commit docker-bench-security for openSUSE:Factory

Hello community, here is the log from the commit of package docker-bench-security for openSUSE:Factory checked in at 2017-05-06 18:30:58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/docker-bench-security (Old) and /work/SRC/openSUSE:Factory/.docker-bench-security.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "docker-bench-security" Sat May 6 18:30:58 2017 rev:11 rq:493013 version:1.3.2 Changes: -------- --- /work/SRC/openSUSE:Factory/docker-bench-security/docker-bench-security.changes 2017-03-02 19:29:29.414251428 +0100 +++ /work/SRC/openSUSE:Factory/.docker-bench-security.new/docker-bench-security.changes 2017-05-06 18:31:05.259068048 +0200 @@ -1,0 +2,14 @@ +Fri May 5 13:33:06 UTC 2017 - astieger@suse.com + +- update to 1.3.2: + * improve get_docker_configuration_file_args() + * add [NOTE] for informational checks with no actual tests + * fix various tests when using daemon.json + * use stat instead of ls -ld output +- includes changes from 1.3.1: + * Add daemon.json support + * Correct multiple tests + * Update default alpine Dockerfile + * Use grep if auditctl isn't present + +------------------------------------------------------------------- Old: ---- docker-bench-security-1.3.0.tar.gz New: ---- docker-bench-security-1.3.2.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ docker-bench-security.spec ++++++ --- /var/tmp/diff_new_pack.gBgrQh/_old 2017-05-06 18:31:05.926973803 +0200 +++ /var/tmp/diff_new_pack.gBgrQh/_new 2017-05-06 18:31:05.930973238 +0200 @@ -17,7 +17,7 @@ Name: docker-bench-security -Version: 1.3.0 +Version: 1.3.2 Release: 0 Summary: Docker Bench for Security License: Apache-2.0 ++++++ docker-bench-security-1.3.0.tar.gz -> docker-bench-security-1.3.2.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/CONTRIBUTING.md new/docker-bench-security-1.3.2/CONTRIBUTING.md --- old/docker-bench-security-1.3.0/CONTRIBUTING.md 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/CONTRIBUTING.md 2017-03-23 15:29:48.000000000 +0100 @@ -3,20 +3,22 @@ Want to hack on Docker Bench? Awesome! Here are instructions to get you started. -The Docker Bench for Security is a part of the [Docker](https://www.docker.com) project, and follows -the same rules and principles. If you're already familiar with the way -Docker does things, you'll feel right at home. +The Docker Bench for Security is a part of the [Docker](https://www.docker.com) +project, and follows the same rules and principles. If you're already familiar +with the way Docker does things, you'll feel right at home. Otherwise, go read [Docker's contributions guidelines](https://github.com/docker/docker/blob/master/CONTRIBUTING.md). -### Development Environment Setup +## Development Environment Setup -The only thing you need to hack on Docker Bench for Security is a POSIX 2004 compliant shell. We try to keep the project compliant for maximum portability +The only thing you need to hack on Docker Bench for Security is a POSIX 2004 +compliant shell. We try to keep the project compliant for maximum portability. -#### Start hacking +### Start hacking You can build the container that wraps the docker-bench for security: + ```sh ✗ git clone git@github.com:docker/docker-bench-security.git ✗ cd docker-bench-security @@ -31,7 +33,9 @@ ✗ sh docker-bench-security.sh ``` -The Docker Bench has the main script called `docker-bench-security.sh`. This is the main script that checks for all the dependencies, deals with command line arguments and loads all the tests. +The Docker Bench has the main script called `docker-bench-security.sh`. +This is the main script that checks for all the dependencies, deals with +command line arguments and loads all the tests. The tests are split in 6 different files: @@ -46,6 +50,12 @@ └── 6_docker_security_operations.sh ``` -To modify the Docker Bench for Security you should first clone the repository, make your changes, check your code with `shellcheck`, `checkbashisms` or similar tools, and then sign off on your commits. After that feel free to send us a pull-request with the changes. - -While this tool is inspired by the [CIS Docker 1.11.0 benchmark](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docke...), feel free to add new tests. We will try to turn dockerbench.com into a list of good community benchmarks for both security and performance, and we would love community contributions. +To modify the Docker Bench for Security you should first clone the repository, +make your changes, check your code with `shellcheck`, `checkbashisms` or similar +tools, and then sign off on your commits. After that feel free to send us a +pull request with the changes. + +While this tool was inspired by the [CIS Docker 1.11.0 benchmark](https://benchmarks.cisecurity.org/downloads/show-single/index.cfm?file=docke...), +feel free to add new tests. We will try to turn [dockerbench.com](https://dockerbench.com) +into a list of good community benchmarks for both security and performance, +and we would love community contributions. