GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-31 22:32:34 +01:00
Code Issues Projects Releases Packages Wiki Activity
docker-bench-security/test/1_host_configuration.bats

129 lines
3.4 KiB
Bash
Raw Blame History

#!/usr/bin/env bats
load "test_helper/bats-support/load"
load "test_helper/bats-assert/load"
load "$BATS_TEST_DIRNAME/../helper_lib.sh"
# 1.1
@test "1.1 - Create a separate partition for containers" {
run grep /var/lib/docker /etc/fstab
assert_success
}
# 1.2
@test "1.2 - Use an updated Linux Kernel" {
kernel_version=$(uname -r | cut -d "-" -f 1)
run do_version_check 3.10 "$kernel_version"
assert [ $status -eq 9 -o $status -eq 10 ]
}
# 1.4
@test "1.4 - Remove all non-essential services from the host - Network" {
# Check for listening network services.
listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
if [ "$listening_services" -eq 0 ]; then
fail "Failed to get listening services for check: $BATS_TEST_NAME"
else
if [ "$listening_services" -gt 5 ]; then
fail "Host listening on: $listening_services ports"
fi
fi
}
# 1.5
@test "1.5 - Keep Docker up to date" {
docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
docker_current_version="1.11.1"
docker_current_date="2016-04-27"
run do_version_check "$docker_current_version" "$docker_version"
if [ $status -eq 11 ]; then
fail "Using $docker_version, when $docker_current_version is current as of $docker_current_date. Your operating system vendor may provide support and security maintenance for docker."
fi
assert [ $status -eq 9 -o $status -eq 10 ]
}
# 1.6
@test "1.6 - Only allow trusted users to control Docker daemon" {
declare -a trusted_users=("vagrant" "docker" "ubuntu")
users_string=$(awk -F':' '/^docker/{print $4}' /etc/group)
docker_users=(${users_string//,/ })
for u in ${docker_users[@]}; do
local found=1
for tu in ${trusted_users[@]}; do
if [ "$u" = "$tu" ]; then
found=0
fi
done
if [ $found -eq 1 ]; then
fail "User $u is not a trusted user!"
fi
done
}
# 1.7
@test "1.7 - Audit docker daemon - /usr/bin/docker" {
file="/usr/bin/docker"
run command -v auditctl
assert_success
run auditctl -l | grep "$file"
assert_success
}
test_audit_directory() {
local directory="$1"
assert [ -d "$directory" ]
run command -v auditctl >/dev/null
assert_success
run auditctl -l | grep $directory
assert_success
}
test_audit_file() {
file="$1"
assert [ -f "$file" ]
run command -v auditctl
assert_success
run auditctl -l | grep "$file"
assert_success
}
# 1.8
@test "1.8 - Audit Docker files and directories - /var/lib/docker" {
test_audit_directory "/var/lib/docker"
}
# 1.9
@test "1.9 - Audit Docker files and directories - /etc/docker" {
test_audit_directory "/etc/docker"
}
# 1.10
@test "1.10 - Audit Docker files and directories - docker.service" {
test_audit_file "$(get_systemd_service_file docker.service)"
}
# 1.11
@test "1.11 - Audit Docker files and directories - docker.socket" {
test_audit_file "$(get_systemd_service_file docker.socket)"
}
# 1.12
@test "1.12 - Audit Docker files and directories - /etc/default/docker" {
test_audit_file "/etc/default/docker"
}
# 1.13
@test "1.13 - Audit Docker files and directories - /etc/docker/daemon.json" {
test_audit_file "/etc/docker/daemon.json"
}
# 1.14
@test "1.14 - Audit Docker files and directories - /usr/bin/docker-containerd" {
test_audit_file "/usr/bin/docker-containerd"
}
# 1.15
@test "1.15 - Audit Docker files and directories - /usr/bin/docker-runc" {
test_audit_file "/usr/bin/docker-runc"
}
Reference in a new issue View git blame Copy permalink