Add a test object for each test performed by the script. Each object has an id N.M, a desc property describing the test, and the result. Some tests include additional information about the test e.g. "No TLS Certificate Found". That can be found in an optional details property of the test object. Also, some tests might also return a list of containers, images, users, etc. This is included in an optional items property of the test object. Instead of having all test results as top-level objects, break the test results into sections. Each section has an id + description e.g. "1" and "Host Configuration". The tests for that section are an array below that object. All of the additional json output is implemented by adding new functions startsectionjson(), endsectionjson(), starttestjson(), and resulttestjson() that take the id/desc/etc as arguments and print the proper json properties. It also required adding an "end" test to each script that calls endsectionjson(). Signed-off-by: Mark Stemm <mark.stemm@gmail.com>
#!/bin/sh
check_7() {
  # Section header for the CIS "Docker Swarm Configuration" checks:
  # prints a blank line and the section title, then opens the JSON section
  # that check_7_end closes.
  id_7="7"
  desc_7="Docker Swarm Configuration"
  check_7="$id_7 - $desc_7"
  logit "\n"
  info "$check_7"
  startsectionjson "$id_7" "$desc_7"
}
# 7.1
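check_7_1() {
  id_7_1="7.1"
  desc_7_1="Ensure swarm mode is not Enabled, if not needed"
  check_7_1="$id_7_1 - $desc_7_1"
  starttestjson "$id_7_1" "$desc_7_1"

  totalChecks=$((totalChecks + 1))
  # `docker info` reports "Swarm: inactive" when this daemon is not part of a
  # swarm.  The pattern now has the same shape as the "Swarm:\s*active" test
  # used by 7.5-7.10; the earlier "Swarm:*\sinactive" form only matched by
  # accident, since ":*" means "zero or more colons".
  if docker info 2>/dev/null | grep -e "Swarm:\s*inactive\s*" >/dev/null 2>&1; then
    pass "$check_7_1"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    # Swarm is active (or in another non-inactive state): flag it so the
    # operator confirms swarm mode is actually required on this host.
    warn "$check_7_1"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  fi
}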
# 7.2
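check_7_2() {
  id_7_2="7.2"
  desc_7_2="Ensure the minimum number of manager nodes have been created in a swarm"
  check_7_2="$id_7_2 - $desc_7_2"
  starttestjson "$id_7_2" "$desc_7_2"

  totalChecks=$((totalChecks + 1))
  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # `docker node ls` only succeeds on a manager node.  On a worker it writes
    # an error to stderr and nothing to stdout, so the count is 0 there; the
    # redirect keeps that error line out of the report (every other docker
    # call in this file already discards stderr).
    managernodes=$(docker node ls 2>/dev/null | grep -c "Leader")
    # NOTE(review): this counts rows whose MANAGER STATUS is "Leader", of
    # which a healthy swarm has exactly one, so "-le 1" cannot fail in
    # practice.  The CIS item is about the total number of managers — confirm
    # the intended threshold before tightening this test.
    if [ "$managernodes" -le 1 ]; then
      pass "$check_7_2"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      warn "$check_7_2"
      resulttestjson "WARN"
      currentScore=$((currentScore - 1))
    fi
  else
    pass "$check_7_2 (Swarm mode not enabled)"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}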
# 7.3
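check_7_3() {
  id_7_3="7.3"
  desc_7_3="Ensure swarm services are binded to a specific host interface"
  check_7_3="$id_7_3 - $desc_7_3"
  starttestjson "$id_7_3" "$desc_7_3"

  totalChecks=$((totalChecks + 1))
  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # The audit relies on ss(8).  If ss is not installed the pipeline below
    # would feed grep an empty input, grep would exit 1, and the check would
    # report a false PASS — so say explicitly that it could not be audited.
    if ! command -v ss >/dev/null 2>&1; then
      info "$check_7_3 (ss not available, listening sockets not audited)"
      resulttestjson "INFO" "ss not available, listening sockets not audited"
      currentScore=$((currentScore + 0))
      return
    fi
    # Look for the swarm management port (2377) bound to a wildcard address:
    # IPv6 any ("[::]" / ":::"), a bare "*", or IPv4 any ("0.0.0.0").
    ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
    # grep exit status 1 means no wildcard listener was found (PASS).
    # 0 (found) and 2 (grep/ss error) both fall through to WARN.
    if [ $? -eq 1 ]; then
      pass "$check_7_3"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      warn "$check_7_3"
      resulttestjson "WARN"
      currentScore=$((currentScore - 1))
    fi
  else
    pass "$check_7_3 (Swarm mode not enabled)"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}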
# 7.4
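check_7_4(){
  id_7_4="7.4"
  desc_7_4="Ensure data exchanged between containers are encrypted on different nodes on the overlay network"
  check_7_4="$id_7_4 - $desc_7_4"
  starttestjson "$id_7_4" "$desc_7_4"

  totalChecks=$((totalChecks + 1))
  # An overlay network is encrypted when its Options map carries the
  # "encrypted" key, which `docker network inspect` renders as "encrypted:".
  # `grep -v` succeeds when the (single) inspect line lacks that key.
  #
  # Walk the networks once and collect the offenders, so that
  # resulttestjson is called exactly once per test.  The previous version
  # called it inside the loop (one "result" per offending network, none at
  # all if the outer and inner scans disagreed) and inspected each network
  # twice.
  # NOTE(review): the swarm "ingress" overlay network is listed by this
  # filter as well — confirm whether it can carry the encrypted option before
  # treating it as a finding.
  unencrypted_found=0
  unencrypted_nets=""
  for encnet in $(docker network ls --filter driver=overlay --quiet 2>/dev/null); do
    if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" 2>/dev/null | \
      grep -v 'encrypted:' >/dev/null 2>&1; then
      netdesc=$(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet" 2>/dev/null)
      # Print the test headline once, before the first offending network.
      if [ "$unencrypted_found" -eq 0 ]; then
        warn "$check_7_4"
        unencrypted_found=1
      fi
      warn " * Unencrypted overlay network: $netdesc"
      unencrypted_nets="${unencrypted_nets}${unencrypted_nets:+, }${netdesc}"
    fi
  done
  if [ "$unencrypted_found" -eq 1 ]; then
    resulttestjson "WARN" "Unencrypted overlay network: $unencrypted_nets"
    currentScore=$((currentScore - 1))
  else
    pass "$check_7_4"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}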
# 7.5
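check_7_5() {
  id_7_5="7.5"
  desc_7_5="Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster"
  check_7_5="$id_7_5 - $desc_7_5"
  starttestjson "$id_7_5" "$desc_7_5"

  totalChecks=$((totalChecks + 1))
  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # `docker secret ls` only works on a manager node; on a worker it prints
    # an error to stderr and nothing to stdout.  Discard stderr like the other
    # docker calls in this file so the error does not land in the report
    # (the count is 0 in that case, as before).
    if [ "$(docker secret ls -q 2>/dev/null | wc -l)" -ge 1 ]; then
      pass "$check_7_5"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      # No secrets defined is only informational: it does not prove secrets
      # are handled some other way, so the score is left unchanged.
      info "$check_7_5"
      resulttestjson "INFO"
      currentScore=$((currentScore + 0))
    fi
  else
    pass "$check_7_5 (Swarm mode not enabled)"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}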
# 7.6
check_7_6() {
  id_7_6="7.6"
  desc_7_6="Ensure swarm manager is run in auto-lock mode"
  check_7_6="$id_7_6 - $desc_7_6"
  starttestjson "$id_7_6" "$desc_7_6"

  totalChecks=$((totalChecks + 1))
  # Not part of a swarm: there is no manager to lock, counts as a pass.
  if ! docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    pass "$check_7_6 (Swarm mode not enabled)"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
    return
  fi
  # With auto-lock on, `docker swarm unlock-key` prints a line containing
  # "SWMKEY".  Only its presence is tested; the key material itself is
  # discarded and never written to the report.
  if docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' >/dev/null 2>&1; then
    pass "$check_7_6"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    warn "$check_7_6"
    resulttestjson "WARN"
    currentScore=$((currentScore - 1))
  fi
}
# 7.7
check_7_7() {
  id_7_7="7.7"
  desc_7_7="Ensure swarm manager auto-lock key is rotated periodically"
  check_7_7="$id_7_7 - $desc_7_7"
  starttestjson "$id_7_7" "$desc_7_7"

  totalChecks=$((totalChecks + 1))
  # No automated audit here: an active swarm only gets a NOTE (score
  # unchanged) reminding the operator to rotate the unlock key; a daemon
  # that is not in a swarm passes outright.
  if ! docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    pass "$check_7_7 (Swarm mode not enabled)"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    note "$check_7_7"
    resulttestjson "NOTE"
    currentScore=$((currentScore + 0))
  fi
}
# 7.8
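check_7_8() {
  id_7_8="7.8"
  desc_7_8="Ensure node certificates are rotated as appropriate"
  check_7_8="$id_7_8 - $desc_7_8"
  starttestjson "$id_7_8" "$desc_7_8"

  totalChecks=$((totalChecks + 1))
  if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    # The node certificate lifetime shows up in `docker info` as
    # "Expiry Duration: ...".  Discard grep's output: without the redirect
    # the matching line was printed straight into the report text.
    # NOTE(review): the accepted value "2 days" is hard-coded; confirm this
    # is the intended rotation period before relying on the PASS.
    if docker info 2>/dev/null | grep "Expiry Duration: 2 days" >/dev/null 2>&1; then
      pass "$check_7_8"
      resulttestjson "PASS"
      currentScore=$((currentScore + 1))
    else
      # Any other lifetime is reported for review rather than scored.
      info "$check_7_8"
      resulttestjson "INFO"
      currentScore=$((currentScore + 0))
    fi
  else
    pass "$check_7_8 (Swarm mode not enabled)"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  fi
}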
# 7.9
check_7_9() {
  id_7_9="7.9"
  desc_7_9="Ensure CA certificates are rotated as appropriate"
  check_7_9="$id_7_9 - $desc_7_9"
  starttestjson "$id_7_9" "$desc_7_9"

  totalChecks=$((totalChecks + 1))
  # No automated audit of CA rotation is performed: an active swarm is
  # reported as INFO with the score unchanged; an inactive one passes.
  if ! docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    pass "$check_7_9 (Swarm mode not enabled)"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    info "$check_7_9"
    resulttestjson "INFO"
    currentScore=$((currentScore + 0))
  fi
}
# 7.10
check_7_10() {
  id_7_10="7.10"
  desc_7_10="Ensure management plane traffic has been separated from data plane traffic"
  check_7_10="$id_7_10 - $desc_7_10"
  starttestjson "$id_7_10" "$desc_7_10"

  totalChecks=$((totalChecks + 1))
  # Plane separation is not inspected by this script: an active swarm is
  # reported as INFO (score unchanged) for manual review; otherwise PASS.
  if ! docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
    pass "$check_7_10 (Swarm mode not enabled)"
    resulttestjson "PASS"
    currentScore=$((currentScore + 1))
  else
    info "$check_7_10"
    resulttestjson "INFO"
    currentScore=$((currentScore + 0))
  fi
}
check_7_end() {
  endsectionjson  # close the section "7" JSON array opened by check_7
}