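#!/bin/sh
# ------------------------------------------------------------------------------
# CIS Docker 1.6 Benchmark v1.0.0 checker
#
# Docker, Inc. (c) 2015
#
# Provides automated tests for the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
#
# Options: -h prints usage, -l <logfile> overrides the default log file name.
# Requires: docker, netstat, grep, awk on PATH and a reachable docker daemon.
# ------------------------------------------------------------------------------

# Load dependencies.
# NOTE: the libraries (and tests/*.sh in main below) are resolved relative to
# the current working directory, not to the script's own location, so the
# script must be started from its own directory. dir_name is derived below
# but is not used for this lookup.
. ./output_lib.sh
. ./helper_lib.sh

# Setup the paths
this_path=$(abspath "$0")            # path of this file including filename (abspath comes from helper_lib.sh)
dir_name=$(dirname "${this_path}")   # dir where this file is
myname=$(basename "${this_path}")    # file name of this script
logger="${myname}.log"               # log file name; can be overridden with -l

# Check for required program(s).
# req_progs is deliberately a space-separated list that is word-split by the loop.
req_progs='docker netstat grep awk'
for p in $req_progs; do
  # printf gets a fixed format and $p as an argument, never $p as the format
  command -v "$p" >/dev/null 2>&1 || {
    printf '%s command not found.\n' "$p"
    exit 1
  }
done

# Ensure we can connect to docker daemon
if ! docker ps -q >/dev/null 2>&1; then
  printf 'Error connecting to docker daemon (does docker ps work?)\n'
  exit 1
fi

# Print usage to stdout and exit with status 1.
usage () {
  printf "
  usage: %s [options]

  -h            optional  Print this help message
  -l logfile    optional  Write the log to logfile instead of %s.log\n" "$myname" "$myname"
  exit 1
}

yell "# ------------------------------------------------------------------------------
# CIS Docker 1.6 Benchmark v1.0.0 checker
#
# Docker, Inc. (c) 2015
#
# Provides automated tests for the CIS Docker 1.6 Benchmark:
# https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.6_Benchmark_v1.0.0.pdf
# ------------------------------------------------------------------------------"

logit "Initializing $(date)\n"

# Warn if not root
ID=$(id -u)
if [ "$ID" != "0" ]; then
  warn "Some tests might require root to run"
  sleep 3
fi

# Get the flags.
# -l takes an argument (the "l:" spec); without the colon getopts would leave
# OPTARG empty and the log file name would be set to "".
while getopts :hl: args; do
  case $args in
    h) usage ;;
    l) logger="$OPTARG" ;;
    *) usage ;;   # unknown option, or -l given without its argument
  esac
done

# Load all the tests from tests/ and run them.
# containers and benchcont are intentionally global: the sourced test files
# read them.
main () {
  # List all running containers
  containers=$(docker ps -q)

  # If a running container carries a label whose text contains
  # "security-benchmark" (i.e. the benchmark's own container), memorize it
  # so it is excluded from the list the tests inspect.
  benchcont="nil"
  for c in $containers; do   # $containers is newline-separated IDs; word-splitting is intended
    labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
    contains "$labels" "security-benchmark" && benchcont="$c"
  done

  # List all running containers except the benchmark container
  # ("nil" matches no container ID, so nothing is filtered when none was found)
  containers=$(docker ps -q | grep -v "$benchcont")

  # Each test file is sourced into this shell: it runs with this script's
  # privileges and shares its variables.
  for test in tests/*.sh; do
    [ -e "$test" ] || continue   # no test files: the glob stays literal, skip it
    . "./$test"
  done
}

main "$@"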