GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 00:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #283 from konstruktoid/functionsupdate

Browse source 
Functionsupdate
This commit is contained in:
Thomas Sjögren 2018-01-16 13:53:44 +01:00 committed by GitHub
commit ed73b3728f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 1824 additions and 1277 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
README.md
View file

@ -43,7 +43,24 @@ Distribution specific Dockerfiles that fixes this issue are available in the
The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros) The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros)
may also help if the distribution you're using haven't yet shipped Docker may also help if the distribution you're using haven't yet shipped Docker
version 1.10.0 or later. version 1.13.0 or later.
### Docker Bench for Security options
```sh
-h optional Print this help message
-l FILE optional Log output in FILE
-c CHECK optional Run specific check
```
By default the Docker Bench for Security script will run all available tests and
produce logs in the current directory named `docker-bench-security.sh.log.json`
and `docker-bench-security.sh.log`.
The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6`
and community contributed checks are named `check_c_<number>`.
A complete list of checks are present in [functions_lib.sh](functions_lib.sh).
`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2`
## Building Docker Bench for Security ## Building Docker Bench for Security

21
docker-bench-security.sh
View file

@ -9,8 +9,9 @@
# ------------------------------------------------------------------------------ # ------------------------------------------------------------------------------
# Load dependencies # Load dependencies
. ./output_lib.sh . ./functions_lib.sh
. ./helper_lib.sh . ./helper_lib.sh
. ./output_lib.sh
# Setup the paths # Setup the paths
this_path=$(abspath "$0") ## Path of this file including filenamel this_path=$(abspath "$0") ## Path of this file including filenamel
@ -35,18 +36,20 @@ usage () {
usage: ${myname} [options] usage: ${myname} [options]
-h optional Print this help message -h optional Print this help message
-l PATH optional Log output in PATH -l FILE optional Log output in FILE
-c CHECK optional Run specific check
EOF EOF
} }
# Get the flags # Get the flags
# If you add an option here, please # If you add an option here, please
# remember to update usage() above. # remember to update usage() above.
while getopts hl: args while getopts hl:c: args
do do
case $args in case $args in
h) usage; exit 0 ;; h) usage; exit 0 ;;
l) logger="$OPTARG" ;; l) logger="$OPTARG" ;;
c) check="$OPTARG" ;;
*) usage; exit 1 ;; *) usage; exit 1 ;;
esac esac
done done
@ -95,11 +98,23 @@ main () {
# List all running containers except docker-bench (use names to improve readability in logs) # List all running containers except docker-bench (use names to improve readability in logs)
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont") containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
if [ -z "$containers" ]; then
running_containers=0
else
running_containers=1
fi
for test in tests/*.sh for test in tests/*.sh
do do
. ./"$test" . ./"$test"
done done
if [ -z "$check" ]; then
cis
else
"$check"
fi
printf "\n" printf "\n"
info "Checks: $totalChecks" info "Checks: $totalChecks"
info "Score: $currentScore" info "Score: $currentScore"

161
functions_lib.sh Normal file
View file

@ -0,0 +1,161 @@
#!/bin/sh
host_configuration() {
check_1
check_1_1
check_1_2
check_1_3
check_1_4
check_1_5
check_1_6
check_1_7
check_1_8
check_1_9
check_1_10
check_1_11
check_1_12
check_1_13
}
docker_daemon_configuration() {
check_2
check_2_1
check_2_2
check_2_3
check_2_4
check_2_5
check_2_6
check_2_7
check_2_8
check_2_9
check_2_10
check_2_11
check_2_12
check_2_13
check_2_14
check_2_15
check_2_16
check_2_17
check_2_18
}
docker_daemon_files() {
check_3
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
}
container_images() {
check_4
check_4_1
check_4_2
check_4_3
check_4_4
check_4_5
check_4_6
check_4_7
check_4_8
check_4_9
check_4_10
check_4_11
}
container_runtime() {
check_5
check_running_containers
check_5_1
check_5_2
check_5_3
check_5_4
check_5_5
check_5_6
check_5_7
check_5_8
check_5_9
check_5_10
check_5_11
check_5_12
check_5_13
check_5_14
check_5_15
check_5_16
check_5_17
check_5_18
check_5_19
check_5_20
check_5_21
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_27
check_5_28
check_5_29
check_5_30
check_5_31
}
docker_security_operations() {
check_6
check_6_1
check_6_2
}
docker_swarm_configuration() {
check_7
check_7_1
check_7_2
check_7_3
check_7_5
check_7_6
check_7_7
check_7_8
check_7_9
check_7_10
}
community_checks() {
# check_c_1
true;
}
# CIS
cis() {
host_configuration
docker_daemon_configuration
docker_daemon_files
container_images
container_runtime
docker_security_operations
docker_swarm_configuration
}
# Community contributed
community() {
community_checks
}
# All
all() {
cis
community
}

3
helper_lib.sh
View file

@ -3,6 +3,9 @@
# Returns the absolute path of a given string # Returns the absolute path of a given string
abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; } abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; }
# Audit rules default path
auditrules="/etc/audit/audit.rules"
# Compares versions of software of the format X.Y.Z # Compares versions of software of the format X.Y.Z
do_version_check() { do_version_check() {
[ "$1" = "$2" ] && return 10 [ "$1" = "$2" ] && return 10

