GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 00:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #283 from konstruktoid/functionsupdate

Browse source 
Functionsupdate
This commit is contained in:
Thomas Sjögren 2018-01-16 13:53:44 +01:00 committed by GitHub
commit ed73b3728f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 1824 additions and 1277 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
README.md
View file

@ -43,7 +43,24 @@ Distribution specific Dockerfiles that fixes this issue are available in the
The [distribution specific Dockerfiles](https://github.com/docker/docker-bench-security/tree/master/distros)
may also help if the distribution you're using haven't yet shipped Docker
version 1.10.0 or later.
version 1.13.0 or later.
### Docker Bench for Security options
```sh
-h optional Print this help message
-l FILE optional Log output in FILE
-c CHECK optional Run specific check
```
By default the Docker Bench for Security script will run all available tests and
produce logs in the current directory named `docker-bench-security.sh.log.json`
and `docker-bench-security.sh.log`.
The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6`
and community contributed checks are named `check_c_<number>`.
A complete list of checks are present in [functions_lib.sh](functions_lib.sh).
`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2`
## Building Docker Bench for Security

21
docker-bench-security.sh
View file

@ -9,8 +9,9 @@
# ------------------------------------------------------------------------------
# Load dependencies
. ./output_lib.sh
. ./functions_lib.sh
. ./helper_lib.sh
. ./output_lib.sh
# Setup the paths
this_path=$(abspath "$0") ## Path of this file including filenamel
@ -35,18 +36,20 @@ usage () {
usage: ${myname} [options]
-h optional Print this help message
-l PATH optional Log output in PATH
-l FILE optional Log output in FILE
-c CHECK optional Run specific check
EOF
}
# Get the flags
# If you add an option here, please
# remember to update usage() above.
while getopts hl: args
while getopts hl:c: args
do
case $args in
h) usage; exit 0 ;;
l) logger="$OPTARG" ;;
c) check="$OPTARG" ;;
*) usage; exit 1 ;;
esac
done
@ -95,11 +98,23 @@ main () {
# List all running containers except docker-bench (use names to improve readability in logs)
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
if [ -z "$containers" ]; then
running_containers=0
else
running_containers=1
fi
for test in tests/*.sh
do
. ./"$test"
done
if [ -z "$check" ]; then
cis
else
"$check"
fi
printf "\n"
info "Checks: $totalChecks"
info "Score: $currentScore"

161
functions_lib.sh Normal file
View file

@ -0,0 +1,161 @@
#!/bin/sh
host_configuration() {
check_1
check_1_1
check_1_2
check_1_3
check_1_4
check_1_5
check_1_6
check_1_7
check_1_8
check_1_9
check_1_10
check_1_11
check_1_12
check_1_13
}
docker_daemon_configuration() {
check_2
check_2_1
check_2_2
check_2_3
check_2_4
check_2_5
check_2_6
check_2_7
check_2_8
check_2_9
check_2_10
check_2_11
check_2_12
check_2_13
check_2_14
check_2_15
check_2_16
check_2_17
check_2_18
}
docker_daemon_files() {
check_3
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
}
container_images() {
check_4
check_4_1
check_4_2
check_4_3
check_4_4
check_4_5
check_4_6
check_4_7
check_4_8
check_4_9
check_4_10
check_4_11
}
container_runtime() {
check_5
check_running_containers
check_5_1
check_5_2
check_5_3
check_5_4
check_5_5
check_5_6
check_5_7
check_5_8
check_5_9
check_5_10
check_5_11
check_5_12
check_5_13
check_5_14
check_5_15
check_5_16
check_5_17
check_5_18
check_5_19
check_5_20
check_5_21
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_27
check_5_28
check_5_29
check_5_30
check_5_31
}
docker_security_operations() {
check_6
check_6_1
check_6_2
}
docker_swarm_configuration() {
check_7
check_7_1
check_7_2
check_7_3
check_7_5
check_7_6
check_7_7
check_7_8
check_7_9
check_7_10
}
community_checks() {
# check_c_1
true;
}
# CIS
cis() {
host_configuration
docker_daemon_configuration
docker_daemon_files
container_images
container_runtime
docker_security_operations
docker_swarm_configuration
}
# Community contributed
community() {
community_checks
}
# All
all() {
cis
community
}

