Hello community,
here is the log from the commit of package docker-bench-security for openSUSE:Factory checked in at 2017-05-06 18:30:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/docker-bench-security (Old)
and /work/SRC/openSUSE:Factory/.docker-bench-security.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "docker-bench-security"
Sat May 6 18:30:58 2017 rev:11 rq:493013 version:1.3.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/docker-bench-security/docker-bench-security.changes 2017-03-02 19:29:29.414251428 +0100
+++ /work/SRC/openSUSE:Factory/.docker-bench-security.new/docker-bench-security.changes 2017-05-06 18:31:05.259068048 +0200
@@ -1,0 +2,14 @@
+Fri May 5 13:33:06 UTC 2017 - astieger@suse.com
+
+- update to 1.3.2:
+ * improve get_docker_configuration_file_args()
+ * add [NOTE] for informational checks with no actual tests
+ * fix various tests when using daemon.json
+ * use stat instead of ls -ld output
+- includes changes from 1.3.1:
+ * Add daemon.json support
+ * Correct multiple tests
+ * Update default alpine Dockerfile
+ * Use grep if auditctl isn't present
+
+-------------------------------------------------------------------
Old:
----
docker-bench-security-1.3.0.tar.gz
New:
----
docker-bench-security-1.3.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ docker-bench-security.spec ++++++
--- /var/tmp/diff_new_pack.gBgrQh/_old 2017-05-06 18:31:05.926973803 +0200
+++ /var/tmp/diff_new_pack.gBgrQh/_new 2017-05-06 18:31:05.930973238 +0200
@@ -17,7 +17,7 @@
Name: docker-bench-security
-Version: 1.3.0
+Version: 1.3.2
Release: 0
Summary: Docker Bench for Security
License: Apache-2.0
++++++ docker-bench-security-1.3.0.tar.gz -> docker-bench-security-1.3.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/CONTRIBUTING.md new/docker-bench-security-1.3.2/CONTRIBUTING.md
--- old/docker-bench-security-1.3.0/CONTRIBUTING.md 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/CONTRIBUTING.md 2017-03-23 15:29:48.000000000 +0100
@@ -3,20 +3,22 @@
Want to hack on Docker Bench? Awesome! Here are instructions to get you
started.
-The Docker Bench for Security is a part of the [Docker](https://www.docker.com) project, and follows
-the same rules and principles. If you're already familiar with the way
-Docker does things, you'll feel right at home.
+The Docker Bench for Security is a part of the [Docker](https://www.docker.com)
+project, and follows the same rules and principles. If you're already familiar
+with the way Docker does things, you'll feel right at home.
Otherwise, go read
[Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md).
-### Development Environment Setup
+## Development Environment Setup
-The only thing you need to hack on Docker Bench for Security is a POSIX 2004 compliant shell. We try to keep the project compliant for maximum portability
+The only thing you need to hack on Docker Bench for Security is a POSIX 2004
+compliant shell. We try to keep the project compliant for maximum portability.
-#### Start hacking
+### Start hacking
You can build the container that wraps the docker-bench for security:
+
```sh
✗ git clone git@github.com:docker/docker-bench-security.git
✗ cd docker-bench-security
@@ -31,7 +33,9 @@
✗ sh docker-bench-security.sh
```
-The Docker Bench has the main script called `docker-bench-security.sh`. This is the main script that checks for all the dependencies, deals with command line arguments and loads all the tests.
+The Docker Bench has the main script called `docker-bench-security.sh`.
+This is the main script that checks for all the dependencies, deals with
+command line arguments and loads all the tests.
The tests are split in 6 different files:
@@ -46,6 +50,12 @@
└── 6_docker_security_operations.sh
```
-To modify the Docker Bench for Security you should first clone the repository, make your changes, check your code with `shellcheck`, `checkbashisms` or similar tools, and then sign off on your commits. After that feel free to send us a pull-request with the changes.
-
-While this tool is inspired by the [CIS Docker 1.11.0 benchmark](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docke...), feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions.
+To modify the Docker Bench for Security you should first clone the repository,
+make your changes, check your code with `shellcheck`, `checkbashisms` or similar
+tools, and then sign off on your commits. After that feel free to send us a
+pull request with the changes.
+
+While this tool was inspired by the [CIS Docker 1.11.0 benchmark](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docke...),
+feel free to add new tests. We will try to turn [dockerbench.com](https://dockerbench.com)
+into a list of good community benchmarks for both security and performance,
+and we would love community contributions.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/Dockerfile new/docker-bench-security-1.3.2/Dockerfile
--- old/docker-bench-security-1.3.0/Dockerfile 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/Dockerfile 2017-03-23 15:29:48.000000000 +0100
@@ -4,29 +4,21 @@
org.label-schema.url="https://dockerbench.com" \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
-ENV VERSION 1.12.6
-ENV SHA256 cadc6025c841e034506703a06cf54204e51d0cadfae4bae62628ac648d82efdd
+RUN \
+ apk upgrade --no-cache && \
+ apk add --no-cache \
+ docker \
+ dumb-init && \
+ rm -rf /usr/bin/docker-* /usr/bin/dockerd && \
+ mkdir /usr/local/bin/tests
-WORKDIR /usr/bin
+COPY ./*.sh /usr/local/bin/
-RUN apk update && \
- apk upgrade && \
- apk --update add coreutils wget ca-certificates && \
- wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \
- wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \
- sha256sum -c docker-$VERSION.tgz.sha256 && \
- echo "$SHA256 docker-$VERSION.tgz" | sha256sum -c - && \
- tar -xzvf docker-$VERSION.tgz -C /tmp && \
- mv /tmp/docker/docker . && \
- chmod u+x docker* && \
- rm -rf /tmp/docker* && \
- apk del wget ca-certificates && \
- rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256
+COPY ./tests/*.sh /usr/local/bin/tests/
-RUN mkdir /docker-bench-security
+WORKDIR /usr/local/bin
-COPY . /docker-bench-security
+HEALTHCHECK CMD exit 0
-WORKDIR /docker-bench-security
+ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
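Review bot: the replacement `apk add --no-cache docker` drops both the version pin and the checksum verification that the removed `ENV VERSION`/`ENV SHA256` lines and the two `sha256sum -c` calls provided, so the client binary inside the image now depends on whatever the Alpine repository serves at build time and the image is no longer reproducible. Pinning the package (`apk add --no-cache docker=<version>`) restores that property. Also, `HEALTHCHECK CMD exit 0` always reports healthy and therefore carries no information; either drop it or check something real.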
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/README.md new/docker-bench-security-1.3.2/README.md
--- old/docker-bench-security-1.3.0/README.md 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/README.md 2017-03-23 15:29:48.000000000 +0100
@@ -18,7 +18,7 @@
this container is being run with a *lot* of privilege -- sharing the host's
filesystem, pid and network namespaces, due to portions of the benchmark
applying to the running host. Don't forget to adjust the shared volumes
-according to your operating system, it may not for example use systemd.
+according to your operating system, for example it might not use systemd.
The easiest way to run your hosts against the Docker Bench for Security is by
running our pre-built container:
@@ -35,8 +35,9 @@
Docker bench requires Docker 1.10.0 or later in order to run.
-Also note that the default image and `Dockerfile` uses `FROM: alpine` which
-doesn't contain `auditctl`, this will generate errors in section 1.8 to 1.15.
+Note that when distributions doesn't contain `auditctl`, the audit tests will
+check `/etc/audit/audit.rules` to see if a rule is present instead.
+
Distribution specific Dockerfiles that fixes this issue are available in the
[distros directory](https://github.com/docker/docker-bench-security/tree/master/distros).
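Review bot: grammar in the added sentence: "when distributions doesn't contain `auditctl`" should read "when a distribution doesn't ship `auditctl`", and the retained "Distribution specific Dockerfiles that fixes this issue" should be "that fix this issue". The new wording also no longer tells the reader which checks fall back to `/etc/audit/audit.rules` (the section 1 audit checks, 1.5 to 1.13 in this patch); naming them helps when interpreting a WARN on an image without auditctl.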
Binary files old/docker-bench-security-1.3.0/benchmark_log.png and new/docker-bench-security-1.3.2/benchmark_log.png differ
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/distros/Dockerfile.alpine new/docker-bench-security-1.3.2/distros/Dockerfile.alpine
--- old/docker-bench-security-1.3.0/distros/Dockerfile.alpine 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/distros/Dockerfile.alpine 2017-03-23 15:29:48.000000000 +0100
@@ -4,29 +4,19 @@
org.label-schema.url="https://dockerbench.com" \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
-ENV VERSION 1.12.6
-ENV SHA256 cadc6025c841e034506703a06cf54204e51d0cadfae4bae62628ac648d82efdd
+RUN \
+ apk upgrade --no-cache && \
+ apk add --no-cache \
+ docker \
+ dumb-init && \
+ rm -rf /usr/bin/docker-* /usr/bin/dockerd && \
+ mkdir /usr/local/bin/tests
-WORKDIR /usr/bin
+COPY ./*.sh /usr/local/bin/
-RUN apk update && \
- apk upgrade && \
- apk --update add coreutils wget ca-certificates && \
- wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \
- wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \
- sha256sum -c docker-$VERSION.tgz.sha256 && \
- echo "$SHA256 docker-$VERSION.tgz" | sha256sum -c - && \
- tar -xzvf docker-$VERSION.tgz -C /tmp && \
- mv /tmp/docker/docker . && \
- chmod u+x docker* && \
- rm -rf /tmp/docker* && \
- apk del wget ca-certificates && \
- rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256
+COPY ./tests/*.sh /usr/local/bin/tests/
-RUN mkdir /docker-bench-security
+WORKDIR /usr/local/bin
-COPY . /docker-bench-security
+ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ]
-WORKDIR /docker-bench-security
-
-ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"]
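Review bot: this file now duplicates the top-level Dockerfile in this same patch line for line, except that the top-level one carries a `HEALTHCHECK` and this one does not; two copies of the same build recipe will drift, as that difference already shows. Consider keeping one of them and referring to it from distros/README.md (which already names `Dockerfile.alpine` as the example), or documenting why they differ. The unpinned `apk add --no-cache docker` point from the top-level Dockerfile applies here as well.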
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/distros/README.md new/docker-bench-security-1.3.2/distros/README.md
--- old/docker-bench-security-1.3.0/distros/README.md 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/distros/README.md 2017-03-23 15:29:48.000000000 +0100
@@ -3,16 +3,19 @@
## Requirements
### Dockerfile name
-The format should be `Dockerfile.{distribution name}`.
+
+The format should be `Dockerfile.{distribution name}`.
### Keep your images up-to-date
+
Use the distribution package manager to keep your image up-to-date.
-### REPOSITORY
-Add a `REPOSITORY` comment with the URL to your GitHub repository where the Dockerfile is present.
-`# REPOSITORY <GitHub repository>`
+### Labels
-### MAINTAINER
-Add the `MAINTAINER` instruction and your contact details, GitHub aliases are acceptable.
+Use the following labels in your Dockerfile:
-For an example Dockerfile, please refer to `Dockerfile.alpine`.
+```
+LABEL org.label-schema.name="docker-bench-security" \
+ org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \
+ org.label-schema.vcs-url="/dev/null 2>&1
-if [ $? -ne 0 ]; then
+if ! docker ps -q >/dev/null 2>&1; then
printf "Error connecting to docker daemon (does docker ps work?)\n"
exit 1
fi
@@ -57,7 +56,7 @@
fi
yell "# ------------------------------------------------------------------------------
-# Docker Bench for Security v1.3.0
+# Docker Bench for Security v1.3.2
#
# Docker, Inc. (c) 2015-
#
@@ -81,8 +80,10 @@
# If there is a container with label docker_bench_security, memorize it:
benchcont="nil"
for c in $containers; do
- labels=$(docker inspect --format '{{ .Config.Labels }}' "$c")
- contains "$labels" "docker_bench_security" && benchcont="$c"
+ if docker inspect --format '{{ .Config.Labels }}' "$c" | \
+ grep -e 'docker.bench.security' >/dev/null 2>&1; then
+ benchcont="$c"
+ fi
done
# List all running containers except docker-bench (use names to improve readability in logs)
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
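Review bot: `grep -e 'docker.bench.security'` is an unanchored basic regex run over the whole printed `.Config.Labels` map, and the dots match any character, so any label key or value containing something like `docker-bench-security` marks that container as the bench container and excludes it from every check that follows. The removed `contains` call matched the literal `docker_bench_security`; keep that precision with `grep -F 'docker_bench_security'`, or query the label directly with `--format '{{ index .Config.Labels "docker_bench_security" }}'`. Visible in the trailing context and worth a follow-up: with `benchcont="nil"`, the later `grep -v "$benchcont"` silently drops every container whose name contains `nil` when no bench container was found.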
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/helper_lib.sh new/docker-bench-security-1.3.2/helper_lib.sh
--- old/docker-bench-security-1.3.0/helper_lib.sh 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/helper_lib.sh 2017-03-23 15:29:48.000000000 +0100
@@ -25,18 +25,6 @@
fi
}
-# Compares two strings and returns 0 if the second is a substring of the first
-contains() {
- string="$1"
- substring="$2"
- if [ "${string#*$substring}" != "$string" ]
- then
- return 0 # $substring is in $string
- else
- return 1 # $substring is not in $string
- fi
-}
-
# Extracts commandline args from the newest running processes named like the first parameter
get_command_line_args() {
PROC="$1"
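Review bot: removing `contains()` is only safe if no other script still calls it; this patch replaces a single call site in docker-bench-security.sh, so the tests/ directory should be grepped for `contains ` before this is merged.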
@@ -89,7 +77,23 @@
# Does not account for option default or implicit options.
get_docker_effective_command_line_args() {
OPTION="$1"
- get_docker_cumulative_command_line_args $OPTION | tail -n1
+ get_docker_cumulative_command_line_args "$OPTION" | tail -n1
+}
+
+get_docker_configuration_file_args() {
+ OPTION="$1"
+ FILE="$(get_docker_effective_command_line_args '--config-file' | \
+ sed 's/.*=//g')"
+
+ if [ -f "$FILE" ]; then
+ CONFIG_FILE="$FILE"
+ elif [ -f '/etc/docker/daemon.json' ]; then
+ CONFIG_FILE='/etc/docker/daemon.json'
+ else
+ CONFIG_FILE='/dev/null'
+ fi
+
+ grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",
}
get_systemd_service_file(){
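Review bot: `grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \",` does substring matching, so an option name that is a prefix of another key returns several lines (`tls` also hits `tlsverify`, `tlscacert` and `tlskey`), and a JSON array or object written across several lines returns only its opening bracket. The 2.6 check in this patch works around the first problem by passing `'"tls":'` as the option, which shows the interface is leaky; anchoring on the key, e.g. `grep "\"$OPTION\"[[:space:]]*:"`, fixes the prefix case. Two more things deserve a comment in the function: its exit status is that of the final `tr`, i.e. always 0, so callers cannot use `if get_docker_configuration_file_args ...` to test presence (2.2 does exactly that); and it sets `CONFIG_FILE` as a global side effect that 2.6 later reads directly, which only works because an earlier check has already called the function.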
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/output_lib.sh new/docker-bench-security-1.3.2/output_lib.sh
--- old/docker-bench-security-1.3.0/output_lib.sh 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/output_lib.sh 2017-03-23 15:29:48.000000000 +0100
@@ -21,6 +21,10 @@
printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
}
+note () {
+ printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
+}
+
yell () {
printf "%b\n" "${bldylw}$1${txtrst}\n"
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/1_host_configuration.sh new/docker-bench-security-1.3.2/tests/1_host_configuration.sh
--- old/docker-bench-security-1.3.0/tests/1_host_configuration.sh 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/tests/1_host_configuration.sh 2017-03-23 15:29:48.000000000 +0100
@@ -2,11 +2,11 @@
logit ""
info "1 - Host Configuration"
+auditrules="/etc/audit/audit.rules"
# 1.1
check_1_1="1.1 - Create a separate partition for containers"
-grep /var/lib/docker /etc/fstab >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then
pass "$check_1_1"
else
warn "$check_1_1"
@@ -14,14 +14,14 @@
# 1.2
check_1_2="1.2 - Harden the container host"
-info "$check_1_2"
+note "$check_1_2"
# 1.3
check_1_3="1.3 - Keep Docker up to date"
docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
-docker_current_version="1.13.0"
-docker_current_date="2017-01-18"
+docker_current_version="17.03.0"
+docker_current_date="2017-03-01"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then
info "$check_1_3"
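Review bot: `docker_current_version="17.03.0"` moves from the 1.x scheme to the YY.MM scheme, so `do_version_check` now has to compare `17.03.0` against installed versions such as `1.13.1` and `17.03.0-ce`; please confirm it compares fields numerically rather than as strings. The `-ce` suffix is only stripped because `tr -d '[:alpha:]-,'` deletes letters, which is worth a comment. The hard-coded version and date also go stale with every Docker release; a comment saying where they are taken from would help the next update.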
@@ -43,33 +43,33 @@
# 1.5
check_1_5="1.5 - Audit docker daemon - /usr/bin/docker"
-file="/usr/bin/docker"
-command -v auditctl >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- auditctl -l | grep "$file" >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+file="/usr/bin/docker "
+if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_5"
else
warn "$check_1_5"
fi
+elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_5"
else
- warn "1.5 - Failed to inspect: auditctl command not found."
+ warn "$check_1_5"
fi
# 1.6
check_1_6="1.6 - Audit Docker files and directories - /var/lib/docker"
directory="/var/lib/docker"
if [ -d "$directory" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $directory >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_6"
else
warn "$check_1_6"
fi
+ elif grep "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_6"
else
- warn "1.6 - Failed to inspect: auditctl command not found."
+ warn "$check_1_6"
fi
else
info "$check_1_6"
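Review bot: the trailing space in `file="/usr/bin/docker "` is deliberate (it keeps `auditctl -l` entries for `/usr/bin/docker-containerd` and `/usr/bin/docker-runc` from satisfying 1.5) but it is invisible and will be removed by the next editor, so it needs a comment. It also makes the new `grep "$file" "$auditrules"` miss a rule in which the path is the last token on the line (`-w /usr/bin/docker` with no further options). In 1.6, `grep $directory` is still unquoted while 1.5 quotes `"$file"`; quote both. Finally, the fallback branch now emits the same `warn "$check_1_5"` whether auditing is absent or simply could not be inspected, which loses the information the removed "Failed to inspect" message carried.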
@@ -80,16 +80,16 @@
check_1_7="1.7 - Audit Docker files and directories - /etc/docker"
directory="/etc/docker"
if [ -d "$directory" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $directory >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep $directory >/dev/null 2>&1; then
pass "$check_1_7"
else
warn "$check_1_7"
fi
+ elif grep "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_7"
else
- warn "1.7 - Failed to inspect: auditctl command not found."
+ warn "$check_1_7"
fi
else
info "$check_1_7"
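Review bot: this `auditctl`/`audit.rules` block is now copied verbatim for 1.7 through 1.13 (and 1.5/1.6 above) with only the path changing, so any fix to it, such as adjusting the commented-rule filter `grep "^[^#;]"`, has to be applied seven times. A small helper in helper_lib.sh, e.g. `audit_rule_present "$path"` returning 0 or 1, would let each check collapse to a single `if`/`else` and keep the copies from drifting.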
@@ -100,16 +100,16 @@
check_1_8="1.8 - Audit Docker files and directories - docker.service"
file="$(get_systemd_service_file docker.service)"
if [ -f "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep "$file" >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_8"
else
warn "$check_1_8"
fi
+ elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_8"
else
- warn "1.8 - Failed to inspect: auditctl command not found."
+ warn "$check_1_8"
fi
else
info "$check_1_8"
@@ -120,16 +120,16 @@
check_1_9="1.9 - Audit Docker files and directories - docker.socket"
file="$(get_systemd_service_file docker.socket)"
if [ -e "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep "$file" >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass "$check_1_9"
else
warn "$check_1_9"
fi
+ elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_9"
else
- warn "1.9 - Failed to inspect: auditctl command not found."
+ warn "$check_1_9"
fi
else
info "$check_1_9"
@@ -140,16 +140,16 @@
check_1_10="1.10 - Audit Docker files and directories - /etc/default/docker"
file="/etc/default/docker"
if [ -f "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $file >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_10"
else
warn "$check_1_10"
fi
+ elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_10"
else
- warn "1.10 - Failed to inspect: auditctl command not found."
+ warn "$check_1_10"
fi
else
info "$check_1_10"
@@ -160,16 +160,16 @@
check_1_11="1.11 - Audit Docker files and directories - /etc/docker/daemon.json"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $file >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_11"
else
warn "$check_1_11"
fi
+ elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_11"
else
- warn "1.11 - Failed to inspect: auditctl command not found."
+ warn "$check_1_11"
fi
else
info "$check_1_11"
@@ -180,16 +180,16 @@
check_1_12="1.12 - Audit Docker files and directories - /usr/bin/docker-containerd"
file="/usr/bin/docker-containerd"
if [ -f "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $file >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_12"
else
warn "$check_1_12"
fi
+ elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_12"
else
- warn "1.12 - Failed to inspect: auditctl command not found."
+ warn "$check_1_12"
fi
else
info "$check_1_12"
@@ -200,16 +200,16 @@
check_1_13="1.13 - Audit Docker files and directories - /usr/bin/docker-runc"
file="/usr/bin/docker-runc"
if [ -f "$file" ]; then
- command -v auditctl >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- auditctl -l | grep $file >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if command -v auditctl >/dev/null 2>&1; then
+ if auditctl -l | grep $file >/dev/null 2>&1; then
pass "$check_1_13"
else
warn "$check_1_13"
fi
+ elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
+ pass "$check_1_13"
else
- warn "1.13 - Failed to inspect: auditctl command not found."
+ warn "$check_1_13"
fi
else
info "$check_1_13"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/2_docker_daemon_configuration.sh new/docker-bench-security-1.3.2/tests/2_docker_daemon_configuration.sh
--- old/docker-bench-security-1.3.0/tests/2_docker_daemon_configuration.sh 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/tests/2_docker_daemon_configuration.sh 2017-03-23 15:29:48.000000000 +0100
@@ -5,8 +5,9 @@
# 2.1
check_2_1="2.1 - Restrict network traffic between containers"
-get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
+ pass "$check_2_1"
+elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass "$check_2_1"
else
warn "$check_2_1"
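Review bot: 2.1 (and 2.3 below) consults the command line first and daemon.json second, while 2.7, 2.8, 2.10, 2.13 and 2.18 in this same patch do it the other way round. Docker refuses to start when the same option is given both as a flag and in the configuration file, so either order gives the same answer, but the mix looks unintended; pick one order and use it throughout, with a comment stating the reason it does not matter.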
@@ -14,10 +15,16 @@
# 2.2
check_2_2="2.2 - Set the logging level"
-get_docker_effective_command_line_args '-l' >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
+ if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
+ pass "$check_2_2"
+ elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
+ pass "$check_2_2"
+ else
+ warn "$check_2_2"
+ fi
+elif get_docker_effective_command_line_args '-l'; then
+ if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass "$check_2_2"
else
warn "$check_2_2"
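Review bot: `if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1` always takes the first branch, because the helper's exit status is that of the final `tr` in its pipeline, which is 0 even when nothing matched; the `elif` that inspects `-l` on the command line is therefore unreachable, and a daemon started with `-l debug` and no `log-level` in daemon.json passes through the `[ -z ... ]` branch. Test presence with `[ -n "$(get_docker_configuration_file_args 'log-level')" ]` instead. Also, `elif get_docker_effective_command_line_args '-l'; then` lacks the `>/dev/null 2>&1` the other calls have, so its output leaks into the report.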
@@ -28,8 +35,9 @@
# 2.3
check_2_3="2.3 - Allow Docker to make changes to iptables"
-get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
+ warn "$check_2_3"
+elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn "$check_2_3"
else
pass "$check_2_3"
@@ -37,17 +45,21 @@
# 2.4
check_2_4="2.4 - Do not use insecure registries"
-get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn "$check_2_4"
+elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
+ if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
+ pass "$check_2_4"
+ else
+ warn "$check_2_4"
+ fi
else
pass "$check_2_4"
fi
# 2.5
check_2_5="2.5 - Do not use the aufs storage driver"
-docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn "$check_2_5"
else
pass "$check_2_5"
@@ -55,12 +67,24 @@
# 2.6
check_2_6="2.6 - Configure TLS authentication for Docker daemon"
-get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then
+ if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
+ [ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then
+ if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then
+ if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then
+ pass "$check_2_6"
+ else
+ warn "$check_2_6"
+ warn " * Docker daemon currently listening on TCP with TLS, but no verification"
+ fi
+ fi
+ else
+ warn "$check_2_6"
+ warn " * Docker daemon currently listening on TCP without TLS"
+ fi
+elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then
+ if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then
+ if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then
pass "$check_2_6"
else
warn "$check_2_6"
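Review bot: when the config file enables TLS (`tls` or `tlsverify` true) but `tlskey` is empty, the inner `if get_docker_configuration_file_args 'tlskey' | grep -v '""'` has no `else`, so 2.6 prints neither pass nor warn and silently vanishes from the report; add a `warn` for the missing key. The `[ $(... | grep 'true') ]` tests rely on an unquoted command substitution collapsing to an empty `[ ]`; `[ -n "$(...)" ]` says what is meant and survives unexpected output. `'"tls":'` is passed with quotes and colon precisely because the helper does substring matching, which deserves a comment here, and `"$CONFIG_FILE"` is a global set as a side effect of earlier helper calls rather than something this check establishes itself.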
@@ -78,8 +102,9 @@
# 2.7
check_2_7="2.7 - Set default ulimit as appropriate"
-get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
+ pass "$check_2_7"
+elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass "$check_2_7"
else
info "$check_2_7"
@@ -88,8 +113,9 @@
# 2.8
check_2_8="2.8 - Enable user namespace support"
-get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
+ pass "$check_2_8"
+elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass "$check_2_8"
else
warn "$check_2_8"
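Review bot: `get_docker_configuration_file_args 'userns-remap' | grep -v '""'` has no `>/dev/null 2>&1`, so the matched value is printed into the middle of the report; the 2.9 and 2.11 hunks below (`cgroup-parent`, `authorization-plugins`) have the same omission. Redirect as the other checks in this file do.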
@@ -97,8 +123,10 @@
# 2.9
check_2_9="2.9 - Confirm default cgroup usage"
-get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then
+ warn "$check_2_9"
+ info " * Confirm cgroup usage"
+elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn "$check_2_9"
info " * Confirm cgroup usage"
else
@@ -107,8 +135,9 @@
# 2.10
check_2_10="2.10 - Do not change base device size until needed"
-get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
+ warn "$check_2_10"
+elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn "$check_2_10"
else
pass "$check_2_10"
@@ -116,8 +145,9 @@
# 2.11
check_2_11="2.11 - Use authorization plugin"
-get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
+ pass "$check_2_11"
+elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass "$check_2_11"
else
warn "$check_2_11"
@@ -125,17 +155,17 @@
# 2.12
check_2_12="2.12 - Configure centralized and remote logging"
-get_docker_effective_command_line_args '--log-driver' | grep "log-driver" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
- pass "$check_2_12"
-else
+if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn "$check_2_12"
+else
+ pass "$check_2_12"
fi
# 2.13
check_2_13="2.13 - Disable operations on legacy registry (v1)"
-get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
+ pass "$check_2_13"
+elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass "$check_2_13"
else
warn "$check_2_13"
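Review bot: the new 2.12 logic passes whenever the logging driver is anything other than `json-file`, which treats `journald` and `none` as centralized or remote logging even though neither ships logs off the host. A positive list (`syslog`, `gelf`, `fluentd`, `splunk`, `awslogs`), or at least an info line naming the driver found, would make the result meaningful. `docker info --format` is also not available on the oldest release the README hunk above still claims to support (1.10.0); either raise the stated minimum or grep the plain `docker info` output as the 2.14 hunk does.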
@@ -146,7 +176,7 @@
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass "$check_2_14"
else
- if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
+ if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass "$check_2_14 (Incompatible with swarm mode)"
else
warn "$check_2_14"
@@ -155,8 +185,7 @@
# 2.15
check_2_15="2.15 - Do not enable swarm mode, if not needed"
-docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1
-if [ $? -eq 1 ]; then
+if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass "$check_2_15"
else
warn "$check_2_15"
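Review bot: the regex change from `Swarm:\s*active\s*` to `Swarm:*\sinactive\s*` makes the colon optional (`:*`) and demands exactly one whitespace character (`\s`), so an aligned `docker info` line with two spaces after the colon no longer matches; `Swarm:[[:space:]]*inactive` is what is meant. Inverting the test also changes behaviour on daemons whose `docker info` has no Swarm line at all (pre-1.12): before, 2.15 passed because nothing said `active`; now it warns because nothing says `inactive`. The same `:*\s` pattern is introduced in the 2.14 and 2.16 hunks.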
@@ -164,7 +193,7 @@
# 2.16
check_2_16="2.16 - Control the number of manager nodes in a swarm"
-if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
+if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -le 1 ]; then
pass "$check_2_16"
@@ -177,17 +206,22 @@
# 2.17
check_2_17="2.17 - Bind swarm services to a specific host interface"
-netstat -lt | grep -e '\[::]:2377' -e '*:2377' -e '0.0.0.0:2377' >/dev/null 2>&1
-if [ $? -eq 1 ]; then
- pass "$check_2_17"
+if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
+ netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
+ if [ $? -eq 1 ]; then
+ pass "$check_2_17"
+ else
+ warn "$check_2_17"
+ fi
else
- warn "$check_2_17"
+ pass "$check_2_17 (Swarm mode not enabled)"
fi
# 2.18
check_2_18="2.18 - Disable Userland Proxy"
-get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1
-if [ $? -eq 0 ]; then
+if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
+ pass "$check_2_18"
+elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass "$check_2_18"
else
warn "$check_2_18"
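Review bot: in 2.17, `netstat -lnt` followed by `[ $? -eq 1 ]` treats every status other than 1 as a finding, so on a host without `netstat` (status 127; the Alpine image built by this patch installs no net-tools) the check warns as if port 2377 were bound on all interfaces. Test `command -v netstat` first or fall back to `ss -lnt`, and use the `if !` form the rest of the patch converts to. Gating the check on swarm being active and passing with "(Swarm mode not enabled)" otherwise is the right call.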
@@ -219,7 +253,7 @@
# 2.21
check_2_21="2.21 - Avoid experimental features in production"
-if docker info 2>/dev/null | grep -e "^Live Restore Enabled:\s*false\s*$" >/dev/null 2>&1; then
+if docker info 2>/dev/null | grep -e "Experimental:\s*false*" 2>/dev/null 1>&2; then
pass "$check_2_21"
else
warn "$check_2_21"
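Review bot: `Experimental:\s*false*` ends in `false*`, which is "fals" followed by zero or more "e", so it also matches `Experimental: fals`; the intended pattern is `Experimental:[[:space:]]*false`. Replacing the copy-pasted Live Restore regex with an Experimental one is otherwise the correct fix.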
@@ -251,4 +285,4 @@
# 2.24
check_2_24="2.24 - Rotate swarm manager auto-lock key periodically"
-info "$check_2_24"
+note "$check_2_24"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/3_docker_daemon_configuration_files.sh new/docker-bench-security-1.3.2/tests/3_docker_daemon_configuration_files.sh
--- old/docker-bench-security-1.3.0/tests/3_docker_daemon_configuration_files.sh 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/tests/3_docker_daemon_configuration_files.sh 2017-03-23 15:29:48.000000000 +0100
@@ -82,9 +82,7 @@
check_3_6="3.6 - Verify that /etc/docker directory permissions are set to 755 or more restrictive"
directory="/etc/docker"
if [ -d "$directory" ]; then
- if [ "$(stat -c %a $directory)" -eq 755 ]; then
- pass "$check_3_6"
- elif [ "$(stat -c %a $directory)" -eq 700 ]; then
+ if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then
pass "$check_3_6"
else
warn "$check_3_6"
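Review bot: the title promises 755 "or more restrictive", but the condition passes only the two exact modes 755 and 700, so a directory at 750 or 711 is reported as a warning. Either compare against a mask (test that the group and other write bits are clear) or enumerate every mode the benchmark intends to accept. Also prefer two `[ ]` tests joined with `||` over the obsolescent `-o`, and quote `"$directory"` in the stat calls as the `-d` test above already does.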
@@ -100,10 +98,9 @@
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
- owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}')
+ owners=$(find "$directory" -type f -name '*.crt')
for p in $owners; do
- printf "%s" "$p" | grep "root" >/dev/null 2>&1
- if [ $? -ne 0 ]; then
+ if [ "$(stat -c %u $p)" -ne 0 ]; then
fail=1
fi
done
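Review bot: the rewritten 3.7 loop checks only the owner (`stat -c %u`), so a certificate owned by root but group-owned by another group now passes although the check is root:root and the old `awk '{print $3, $4}'` looked at both fields; use `stat -c %u%g "$p"` and compare against 00 the way 3.9 and 3.11 do. The variable is still named `owners` but now holds file paths from `find ... -name '*.crt'`, and `$p` should be quoted in the stat call. The recursive find itself is an improvement worth noting in the commit message: certs.d keeps certificates in per-registry subdirectories that the old top-level `ls -lL $directory | grep ".crt"` never saw.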
@@ -123,9 +120,9 @@
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
- perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}')
+ perms=$(find "$directory" -type f -name '*.crt')
for p in $perms; do
- if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then
+ if [ "$(stat -c %a $p)" -ne 444 -a "$(stat -c %a $p)" -ne 400 ]; then
fail=1
fi
done
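Review bot: `perms` now holds paths rather than modes, so rename it, and quote `"$p"` in `stat -c %a $p`. As in 3.6, "444 or more restrictive" is enforced as exactly 444 or 400, so a 440 certificate warns. The behaviour change is larger than the hunk suggests: the old test `"$p" != "-r--r--r--." -a "$p" = "-r--------."` could only be true for a 400 file, so it flagged the most restrictive case and passed everything else; say so in the commit message, since results on existing hosts will flip.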
@@ -142,7 +139,11 @@
# 3.9
check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root"
-tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
+ tlscacert=$(get_docker_configuration_file_args 'tlscacert')
+else
+ tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass "$check_3_9"
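Review bot: `! [ -z $(get_docker_configuration_file_args 'tlscacert') ]` leaves the substitution unquoted: with an empty result the test degenerates to `[ -z ]`, which only happens to evaluate the way you want, and a value containing whitespace makes `[` fail with a syntax error. Assign once and test the variable, `cfg=$(get_docker_configuration_file_args 'tlscacert'); if [ -n "$cfg" ]; then tlscacert=$cfg`, which also avoids calling the helper twice. The same construct is repeated in 3.10 through 3.14 below.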
@@ -157,10 +158,13 @@
# 3.10
check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive"
-tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then
+ tlscacert=$(get_docker_configuration_file_args 'tlscacert')
+else
+ tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
if [ -f "$tlscacert" ]; then
- perms=$(ls -ld "$tlscacert" | awk '{print $1}')
- if [ "$perms" = "-r--r--r--" ]; then
+ if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then
pass "$check_3_10"
else
warn "$check_3_10"
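Review bot: this five-line daemon.json/command-line lookup is now pasted verbatim into 3.9, 3.10, 3.11, 3.12, 3.13 and 3.14; a small helper (say `get_docker_tls_file 'tlscacert'`, name to taste) would keep the six copies from drifting apart. In the stat call `$tlscacert` is unquoted while 3.9 quotes `"$tlscacert"`; quote it here too. The mode test accepts only exactly 444 or 400, so a 440 CA certificate warns despite being "more restrictive".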
@@ -173,7 +177,11 @@
# 3.11
check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root"
-tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
+ tlscert=$(get_docker_configuration_file_args 'tlscert')
+else
+ tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass "$check_3_11"
@@ -188,10 +196,13 @@
# 3.12
check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive"
-tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then
+ tlscert=$(get_docker_configuration_file_args 'tlscert')
+else
+ tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
if [ -f "$tlscert" ]; then
- perms=$(ls -ld "$tlscert" | awk '{print $1}')
- if [ "$perms" = "-r--r--r--" ]; then
+ if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then
pass "$check_3_12"
else
warn "$check_3_12"
@@ -204,7 +215,11 @@
# 3.13
check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root"
-tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
+ tlskey=$(get_docker_configuration_file_args 'tlskey')
+else
+ tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass "$check_3_13"
@@ -219,10 +234,13 @@
# 3.14
check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive"
-tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then
+ tlskey=$(get_docker_configuration_file_args 'tlskey')
+else
+ tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
+fi
if [ -f "$tlskey" ]; then
- perms=$(ls -ld "$tlskey" | awk '{print $1}')
- if [ "$perms" = "-r--------" ]; then
+ if [ "$(stat -c %a $tlskey)" -eq 444 -o "$(stat -c %a $tlskey)" -eq 400 ]; then
pass "$check_3_14"
else
warn "$check_3_14"
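Review bot: this loosens a private-key check. 3.14 is titled "400 or more restrictive" and the old test accepted only `-r--------`, but the new condition also passes 444, i.e. a world-readable Docker server key. Drop the 444 alternative here, `if [ "$(stat -c %a "$tlskey")" -eq 400 ]; then`; the 444 case belongs to the certificate checks 3.10 and 3.12, not to the key file.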
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/4_container_images.sh new/docker-bench-security-1.3.2/tests/4_container_images.sh
--- old/docker-bench-security-1.3.0/tests/4_container_images.sh 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/tests/4_container_images.sh 2017-03-23 15:29:48.000000000 +0100
@@ -42,15 +42,15 @@
# 4.2
check_4_2="4.2 - Use trusted base images for containers"
-info "$check_4_2"
+note "$check_4_2"
# 4.3
check_4_3="4.3 - Do not install unnecessary packages in the container"
-info "$check_4_3"
+note "$check_4_3"
# 4.4
check_4_4="4.4 - Scan and rebuild the images to include security patches"
-info "$check_4_4"
+note "$check_4_4"
# 4.5
check_4_5="4.5 - Enable Content trust for Docker"
@@ -64,8 +64,7 @@
check_4_6="4.6 - Add HEALTHCHECK instruction to the container image"
fail=0
for img in $images; do
- docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then
fail=1
warn "$check_4_6"
@@ -84,8 +83,7 @@
check_4_7="4.7 - Do not use update instructions alone in the Dockerfile"
fail=0
for img in $images; do
- docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1
- if [ $? -eq 0 ]; then
+ if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then
fail=1
info "$check_4_7"
@@ -102,7 +100,7 @@
# 4.8
check_4_8="4.8 - Remove setuid and setgid permissions in the images"
-info "$check_4_8"
+note "$check_4_8"
# 4.9
check_4_9="4.9 - Use COPY instead of ADD in Dockerfile"
@@ -126,8 +124,8 @@
# 4.10
check_4_10="4.10 - Do not store secrets in Dockerfiles"
-info "$check_4_10"
+note "$check_4_10"
# 4.11
check_4_11="4.11 - Install verified packages only"
-info "$check_4_11"
+note "$check_4_11"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/5_container_runtime.sh new/docker-bench-security-1.3.2/tests/5_container_runtime.sh
--- old/docker-bench-security-1.3.0/tests/5_container_runtime.sh 2017-01-24 15:57:04.000000000 +0100
+++ new/docker-bench-security-1.3.2/tests/5_container_runtime.sh 2017-03-23 15:29:48.000000000 +0100
@@ -61,7 +61,10 @@
fail=0
for c in $containers; do
- caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c")
+ container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c")
+ caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \
+ sed 's/CAPADD/CapAdd/' | \
+ sed -r "s/AUDIT_WRITE|CHOWN|DAC_OVERRIDE|FOWNER|FSETID|KILL|MKNOD|NET_BIND_SERVICE|NET_RAW|SETFCAP|SETGID|SETPCAP|SETUID|SYS_CHROOT|\s//g")
if [ "$caps" != 'CapAdd=' -a "$caps" != 'CapAdd=[]' -a "$caps" != 'CapAdd=<no value>' -a "$caps" != 'CapAdd=<nil>' ]; then
# If it's the first container, fail the test
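Review bot: the `sed -r` alternation strips Docker's default capability set without any comment saying so; add one line explaining that only additions beyond the defaults should count, and that the list must be kept in step with the daemon's default set when it changes. Uppercasing the whole string with `tr` and then repairing the prefix with `sed 's/CAPADD/CapAdd/'` is fragile; uppercase only the value (`docker inspect --format '{{ .HostConfig.CapAdd }}'`) and prepend `CapAdd=` afterwards. The names are matched as bare substrings rather than whole tokens, and `\s` in an ERE is a GNU sed extension, consistent with the rest of the script but worth knowing on BusyBox hosts.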
@@ -107,7 +110,8 @@
# List of sensitive directories to test for. Script uses new-lines as a separator.
# Note the lack of identation. It needs it for the substring comparison.
- sensitive_dirs='/boot
+ sensitive_dirs='/
+/boot
/dev
/etc
/lib
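Review bot: adding `/` to `sensitive_dirs` is only safe together with the next hunk: the comment two lines above still says the list "needs it for the substring comparison", and with a substring test `/` would match every mount path. Update that comment to describe the whitespace-delimited grep match now used, so a future reader does not reintroduce `contains` here and flag every container.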
@@ -124,7 +128,9 @@
# Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do
sensitive=0
- contains "$volumes" "$v" && sensitive=1
+ if echo "$volumes" | grep -e "{.*\s$v\s.*true\s}" 2>/tmp/null 1>&2; then
+ sensitive=1
+ fi
if [ $sensitive -eq 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
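Review bot: `2>/tmp/null` is a typo for `2>/dev/null`; as written it creates a stray file under /tmp and writes grep's diagnostics into it. The pattern `{.*\s$v\s.*true\s}` also lets the greedy `.*` run across mount entries, so a read-only `/etc` mount followed anywhere in `$volumes` by an unrelated entry containing `true` still matches and gets flagged; constrain the match to one `{ ... }` entry, e.g. `[^}]*` in place of `.*`. Note too that only entries containing `true` match now, which is a behaviour change from the old `contains` test; if read-only mounts of these directories should still be reported, that needs a second pattern.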
@@ -207,7 +213,7 @@
# 5.8
check_5_8="5.8 - Open only needed ports on container"
- info "$check_5_8"
+ note "$check_5_8"
# 5.9
check_5_9="5.9 - Do not share the host's network namespace"
@@ -237,9 +243,7 @@
fail=0
for c in $containers; do
- docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2
-
- if [ "$?" -eq 0 ]; then
+ if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then
memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")
else
memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")
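Review bot: `docker inspect --format '{{ .Config.Memory }}'` is run twice per container, once for its exit status and once for its output. Capture it once: `memory=$(docker inspect --format '{{ .Config.Memory }}' "$c" 2>/dev/null) || memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")`. The same applies to the CpuShares hunk that follows.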
@@ -266,9 +270,7 @@
fail=0
for c in $containers; do
- docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2
-
- if [ "$?" -eq 0 ]; then
+ if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then
shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
else
shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
@@ -456,9 +458,8 @@
fail=0
for c in $containers; do
- mode=$(docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c")
-
- if [ "$mode" = "Propagation=shared" ]; then
+ if docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c" | \
+ grep shared 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_19"
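Review bot: `grep shared` also matches `rshared`, which is presumably wanted since recursive shared propagation is shared too, but make that explicit with `grep -w -e shared -e rshared` so the intent survives the next reader. Worth recording in the commit message that the old `"$mode" = "Propagation=shared"` comparison could never be true: `{{json $mnt.Propagation}}` emits the value quoted and the format string surrounds it with spaces, so 5.19 never warned before this change.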
@@ -520,11 +521,11 @@
# 5.22
check_5_22="5.22 - Do not docker exec commands with privileged option"
- info "$check_5_22"
+ note "$check_5_22"
# 5.23
check_5_23="5.23 - Do not docker exec commands with user option"
- info "$check_5_23"
+ note "$check_5_23"
# 5.24
check_5_24="5.24 - Confirm cgroup usage"
@@ -554,9 +555,7 @@
fail=0
for c in $containers; do
- docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2
-
- if [ $? -ne 0 ]; then
+ if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn "$check_5_25"