461
tests/1_host_configuration.sh
View file

@ -1,72 +1,91 @@
#!/bin/sh #!/bin/sh
logit "" check_1() {
info "1 - Host Configuration" logit ""
auditrules="/etc/audit/audit.rules" info "1 - Host Configuration"
}
# 1.1 # 1.1
check_1_1="1.1 - Ensure a separate partition for containers has been created" check_1_1() {
totalChecks=$((totalChecks + 1)) check_1_1="1.1 - Ensure a separate partition for containers has been created"
totalChecks=$((totalChecks + 1))
if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then
pass "$check_1_1" pass "$check_1_1"
logjson "1.1" "PASS" logjson "1.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then elif mountpoint -q -- /var/lib/docker >/dev/null 2>&1; then
pass "$check_1_1" pass "$check_1_1"
logjson "1.1" "PASS" logjson "1.1" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_1_1" warn "$check_1_1"
logjson "1.1" "WARN" logjson "1.1" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 1.2 # 1.2
check_1_2="1.2 - Ensure the container host has been Hardened" check_1_2() {
totalChecks=$((totalChecks + 1)) check_1_2="1.2 - Ensure the container host has been Hardened"
note "$check_1_2" totalChecks=$((totalChecks + 1))
logjson "1.2" "INFO" note "$check_1_2"
currentScore=$((currentScore - 0)) logjson "1.2" "INFO"
currentScore=$((currentScore - 0))
}
# 1.3 # 1.3
check_1_3="1.3 - Ensure Docker is up to date" check_1_3() {
totalChecks=$((totalChecks + 1)) check_1_3="1.3 - Ensure Docker is up to date"
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \ totalChecks=$((totalChecks + 1))
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,') docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" | awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
do_version_check "$docker_current_version" "$docker_version" docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
if [ $? -eq 11 ]; then do_version_check "$docker_current_version" "$docker_version"
info "$check_1_3" if [ $? -eq 11 ]; then
info " * Using $docker_version, verify is it up to date as deemed necessary" info "$check_1_3"
info " * Your operating system vendor may provide support and security maintenance for Docker" info " * Using $docker_version, verify is it up to date as deemed necessary"
logjson "1.3" "INFO" info " * Your operating system vendor may provide support and security maintenance for Docker"
currentScore=$((currentScore - 0)) logjson "1.3" "INFO"
else currentScore=$((currentScore - 0))
pass "$check_1_3" else
info " * Using $docker_version which is current" pass "$check_1_3"
info " * Check with your operating system vendor for support and security maintenance for Docker" info " * Using $docker_version which is current"
logjson "1.3" "PASS" info " * Check with your operating system vendor for support and security maintenance for Docker"
currentScore=$((currentScore - 0)) logjson "1.3" "PASS"
fi currentScore=$((currentScore - 0))
fi
}
# 1.4 # 1.4
check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon" check_1_4() {
totalChecks=$((totalChecks + 1)) check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon"
docker_users=$(getent group docker) totalChecks=$((totalChecks + 1))
info "$check_1_4" docker_users=$(getent group docker)
for u in $docker_users; do info "$check_1_4"
info " * $u" for u in $docker_users; do
logjson "1.4" "$u" info " * $u"
done logjson "1.4" "$u"
currentScore=$((currentScore - 0)) done
currentScore=$((currentScore - 0))
}
# 1.5 # 1.5
check_1_5="1.5 - Ensure auditing is configured for the Docker daemon" check_1_5() {
totalChecks=$((totalChecks + 1)) check_1_5="1.5 - Ensure auditing is configured for the Docker daemon"
file="/usr/bin/docker " totalChecks=$((totalChecks + 1))
if command -v auditctl >/dev/null 2>&1; then file="/usr/bin/docker "
if auditctl -l | grep "$file" >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_5"
logjson "1.5" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_5"
logjson "1.5" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_5" pass "$check_1_5"
logjson "1.5" "PASS" logjson "1.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -75,23 +94,25 @@ if command -v auditctl >/dev/null 2>&1; then
logjson "1.5" "WARN" logjson "1.5" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then }
pass "$check_1_5"
logjson "1.5" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_5"
logjson "1.5" "WARN"
currentScore=$((currentScore - 1))
fi
# 1.6 # 1.6
check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker" check_1_6() {
totalChecks=$((totalChecks + 1)) check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker"
directory="/var/lib/docker" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/var/lib/docker"
if command -v auditctl >/dev/null 2>&1; then if [ -d "$directory" ]; then
if auditctl -l | grep $directory >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_6"
logjson "1.6" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_6"
logjson "1.6" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_6" pass "$check_1_6"
logjson "1.6" "PASS" logjson "1.6" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -100,29 +121,31 @@ if [ -d "$directory" ]; then
logjson "1.6" "WARN" logjson "1.6" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_6"
logjson "1.6" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_1_6" info "$check_1_6"
logjson "1.6" "WARN" info " * Directory not found"
currentScore=$((currentScore - 1)) logjson "1.6" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_1_6"
info " * Directory not found"
logjson "1.6" "INFO"
currentScore=$((currentScore + 0))
fi
# 1.7 # 1.7
check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker" check_1_7() {
totalChecks=$((totalChecks + 1)) check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker"
directory="/etc/docker" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker"
if command -v auditctl >/dev/null 2>&1; then if [ -d "$directory" ]; then
if auditctl -l | grep $directory >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_7"
logjson "1.7" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_7"
logjson "1.7" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_7" pass "$check_1_7"
logjson "1.7" "PASS" logjson "1.7" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -131,29 +154,31 @@ if [ -d "$directory" ]; then
logjson "1.7" "WARN" logjson "1.7" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_7"
logjson "1.7" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_1_7" info "$check_1_7"
logjson "1.7" "WARN" info " * Directory not found"
currentScore=$((currentScore - 1)) logjson "1.7" "INFO"
fi currentScore=$((currentScore + 0))
else
info "$check_1_7"
info " * Directory not found"
logjson "1.7" "INFO"
currentScore=$((currentScore + 0))
fi fi
}
# 1.8 # 1.8
check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service" check_1_8() {
totalChecks=$((totalChecks + 1)) check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service"
file="$(get_systemd_service_file docker.service)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if command -v auditctl >/dev/null 2>&1; then if [ -f "$file" ]; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_8"
logjson "1.8" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_8"
logjson "1.8" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_8" pass "$check_1_8"
logjson "1.8" "PASS" logjson "1.8" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -162,29 +187,31 @@ if [ -f "$file" ]; then
logjson "1.8" "WARN" logjson "1.8" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_8"
logjson "1.8" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_1_8" info "$check_1_8"
logjson "1.8" "WARN" info " * File not found"
currentScore=$((currentScore - 1)) logjson "1.8" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_1_8"
info " * File not found"
logjson "1.8" "INFO"
currentScore=$((currentScore + 0))
fi
# 1.9 # 1.9
check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket" check_1_9() {
totalChecks=$((totalChecks + 1)) check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket"
file="$(get_systemd_service_file docker.socket)" totalChecks=$((totalChecks + 1))
if [ -e "$file" ]; then file="$(get_systemd_service_file docker.socket)"
if command -v auditctl >/dev/null 2>&1; then if [ -e "$file" ]; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_9"
logjson "1.9" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_9"
logjson "1.9" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_9" pass "$check_1_9"
logjson "1.9" "PASS" logjson "1.9" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -193,29 +220,31 @@ if [ -e "$file" ]; then
logjson "1.9" "WARN" logjson "1.9" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_9"
logjson "1.9" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_1_9" info "$check_1_9"
logjson "1.9" "WARN" info " * File not found"
currentScore=$((currentScore - 1)) logjson "1.9" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_1_9"
info " * File not found"
logjson "1.9" "INFO"
currentScore=$((currentScore + 0))
fi
# 1.10 # 1.10
check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker" check_1_10() {
totalChecks=$((totalChecks + 1)) check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker"
file="/etc/default/docker" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/default/docker"
if command -v auditctl >/dev/null 2>&1; then if [ -f "$file" ]; then
if auditctl -l | grep $file >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_10"
logjson "1.10" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_10"
logjson "1.10" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_10" pass "$check_1_10"
logjson "1.10" "PASS" logjson "1.10" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -224,29 +253,31 @@ if [ -f "$file" ]; then
logjson "1.10" "WARN" logjson "1.10" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_10"
logjson "1.10" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_1_10" info "$check_1_10"
logjson "1.10" "WARN" info " * File not found"
currentScore=$((currentScore - 1)) logjson "1.10" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_1_10"
info " * File not found"
logjson "1.10" "INFO"
currentScore=$((currentScore + 0))
fi
# 1.11 # 1.11
check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json" check_1_11() {
totalChecks=$((totalChecks + 1)) check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
file="/etc/docker/daemon.json" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/docker/daemon.json"
if command -v auditctl >/dev/null 2>&1; then if [ -f "$file" ]; then
if auditctl -l | grep $file >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_11"
logjson "1.11" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_11"
logjson "1.11" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_11" pass "$check_1_11"
logjson "1.11" "PASS" logjson "1.11" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -255,29 +286,31 @@ if [ -f "$file" ]; then
logjson "1.11" "WARN" logjson "1.11" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_11"
logjson "1.11" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_1_11" info "$check_1_11"
logjson "1.11" "WARN" info " * File not found"
currentScore=$((currentScore - 1)) logjson "1.11" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_1_11"
info " * File not found"
logjson "1.11" "INFO"
currentScore=$((currentScore + 0))
fi
# 1.12 # 1.12
check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd" check_1_12() {
totalChecks=$((totalChecks + 1)) check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
file="/usr/bin/docker-containerd" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/usr/bin/docker-containerd"
if command -v auditctl >/dev/null 2>&1; then if [ -f "$file" ]; then
if auditctl -l | grep $file >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_12"
logjson "1.12" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_12"
logjson "1.12" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_12" pass "$check_1_12"
logjson "1.12" "PASS" logjson "1.12" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -286,29 +319,31 @@ if [ -f "$file" ]; then
logjson "1.12" "WARN" logjson "1.12" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_12"
logjson "1.12" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_1_12" info "$check_1_12"
logjson "1.12" "WARN" info " * File not found"
currentScore=$((currentScore - 1)) logjson "1.12" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_1_12"
info " * File not found"
logjson "1.12" "INFO"
currentScore=$((currentScore + 0))
fi
# 1.13 # 1.13
check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc" check_1_13() {
totalChecks=$((totalChecks + 1)) check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
file="/usr/bin/docker-runc" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/usr/bin/docker-runc"
if command -v auditctl >/dev/null 2>&1; then if [ -f "$file" ]; then
if auditctl -l | grep $file >/dev/null 2>&1; then if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_13"
logjson "1.13" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_1_13"
logjson "1.13" "WARN"
currentScore=$((currentScore - 1))
fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_13" pass "$check_1_13"
logjson "1.13" "PASS" logjson "1.13" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -317,18 +352,10 @@ if [ -f "$file" ]; then
logjson "1.13" "WARN" logjson "1.13" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass "$check_1_13"
logjson "1.13" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_1_13" info "$check_1_13"
logjson "1.13" "WARN" info " * File not found"
currentScore=$((currentScore - 1)) logjson "1.13" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_1_13"
info " * File not found"
logjson "1.13" "INFO"
currentScore=$((currentScore + 0))
fi

