#!/bin/sh check_3() { logit "\n" id_3="3" desc_3="Docker daemon configuration files" check_3="$id_3 - $desc_3" info "$check_3" startsectionjson "$id_3" "$desc_3" } # 3.1 check_3_1() { id_3_1="3.1" desc_3_1="Ensure that docker.service file ownership is set to root:root" check_3_1="$id_3_1 - $desc_3_1" starttestjson "$id_3_1" "$desc_3_1" totalChecks=$((totalChecks + 1)) file="$(get_systemd_service_file docker.service)" if [ -f "$file" ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_1" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_1" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_1" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.2 check_3_2() { id_3_2="3.2" desc_3_2="Ensure that docker.service file permissions are appropriately set" check_3_2="$id_3_2 - $desc_3_2" starttestjson "$id_3_2" "$desc_3_2" totalChecks=$((totalChecks + 1)) file="$(get_systemd_service_file docker.service)" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_2" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_2" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_2" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.3 check_3_3() { id_3_3="3.3" desc_3_3="Ensure that docker.socket file ownership is set to root:root" check_3_3="$id_3_3 - $desc_3_3" starttestjson "$id_3_3" "$desc_3_3" totalChecks=$((totalChecks + 1)) file="$(get_systemd_service_file docker.socket)" if [ -f "$file" ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then pass "$check_3_3" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_3" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_3" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.4 check_3_4() { id_3_4="3.4" desc_3_4="Ensure that docker.socket file permissions are set to 644 or more restrictive" check_3_4="$id_3_4 - $desc_3_4" starttestjson "$id_3_4" "$desc_3_4" totalChecks=$((totalChecks + 1)) file="$(get_systemd_service_file docker.socket)" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_4" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_4" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_4" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.5 check_3_5() { id_3_5="3.5" desc_3_5="Ensure that /etc/docker directory ownership is set to root:root" check_3_5="$id_3_5 - $desc_3_5" starttestjson "$id_3_5" "$desc_3_5" totalChecks=$((totalChecks + 1)) directory="/etc/docker" if [ -d "$directory" ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then pass "$check_3_5" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_5" warn " * Wrong ownership for $directory" resulttestjson "WARN" "Wrong ownership for $directory" currentScore=$((currentScore - 1)) fi else info "$check_3_5" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) fi } # 3.6 check_3_6() { id_3_6="3.6" desc_3_6="Ensure that /etc/docker directory permissions are set to 755 or more restrictive" check_3_6="$id_3_6 - $desc_3_6" starttestjson "$id_3_6" "$desc_3_6" totalChecks=$((totalChecks + 1)) directory="/etc/docker" if [ -d "$directory" ]; then if [ "$(stat -c %a $directory)" -eq 755 ] || [ "$(stat -c %a $directory)" -eq 700 ]; then pass "$check_3_6" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_6" warn " * Wrong permissions for $directory" resulttestjson "WARN" "Wrong permissions for $directory" currentScore=$((currentScore - 1)) fi else info "$check_3_6" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) fi } # 3.7 check_3_7() { id_3_7="3.7" desc_3_7="Ensure that registry certificate file ownership is set to root:root" check_3_7="$id_3_7 - $desc_3_7" starttestjson "$id_3_7" "$desc_3_7" totalChecks=$((totalChecks + 1)) directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 owners=$(find "$directory" -type f -name '*.crt') for p in $owners; do if [ "$(stat -c %u $p)" -ne 0 ]; then fail=1 fi done if [ $fail -eq 1 ]; then warn "$check_3_7" warn " * Wrong ownership for $directory" resulttestjson "WARN" "Wrong ownership for $directory" currentScore=$((currentScore - 1)) else pass "$check_3_7" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi else info "$check_3_7" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) fi } # 3.8 check_3_8() { id_3_8="3.8" desc_3_8="Ensure that registry certificate file permissions are set to 444 or more restrictive" check_3_8="$id_3_8 - $desc_3_8" starttestjson "$id_3_8" "$desc_3_8" totalChecks=$((totalChecks + 1)) directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 perms=$(find "$directory" -type f -name '*.crt') for p in $perms; do if [ "$(stat -c %a $p)" -ne 444 ] && [ "$(stat -c %a $p)" -ne 400 ]; then fail=1 fi done if [ $fail -eq 1 ]; then warn "$check_3_8" warn " * Wrong permissions for $directory" resulttestjson "WARN" "Wrong permissions for $directory" currentScore=$((currentScore - 1)) else pass "$check_3_8" resulttestjson "PASS" currentScore=$((currentScore + 1)) fi else info "$check_3_8" info " * Directory not found" resulttestjson "INFO" "Directory not found" currentScore=$((currentScore + 0)) fi } # 3.9 check_3_9() { id_3_9="3.9" desc_3_9="Ensure that TLS CA certificate file ownership is set to root:root" check_3_9="$id_3_9 - $desc_3_9" starttestjson "$id_3_9" "$desc_3_9" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then tlscacert=$(get_docker_configuration_file_args 'tlscacert') else tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then pass "$check_3_9" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_9" warn " * Wrong ownership for $tlscacert" resulttestjson "WARN" "Wrong ownership for $tlscacert" currentScore=$((currentScore - 1)) fi else info "$check_3_9" info " * No TLS CA certificate found" resulttestjson "INFO" "No TLS CA certificate found" currentScore=$((currentScore + 0)) fi } # 3.10 check_3_10() { id_3_10="3.10" desc_3_10="Ensure that TLS CA certificate file permissions are set to 444 or more restrictive" check_3_10="$id_3_10 - $desc_3_10" starttestjson "$id_3_10" "$desc_3_10" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then tlscacert=$(get_docker_configuration_file_args 'tlscacert') else tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %a $tlscacert)" -eq 444 ] || [ "$(stat -c %a $tlscacert)" -eq 400 ]; then pass "$check_3_10" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_10" warn " * Wrong permissions for $tlscacert" resulttestjson "WARN" "Wrong permissions for $tlscacert" currentScore=$((currentScore - 1)) fi else info "$check_3_10" info " * No TLS CA certificate found" resulttestjson "INFO" "No TLS CA certificate found" currentScore=$((currentScore + 0)) fi } # 3.11 check_3_11() { id_3_11="3.11" desc_3_11="Ensure that Docker server certificate file ownership is set to root:root" check_3_11="$id_3_11 - $desc_3_11" starttestjson "$id_3_11" "$desc_3_11" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then tlscert=$(get_docker_configuration_file_args 'tlscert') else tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlscert" ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then pass "$check_3_11" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_11" warn " * Wrong ownership for $tlscert" resulttestjson "WARN" "Wrong ownership for $tlscert" currentScore=$((currentScore - 1)) fi else info "$check_3_11" info " * No TLS Server certificate found" resulttestjson "INFO" "No TLS Server certificate found" currentScore=$((currentScore + 0)) fi } # 3.12 check_3_12() { id_3_12="3.12" desc_3_12="Ensure that Docker server certificate file permissions are set to 444 or more restrictive" check_3_12="$id_3_12 - $desc_3_12" starttestjson "$id_3_12" "$desc_3_12" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then tlscert=$(get_docker_configuration_file_args 'tlscert') else tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlscert" ]; then if [ "$(stat -c %a $tlscert)" -eq 444 ] || [ "$(stat -c %a $tlscert)" -eq 400 ]; then pass "$check_3_12" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_12" warn " * Wrong permissions for $tlscert" resulttestjson "WARN" "Wrong permissions for $tlscert" currentScore=$((currentScore - 1)) fi else info "$check_3_12" info " * No TLS Server certificate found" resulttestjson "INFO" "No TLS Server certificate found" currentScore=$((currentScore + 0)) fi } # 3.13 check_3_13() { id_3_13="3.13" desc_3_13="Ensure that Docker server certificate key file ownership is set to root:root" check_3_13="$id_3_13 - $desc_3_13" starttestjson "$id_3_13" "$desc_3_13" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then tlskey=$(get_docker_configuration_file_args 'tlskey') else tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlskey" ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then pass "$check_3_13" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_13" warn " * Wrong ownership for $tlskey" resulttestjson "WARN" "Wrong ownership for $tlskey" currentScore=$((currentScore - 1)) fi else info "$check_3_13" info " * No TLS Key found" resulttestjson "INFO" "No TLS Key found" currentScore=$((currentScore + 0)) fi } # 3.14 check_3_14() { id_3_14="3.14" desc_3_14="Ensure that Docker server certificate key file permissions are set to 400" check_3_14="$id_3_14 - $desc_3_14" starttestjson "$id_3_14" "$desc_3_14" totalChecks=$((totalChecks + 1)) if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then tlskey=$(get_docker_configuration_file_args 'tlskey') else tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) fi if [ -f "$tlskey" ]; then if [ "$(stat -c %a $tlskey)" -eq 400 ]; then pass "$check_3_14" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_14" warn " * Wrong permissions for $tlskey" resulttestjson "WARN" "Wrong permissions for $tlskey" currentScore=$((currentScore - 1)) fi else info "$check_3_14" info " * No TLS Key found" resulttestjson "INFO" "No TLS Key found" currentScore=$((currentScore + 0)) fi } # 3.15 check_3_15() { id_3_15="3.15" desc_3_15="Ensure that Docker socket file ownership is set to root:docker" check_3_15="$id_3_15 - $desc_3_15" starttestjson "$id_3_15" "$desc_3_15" totalChecks=$((totalChecks + 1)) file="/var/run/docker.sock" if [ -S "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then pass "$check_3_15" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_15" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_15" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.16 check_3_16() { id_3_16="3.16" desc_3_16="Ensure that Docker socket file permissions are set to 660 or more restrictive" check_3_16="$id_3_16 - $desc_3_16" starttestjson "$id_3_16" "$desc_3_16" totalChecks=$((totalChecks + 1)) file="/var/run/docker.sock" if [ -S "$file" ]; then if [ "$(stat -c %a $file)" -eq 660 ] || [ "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_16" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_16" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_16" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.17 check_3_17() { id_3_17="3.17" desc_3_17="Ensure that daemon.json file ownership is set to root:root" check_3_17="$id_3_17 - $desc_3_17" starttestjson "$id_3_17" "$desc_3_17" totalChecks=$((totalChecks + 1)) file="/etc/docker/daemon.json" if [ -f "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then pass "$check_3_17" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_17" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_17" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.18 check_3_18() { id_3_18="3.18" desc_3_18="Ensure that daemon.json file permissions are set to 644 or more restrictive" check_3_18="$id_3_18 - $desc_3_18" starttestjson "$id_3_18" "$desc_3_18" totalChecks=$((totalChecks + 1)) file="/etc/docker/daemon.json" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 640 ] || [ "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_18" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_18" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_18" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.19 check_3_19() { id_3_19="3.19" desc_3_19="Ensure that /etc/default/docker file ownership is set to root:root" check_3_19="$id_3_19 - $desc_3_19" starttestjson "$id_3_19" "$desc_3_19" totalChecks=$((totalChecks + 1)) file="/etc/default/docker" if [ -f "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then pass "$check_3_19" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_19" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_19" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.20 check_3_20() { id_3_20="3.20" desc_3_20="Ensure that the /etc/sysconfig/docker file ownership is set to root:root" check_3_20="$id_3_20 - $desc_3_20" starttestjson "$id_3_20" "$desc_3_20" totalChecks=$((totalChecks + 1)) file="/etc/sysconfig/docker" if [ -f "$file" ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then pass "$check_3_20" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_20" warn " * Wrong ownership for $file" resulttestjson "WARN" "Wrong ownership for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_20" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.21 check_3_21() { id_3_21="3.21" desc_3_21="Ensure that /etc/sysconfig/docker file permissions are set to 644 or more restrictive" check_3_21="$id_3_21 - $desc_3_21" starttestjson "$id_3_21" "$desc_3_21" totalChecks=$((totalChecks + 1)) file="/etc/sysconfig/docker" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_21" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_21" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_21" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } # 3.22 check_3_22() { id_3_22="3.22" desc_3_22="Ensure that /etc/default/docker file permissions are set to 644 or more restrictive" check_3_22="$id_3_22 - $desc_3_22" starttestjson "$id_3_22" "$desc_3_22" totalChecks=$((totalChecks + 1)) file="/etc/default/docker" if [ -f "$file" ]; then if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then pass "$check_3_22" resulttestjson "PASS" currentScore=$((currentScore + 1)) else warn "$check_3_22" warn " * Wrong permissions for $file" resulttestjson "WARN" "Wrong permissions for $file" currentScore=$((currentScore - 1)) fi else info "$check_3_22" info " * File not found" resulttestjson "INFO" "File not found" currentScore=$((currentScore + 0)) fi } check_3_end() { endsectionjson }