3
helper_lib.sh
View file

@ -3,6 +3,9 @@
# Returns the absolute path of a given string
abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; }
# Audit rules default path
auditrules="/etc/audit/audit.rules"
# Compares versions of software of the format X.Y.Z
do_version_check() {
[ "$1" = "$2" ] && return 10

29
tests/1_host_configuration.sh
View file

@ -1,10 +1,12 @@
#!/bin/sh
check_1() {
logit ""
info "1 - Host Configuration"
auditrules="/etc/audit/audit.rules"
}
# 1.1
check_1_1() {
check_1_1="1.1 - Ensure a separate partition for containers has been created"
totalChecks=$((totalChecks + 1))
@ -21,15 +23,19 @@ else
logjson "1.1" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 1.2
check_1_2() {
check_1_2="1.2 - Ensure the container host has been Hardened"
totalChecks=$((totalChecks + 1))
note "$check_1_2"
logjson "1.2" "INFO"
currentScore=$((currentScore - 0))
}
# 1.3
check_1_3() {
check_1_3="1.3 - Ensure Docker is up to date"
totalChecks=$((totalChecks + 1))
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
@ -49,8 +55,10 @@ else
logjson "1.3" "PASS"
currentScore=$((currentScore - 0))
fi
}
# 1.4
check_1_4() {
check_1_4="1.4 - Ensure only trusted users are allowed to control Docker daemon"
totalChecks=$((totalChecks + 1))
docker_users=$(getent group docker)
@ -60,8 +68,10 @@ for u in $docker_users; do
logjson "1.4" "$u"
done
currentScore=$((currentScore - 0))
}
# 1.5
check_1_5() {
check_1_5="1.5 - Ensure auditing is configured for the Docker daemon"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker "
@ -84,8 +94,10 @@ else
logjson "1.5" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 1.6
check_1_6() {
check_1_6="1.6 - Ensure auditing is configured for Docker files and directories - /var/lib/docker"
totalChecks=$((totalChecks + 1))
directory="/var/lib/docker"
@ -115,8 +127,10 @@ else
logjson "1.6" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 1.7
check_1_7() {
check_1_7="1.7 - Ensure auditing is configured for Docker files and directories - /etc/docker"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
@ -146,8 +160,10 @@ else
logjson "1.7" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 1.8
check_1_8() {
check_1_8="1.8 - Ensure auditing is configured for Docker files and directories - docker.service"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
@ -177,8 +193,10 @@ else
logjson "1.8" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 1.9
check_1_9() {
check_1_9="1.9 - Ensure auditing is configured for Docker files and directories - docker.socket"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
@ -208,8 +226,10 @@ else
logjson "1.9" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 1.10
check_1_10() {
check_1_10="1.10 - Ensure auditing is configured for Docker files and directories - /etc/default/docker"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
@ -239,8 +259,10 @@ else
logjson "1.10" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 1.11
check_1_11() {
check_1_11="1.11 - Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
@ -270,8 +292,10 @@ else
logjson "1.11" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 1.12
check_1_12() {
check_1_12="1.12 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-containerd"
@ -301,8 +325,10 @@ else
logjson "1.12" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 1.13
check_1_13() {
check_1_13="1.13 - Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc"
totalChecks=$((totalChecks + 1))
file="/usr/bin/docker-runc"
@ -332,3 +358,4 @@ else
logjson "1.13" "INFO"
currentScore=$((currentScore + 0))
fi
}