617
tests/2_docker_daemon_configuration.sh
View file

@ -1,119 +1,151 @@
#!/bin/sh #!/bin/sh
logit "\n" check_2() {
info "2 - Docker daemon configuration" logit "\n"
info "2 - Docker daemon configuration"
}
# 2.1 # 2.1
check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge" check_2_1() {
totalChecks=$((totalChecks + 1)) check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge"
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
pass "$check_2_1" if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
logjson "2.1" "PASS" pass "$check_2_1"
currentScore=$((currentScore + 1)) logjson "2.1" "PASS"
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then currentScore=$((currentScore + 1))
pass "$check_2_1" elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
logjson "2.1" "PASS" pass "$check_2_1"
currentScore=$((currentScore + 1)) logjson "2.1" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_2_1" else
logjson "2.1" "WARN" warn "$check_2_1"
currentScore=$((currentScore - 1)) logjson "2.1" "WARN"
fi currentScore=$((currentScore - 1))
fi
}
# 2.2 # 2.2
check_2_2="2.2 - Ensure the logging level is set to 'info'" check_2_2() {
totalChecks=$((totalChecks + 1)) check_2_2="2.2 - Ensure the logging level is set to 'info'"
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
pass "$check_2_2" if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
logjson "2.2" "PASS" pass "$check_2_2"
currentScore=$((currentScore + 1)) logjson "2.2" "PASS"
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then currentScore=$((currentScore + 1))
pass "$check_2_2" elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
logjson "2.2" "PASS" pass "$check_2_2"
currentScore=$((currentScore + 1)) logjson "2.2" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_2"
logjson "2.2" "WARN"
currentScore=$((currentScore - 1))
fi
elif get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass "$check_2_2"
logjson "2.2" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_2"
logjson "2.2" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_2_2"
logjson "2.2" "WARN"
currentScore=$((currentScore - 1))
fi
elif get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass "$check_2_2" pass "$check_2_2"
logjson "2.2" "PASS" logjson "2.2" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else
warn "$check_2_2"
logjson "2.2" "WARN"
currentScore=$((currentScore - 1))
fi fi
else }
pass "$check_2_2"
logjson "2.2" "PASS"
currentScore=$((currentScore + 1))
fi
# 2.3 # 2.3
check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables" check_2_3() {
totalChecks=$((totalChecks + 1)) check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables"
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
warn "$check_2_3" if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
logjson "2.3" "WARN" warn "$check_2_3"
currentScore=$((currentScore - 1)) logjson "2.3" "WARN"
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then currentScore=$((currentScore - 1))
warn "$check_2_3" elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
logjson "2.3" "WARN" warn "$check_2_3"
currentScore=$((currentScore - 1)) logjson "2.3" "WARN"
else currentScore=$((currentScore - 1))
pass "$check_2_3" else
logjson "2.3" "PASS" pass "$check_2_3"
currentScore=$((currentScore + 1)) logjson "2.3" "PASS"
fi currentScore=$((currentScore + 1))
fi
}
# 2.4 # 2.4
check_2_4="2.4 - Ensure insecure registries are not used" check_2_4() {
totalChecks=$((totalChecks + 1)) check_2_4="2.4 - Ensure insecure registries are not used"
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
warn "$check_2_4" if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
logjson "2.4" "WARN"
currentScore=$((currentScore - 1))
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass "$check_2_4"
logjson "2.4" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_4" warn "$check_2_4"
logjson "2.4" "WARN" logjson "2.4" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass "$check_2_4"
logjson "2.4" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_4"
logjson "2.4" "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_2_4"
logjson "2.4" "PASS"
currentScore=$((currentScore + 1))
fi fi
else }
pass "$check_2_4"
logjson "2.4" "PASS"
currentScore=$((currentScore + 1))
fi
# 2.5 # 2.5
check_2_5="2.5 - Ensure aufs storage driver is not used" check_2_5() {
totalChecks=$((totalChecks + 1)) check_2_5="2.5 - Ensure aufs storage driver is not used"
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
warn "$check_2_5" if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
logjson "2.5" "WARN" warn "$check_2_5"
currentScore=$((currentScore - 1)) logjson "2.5" "WARN"
else currentScore=$((currentScore - 1))
pass "$check_2_5" else
logjson "2.5" "PASS" pass "$check_2_5"
currentScore=$((currentScore + 1)) logjson "2.5" "PASS"
fi currentScore=$((currentScore + 1))
fi
}
# 2.6 # 2.6
check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured" check_2_6() {
totalChecks=$((totalChecks + 1)) check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured"
if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then totalChecks=$((totalChecks + 1))
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
[ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then [ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then
if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
pass "$check_2_6"
logjson "2.6" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logjson "2.6" "WARN"
currentScore=$((currentScore - 1))
fi
fi
else
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS"
logjson "2.6" "WARN"
currentScore=$((currentScore - 1))
fi
elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
pass "$check_2_6" pass "$check_2_6"
logjson "2.6" "PASS" logjson "2.6" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
@ -123,236 +155,241 @@ if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
logjson "2.6" "WARN" logjson "2.6" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
fi
else
warn "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS"
logjson "2.6" "WARN"
currentScore=$((currentScore - 1))
fi
elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
pass "$check_2_6"
logjson "2.6" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_2_6" warn "$check_2_6"
warn " * Docker daemon currently listening on TCP with TLS, but no verification" warn " * Docker daemon currently listening on TCP without TLS"
logjson "2.6" "WARN" logjson "2.6" "WARN"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
else else
warn "$check_2_6" info "$check_2_6"
warn " * Docker daemon currently listening on TCP without TLS" info " * Docker daemon not listening on TCP"
logjson "2.6" "WARN" logjson "2.6" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore +0))
fi fi
else }
info "$check_2_6"
info " * Docker daemon not listening on TCP"
logjson "2.6" "INFO"
currentScore=$((currentScore +0))
fi
# 2.7 # 2.7
check_2_7="2.7 - Ensure the default ulimit is configured appropriately" check_2_7() {
totalChecks=$((totalChecks + 1)) check_2_7="2.7 - Ensure the default ulimit is configured appropriately"
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
pass "$check_2_7" if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
logjson "2.7" "PASS" pass "$check_2_7"
currentScore=$((currentScore + 1)) logjson "2.7" "PASS"
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then currentScore=$((currentScore + 1))
pass "$check_2_7" elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
logjson "2.7" "PASS" pass "$check_2_7"
currentScore=$((currentScore + 1)) logjson "2.7" "PASS"
else currentScore=$((currentScore + 1))
info "$check_2_7" else
info " * Default ulimit doesn't appear to be set" info "$check_2_7"
logjson "2.7" "INFO" info " * Default ulimit doesn't appear to be set"
currentScore=$((currentScore + 0)) logjson "2.7" "INFO"
fi currentScore=$((currentScore + 0))
fi
}
# 2.8 # 2.8
check_2_8="2.8 - Enable user namespace support" check_2_8() {
totalChecks=$((totalChecks + 1)) check_2_8="2.8 - Enable user namespace support"
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then totalChecks=$((totalChecks + 1))
pass "$check_2_8" if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
logjson "2.8" "PASS" pass "$check_2_8"
currentScore=$((currentScore + 1)) logjson "2.8" "PASS"
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then currentScore=$((currentScore + 1))
pass "$check_2_8" elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
logjson "2.8" "PASS" pass "$check_2_8"
currentScore=$((currentScore + 1)) logjson "2.8" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_2_8" else
logjson "2.8" "WARN" warn "$check_2_8"
currentScore=$((currentScore - 1)) logjson "2.8" "WARN"
fi currentScore=$((currentScore - 1))
fi
}
# 2.9 # 2.9
check_2_9="2.9 - Ensure the default cgroup usage has been confirmed" check_2_9() {
totalChecks=$((totalChecks + 1)) check_2_9="2.9 - Ensure the default cgroup usage has been confirmed"
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then totalChecks=$((totalChecks + 1))
warn "$check_2_9" if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
info " * Confirm cgroup usage" warn "$check_2_9"
logjson "2.9" "INFO" info " * Confirm cgroup usage"
currentScore=$((currentScore + 0)) logjson "2.9" "INFO"
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then currentScore=$((currentScore + 0))
warn "$check_2_9" elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
info " * Confirm cgroup usage" warn "$check_2_9"
logjson "2.9" "INFO" info " * Confirm cgroup usage"
currentScore=$((currentScore + 0)) logjson "2.9" "INFO"
else currentScore=$((currentScore + 0))
pass "$check_2_9" else
logjson "2.9" "PASS" pass "$check_2_9"
currentScore=$((currentScore + 1)) logjson "2.9" "PASS"
fi currentScore=$((currentScore + 1))
fi
}
# 2.10 # 2.10
check_2_10="2.10 - Ensure base device size is not changed until needed" check_2_10() {
totalChecks=$((totalChecks + 1)) check_2_10="2.10 - Ensure base device size is not changed until needed"
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
warn "$check_2_10" if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
logjson "2.10" "WARN" warn "$check_2_10"
currentScore=$((currentScore - 1)) logjson "2.10" "WARN"
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then currentScore=$((currentScore - 1))
warn "$check_2_10" elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
logjson "2.10" "WARN" warn "$check_2_10"
currentScore=$((currentScore - 1)) logjson "2.10" "WARN"
else currentScore=$((currentScore - 1))
pass "$check_2_10" else
logjson "2.10" "PASS" pass "$check_2_10"
currentScore=$((currentScore + 1)) logjson "2.10" "PASS"
fi currentScore=$((currentScore + 1))
fi
}
# 2.11 # 2.11
check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled" check_2_11() {
totalChecks=$((totalChecks + 1)) check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled"
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then totalChecks=$((totalChecks + 1))
pass "$check_2_11" if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
logjson "2.11" "PASS" pass "$check_2_11"
currentScore=$((currentScore + 1)) logjson "2.11" "PASS"
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then currentScore=$((currentScore + 1))
pass "$check_2_11" elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
logjson "2.11" "PASS" pass "$check_2_11"
currentScore=$((currentScore + 1)) logjson "2.11" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_2_11" else
logjson "2.11" "WARN" warn "$check_2_11"
currentScore=$((currentScore - 1)) logjson "2.11" "WARN"
fi currentScore=$((currentScore - 1))
fi
}
# 2.12 # 2.12
check_2_12="2.12 - Ensure centralized and remote logging is configured" check_2_12() {
totalChecks=$((totalChecks + 1)) check_2_12="2.12 - Ensure centralized and remote logging is configured"
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
warn "$check_2_12" if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
logjson "2.12" "WARN" warn "$check_2_12"
currentScore=$((currentScore - 1)) logjson "2.12" "WARN"
else currentScore=$((currentScore - 1))
pass "$check_2_12" else
logjson "2.12" "PASS" pass "$check_2_12"
currentScore=$((currentScore + 1)) logjson "2.12" "PASS"
fi currentScore=$((currentScore + 1))
fi
}
# 2.13 # 2.13
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled" check_2_13() {
totalChecks=$((totalChecks + 1)) check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled"
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
pass "$check_2_13" if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
logjson "2.13" "PASS" pass "$check_2_13"
currentScore=$((currentScore + 1)) logjson "2.13" "PASS"
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then currentScore=$((currentScore + 1))
pass "$check_2_13" elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
logjson "2.13" "PASS" pass "$check_2_13"
currentScore=$((currentScore + 1)) logjson "2.13" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_2_13" else
logjson "2.13" "WARN" warn "$check_2_13"
currentScore=$((currentScore - 1)) logjson "2.13" "WARN"
fi currentScore=$((currentScore - 1))
fi
}
# 2.14 # 2.14
check_2_14="2.14 - Ensure live restore is Enabled" check_2_14() {
totalChecks=$((totalChecks + 1)) check_2_14="2.14 - Ensure live restore is Enabled"
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
pass "$check_2_14" if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
logjson "2.14" "PASS"
currentScore=$((currentScore + 1))
else
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass "$check_2_14 (Incompatible with swarm mode)"
logjson "2.14" "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass "$check_2_14" pass "$check_2_14"
logjson "2.14" "PASS" logjson "2.14" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else else
warn "$check_2_14" if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
logjson "2.14" "WARN" pass "$check_2_14 (Incompatible with swarm mode)"
currentScore=$((currentScore - 1)) logjson "2.14" "PASS"
currentScore=$((currentScore + 1))
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass "$check_2_14"
logjson "2.14" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_2_14"
logjson "2.14" "WARN"
currentScore=$((currentScore - 1))
fi
fi fi
fi }
# 2.15 # 2.15
check_2_15="2.15 - Ensure Userland Proxy is Disabled" check_2_15() {
totalChecks=$((totalChecks + 1)) check_2_15="2.15 - Ensure Userland Proxy is Disabled"
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
pass "$check_2_15" if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
logjson "2.15" "PASS" pass "$check_2_15"
currentScore=$((currentScore + 1)) logjson "2.15" "PASS"
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then currentScore=$((currentScore + 1))
pass "$check_2_15" elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
logjson "2.15" "PASS" pass "$check_2_15"
currentScore=$((currentScore + 1)) logjson "2.15" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_2_15" else
logjson "2.15" "WARN" warn "$check_2_15"
currentScore=$((currentScore - 1)) logjson "2.15" "WARN"
fi currentScore=$((currentScore - 1))
fi
}
# 2.16 # 2.16
check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed" check_2_16() {
totalChecks=$((totalChecks + 1)) check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed"
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then totalChecks=$((totalChecks + 1))
pass "$check_2_16" if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
logjson "2.16" "PASS" pass "$check_2_16"
currentScore=$((currentScore + 1)) logjson "2.16" "PASS"
else currentScore=$((currentScore + 1))
info "$check_2_16" else
logjson "2.16" "INFO" info "$check_2_16"
currentScore=$((currentScore + 0)) logjson "2.16" "INFO"
fi currentScore=$((currentScore + 0))
fi
}
# 2.17 # 2.17
check_2_17="2.17 - Ensure experimental features are avoided in production" check_2_17() {
totalChecks=$((totalChecks + 1)) check_2_17="2.17 - Ensure experimental features are avoided in production"
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then totalChecks=$((totalChecks + 1))
pass "$check_2_17" if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
logjson "2.17" "PASS" pass "$check_2_17"
currentScore=$((currentScore + 1)) logjson "2.17" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_2_17" else
logjson "2.17" "WARN" warn "$check_2_17"
currentScore=$((currentScore - 1)) logjson "2.17" "WARN"
fi currentScore=$((currentScore - 1))
fi
}
# 2.18 # 2.18
check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges" check_2_18() {
totalChecks=$((totalChecks + 1)) check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges"
if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
pass "$check_2_18" if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then
logjson "2.18" "PASS" pass "$check_2_18"
currentScore=$((currentScore + 1)) logjson "2.18" "PASS"
elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then currentScore=$((currentScore + 1))
pass "$check_2_18" elif get_docker_configuration_file_args 'no-new-privileges' >/dev/null 2>&1; then
logjson "2.18" "PASS" pass "$check_2_18"
currentScore=$((currentScore + 1)) logjson "2.18" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_2_18" else
logjson "2.18" "WARN" warn "$check_2_18"
currentScore=$((currentScore - 1)) logjson "2.18" "WARN"
fi currentScore=$((currentScore - 1))
fi
}

