GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 08:42:33 +01:00
Code Issues Projects Releases Packages Wiki Activity
173 commits 3 branches 11 tags 4.9 MiB
Commit graph

52 commits

Author SHA1 Message Date
HuKeping
100b63dac5 Add test for OOM killer disable 
It is the best practise that only disable the OOM killer on containers where
you have also set the  `-m/--memory` option.

If the `-m/--memeory` flag is not set, this can result in the host running
out of memory and require killing the host's system processes to free memory.

Examples:

The following example limits the memory to 100M and disables the OOM
killer for this container:

    $ docker run -ti -m 100M --oom-kill-disable ubuntu:14.04 /bin/bash

The following example, illustrates a dangerous way to use the flag:

    $ docker run -ti --oom-kill-disable ubuntu:14.04 /bin/bash

The container has unlimited memory which can cause the host to run out
memory and require killing system processes to free memory.

Signed-off-by: Hu Keping <hukeping@huawei.com>
 2015-10-23 10:37:10 +08:00
Thomas Sjögren
50dc806232 current version is 1.8.2 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-10-01 21:46:33 +02:00
Csaba Palfi
831a373a61 make process count check even simpler 
Signed-off-by: Csaba Palfi <csaba@palfi.me>
 2015-08-17 17:41:47 +01:00
Csaba Palfi
d7926a0f31 make process count check a bit easier to read 
Signed-off-by: Csaba Palfi <csaba@palfi.me>
 2015-08-17 17:29:42 +01:00
Thomas Sjögren
75a7f955cc prettier Docker exec fail output 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-08-13 22:06:03 +02:00
Thomas Sjögren
5f4bfdb98c 'CapAdd=<nil>' 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-08-13 21:46:21 +02:00
Thomas Sjögren
64bc5323e6 current version is 1.8.0 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-08-13 21:35:55 +02:00
Ivan Angelov
7ada35cd90 Count unique image ids only 
Signed-off-by: Ivan Angelov <iangelov@users.noreply.github.com>
 2015-08-10 17:19:06 +02:00
Thomas Sjögren
45671a70f3 catch server versions 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-07-11 20:36:04 +02:00
Thomas Sjögren
4a289d9a15 Merge pull request #59 from konstruktoid/perm_checks 
Perm checks
 2015-07-10 02:11:10 +02:00
Thomas Sjögren
6fca0428e7 missed one tls* 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-07-10 02:10:26 +02:00
Thomas Sjögren
b3fd225df8 fix incorrect file variables 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-07-10 01:43:11 +02:00
Thomas Sjögren
8b0efa170f split cmdline 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-07-10 01:30:38 +02:00
Thomas Sjögren
3c6b0df012 handle -dev version 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-07-10 00:40:31 +02:00
Thomas Sjögren
19d3d39e50 Merge pull request #48 from jlusiardi/fix_issue_47 
Fix for issue #47.
 2015-07-01 20:16:27 +02:00
Joachim Lusiardi
fae2639313 Addition to fix for issue #47. 
Missed the potentially wrong invocations of pgrep also in section 3
of the tests. Replace "pgrep -lf" there as well.

Signed-off-by: Joachim Lusiardi <joachim@lusiardi.de>
 2015-06-29 22:27:59 +02:00
Joachim Lusiardi
fc8eefb8a6 Fix for issue #47. 
Introduces a new function in helper_lib.sh to query the command line
arguments of the running instances of a binary. This is done to get
rid of the problem of "-lf" versus "-alf" for pgrep.

Signed-off-by: Joachim Lusiardi <joachim@lusiardi.de>
 2015-06-29 22:27:34 +02:00
Thomas Sjögren
553e2d7c30 Merge remote-tracking branch 'origin/master' into shellcheck 
* origin/master:
  actually catch ssh
  update do_version_check

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

Conflicts:
	tests/1_host_configuration.sh
	tests/5_container_runtime.sh
 2015-06-23 21:17:41 +02:00
Thomas Sjögren
2907078fd2 actually catch ssh 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-21 23:11:23 +02:00
Thomas Sjögren
ef8ff4a9f3 update do_version_check 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-21 23:11:02 +02:00
Thomas Sjögren
b5c571df18 shellcheck fixes 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-21 23:03:34 +02:00
Thomas Sjögren
edf0646330 Merge pull request #40 from liron-l/master 
Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024
 2015-06-21 21:45:01 +02:00
Liron Levin
b2093036df Fix CIS 5.8 - Reverse container port and reduce privileged port to 1024 
-- According to CIS, 5.8 apply to priviliged port on the host not on the
container:
`processes are not allowed to use them for various security reasons.
Docker allows a
container port to be mapped to a privileged port.`
-- Also privileged port should be less than 1024 inclusive