39
tests/2_docker_daemon_configuration.sh
View file

@ -1,9 +1,12 @@
#!/bin/sh
check_2() {
logit "\n"
info "2 - Docker daemon configuration"
}
# 2.1
check_2_1() {
check_2_1="2.1 - Ensure network traffic is restricted between containers on the default bridge"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
@ -19,8 +22,10 @@ else
logjson "2.1" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.2
check_2_2() {
check_2_2="2.2 - Ensure the logging level is set to 'info'"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
@ -52,8 +57,10 @@ else
logjson "2.2" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.3
check_2_3() {
check_2_3="2.3 - Ensure Docker is allowed to make changes to iptables"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
@ -69,8 +76,10 @@ else
logjson "2.3" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.4
check_2_4() {
check_2_4="2.4 - Ensure insecure registries are not used"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
@ -92,8 +101,10 @@ else
logjson "2.4" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.5
check_2_5() {
check_2_5="2.5 - Ensure aufs storage driver is not used"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
@ -105,8 +116,10 @@ else
logjson "2.5" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.6
check_2_6() {
check_2_6="2.6 - Ensure TLS authentication for Docker daemon is configured"
totalChecks=$((totalChecks + 1))
if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
@ -154,9 +167,10 @@ else
logjson "2.6" "INFO"
currentScore=$((currentScore +0))
fi
}
# 2.7
check_2_7() {
check_2_7="2.7 - Ensure the default ulimit is configured appropriately"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
@ -173,8 +187,10 @@ else
logjson "2.7" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 2.8
check_2_8() {
check_2_8="2.8 - Enable user namespace support"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
@ -190,8 +206,10 @@ else
logjson "2.8" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.9
check_2_9() {
check_2_9="2.9 - Ensure the default cgroup usage has been confirmed"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
@ -209,8 +227,10 @@ else
logjson "2.9" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.10
check_2_10() {
check_2_10="2.10 - Ensure base device size is not changed until needed"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
@ -226,8 +246,10 @@ else
logjson "2.10" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.11
check_2_11() {
check_2_11="2.11 - Ensure that authorization for Docker client commands is enabled"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
@ -243,8 +265,10 @@ else
logjson "2.11" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.12
check_2_12() {
check_2_12="2.12 - Ensure centralized and remote logging is configured"
totalChecks=$((totalChecks + 1))
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
@ -256,8 +280,10 @@ else
logjson "2.12" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 2.13
check_2_13() {
check_2_13="2.13 - Ensure operations on legacy registry (v1) are Disabled"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
@ -273,8 +299,10 @@ else
logjson "2.13" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.14
check_2_14() {
check_2_14="2.14 - Ensure live restore is Enabled"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
@ -296,8 +324,10 @@ else
currentScore=$((currentScore - 1))
fi
fi
}
# 2.15
check_2_15() {
check_2_15="2.15 - Ensure Userland Proxy is Disabled"
totalChecks=$((totalChecks + 1))
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
@ -313,8 +343,10 @@ else
logjson "2.15" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.16
check_2_16() {
check_2_16="2.16 - Ensure daemon-wide custom seccomp profile is applied, if needed"
totalChecks=$((totalChecks + 1))
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
@ -326,8 +358,10 @@ else
logjson "2.16" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 2.17
check_2_17() {
check_2_17="2.17 - Ensure experimental features are avoided in production"
totalChecks=$((totalChecks + 1))
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
@ -339,8 +373,10 @@ else
logjson "2.17" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 2.18
check_2_18() {
check_2_18="2.18 - Ensure containers are restricted from acquiring new privileges"
totalChecks=$((totalChecks + 1))
if get_docker_effective_command_line_args '--no-new-privileges' >/dev/null 2>&1; then
@ -356,3 +392,4 @@ else
logjson "2.18" "WARN"
currentScore=$((currentScore - 1))
fi
}

42
tests/3_docker_daemon_configuration_files.sh
View file

@ -1,9 +1,12 @@
#!/bin/sh
check_3() {
logit "\n"
info "3 - Docker daemon configuration files"
}
# 3.1
check_3_1() {
check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
@ -24,8 +27,10 @@ else
logjson "3.1" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.2
check_3_2() {
check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
@ -46,8 +51,10 @@ else
logjson "3.2" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.3
check_3_3() {
check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
@ -68,8 +75,10 @@ else
logjson "3.3" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.4
check_3_4() {
check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
@ -90,8 +99,10 @@ else
logjson "3.4" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.5
check_3_5() {
check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
@ -112,8 +123,10 @@ else
logjson "3.5" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.6
check_3_6() {
check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
@ -134,8 +147,10 @@ else
logjson "3.6" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.7
check_3_7() {
check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/"
@ -163,8 +178,10 @@ else
logjson "3.7" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.8
check_3_8() {
check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/"
@ -192,8 +209,10 @@ else
logjson "3.8" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.9
check_3_9() {
check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
@ -218,8 +237,10 @@ else
logjson "3.9" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.10
check_3_10() {
check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
@ -244,8 +265,10 @@ else
logjson "3.10" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.11
check_3_11() {
check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
@ -270,8 +293,10 @@ else
logjson "3.11" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.12
check_3_12() {
check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
@ -296,8 +321,10 @@ else
logjson "3.12" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.13
check_3_13() {
check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
@ -322,8 +349,10 @@ else
logjson "3.13" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.14
check_3_14() {
check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
@ -348,8 +377,10 @@ else
logjson "3.14" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.15
check_3_15() {
check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker"
totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock"
@ -370,8 +401,10 @@ else
logjson "3.15" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.16
check_3_16() {
check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive"
totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock"
@ -392,8 +425,10 @@ else
logjson "3.16" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.17
check_3_17() {
check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
@ -414,8 +449,10 @@ else
logjson "3.17" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.18
check_3_18() {
check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
@ -436,8 +473,10 @@ else
logjson "3.18" "INFO"
currentScore=$((currentScore - 0))
fi
}
# 3.19
check_3_19() {
check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
@ -458,8 +497,10 @@ else
logjson "3.19" "INFO"
currentScore=$((currentScore + 0))
fi
}
# 3.20
check_3_20() {
check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
@ -480,3 +521,4 @@ else
logjson "3.20" "INFO"
currentScore=$((currentScore + 0))
fi
}