838
tests/3_docker_daemon_configuration_files.sh
View file

@ -1,482 +1,524 @@
#!/bin/sh #!/bin/sh
logit "\n" check_3() {
info "3 - Docker daemon configuration files" logit "\n"
info "3 - Docker daemon configuration files"
}
# 3.1 # 3.1
check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root" check_3_1() {
totalChecks=$((totalChecks + 1)) check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root"
file="$(get_systemd_service_file docker.service)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ -f "$file" ]; then
pass "$check_3_1" if [ "$(stat -c %u%g $file)" -eq 00 ]; then
logjson "3.1" "PASS" pass "$check_3_1"
currentScore=$((currentScore + 1)) logjson "3.1" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_1"
warn " * Wrong ownership for $file"
logjson "3.1" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_1" info "$check_3_1"
warn " * Wrong ownership for $file" info " * File not found"
logjson "3.1" "WARN" logjson "3.1" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_1"
info " * File not found"
logjson "3.1" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.2 # 3.2
check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive" check_3_2() {
totalChecks=$((totalChecks + 1)) check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive"
file="$(get_systemd_service_file docker.service)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.service)"
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ -f "$file" ]; then
pass "$check_3_2" if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
logjson "3.2" "PASS" pass "$check_3_2"
currentScore=$((currentScore + 1)) logjson "3.2" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_2"
warn " * Wrong permissions for $file"
logjson "3.2" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_2" info "$check_3_2"
warn " * Wrong permissions for $file" info " * File not found"
logjson "3.2" "WARN" logjson "3.2" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_2"
info " * File not found"
logjson "3.2" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.3 # 3.3
check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root" check_3_3() {
totalChecks=$((totalChecks + 1)) check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root"
file="$(get_systemd_service_file docker.socket)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.socket)"
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ -f "$file" ]; then
pass "$check_3_3" if [ "$(stat -c %u%g $file)" -eq 00 ]; then
logjson "3.3" "PASS" pass "$check_3_3"
currentScore=$((currentScore + 1)) logjson "3.3" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_3"
warn " * Wrong ownership for $file"
logjson "3.3" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_3" info "$check_3_3"
warn " * Wrong ownership for $file" info " * File not found"
logjson "3.3" "WARN" logjson "3.3" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_3"
info " * File not found"
logjson "3.3" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.4 # 3.4
check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive" check_3_4() {
totalChecks=$((totalChecks + 1)) check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive"
file="$(get_systemd_service_file docker.socket)" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="$(get_systemd_service_file docker.socket)"
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ -f "$file" ]; then
pass "$check_3_4" if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
logjson "3.4" "PASS" pass "$check_3_4"
currentScore=$((currentScore + 1)) logjson "3.4" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_4"
warn " * Wrong permissions for $file"
logjson "3.4" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_4" info "$check_3_4"
warn " * Wrong permissions for $file" info " * File not found"
logjson "3.4" "WARN" logjson "3.4" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_4"
info " * File not found"
logjson "3.4" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.5 # 3.5
check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root" check_3_5() {
totalChecks=$((totalChecks + 1)) check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root"
directory="/etc/docker" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker"
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then if [ -d "$directory" ]; then
pass "$check_3_5" if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
logjson "3.5" "PASS" pass "$check_3_5"
currentScore=$((currentScore + 1)) logjson "3.5" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_5"
warn " * Wrong ownership for $directory"
logjson "3.5" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_5" info "$check_3_5"
warn " * Wrong ownership for $directory" info " * Directory not found"
logjson "3.5" "WARN" logjson "3.5" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_5"
info " * Directory not found"
logjson "3.5" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.6 # 3.6
check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive" check_3_6() {
totalChecks=$((totalChecks + 1)) check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
directory="/etc/docker" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker"
if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then if [ -d "$directory" ]; then
pass "$check_3_6" if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
logjson "3.6" "PASS" pass "$check_3_6"
currentScore=$((currentScore + 1)) logjson "3.6" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_6"
warn " * Wrong permissions for $directory"
logjson "3.6" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_6" info "$check_3_6"
warn " * Wrong permissions for $directory" info " * Directory not found"
logjson "3.6" "WARN" logjson "3.6" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_6"
info " * Directory not found"
logjson "3.6" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.7 # 3.7
check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root" check_3_7() {
totalChecks=$((totalChecks + 1)) check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root"
directory="/etc/docker/certs.d/" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker/certs.d/"
fail=0 if [ -d "$directory" ]; then
owners=$(find "$directory" -type f -name '*.crt') fail=0
for p in $owners; do owners=$(find "$directory" -type f -name '*.crt')
if [ "$(stat -c %u $p)" -ne 0 ]; then for p in $owners; do
fail=1 if [ "$(stat -c %u $p)" -ne 0 ]; then
fail=1
fi
done
if [ $fail -eq 1 ]; then
warn "$check_3_7"
warn " * Wrong ownership for $directory"
logjson "3.7" "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_3_7"
logjson "3.7" "PASS"
currentScore=$((currentScore + 1))
fi fi
done
if [ $fail -eq 1 ]; then
warn "$check_3_7"
warn " * Wrong ownership for $directory"
logjson "3.7" "WARN"
currentScore=$((currentScore - 1))
else else
pass "$check_3_7" info "$check_3_7"
logjson "3.7" "PASS" info " * Directory not found"
currentScore=$((currentScore + 1)) logjson "3.7" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_7"
info " * Directory not found"
logjson "3.7" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.8 # 3.8
check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive" check_3_8() {
totalChecks=$((totalChecks + 1)) check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive"
directory="/etc/docker/certs.d/" totalChecks=$((totalChecks + 1))
if [ -d "$directory" ]; then directory="/etc/docker/certs.d/"
fail=0 if [ -d "$directory" ]; then
perms=$(find "$directory" -type f -name '*.crt') fail=0
for p in $perms; do perms=$(find "$directory" -type f -name '*.crt')
if [ "$(stat -c %a $p)" -ne 444 -a "$(stat -c %a $p)" -ne 400 ]; then for p in $perms; do
fail=1 if [ "$(stat -c %a $p)" -ne 444 -a "$(stat -c %a $p)" -ne 400 ]; then
fail=1
fi
done
if [ $fail -eq 1 ]; then
warn "$check_3_8"
warn " * Wrong permissions for $directory"
logjson "3.8" "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_3_8"
logjson "3.8" "PASS"
currentScore=$((currentScore + 1))
fi fi
done
if [ $fail -eq 1 ]; then
warn "$check_3_8"
warn " * Wrong permissions for $directory"
logjson "3.8" "WARN"
currentScore=$((currentScore - 1))
else else
pass "$check_3_8" info "$check_3_8"
logjson "3.8" "PASS" info " * Directory not found"
currentScore=$((currentScore + 1)) logjson "3.8" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_8"
info " * Directory not found"
logjson "3.8" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.9 # 3.9
check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root" check_3_9() {
totalChecks=$((totalChecks + 1)) check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root"
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then totalChecks=$((totalChecks + 1))
tlscacert=$(get_docker_configuration_file_args 'tlscacert') if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
else tlscacert=$(get_docker_configuration_file_args 'tlscacert')
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_9"
logjson "3.9" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_3_9" tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
warn " * Wrong ownership for $tlscacert"
logjson "3.9" "WARN"
currentScore=$((currentScore - 1))
fi fi
else if [ -f "$tlscacert" ]; then
info "$check_3_9" if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
info " * No TLS CA certificate found" pass "$check_3_9"
logjson "3.9" "INFO" logjson "3.9" "PASS"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 1))
fi else
warn "$check_3_9"
warn " * Wrong ownership for $tlscacert"
logjson "3.9" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_9"
info " * No TLS CA certificate found"
logjson "3.9" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.10 # 3.10
check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive" check_3_10() {
totalChecks=$((totalChecks + 1)) check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then totalChecks=$((totalChecks + 1))
tlscacert=$(get_docker_configuration_file_args 'tlscacert') if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
else tlscacert=$(get_docker_configuration_file_args 'tlscacert')
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
pass "$check_3_10"
logjson "3.10" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_3_10" tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
warn " * Wrong permissions for $tlscacert"
logjson "3.10" "WARN"
currentScore=$((currentScore - 1))
fi fi
else if [ -f "$tlscacert" ]; then
info "$check_3_10" if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
info " * No TLS CA certificate found" pass "$check_3_10"
logjson "3.10" "INFO" logjson "3.10" "PASS"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 1))
fi else
warn "$check_3_10"
warn " * Wrong permissions for $tlscacert"
logjson "3.10" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_10"
info " * No TLS CA certificate found"
