mirror of
https://github.com/docker/docker-bench-security.git
synced 2025-01-19 00:32:34 +01:00
43 lines
1.3 KiB
Bash
43 lines
1.3 KiB
Bash
#!/bin/sh
|
|
|
|
logit "\n"
|
|
info "4 - Container Images and Build Files"
|
|
|
|
# 4.1
|
|
check_4_1="4.1 - Create a user for the container"
|
|
|
|
containers=`docker ps -q`
|
|
# If container_users is empty, there are no running containers
|
|
if test "$containers" = ""; then
|
|
info "$check_4_1"
|
|
info " * No containers running"
|
|
else
|
|
# List all the running containers, ouput their ID and USER
|
|
containers=`docker ps -q | xargs docker inspect --format '{{ .Id }}:User={{.Config.User}}' 2>/dev/null`
|
|
# We have some containers running, set failure flag to 0. Check for Users.
|
|
fail=0
|
|
# Make the loop separator be a new-line in POSIX compliant fashion
|
|
set -f; IFS=$'
|
|
'
|
|
for c in $containers; do
|
|
user=`printf "$c" | cut -d ":" -f 2`
|
|
container_id=`printf "$c" | cut -d ":" -f 1`
|
|
|
|
if test $user = "User=" || test $user = "User=<no value>"; then
|
|
# If it's the first container, fail the test
|
|
if [ $fail -eq 0 ]; then
|
|
warn "$check_4_1"
|
|
warn " * Running as root: $container_id"
|
|
fail=1
|
|
else
|
|
warn " * Running as root: $container_id"
|
|
fi
|
|
fi
|
|
done
|
|
# We went through all the containers and found none running as root
|
|
if [ $fail -eq 0 ]; then
|
|
pass "$check_4_1"
|
|
fi
|
|
fi
|
|
# Make the loop separator go back to space
|
|
set +f; unset IFS
|