28
tests/4_container_images.sh
View file

@ -1,9 +1,14 @@
#!/bin/sh
images=$(docker images -q)
check_4() {
logit "\n"
info "4 - Container Images and Build File"
}
# 4.1
check_4_1() {
check_4_1="4.1 - Ensure a user for the container has been created"
totalChecks=$((totalChecks + 1))
@ -46,31 +51,37 @@ else
fi
# Make the loop separator go back to space
set +f; unset IFS
images=$(docker images -q)
}
# 4.2
check_4_2() {
check_4_2="4.2 - Ensure that containers use trusted base images"
totalChecks=$((totalChecks + 1))
note "$check_4_2"
logjson "4.2" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.3
check_4_3() {
check_4_3="4.3 - Ensure unnecessary packages are not installed in the container"
totalChecks=$((totalChecks + 1))
note "$check_4_3"
logjson "4.3" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.4
check_4_4() {
check_4_4="4.4 - Ensure images are scanned and rebuilt to include security patches"
totalChecks=$((totalChecks + 1))
note "$check_4_4"
logjson "4.4" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.5
check_4_5() {
check_4_5="4.5 - Ensure Content trust for Docker is Enabled"
totalChecks=$((totalChecks + 1))
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
@ -82,8 +93,10 @@ else
logjson "4.5" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 4.6
check_4_6() {
check_4_6="4.6 - Ensure HEALTHCHECK instructions have been added to the container image"
totalChecks=$((totalChecks + 1))
fail=0
@ -108,8 +121,10 @@ if [ $fail -eq 0 ]; then
else
currentScore=$((currentScore - 1))
fi
}
# 4.7
check_4_7() {
check_4_7="4.7 - Ensure update instructions are not use alone in the Dockerfile"
totalChecks=$((totalChecks + 1))
fail=0
@ -133,15 +148,19 @@ if [ $fail -eq 0 ]; then
else
currentScore=$((currentScore + 0))
fi
}
# 4.8
check_4_8() {
check_4_8="4.8 - Ensure setuid and setgid permissions are removed in the images"
totalChecks=$((totalChecks + 1))
note "$check_4_8"
logjson "4.8" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.9
check_4_9() {
check_4_9="4.9 - Ensure COPY is used instead of ADD in Dockerfile"
totalChecks=$((totalChecks + 1))
fail=0
@ -166,17 +185,22 @@ if [ $fail -eq 0 ]; then
logjson "4.9" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 4.10
check_4_10() {
check_4_10="4.10 - Ensure secrets are not stored in Dockerfiles"
totalChecks=$((totalChecks + 1))
note "$check_4_10"
logjson "4.10" "NOTE"
currentScore=$((currentScore + 0))
}
# 4.11
check_4_11() {
check_4_11="4.11 - Ensure verified packages are only Installed"
totalChecks=$((totalChecks + 1))
note "$check_4_11"
logjson "4.11" "NOTE"
currentScore=$((currentScore + 0))
}