logjson "3.10" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.11 # 3.11
check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root" check_3_11() {
totalChecks=$((totalChecks + 1)) check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root"
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then totalChecks=$((totalChecks + 1))
tlscert=$(get_docker_configuration_file_args 'tlscert') if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
else tlscert=$(get_docker_configuration_file_args 'tlscert')
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_11"
logjson "3.11" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_3_11" tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
warn " * Wrong ownership for $tlscert"
logjson "3.11" "WARN"
currentScore=$((currentScore - 1))
fi fi
else if [ -f "$tlscert" ]; then
info "$check_3_11" if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
info " * No TLS Server certificate found" pass "$check_3_11"
logjson "3.11" "INFO" logjson "3.11" "PASS"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 1))
fi else
warn "$check_3_11"
warn " * Wrong ownership for $tlscert"
logjson "3.11" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_11"
info " * No TLS Server certificate found"
logjson "3.11" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.12 # 3.12
check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive" check_3_12() {
totalChecks=$((totalChecks + 1)) check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then totalChecks=$((totalChecks + 1))
tlscert=$(get_docker_configuration_file_args 'tlscert') if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
else tlscert=$(get_docker_configuration_file_args 'tlscert')
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
pass "$check_3_12"
logjson "3.12" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_3_12" tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
warn " * Wrong permissions for $tlscert"
logjson "3.12" "WARN"
currentScore=$((currentScore - 1))
fi fi
else if [ -f "$tlscert" ]; then
info "$check_3_12" if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
info " * No TLS Server certificate found" pass "$check_3_12"
logjson "3.12" "INFO" logjson "3.12" "PASS"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 1))
fi else
warn "$check_3_12"
warn " * Wrong permissions for $tlscert"
logjson "3.12" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_12"
info " * No TLS Server certificate found"
logjson "3.12" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.13 # 3.13
check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root" check_3_13() {
totalChecks=$((totalChecks + 1)) check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root"
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then totalChecks=$((totalChecks + 1))
tlskey=$(get_docker_configuration_file_args 'tlskey') if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
else tlskey=$(get_docker_configuration_file_args 'tlskey')
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_13"
logjson "3.13" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_3_13" tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
warn " * Wrong ownership for $tlskey"
logjson "3.13" "WARN"
currentScore=$((currentScore - 1))
fi fi
else if [ -f "$tlskey" ]; then
info "$check_3_13" if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
info " * No TLS Key found" pass "$check_3_13"
logjson "3.13" "INFO" logjson "3.13" "PASS"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 1))
fi else
warn "$check_3_13"
warn " * Wrong ownership for $tlskey"
logjson "3.13" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_13"
info " * No TLS Key found"
logjson "3.13" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.14 # 3.14
check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400" check_3_14() {
totalChecks=$((totalChecks + 1)) check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400"
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then totalChecks=$((totalChecks + 1))
tlskey=$(get_docker_configuration_file_args 'tlskey') if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
else tlskey=$(get_docker_configuration_file_args 'tlskey')
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass "$check_3_14"
logjson "3.14" "PASS"
currentScore=$((currentScore + 1))
else else
warn "$check_3_14" tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
warn " * Wrong permissions for $tlskey"
logjson "3.14" "WARN"
currentScore=$((currentScore - 1))
fi fi
else if [ -f "$tlskey" ]; then
info "$check_3_14" if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
info " * No TLS Key found" pass "$check_3_14"
logjson "3.14" "INFO" logjson "3.14" "PASS"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 1))
fi else
warn "$check_3_14"
warn " * Wrong permissions for $tlskey"
logjson "3.14" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_14"
info " * No TLS Key found"
logjson "3.14" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.15 # 3.15
check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker" check_3_15() {
totalChecks=$((totalChecks + 1)) check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker"
file="/var/run/docker.sock" totalChecks=$((totalChecks + 1))
if [ -S "$file" ]; then file="/var/run/docker.sock"
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then if [ -S "$file" ]; then
pass "$check_3_15" if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
logjson "3.15" "PASS" pass "$check_3_15"
currentScore=$((currentScore + 1)) logjson "3.15" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_15"
warn " * Wrong ownership for $file"
logjson "3.15" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_15" info "$check_3_15"
warn " * Wrong ownership for $file" info " * File not found"
logjson "3.15" "WARN" logjson "3.15" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_15"
info " * File not found"
logjson "3.15" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.16 # 3.16
check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive" check_3_16() {
totalChecks=$((totalChecks + 1)) check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive"
file="/var/run/docker.sock" totalChecks=$((totalChecks + 1))
if [ -S "$file" ]; then file="/var/run/docker.sock"
if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then if [ -S "$file" ]; then
pass "$check_3_16" if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then
logjson "3.16" "PASS" pass "$check_3_16"
currentScore=$((currentScore + 1)) logjson "3.16" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_16"
warn " * Wrong permissions for $file"
logjson "3.16" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_16" info "$check_3_16"
warn " * Wrong permissions for $file" info " * File not found"
logjson "3.16" "WARN" logjson "3.16" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_16"
info " * File not found"
logjson "3.16" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.17 # 3.17
check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root" check_3_17() {
totalChecks=$((totalChecks + 1)) check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root"
file="/etc/docker/daemon.json" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/docker/daemon.json"
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ -f "$file" ]; then
pass "$check_3_17" if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
logjson "3.17" "PASS" pass "$check_3_17"
currentScore=$((currentScore + 1)) logjson "3.17" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_17"
warn " * Wrong ownership for $file"
logjson "3.17" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_17" info "$check_3_17"
warn " * Wrong ownership for $file" info " * File not found"
logjson "3.17" "WARN" logjson "3.17" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_17"
info " * File not found"
logjson "3.17" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.18 # 3.18
check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive" check_3_18() {
totalChecks=$((totalChecks + 1)) check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive"
file="/etc/docker/daemon.json" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/docker/daemon.json"
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ -f "$file" ]; then
pass "$check_3_18" if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
logjson "3.18" "PASS" pass "$check_3_18"
currentScore=$((currentScore + 1)) logjson "3.18" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_18"
warn " * Wrong permissions for $file"
logjson "3.18" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_18" info "$check_3_18"
warn " * Wrong permissions for $file" info " * File not found"
logjson "3.18" "WARN" logjson "3.18" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 0))
fi fi
else }
info "$check_3_18"
info " * File not found"
logjson "3.18" "INFO"
currentScore=$((currentScore - 0))
fi
# 3.19 # 3.19
check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root" check_3_19() {
totalChecks=$((totalChecks + 1)) check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root"
file="/etc/default/docker" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/default/docker"
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ -f "$file" ]; then
pass "$check_3_19" if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
logjson "3.19" "PASS" pass "$check_3_19"
currentScore=$((currentScore + 1)) logjson "3.19" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_19"
warn " * Wrong ownership for $file"
logjson "3.19" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_19" info "$check_3_19"
warn " * Wrong ownership for $file" info " * File not found"
logjson "3.19" "WARN" logjson "3.19" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_19"
info " * File not found"
logjson "3.19" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.20 # 3.20
check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive" check_3_20() {
totalChecks=$((totalChecks + 1)) check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
file="/etc/default/docker" totalChecks=$((totalChecks + 1))
if [ -f "$file" ]; then file="/etc/default/docker"
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then if [ -f "$file" ]; then
pass "$check_3_20" if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
logjson "3.20" "PASS" pass "$check_3_20"
currentScore=$((currentScore + 1)) logjson "3.20" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_20"
warn " * Wrong permissions for $file"
logjson "3.20" "WARN"
currentScore=$((currentScore - 1))
fi
else else
warn "$check_3_20" info "$check_3_20"
warn " * Wrong permissions for $file" info " * File not found"
logjson "3.20" "WARN" logjson "3.20" "INFO"
currentScore=$((currentScore - 1)) currentScore=$((currentScore + 0))
fi fi
else }
info "$check_3_20"
info " * File not found"
logjson "3.20" "INFO"
currentScore=$((currentScore + 0))
fi

