 +1046,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.31
check_5_31() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.31
check_5_31="5.31 - Ensure the Docker socket is not mounted inside any containers" check_5_31="5.31 - Ensure the Docker socket is not mounted inside any containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -888,4 +1080,5 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
fi }
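Review bot: Every `check_5_N` guard added in this section reads `running_containers` unprotected (`if [ "$running_containers" -ne 1 ]; then return; fi`, first in check_5_1), but the variable is only ever assigned inside `check_running_containers`; if a check function is called without that function having run first (for example when a single check is selected), `[ "" -ne 1 ]` raises an `Illegal number`/`integer expression expected` error from `test` and, because the error status is non-zero, the guard falls through and the check runs on an empty container list instead of skipping. Writing the guard as `if [ "${running_containers:-0}" -ne 1 ]; then return; fi` turns the unset case into a clean skip. The flag also shares its name with the count assigned in check_6_2 (`running_containers=$(docker ps -q | wc -l | awk '{print $1}')`), so once section 6 has run, re-running any section 5 check compares a container count against 1 and skips whenever it is not exactly one; a distinct name for the flag (or for the check_6_2 count) keeps the two apart. The bodies of the guarded checks are only partly visible in their hunks.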


@ -1,42 +1,48 @@
#!/bin/sh #!/bin/sh
logit "\n" check_6() {
info "6 - Docker Security Operations" logit "\n"
info "6 - Docker Security Operations"
}
# 6.1 # 6.1
check_6_1="6.1 - Avoid image sprawl" check_6_1() {
totalChecks=$((totalChecks + 1)) check_6_1="6.1 - Avoid image sprawl"
images=$(docker images -q | sort -u | wc -l | awk '{print $1}') totalChecks=$((totalChecks + 1))
active_images=0 images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
active_images=0
for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do
if docker images --no-trunc -a | grep "$c" > /dev/null ; then if docker images --no-trunc -a | grep "$c" > /dev/null ; then
active_images=$(( active_images += 1 )) active_images=$(( active_images += 1 ))
fi fi
done done
info "$check_6_1" info "$check_6_1"
info " * There are currently: $images images" info " * There are currently: $images images"
if [ "$active_images" -lt "$((images / 2))" ]; then if [ "$active_images" -lt "$((images / 2))" ]; then
info " * Only $active_images out of $images are in use" info " * Only $active_images out of $images are in use"
logjson "6.1" "INFO: $active_images" logjson "6.1" "INFO: $active_images"
fi fi
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 6.2 # 6.2
check_6_2="6.2 - Avoid container sprawl" check_6_2() {
totalChecks=$((totalChecks + 1)) check_6_2="6.2 - Avoid container sprawl"
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') totalChecks=$((totalChecks + 1))
running_containers=$(docker ps -q | wc -l | awk '{print $1}') total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
diff="$((total_containers - running_containers))" running_containers=$(docker ps -q | wc -l | awk '{print $1}')
if [ "$diff" -gt 25 ]; then diff="$((total_containers - running_containers))"
if [ "$diff" -gt 25 ]; then
info "$check_6_2" info "$check_6_2"
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
logjson "6.2" "INFO: $running_containers" logjson "6.2" "INFO: $running_containers"
else else
info "$check_6_2" info "$check_6_2"
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
logjson "6.2" "INFO: $running_containers" logjson "6.2" "INFO: $running_containers"
fi fi
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
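Review bot: check_6_1 assigns the image count to the global `images` (`images=$(docker images -q | sort -u | wc -l | awk '{print $1}')`), which is the same name the section 4 checks iterate over as a list of image IDs (`for img in $images`). Now that each check is a separately callable function, execution order is no longer fixed by file position, so a section 4 check run after check_6_1 would loop over a single number rather than the image list. Renaming the count inside check_6_1 (e.g. `image_count=$(docker images -q | sort -u | wc -l | awk '{print $1}')`) and updating its three uses in the `info` lines and the `$((images / 2))` test removes the clash without changing the report text.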


@ -1,25 +1,30 @@
#!/bin/sh #!/bin/sh
logit "\n" check_7() {
info "7 - Docker Swarm Configuration" logit "\n"
info "7 - Docker Swarm Configuration"
}
# 7.1 # 7.1
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed" check_7_1() {
totalChecks=$((totalChecks + 1)) check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass "$check_7_1" pass "$check_7_1"
logjson "7.1" "PASS" logjson "7.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_7_1" warn "$check_7_1"
logjson "7.1" "WARN" logjson "7.1" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 7.2 # 7.2
check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm" check_7_2() {
totalChecks=$((totalChecks + 1)) check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm"
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader") managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -le 1 ]; then if [ "$managernodes" -le 1 ]; then
pass "$check_7_2" pass "$check_7_2"
@ -30,16 +35,18 @@ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
logjson "7.2" "WARN" logjson "7.2" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
pass "$check_7_2 (Swarm mode not enabled)" pass "$check_7_2 (Swarm mode not enabled)"
logjson "7.2" "PASS" logjson "7.2" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.3 # 7.3
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface" check_7_3() {
totalChecks=$((totalChecks + 1)) check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
pass "$check_7_3" pass "$check_7_3"
@ -50,16 +57,18 @@ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
logjson "7.3" "WARN" logjson "7.3" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
pass "$check_7_3 (Swarm mode not enabled)" pass "$check_7_3 (Swarm mode not enabled)"
logjson "7.3" "PASS" logjson "7.3" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.4 # 7.4
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network" check_7_4(){
totalChecks=$((totalChecks + 1)) check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
if docker network ls --filter driver=overlay --quiet | \ totalChecks=$((totalChecks + 1))
if docker network ls --filter driver=overlay --quiet | \
xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \ xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then grep -v 'encrypted:' 2>/dev/null 1>&2; then
warn "$check_7_4" warn "$check_7_4"
@ -71,16 +80,18 @@ if docker network ls --filter driver=overlay --quiet | \
logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
fi fi
done done
else else
pass "$check_7_4" pass "$check_7_4"
logjson "7.4" "PASS" logjson "7.4" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.5 # 7.5
check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster" check_7_5() {
totalChecks=$((totalChecks + 1)) check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass "$check_7_5" pass "$check_7_5"
logjson "7.5" "PASS" logjson "7.5" "PASS"
@ -90,16 +101,18 @@ if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
logjson "7.5" "INFO" logjson "7.5" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
else else
pass "$check_7_5 (Swarm mode not enabled)" pass "$check_7_5 (Swarm mode not enabled)"
logjson "7.5" "PASS" logjson "7.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.6 # 7.6
check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode" check_7_6() {
totalChecks=$((totalChecks + 1)) check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn "$check_7_6" warn "$check_7_6"
logjson "7.6" "WARN" logjson "7.6" "WARN"
@ -109,29 +122,33 @@ if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
logjson "7.6" "PASS" logjson "7.6" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
else else
pass "$check_7_6 (Swarm mode not enabled)" pass "$check_7_6 (Swarm mode not enabled)"
logjson "7.6" "PASS" logjson "7.6" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.7 # 7.7
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically" check_7_7() {
totalChecks=$((totalChecks + 1)) check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note "$check_7_7" note "$check_7_7"
logjson "7.7" "NOTE" logjson "7.7" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
else else
pass "$check_7_7 (Swarm mode not enabled)" pass "$check_7_7 (Swarm mode not enabled)"
logjson "7.7" "PASS" logjson "7.7" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.8 # 7.8
check_7_8="7.8 - Ensure node certificates are rotated as appropriate" check_7_8() {
totalChecks=$((totalChecks + 1)) check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass "$check_7_8" pass "$check_7_8"
logjson "7.8" "PASS" logjson "7.8" "PASS"
@ -141,34 +158,39 @@ if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
logjson "7.8" "INFO" logjson "7.8" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
else else
pass "$check_7_8 (Swarm mode not enabled)" pass "$check_7_8 (Swarm mode not enabled)"
logjson "7.8" "PASS" logjson "7.8" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.9 # 7.9
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate" check_7_9() {
totalChecks=$((totalChecks + 1)) check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_9" info "$check_7_9"
logjson "7.9" "INFO" logjson "7.9" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
else else
pass "$check_7_9 (Swarm mode not enabled)" pass "$check_7_9 (Swarm mode not enabled)"
logjson "7.9" "PASS" logjson "7.9" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
# 7.10 # 7.10
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic" check_7_10() {
totalChecks=$((totalChecks + 1)) check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info "$check_7_10" info "$check_7_10"
logjson "7.10" "INFO" logjson "7.10" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
else else
pass "$check_7_10 (Swarm mode not enabled)" pass "$check_7_10 (Swarm mode not enabled)"
logjson "7.10" "PASS" logjson "7.10" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
}
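Review bot: In check_7_8 the inner test `if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then` leaves grep's stdout unredirected, so the matched line is printed into the report between the `pass`/`info` output, unlike the sibling checks, which end the pipeline with `>/dev/null 2>&1`; `grep "Expiry Duration: 2 days" >/dev/null 2>&1` keeps the report clean. Separately, `check_7_4(){` is the only definition in this file written without a space before the brace; `check_7_4() {` matches the other function definitions. Both function bodies are only partly visible in their hunks.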