195
tests/5_container_runtime.sh
View file

@ -1,16 +1,29 @@
#!/bin/sh
check_5() {
logit "\n"
info "5 - Container Runtime"
}
check_running_containers() {
# If containers is empty, there are no running containers
if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5"
running_containers=0
else
running_containers=1
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
fi
}
# 5.1
check_5_1() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_1="5.1 - Ensure AppArmor Profile is Enabled"
totalChecks=$((totalChecks + 1))
@ -39,8 +52,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.2
check_5_2() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_2="5.2 - Ensure SELinux security options are set, if applicable"
totalChecks=$((totalChecks + 1))
@ -69,8 +88,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.3
check_5_3() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_3="5.3 - Ensure Linux Kernel Capabilities are restricted within containers"
totalChecks=$((totalChecks + 1))
@ -102,8 +127,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.4
check_5_4() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_4="5.4 - Ensure privileged containers are not used"
totalChecks=$((totalChecks + 1))
@ -132,8 +163,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.5
check_5_5() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_5="5.5 - Ensure sensitive host system directories are not mounted on containers"
totalChecks=$((totalChecks + 1))
@ -182,8 +219,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.6
check_5_6() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_6="5.6 - Ensure ssh is not run within containers"
totalChecks=$((totalChecks + 1))
@ -226,8 +269,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.7
check_5_7() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_7="5.7 - Ensure privileged ports are not mapped within containers"
totalChecks=$((totalChecks + 1))
@ -260,15 +309,27 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.8
check_5_8() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_8="5.8 - Ensure only needed ports are open on the container"
totalChecks=$((totalChecks + 1))
note "$check_5_8"
logjson "5.8" "NOTE"
currentScore=$((currentScore + 0))
}
# 5.9
check_5_9() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_9="5.9 - Ensure the host's network namespace is not shared"
totalChecks=$((totalChecks + 1))
@ -297,8 +358,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.10
check_5_10() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_10="5.10 - Ensure memory usage for container is limited"
totalChecks=$((totalChecks + 1))
@ -331,8 +398,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.11
check_5_11() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_11="5.11 - Ensure CPU priority is set appropriately on the container"
totalChecks=$((totalChecks + 1))
@ -365,8 +438,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.12
check_5_12() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_12="5.12 - Ensure the container's root filesystem is mounted as read only"
totalChecks=$((totalChecks + 1))
@ -395,8 +474,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.13
check_5_13() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_13="5.13 - Ensure incoming container traffic is binded to a specific host interface"
totalChecks=$((totalChecks + 1))
@ -425,8 +510,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.14
check_5_14() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_14="5.14 - Ensure 'on-failure' container restart policy is set to '5'"
totalChecks=$((totalChecks + 1))
@ -455,8 +546,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.15
check_5_15() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_15="5.15 - Ensure the host's process namespace is not shared"
totalChecks=$((totalChecks + 1))
@ -485,8 +582,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.16
check_5_16() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_16="5.16 - Ensure the host's IPC namespace is not shared"
totalChecks=$((totalChecks + 1))
@ -515,8 +618,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.17
check_5_17() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_17="5.17 - Ensure host devices are not directly exposed to containers"
totalChecks=$((totalChecks + 1))
@ -545,8 +654,14 @@ else
else
currentScore=$((currentScore + 0))
fi
}
# 5.18
check_5_18() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_18="5.18 - Ensure the default ulimit is overwritten at runtime, only if needed"
totalChecks=$((totalChecks + 1))
@ -575,8 +690,14 @@ else
else
currentScore=$((currentScore + 0))
fi
}
# 5.19
check_5_19() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_19="5.19 - Ensure mount propagation mode is not set to shared"
totalChecks=$((totalChecks + 1))
@ -604,8 +725,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.20
check_5_20() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_20="5.20 - Ensure the host's UTS namespace is not shared"
totalChecks=$((totalChecks + 1))
@ -634,8 +761,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.21
check_5_21() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_21="5.21 - Ensure the default seccomp profile is not Disabled"
totalChecks=$((totalChecks + 1))
@ -663,22 +796,40 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.22
check_5_22() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_22="5.22 - Ensure docker exec commands are not used with privileged option"
totalChecks=$((totalChecks + 1))
note "$check_5_22"
logjson "5.22" "NOTE"
currentScore=$((currentScore + 0))
}
# 5.23
check_5_23() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_23="5.23 - Ensure docker exec commands are not used with user option"
totalChecks=$((totalChecks + 1))
note "$check_5_23"
logjson "5.23" "NOTE"
currentScore=$((currentScore + 0))
}
# 5.24
check_5_24() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_24="5.24 - Ensure cgroup usage is confirmed"
totalChecks=$((totalChecks + 1))
@ -707,8 +858,13 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.25
check_5_25() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_25="5.25 - Ensure the container is restricted from acquiring additional privileges"
totalChecks=$((totalChecks + 1))
@ -735,8 +891,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.26
check_5_26() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_26="5.26 - Ensure container health is checked at runtime"
totalChecks=$((totalChecks + 1))
@ -761,15 +923,27 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.27
check_5_27() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
totalChecks=$((totalChecks + 1))
info "$check_5_27"
logjson "5.27" "INFO"
currentScore=$((currentScore + 0))
}
# 5.28
check_5_28() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_28="5.28 - Ensure PIDs cgroup limit is used"
totalChecks=$((totalChecks + 1))
@ -798,8 +972,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.29
check_5_29() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_29="5.29 - Ensure Docker's default bridge docker0 is not used"
totalChecks=$((totalChecks + 1))
@ -832,8 +1012,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.30
check_5_30() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_30="5.30 - Ensure the host's user namespaces is not shared"
totalChecks=$((totalChecks + 1))
@ -860,8 +1046,14 @@ else
else
currentScore=$((currentScore - 1))
fi
}
# 5.31
check_5_31() {
if [ "$running_containers" -ne 1 ]; then
return
fi
check_5_31="5.31 - Ensure the Docker socket is not mounted inside any containers"
totalChecks=$((totalChecks + 1))
@ -888,4 +1080,5 @@ else
else
currentScore=$((currentScore - 1))
fi
fi
}