340
tests/4_container_images.sh
View file

@ -1,182 +1,206 @@
#!/bin/sh #!/bin/sh
logit "\n"
info "4 - Container Images and Build File"
# 4.1
check_4_1="4.1 - Ensure a user for the container has been created"
totalChecks=$((totalChecks + 1))
# If container_users is empty, there are no running containers
if [ -z "$containers" ]; then
info "$check_4_1"
info " * No containers running"
logjson "4.1" "INFO"
currentScore=$((currentScore + 0))
else
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_4_1"
warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fail=1
else
warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fi
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass "$check_4_1"
logjson "4.1" "PASS"
currentScore=$((currentScore + 1))
else
currentScore=$((currentScore - 1))
fi
fi
# Make the loop separator go back to space
set +f; unset IFS
images=$(docker images -q) images=$(docker images -q)
check_4() {
logit "\n"
info "4 - Container Images and Build File"
}
# 4.1
check_4_1() {
check_4_1="4.1 - Ensure a user for the container has been created"
totalChecks=$((totalChecks + 1))
# If container_users is empty, there are no running containers
if [ -z "$containers" ]; then
info "$check_4_1"
info " * No containers running"
logjson "4.1" "INFO"
currentScore=$((currentScore + 0))
else
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
if [ "$user" = "User=" -o "$user" = "User=[]" -o "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_4_1"
warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fail=1
else
warn " * Running as root: $c"
logjson "4.1" "WARN: $c"
fi
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass "$check_4_1"
logjson "4.1" "PASS"
currentScore=$((currentScore + 1))
else
currentScore=$((currentScore - 1))
fi
fi
# Make the loop separator go back to space
set +f; unset IFS
}
# 4.2 # 4.2
check_4_2="4.2 - Ensure that containers use trusted base images" check_4_2() {
totalChecks=$((totalChecks + 1)) check_4_2="4.2 - Ensure that containers use trusted base images"
note "$check_4_2" totalChecks=$((totalChecks + 1))
logjson "4.2" "NOTE" note "$check_4_2"
currentScore=$((currentScore + 0)) logjson "4.2" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.3 # 4.3
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container" check_4_3() {
totalChecks=$((totalChecks + 1)) check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
note "$check_4_3" totalChecks=$((totalChecks + 1))
logjson "4.3" "NOTE" note "$check_4_3"
currentScore=$((currentScore + 0)) logjson "4.3" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.4 # 4.4
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches" check_4_4() {
totalChecks=$((totalChecks + 1)) check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
note "$check_4_4" totalChecks=$((totalChecks + 1))
logjson "4.4" "NOTE" note "$check_4_4"
currentScore=$((currentScore + 0)) logjson "4.4" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.5 # 4.5
check_4_5="4.5 - Ensure Content trust for Docker is Enabled" check_4_5() {
totalChecks=$((totalChecks + 1)) check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then totalChecks=$((totalChecks + 1))
pass "$check_4_5" if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
logjson "4.5" "PASS" pass "$check_4_5"
currentScore=$((currentScore + 1)) logjson "4.5" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_4_5" else
logjson "4.5" "WARN" warn "$check_4_5"
currentScore=$((currentScore - 1)) logjson "4.5" "WARN"
fi currentScore=$((currentScore - 1))
fi
}
# 4.6 # 4.6
check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image" check_4_6() {
totalChecks=$((totalChecks + 1)) check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image"
fail=0 totalChecks=$((totalChecks + 1))
for img in $images; do fail=0
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then for img in $images; do
if [ $fail -eq 0 ]; then if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
fail=1 if [ $fail -eq 0 ]; then
warn "$check_4_6" fail=1
logjson "4.6" "WARN" warn "$check_4_6"
fi logjson "4.6" "WARN"
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) fi
if ! [ "$imgName" = '[]' ]; then imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
warn " * No Healthcheck found: $imgName" if ! [ "$imgName" = '[]' ]; then
logjson "4.6" "WARN: $imgName" warn " * No Healthcheck found: $imgName"
logjson "4.6" "WARN: $imgName"
fi
fi fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_6"
logjson "4.6" "PASS"
currentScore=$((currentScore + 1))
else
currentScore=$((currentScore - 1))
fi fi
done }
if [ $fail -eq 0 ]; then
pass "$check_4_6"
logjson "4.6" "PASS"
currentScore=$((currentScore + 1))
else
currentScore=$((currentScore - 1))
fi
# 4.7 # 4.7
check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile" check_4_7() {
totalChecks=$((totalChecks + 1)) check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile"
fail=0 totalChecks=$((totalChecks + 1))
for img in $images; do fail=0
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then for img in $images; do
if [ $fail -eq 0 ]; then if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
fail=1 if [ $fail -eq 0 ]; then
info "$check_4_7" fail=1
logjson "4.7" "INFO" info "$check_4_7"
fi logjson "4.7" "INFO"
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null) fi
if ! [ "$imgName" = '[]' ]; then imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
info " * Update instruction found: $imgName" if ! [ "$imgName" = '[]' ]; then
fi info " * Update instruction found: $imgName"
fi fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_7"
logjson "4.7" "PASS"
currentScore=$((currentScore + 1))
else
currentScore=$((currentScore + 0))
fi
# 4.8
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
totalChecks=$((totalChecks + 1))
note "$check_4_8"
logjson "4.8" "NOTE"
currentScore=$((currentScore + 0))
# 4.9
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
totalChecks=$((totalChecks + 1))
fail=0
for img in $images; do
docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_9"
logjson "4.9" "INFO"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
info " * ADD in image history: $imgName"
logjson "4.9" "INFO: $imgName"
fi fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_7"
logjson "4.7" "PASS"
currentScore=$((currentScore + 1))
else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
done }
if [ $fail -eq 0 ]; then
pass "$check_4_9" # 4.8
logjson "4.9" "PASS" check_4_8() {
currentScore=$((currentScore + 1)) check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
fi totalChecks=$((totalChecks + 1))
note "$check_4_8"
logjson "4.8" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.9
check_4_9() {
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
totalChecks=$((totalChecks + 1))
fail=0
for img in $images; do
docker history "$img" 2> /dev/null | grep 'ADD' >/dev/null 2>&1
if [ $? -eq 0 ]; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_9"
logjson "4.9" "INFO"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
info " * ADD in image history: $imgName"
logjson "4.9" "INFO: $imgName"
fi
currentScore=$((currentScore + 0))
fi
done
if [ $fail -eq 0 ]; then
pass "$check_4_9"
logjson "4.9" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 4.10 # 4.10
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles" check_4_10() {
totalChecks=$((totalChecks + 1)) check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
note "$check_4_10" totalChecks=$((totalChecks + 1))
logjson "4.10" "NOTE" note "$check_4_10"
currentScore=$((currentScore + 0)) logjson "4.10" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.11 # 4.11
check_4_11="4.11 - Ensure verified packages are only Installed" check_4_11() {
totalChecks=$((totalChecks + 1)) check_4_11="4.11 - Ensure verified packages are only Installed"
note "$check_4_11" totalChecks=$((totalChecks + 1))
logjson "4.11" "NOTE" note "$check_4_11"
currentScore=$((currentScore + 0)) logjson "4.11" "NOTE"
currentScore=$((currentScore + 0))
}

