docker-bench-security/tests/4_container_images.sh

42 lines
1.3 KiB
Bash

#!/bin/sh
logit "\n"
info "4 - Container Images and Build Files"
# 4.1
check_4_1="4.1 - Create a user for the container"
# If container_users is empty, there are no running containers
if test "$containers" = ""; then
info "$check_4_1"
info " * No containers running"
else
# List all the running containers, ouput their ID and USER
cont_inspect=`printf $containers | xargs docker inspect --format '{{ .Id }}:User={{.Config.User}}' 2>/dev/null`
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
for c in $cont_inspect; do
user=`printf "$c" | cut -d ":" -f 2`
container_id=`printf "$c" | cut -d ":" -f 1`
if test $user = "User=" || test $user = "User=[]" ||test $user = "User=<no value>"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_4_1"
warn " * Running as root: $container_id"
fail=1
else
warn " * Running as root: $container_id"
fi
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass "$check_4_1"
fi
fi
# Make the loop separator go back to space
set +f; unset IFS