GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

add score and totalChecks to 3_

Browse source 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2017-10-23 15:39:52 +02:00
parent ec4060ea2f
commit f9be3996f4
1 changed files with 80 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

80
tests/3_docker_daemon_configuration_files.sh
View file

@ -5,114 +5,139 @@ info "3 - Docker daemon configuration files"
# 3.1
check_3_1="3.1 - Ensure that docker.service file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_1"
logjson "3.1" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_1"
warn " * Wrong ownership for $file"
logjson "3.1" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_1"
info " * File not found"
logjson "3.1" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.2
check_3_2="3.2 - Ensure that docker.service file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_2"
logjson "3.2" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_2"
warn " * Wrong permissions for $file"
logjson "3.2" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_2"
info " * File not found"
logjson "3.2" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.3
check_3_3="3.3 - Ensure that docker.socket file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass "$check_3_3"
logjson "3.3" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_3"
warn " * Wrong ownership for $file"
logjson "3.3" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_3"
info " * File not found"
logjson "3.3" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.4
check_3_4="3.4 - Ensure that docker.socket file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1))
file="$(get_systemd_service_file docker.socket)"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_4"
logjson "3.4" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_4"
warn " * Wrong permissions for $file"
logjson "3.4" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_4"
info " * File not found"
logjson "3.4" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.5
check_3_5="3.5 - Ensure that /etc/docker directory ownership is set to root:root"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass "$check_3_5"
logjson "3.5" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_5"
warn " * Wrong ownership for $directory"
logjson "3.5" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_5"
info " * Directory not found"
logjson "3.5" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.6
check_3_6="3.6 - Ensure that /etc/docker directory permissions are set to 755 or more restrictive"
totalChecks=$((totalChecks + 1))
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_6"
logjson "3.6" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_6"
warn " * Wrong permissions for $directory"
logjson "3.6" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_6"
info " * Directory not found"
logjson "3.6" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.7
check_3_7="3.7 - Ensure that registry certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
@ -126,18 +151,22 @@ if [ -d "$directory" ]; then
warn "$check_3_7"
warn " * Wrong ownership for $directory"
logjson "3.7" "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_3_7"
logjson "3.7" "PASS"
currentScore=$((currentScore + 1))
fi
else
info "$check_3_7"
info " * Directory not found"
logjson "3.7" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.8
check_3_8="3.8 - Ensure that registry certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1))
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
@ -151,18 +180,22 @@ if [ -d "$directory" ]; then
warn "$check_3_8"
warn " * Wrong permissions for $directory"
logjson "3.8" "WARN"
currentScore=$((currentScore - 1))
else
pass "$check_3_8"
logjson "3.8" "PASS"
currentScore=$((currentScore + 1))
fi
else
info "$check_3_8"
info " * Directory not found"
logjson "3.8" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.9
check_3_9="3.9 - Ensure that TLS CA certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
@ -172,19 +205,23 @@ if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_9"
logjson "3.9" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_9"
warn " * Wrong ownership for $tlscacert"
logjson "3.9" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_9"
info " * No TLS CA certificate found"
logjson "3.9" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.10
check_3_10="3.10 - Ensure that TLS CA certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
@ -194,19 +231,23 @@ if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
pass "$check_3_10"
logjson "3.10" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_10"
warn " * Wrong permissions for $tlscacert"
logjson "3.10" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_10"
info " * No TLS CA certificate found"
logjson "3.10" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.11
check_3_11="3.11 - Ensure that Docker server certificate file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
else
@ -216,19 +257,23 @@ if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_11"
logjson "3.11" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_11"
warn " * Wrong ownership for $tlscert"
logjson "3.11" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_11"
info " * No TLS Server certificate found"
logjson "3.11" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.12
check_3_12="3.12 - Ensure that Docker server certificate file permissions are set to 444 or more restrictive"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
else
@ -238,19 +283,23 @@ if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
pass "$check_3_12"
logjson "3.12" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_12"
warn " * Wrong permissions for $tlscert"
logjson "3.12" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_12"
info " * No TLS Server certificate found"
logjson "3.12" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.13
check_3_13="3.13 - Ensure that Docker server certificate key file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
else
@ -260,19 +309,23 @@ if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_13"
logjson "3.13" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_13"
warn " * Wrong ownership for $tlskey"
logjson "3.13" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_13"
info " * No TLS Key found"
logjson "3.13" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.14
check_3_14="3.14 - Ensure that Docker server certificate key file permissions are set to 400"
totalChecks=$((totalChecks + 1))
if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
else
@ -282,121 +335,148 @@ if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass "$check_3_14"
logjson "3.14" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_14"
warn " * Wrong permissions for $tlskey"
logjson "3.14" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_14"
info " * No TLS Key found"
logjson "3.14" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.15
check_3_15="3.15 - Ensure that Docker socket file ownership is set to root:docker"
totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass "$check_3_15"
logjson "3.15" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_15"
warn " * Wrong ownership for $file"
logjson "3.15" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_15"
info " * File not found"
logjson "3.15" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.16
check_3_16="3.16 - Ensure that Docker socket file permissions are set to 660 or more restrictive"
totalChecks=$((totalChecks + 1))
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -eq 660 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_16"
logjson "3.16" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_16"
warn " * Wrong permissions for $file"
logjson "3.16" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_16"
info " * File not found"
logjson "3.16" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.17
check_3_17="3.17 - Ensure that daemon.json file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_17"
logjson "3.17" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_17"
warn " * Wrong ownership for $file"
logjson "3.17" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_17"
info " * File not found"
logjson "3.17" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.18
check_3_18="3.18 - Ensure that daemon.json file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1))
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_18"
logjson "3.18" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_18"
warn " * Wrong permissions for $file"
logjson "3.18" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_18"
info " * File not found"
logjson "3.18" "INFO"
currentScore=$((currentScore - 0))
fi
# 3.19
check_3_19="3.19 - Ensure that /etc/default/docker file ownership is set to root:root"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass "$check_3_19"
logjson "3.19" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_19"
warn " * Wrong ownership for $file"
logjson "3.19" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_19"
info " * File not found"
logjson "3.19" "INFO"
currentScore=$((currentScore + 0))
fi
# 3.20
check_3_20="3.20 - Ensure that /etc/default/docker file permissions are set to 644 or more restrictive"
totalChecks=$((totalChecks + 1))
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -eq 644 -o "$(stat -c %a $file)" -eq 600 ]; then
pass "$check_3_20"
logjson "3.20" "PASS"
currentScore=$((currentScore + 1))
else
warn "$check_3_20"
warn " * Wrong permissions for $file"
logjson "3.20" "WARN"
currentScore=$((currentScore - 1))
fi
else
info "$check_3_20"
info " * File not found"
logjson "3.20" "INFO"
currentScore=$((currentScore + 0))
fi