273
tests/5_container_runtime.sh
View file

@ -1,16 +1,29 @@
#!/bin/sh #!/bin/sh
check_5() {
logit "\n" logit "\n"
info "5 - Container Runtime" info "5 - Container Runtime"
}
check_running_containers() {
# If containers is empty, there are no running containers
if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5"
running_containers=0
else
running_containers=1
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
fi
}
# 5.1
check_5_1() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# If containers is empty, there are no running containers
if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5"
else
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
# 5.1
check_5_1="5.1 - Ensure AppArmor Profile is Enabled" check_5_1="5.1 - Ensure AppArmor Profile is Enabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -39,8 +52,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.2
check_5_2() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.2
check_5_2="5.2 - Ensure SELinux security options are set, if applicable" check_5_2="5.2 - Ensure SELinux security options are set, if applicable"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -69,8 +88,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.3
check_5_3() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.3
check_5_3="5.3 - Ensure Linux Kernel Capabilities are restricted within containers" check_5_3="5.3 - Ensure Linux Kernel Capabilities are restricted within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -102,8 +127,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.4
check_5_4() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.4
check_5_4="5.4 - Ensure privileged containers are not used" check_5_4="5.4 - Ensure privileged containers are not used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -132,8 +163,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.5
check_5_5() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.5
check_5_5="5.5 - Ensure sensitive host system directories are not mounted on containers" check_5_5="5.5 - Ensure sensitive host system directories are not mounted on containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -182,8 +219,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.6
check_5_6() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.6
check_5_6="5.6 - Ensure ssh is not run within containers" check_5_6="5.6 - Ensure ssh is not run within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -226,8 +269,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.7
check_5_7() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.7
check_5_7="5.7 - Ensure privileged ports are not mapped within containers" check_5_7="5.7 - Ensure privileged ports are not mapped within containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -260,15 +309,27 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.8
check_5_8() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.8
check_5_8="5.8 - Ensure only needed ports are open on the container" check_5_8="5.8 - Ensure only needed ports are open on the container"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_8" note "$check_5_8"
logjson "5.8" "NOTE" logjson "5.8" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.9
check_5_9() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.9
check_5_9="5.9 - Ensure the host's network namespace is not shared" check_5_9="5.9 - Ensure the host's network namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -297,8 +358,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.10
check_5_10() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.10
check_5_10="5.10 - Ensure memory usage for container is limited" check_5_10="5.10 - Ensure memory usage for container is limited"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -331,8 +398,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.11
check_5_11() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.11
check_5_11="5.11 - Ensure CPU priority is set appropriately on the container" check_5_11="5.11 - Ensure CPU priority is set appropriately on the container"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -365,8 +438,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.12
check_5_12() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.12
check_5_12="5.12 - Ensure the container's root filesystem is mounted as read only" check_5_12="5.12 - Ensure the container's root filesystem is mounted as read only"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -395,8 +474,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.13
check_5_13() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.13
check_5_13="5.13 - Ensure incoming container traffic is binded to a specific host interface" check_5_13="5.13 - Ensure incoming container traffic is binded to a specific host interface"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -425,8 +510,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.14
check_5_14() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.14
check_5_14="5.14 - Ensure 'on-failure' container restart policy is set to '5'" check_5_14="5.14 - Ensure 'on-failure' container restart policy is set to '5'"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -455,8 +546,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.15
check_5_15() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.15
check_5_15="5.15 - Ensure the host's process namespace is not shared" check_5_15="5.15 - Ensure the host's process namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -485,8 +582,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.16
check_5_16() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.16
check_5_16="5.16 - Ensure the host's IPC namespace is not shared" check_5_16="5.16 - Ensure the host's IPC namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -515,8 +618,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.17
check_5_17() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.17
check_5_17="5.17 - Ensure host devices are not directly exposed to containers" check_5_17="5.17 - Ensure host devices are not directly exposed to containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -545,8 +654,14 @@ else
else else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 5.18
check_5_18() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.18
check_5_18="5.18 - Ensure the default ulimit is overwritten at runtime, only if needed" check_5_18="5.18 - Ensure the default ulimit is overwritten at runtime, only if needed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -575,8 +690,14 @@ else
else else
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
fi fi
}
# 5.19
check_5_19() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.19
check_5_19="5.19 - Ensure mount propagation mode is not set to shared" check_5_19="5.19 - Ensure mount propagation mode is not set to shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -604,8 +725,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.20
check_5_20() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.20
check_5_20="5.20 - Ensure the host's UTS namespace is not shared" check_5_20="5.20 - Ensure the host's UTS namespace is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -634,8 +761,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.21
check_5_21() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.21
check_5_21="5.21 - Ensure the default seccomp profile is not Disabled" check_5_21="5.21 - Ensure the default seccomp profile is not Disabled"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -663,22 +796,40 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.22
check_5_22() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.22
check_5_22="5.22 - Ensure docker exec commands are not used with privileged option" check_5_22="5.22 - Ensure docker exec commands are not used with privileged option"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_22" note "$check_5_22"
logjson "5.22" "NOTE" logjson "5.22" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.23
check_5_23() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.23
check_5_23="5.23 - Ensure docker exec commands are not used with user option" check_5_23="5.23 - Ensure docker exec commands are not used with user option"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
note "$check_5_23" note "$check_5_23"
logjson "5.23" "NOTE" logjson "5.23" "NOTE"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.24
check_5_24() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.24
check_5_24="5.24 - Ensure cgroup usage is confirmed" check_5_24="5.24 - Ensure cgroup usage is confirmed"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -707,8 +858,13 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.25 # 5.25
check_5_25() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_25="5.25 - Ensure the container is restricted from acquiring additional privileges" check_5_25="5.25 - Ensure the container is restricted from acquiring additional privileges"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -735,8 +891,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.26
check_5_26() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.26
check_5_26="5.26 - Ensure container health is checked at runtime" check_5_26="5.26 - Ensure container health is checked at runtime"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -761,15 +923,27 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.27
check_5_27() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.27
check_5_27="5.27 - Ensure docker commands always get the latest version of the image" check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
info "$check_5_27" info "$check_5_27"
logjson "5.27" "INFO" logjson "5.27" "INFO"
currentScore=$((currentScore + 0)) currentScore=$((currentScore + 0))
}
# 5.28
check_5_28() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.28
check_5_28="5.28 - Ensure PIDs cgroup limit is used" check_5_28="5.28 - Ensure PIDs cgroup limit is used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -798,8 +972,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.29
check_5_29() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.29
check_5_29="5.29 - Ensure Docker's default bridge docker0 is not used" check_5_29="5.29 - Ensure Docker's default bridge docker0 is not used"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -832,8 +1012,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.30
check_5_30() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.30
check_5_30="5.30 - Ensure the host's user namespaces is not shared" check_5_30="5.30 - Ensure the host's user namespaces is not shared"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -860,8 +1046,14 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
}
# 5.31
check_5_31() {
if [ "$running_containers" -ne 1 ]; then
return
fi
# 5.31
check_5_31="5.31 - Ensure the Docker socket is not mounted inside any containers" check_5_31="5.31 - Ensure the Docker socket is not mounted inside any containers"
totalChecks=$((totalChecks + 1)) totalChecks=$((totalChecks + 1))
@ -888,4 +1080,5 @@ else
else else
currentScore=$((currentScore - 1)) currentScore=$((currentScore - 1))
fi fi
fi }

