GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-31 14:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity
docker-bench-security/bats_tests/2_docker_daemon_configuration.bats
Alexei Ledenev 25adacbe5c converted tests for section 5 and 6
2016-05-17 14:08:31 +03:00

102 lines
2.7 KiB
Bash
Raw Blame History

#!/usr/bin/env bats
load "test_helper/bats-support/load"
load "test_helper/bats-assert/load"
load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 2.1
@test "2.1 - Restrict network traffic between containers" {
result=$(get_docker_effective_command_line_args '--icc')
run grep "false" <<< "$result"
assert_success
}
# 2.2
@test "2.2 - Set the logging level" {
result=$(get_docker_effective_command_line_args '-l')
run grep 'debug' <<< "$result"
assert_failure
}
# 2.3
@test "2.3 - Allow Docker to make changes to iptables" {
result=$(get_docker_effective_command_line_args '--iptables')
run grep "false" <<< "$result"
assert_failure
}
# 2.4
@test "2.4 - Do not use insecure registries" {
result=$(get_docker_effective_command_line_args '--insecure-registry')
run grep "insecure-registry" <<< "$result"
assert_failure
}
# 2.5
@test "2.5 - Do not use the aufs storage driver" {
result=$(docker info 2>/dev/null)
run grep -e "^Storage Driver:\s*aufs\s*$" <<< "$result"
assert_failure
}
# 2.6
@test "2.6 - Configure TLS authentication for Docker daemon" {
result=$(get_docker_cumulative_command_line_args '-H')
run grep -vE '(unix|fd)://' <<< "$result"
if [ $status -eq 0 ]; then
result=$(get_command_line_args docker)
run $(grep "tlsverify" <<< "$result" | grep "tlskey")
assert_success
fi
}
# 2.7
@test "2.7 - Set default ulimit as appropriate" {
result=$(get_docker_effective_command_line_args '--default-ulimit')
run grep "default-ulimit" <<< "$result"
assert_success
}
# 2.8
@test "2.8 - Enable user namespace support" {
result=$(get_docker_effective_command_line_args '--userns-remap')
run grep "userns-remap" <<< "$result"
assert_success
}
# 2.9
@test "2.9 - Confirm default cgroup usage" {
result=$(get_docker_effective_command_line_args '--cgroup-parent')
run grep "cgroup-parent" <<< "$result"
if [ $status -eq 0 ]; then
assert_output_contains "docker"
fi
}
# 2.10
@test "2.10 - Do not change base device size until needed" {
result=$(get_docker_effective_command_line_args '--storage-opt')
run grep "dm.basesize" <<< "$result"
assert_failure
}
# 2.11
@test "2.11 - Use authorization plugin" {
result=$(get_docker_effective_command_line_args '--authorization-plugin')
run grep "authorization-plugin" <<< "$result"
assert_success
}
# 2.12
@test "2.12 - Configure centralized and remote logging" {
result=$(get_docker_effective_command_line_args '--log-driver')
run grep "log-driver" <<< "$result"
assert_success
}
# 2.13
@test "2.13 - Disable operations on legacy registry (v1)" {
result=$(get_docker_effective_command_line_args '--disable-legacy-registry')
run grep "disable-legacy-registry" <<< "$result"
assert_success
}
Reference in a new issue View git blame Copy permalink