Signed-off-by: liron-l <levinlir@gmail.com>
Signed-off-by: Liron Levin <liron@twistlock.com>
 2015-06-21 07:25:24 +03:00
Thomas Sjögren
1e0ef4cf97 crt dir and permissions 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-18 00:32:20 +02:00
Thomas Sjögren
0c61ddb6dd from ls to stat 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-17 23:52:53 +02:00
Thomas Sjögren
3059cef2c3 444 is read-only 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-17 23:52:23 +02:00
Thomas Sjögren
70b8d33cef replace ls with stat when checking owner and perms 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-17 23:25:01 +02:00
Thomas Sjögren
20db7d8a4d catch all -H, not only tcp:// 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-15 23:04:02 +02:00
Thomas Sjögren
eca8471c71 Merge branch 'master' of github.com:konstruktoid/docker-bench-security into issue_25 
* 'master' of github.com:konstruktoid/docker-bench-security:
  Fix test 5.14 to not always pass when multiple ports are published.
  change to docker repository
  make readme codeblocks prettier
  Add first version of CONTRIBUTING.md
  Issue #24, remove -U, -u
  use official alpine image as the base
  Make the main script an executable for if I want to run it on my host

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>

Conflicts:
	README.md
 2015-06-15 22:01:48 +02:00
Zvi "Viz" Effron
3616f15cba Fix test 5.14 to not always pass when multiple ports are published. 
Signed-off-by: Zvi "Viz" Effron <zeffron@riotgames.com>
 2015-06-15 11:26:13 -07:00
Diogo Mónica
67711b52d3 Merge pull request #27 from konstruktoid/issue_24 
Issue #24, remove -U, -u
 2015-06-10 18:29:29 -07:00
Thomas Sjögren
2d25ddbcaf Issue #24, remove -U, -u 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-11 02:35:54 +02:00
Thomas Sjögren
56a7cb8779 Issue #25, dont warn if file is missing 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-11 02:17:14 +02:00
Jessica Frazelle
0231a7f5de Make the main script an executable for if I want to run it on my host 
Fix image sprawl to work

Fix port range

Signed-off-by: Jessica Frazelle <princess@docker.com>
 2015-06-09 00:10:44 -07:00
Thomas Sjögren
b6a4bd7504 dont echo the grep result 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-01 22:51:47 +02:00
Thomas Sjögren
2e92ed5a01 exec_check had extra space 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-01 22:46:58 +02:00
Thomas Sjögren
787f4325b2 update 5.7 exec_check to new style 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-01 22:44:37 +02:00
Thomas Sjögren
e29a886254 warn if only -lt half of the images are in use 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-01 22:37:28 +02:00
Thomas Sjögren
8ff1dc25ee docker_version variable 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-01 22:36:55 +02:00
Thomas Sjögren
9cccfa6902 get the correct number of images 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-06-01 22:20:03 +02:00
Werner Buck
f4aab9c8c5 Double quote to prevent globbing and word splitting. 
Do not use legacy backticks.
Proper use of printf
Do not use wc -l with grep, instead use grep -c
Use pgrep

Signed-off-by: Werner Buck <wernerbuck@gmail.com>
 2015-05-31 12:26:37 +02:00
Thomas Sjögren
643beee453 fail=1 when Docker exec fails 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-05-30 13:03:01 +02:00
Thomas Sjögren
d964e084fc no need for cat when grepping 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-05-30 13:02:37 +02:00
Thomas Sjögren
d02a7f8c0e Add Docker do_version_check 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-05-30 13:02:08 +02:00
Thomas Sjögren
7082102612 add ps variable and limit output to root 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
 2015-05-30 13:01:19 +02:00
Diogo Monica
4194b1e65c Adding double quotes to 2015-05-25 20:31:46 -07:00
Diogo Monica
03ac3f5bd3 Make ifs style be consistent 2015-05-14 20:26:32 -07:00
Diogo Monica
8d06000296 Fixed running containers calculation 2015-05-13 19:43:12 -07:00
Diogo Monica
1c795f146e Added filtering to ignore security-benchmark container 2015-05-13 19:22:39 -07:00
Diogo Monica
1ebf49c35a Fixed the script to ignore containers with label security-benchmark 2015-05-13 17:08:12 -07:00