74
tests/6_docker_security_operations.sh
View file

@ -1,42 +1,48 @@
#!/bin/sh #!/bin/sh
logit "\n" check_6() {
info "6 - Docker Security Operations" logit "\n"
info "6 - Docker Security Operations"
}
# 6.1 # 6.1
check_6_1="6.1 - Avoid image sprawl" check_6_1() {
totalChecks=$((totalChecks + 1)) check_6_1="6.1 - Avoid image sprawl"
images=$(docker images -q | sort -u | wc -l | awk '{print $1}') totalChecks=$((totalChecks + 1))
active_images=0 images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
active_images=0
for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do
if docker images --no-trunc -a | grep "$c" > /dev/null ; then if docker images --no-trunc -a | grep "$c" > /dev/null ; then
active_images=$(( active_images += 1 )) active_images=$(( active_images += 1 ))
fi
done
info "$check_6_1"
info " * There are currently: $images images"
if [ "$active_images" -lt "$((images / 2))" ]; then
info " * Only $active_images out of $images are in use"
logjson "6.1" "INFO: $active_images"
fi fi
done currentScore=$((currentScore + 0))
}
info "$check_6_1"
info " * There are currently: $images images"
if [ "$active_images" -lt "$((images / 2))" ]; then
info " * Only $active_images out of $images are in use"
logjson "6.1" "INFO: $active_images"
fi
currentScore=$((currentScore + 0))
# 6.2 # 6.2
check_6_2="6.2 - Avoid container sprawl" check_6_2() {
totalChecks=$((totalChecks + 1)) check_6_2="6.2 - Avoid container sprawl"
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}') totalChecks=$((totalChecks + 1))
running_containers=$(docker ps -q | wc -l | awk '{print $1}') total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
diff="$((total_containers - running_containers))" running_containers=$(docker ps -q | wc -l | awk '{print $1}')
if [ "$diff" -gt 25 ]; then diff="$((total_containers - running_containers))"
info "$check_6_2" if [ "$diff" -gt 25 ]; then
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running" info "$check_6_2"
logjson "6.2" "INFO: $running_containers" info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
else logjson "6.2" "INFO: $running_containers"
info "$check_6_2" else
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running" info "$check_6_2"
logjson "6.2" "INFO: $running_containers" info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
fi logjson "6.2" "INFO: $running_containers"
currentScore=$((currentScore + 0)) fi
currentScore=$((currentScore + 0))
}

294
tests/7_docker_swarm_configuration.sh
View file

@ -1,174 +1,196 @@
#!/bin/sh #!/bin/sh
logit "\n" check_7() {
info "7 - Docker Swarm Configuration" logit "\n"
info "7 - Docker Swarm Configuration"
}
# 7.1 # 7.1
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed" check_7_1() {
totalChecks=$((totalChecks + 1)) check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
pass "$check_7_1" if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
logjson "7.1" "PASS" pass "$check_7_1"
currentScore=$((currentScore + 1)) logjson "7.1" "PASS"
else currentScore=$((currentScore + 1))
warn "$check_7_1" else
logjson "7.1" "WARN" warn "$check_7_1"
currentScore=$((currentScore - 1)) logjson "7.1" "WARN"
fi currentScore=$((currentScore - 1))
fi
}
# 7.2 # 7.2
check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm" check_7_2() {
totalChecks=$((totalChecks + 1)) check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm"
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
managernodes=$(docker node ls | grep -c "Leader") if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
if [ "$managernodes" -le 1 ]; then managernodes=$(docker node ls | grep -c "Leader")
pass "$check_7_2" if [ "$managernodes" -le 1 ]; then
pass "$check_7_2"
logjson "7.2" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_7_2"
logjson "7.2" "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_7_2 (Swarm mode not enabled)"
logjson "7.2" "PASS" logjson "7.2" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else
warn "$check_7_2"
logjson "7.2" "WARN"
currentScore=$((currentScore - 1))
fi fi
else }
pass "$check_7_2 (Swarm mode not enabled)"
logjson "7.2" "PASS"
currentScore=$((currentScore + 1))
fi
# 7.3 # 7.3
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface" check_7_3() {
totalChecks=$((totalChecks + 1)) check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
if [ $? -eq 1 ]; then ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
pass "$check_7_3" if [ $? -eq 1 ]; then
pass "$check_7_3"
logjson "7.3" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_7_3"
logjson "7.3" "WARN"
currentScore=$((currentScore - 1))
fi
else
pass "$check_7_3 (Swarm mode not enabled)"
logjson "7.3" "PASS" logjson "7.3" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else
warn "$check_7_3"
logjson "7.3" "WARN"
currentScore=$((currentScore - 1))
fi fi
else }
pass "$check_7_3 (Swarm mode not enabled)"
logjson "7.3" "PASS"
currentScore=$((currentScore + 1))
fi
# 7.4 # 7.4
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network" check_7_4(){
totalChecks=$((totalChecks + 1)) check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
if docker network ls --filter driver=overlay --quiet | \ totalChecks=$((totalChecks + 1))
xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \ if docker network ls --filter driver=overlay --quiet | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then xargs docker network inspect --format '{{.Name}} {{ .Options }}' 2>/dev/null | \
warn "$check_7_4" grep -v 'encrypted:' 2>/dev/null 1>&2; then
currentScore=$((currentScore - 1)) warn "$check_7_4"
for encnet in $(docker network ls --filter driver=overlay --quiet); do currentScore=$((currentScore - 1))
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \ for encnet in $(docker network ls --filter driver=overlay --quiet); do
grep -v 'encrypted:' 2>/dev/null 1>&2; then if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" grep -v 'encrypted:' 2>/dev/null 1>&2; then
logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")" warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
fi logjson "7.4" "WARN: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
done fi
else done
pass "$check_7_4" else
logjson "7.4" "PASS" pass "$check_7_4"
currentScore=$((currentScore + 1)) logjson "7.4" "PASS"
fi currentScore=$((currentScore + 1))
fi
}
# 7.5 # 7.5
check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster" check_7_5() {
totalChecks=$((totalChecks + 1)) check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
pass "$check_7_5" if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass "$check_7_5"
logjson "7.5" "PASS"
currentScore=$((currentScore + 1))
else
info "$check_7_5"
logjson "7.5" "INFO"
currentScore=$((currentScore + 0))
fi
else
pass "$check_7_5 (Swarm mode not enabled)"
logjson "7.5" "PASS" logjson "7.5" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else
info "$check_7_5"
logjson "7.5" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
pass "$check_7_5 (Swarm mode not enabled)"
logjson "7.5" "PASS"
currentScore=$((currentScore + 1))
fi
# 7.6 # 7.6
check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode" check_7_6() {
totalChecks=$((totalChecks + 1)) check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
warn "$check_7_6" if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
logjson "7.6" "WARN" warn "$check_7_6"
currentScore=$((currentScore - 1)) logjson "7.6" "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_7_6"
logjson "7.6" "PASS"
currentScore=$((currentScore + 1))
fi
else else
pass "$check_7_6" pass "$check_7_6 (Swarm mode not enabled)"
logjson "7.6" "PASS" logjson "7.6" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
fi fi
else }
pass "$check_7_6 (Swarm mode not enabled)"
logjson "7.6" "PASS"
currentScore=$((currentScore + 1))
fi
# 7.7 # 7.7
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically" check_7_7() {
totalChecks=$((totalChecks + 1)) check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
note "$check_7_7" if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
logjson "7.7" "NOTE" note "$check_7_7"
currentScore=$((currentScore + 0)) logjson "7.7" "NOTE"
else currentScore=$((currentScore + 0))
pass "$check_7_7 (Swarm mode not enabled)" else
logjson "7.7" "PASS" pass "$check_7_7 (Swarm mode not enabled)"
currentScore=$((currentScore + 1)) logjson "7.7" "PASS"
fi currentScore=$((currentScore + 1))
fi
}
# 7.8 # 7.8
check_7_8="7.8 - Ensure node certificates are rotated as appropriate" check_7_8() {
totalChecks=$((totalChecks + 1)) check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
pass "$check_7_8" if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass "$check_7_8"
logjson "7.8" "PASS"
currentScore=$((currentScore + 1))
else
info "$check_7_8"
logjson "7.8" "INFO"
currentScore=$((currentScore + 0))
fi
else
pass "$check_7_8 (Swarm mode not enabled)"
logjson "7.8" "PASS" logjson "7.8" "PASS"
currentScore=$((currentScore + 1)) currentScore=$((currentScore + 1))
else
info "$check_7_8"
logjson "7.8" "INFO"
currentScore=$((currentScore + 0))
fi fi
else }
pass "$check_7_8 (Swarm mode not enabled)"
logjson "7.8" "PASS"
currentScore=$((currentScore + 1))
fi
# 7.9 # 7.9
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate" check_7_9() {
totalChecks=$((totalChecks + 1)) check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
info "$check_7_9" if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
logjson "7.9" "INFO" info "$check_7_9"
currentScore=$((currentScore + 0)) logjson "7.9" "INFO"
else currentScore=$((currentScore + 0))
pass "$check_7_9 (Swarm mode not enabled)" else
logjson "7.9" "PASS" pass "$check_7_9 (Swarm mode not enabled)"
currentScore=$((currentScore + 1)) logjson "7.9" "PASS"
fi currentScore=$((currentScore + 1))
fi
}
# 7.10 # 7.10
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic" check_7_10() {
totalChecks=$((totalChecks + 1)) check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then totalChecks=$((totalChecks + 1))
info "$check_7_10" if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
logjson "7.10" "INFO" info "$check_7_10"
currentScore=$((currentScore + 0)) logjson "7.10" "INFO"
else currentScore=$((currentScore + 0))
pass "$check_7_10 (Swarm mode not enabled)" else
logjson "7.10" "PASS" pass "$check_7_10 (Swarm mode not enabled)"
currentScore=$((currentScore + 1)) logjson "7.10" "PASS"
fi currentScore=$((currentScore + 1))
fi
}