6
tests/6_docker_security_operations.sh
View file

@ -1,9 +1,12 @@
#!/bin/sh
check_6() {
logit "\n"
info "6 - Docker Security Operations"
}
# 6.1
check_6_1() {
check_6_1="6.1 - Avoid image sprawl"
totalChecks=$((totalChecks + 1))
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
@ -23,8 +26,10 @@ if [ "$active_images" -lt "$((images / 2))" ]; then
logjson "6.1" "INFO: $active_images"
fi
currentScore=$((currentScore + 0))
}
# 6.2
check_6_2() {
check_6_2="6.2 - Avoid container sprawl"
totalChecks=$((totalChecks + 1))
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
@ -40,3 +45,4 @@ else
logjson "6.2" "INFO: $running_containers"
fi
currentScore=$((currentScore + 0))
}

22
tests/7_docker_swarm_configuration.sh
View file

@ -1,9 +1,12 @@
#!/bin/sh
check_7() {
logit "\n"
info "7 - Docker Swarm Configuration"
}
# 7.1
check_7_1() {
check_7_1="7.1 - Ensure swarm mode is not Enabled, if not needed"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
@ -15,8 +18,10 @@ else
logjson "7.1" "WARN"
currentScore=$((currentScore - 1))
fi
}
# 7.2
check_7_2() {
check_7_2="7.2 - Ensure the minimum number of manager nodes have been created in a swarm"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
@ -35,8 +40,10 @@ else
logjson "7.2" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.3
check_7_3() {
check_7_3="7.3 - Ensure swarm services are binded to a specific host interface"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
@ -55,8 +62,10 @@ else
logjson "7.3" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.4
check_7_4(){
check_7_4="7.4 - Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
totalChecks=$((totalChecks + 1))
if docker network ls --filter driver=overlay --quiet | \
@ -76,8 +85,10 @@ else
logjson "7.4" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.5
check_7_5() {
check_7_5="7.5 - Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -95,8 +106,10 @@ else
logjson "7.5" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.6
check_7_6() {
check_7_6="7.6 - Ensure swarm manager is run in auto-lock mode"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -114,8 +127,10 @@ else
logjson "7.6" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.7
check_7_7() {
check_7_7="7.7 - Ensure swarm manager auto-lock key is rotated periodically"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -127,8 +142,10 @@ else
logjson "7.7" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.8
check_7_8() {
check_7_8="7.8 - Ensure node certificates are rotated as appropriate"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -146,8 +163,10 @@ else
logjson "7.8" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.9
check_7_9() {
check_7_9="7.9 - Ensure CA certificates are rotated as appropriate"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -159,8 +178,10 @@ else
logjson "7.9" "PASS"
currentScore=$((currentScore + 1))
fi
}
# 7.10
check_7_10() {
check_7_10="7.10 - Ensure management plane traffic has been separated from data plane traffic"
totalChecks=$((totalChecks + 1))
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
@ -172,3 +193,4 @@ else
logjson "7.10" "PASS"
currentScore=$((currentScore + 1))
fi
}