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/Dockerfile new/docker-bench-security-1.3.2/Dockerfile --- old/docker-bench-security-1.3.0/Dockerfile 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/Dockerfile 2017-03-23 15:29:48.000000000 +0100 @@ -4,29 +4,21 @@ org.label-schema.url="https://dockerbench.com" \ org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git" -ENV VERSION 1.12.6 -ENV SHA256 cadc6025c841e034506703a06cf54204e51d0cadfae4bae62628ac648d82efdd +RUN \ + apk upgrade --no-cache && \ + apk add --no-cache \ + docker \ + dumb-init && \ + rm -rf /usr/bin/docker-* /usr/bin/dockerd && \ + mkdir /usr/local/bin/tests -WORKDIR /usr/bin +COPY ./*.sh /usr/local/bin/ -RUN apk update && \ - apk upgrade && \ - apk --update add coreutils wget ca-certificates && \ - wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \ - wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \ - sha256sum -c docker-$VERSION.tgz.sha256 && \ - echo "$SHA256 docker-$VERSION.tgz" | sha256sum -c - && \ - tar -xzvf docker-$VERSION.tgz -C /tmp && \ - mv /tmp/docker/docker . && \ - chmod u+x docker* && \ - rm -rf /tmp/docker* && \ - apk del wget ca-certificates && \ - rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256 +COPY ./tests/*.sh /usr/local/bin/tests/ -RUN mkdir /docker-bench-security +WORKDIR /usr/local/bin -COPY . /docker-bench-security +HEALTHCHECK CMD exit 0 -WORKDIR /docker-bench-security +ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ] -ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/README.md new/docker-bench-security-1.3.2/README.md --- old/docker-bench-security-1.3.0/README.md 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/README.md 2017-03-23 15:29:48.000000000 +0100 @@ -18,7 +18,7 @@ this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host. Don't forget to adjust the shared volumes -according to your operating system, it may not for example use systemd. +according to your operating system, for example it might not use systemd. The easiest way to run your hosts against the Docker Bench for Security is by running our pre-built container: @@ -35,8 +35,9 @@ Docker bench requires Docker 1.10.0 or later in order to run. -Also note that the default image and `Dockerfile` uses `FROM: alpine` which -doesn't contain `auditctl`, this will generate errors in section 1.8 to 1.15. +Note that when distributions doesn't contain `auditctl`, the audit tests will +check `/etc/audit/audit.rules` to see if a rule is present instead. + Distribution specific Dockerfiles that fixes this issue are available in the [distros directory](https://github.com/docker/docker-bench-security/tree/master/distros). Binary files old/docker-bench-security-1.3.0/benchmark_log.png and new/docker-bench-security-1.3.2/benchmark_log.png differ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/distros/Dockerfile.alpine new/docker-bench-security-1.3.2/distros/Dockerfile.alpine --- old/docker-bench-security-1.3.0/distros/Dockerfile.alpine 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/distros/Dockerfile.alpine 2017-03-23 15:29:48.000000000 +0100 @@ -4,29 +4,19 @@ org.label-schema.url="https://dockerbench.com" \ org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git" -ENV VERSION 1.12.6 -ENV SHA256 cadc6025c841e034506703a06cf54204e51d0cadfae4bae62628ac648d82efdd +RUN \ + apk upgrade --no-cache && \ + apk add --no-cache \ + docker \ + dumb-init && \ + rm -rf /usr/bin/docker-* /usr/bin/dockerd && \ + mkdir /usr/local/bin/tests -WORKDIR /usr/bin +COPY ./*.sh /usr/local/bin/ -RUN apk update && \ - apk upgrade && \ - apk --update add coreutils wget ca-certificates && \ - wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz && \ - wget https://get.docker.com/builds/Linux/x86_64/docker-$VERSION.tgz.sha256 && \ - sha256sum -c docker-$VERSION.tgz.sha256 && \ - echo "$SHA256 docker-$VERSION.tgz" | sha256sum -c - && \ - tar -xzvf docker-$VERSION.tgz -C /tmp && \ - mv /tmp/docker/docker . && \ - chmod u+x docker* && \ - rm -rf /tmp/docker* && \ - apk del wget ca-certificates && \ - rm -rf /var/cache/apk/* docker-$VERSION.tgz docker-$VERSION.tgz.sha256 +COPY ./tests/*.sh /usr/local/bin/tests/ -RUN mkdir /docker-bench-security +WORKDIR /usr/local/bin -COPY . /docker-bench-security +ENTRYPOINT [ "/usr/bin/dumb-init", "docker-bench-security.sh" ] -WORKDIR /docker-bench-security - -ENTRYPOINT ["/bin/sh", "docker-bench-security.sh"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/distros/README.md new/docker-bench-security-1.3.2/distros/README.md --- old/docker-bench-security-1.3.0/distros/README.md 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/distros/README.md 2017-03-23 15:29:48.000000000 +0100 @@ -3,16 +3,19 @@ ## Requirements ### Dockerfile name -The format should be `Dockerfile.{distribution name}`. + +The format should be `Dockerfile.{distribution name}`. ### Keep your images up-to-date + Use the distribution package manager to keep your image up-to-date. -### REPOSITORY -Add a `REPOSITORY` comment with the URL to your GitHub repository where the Dockerfile is present. -`# REPOSITORY <GitHub repository>` +### Labels -### MAINTAINER -Add the `MAINTAINER` instruction and your contact details, GitHub aliases are acceptable. +Use the following labels in your Dockerfile: -For an example Dockerfile, please refer to `Dockerfile.alpine`. +``` +LABEL org.label-schema.name="docker-bench-security" \ + org.label-schema.url="<YOUR GIT REPOSITORY HTTPS ADDRESS>" \ + org.label-schema.vcs-url="/dev/null 2>&1 -if [ $? -ne 0 ]; then +if ! docker ps -q >/dev/null 2>&1; then printf "Error connecting to docker daemon (does docker ps work?)\n" exit 1 fi @@ -57,7 +56,7 @@ fi yell "# ------------------------------------------------------------------------------ -# Docker Bench for Security v1.3.0 +# Docker Bench for Security v1.3.2 # # Docker, Inc. (c) 2015- # @@ -81,8 +80,10 @@ # If there is a container with label docker_bench_security, memorize it: benchcont="nil" for c in $containers; do - labels=$(docker inspect --format '{{ .Config.Labels }}' "$c") - contains "$labels" "docker_bench_security" && benchcont="$c" + if docker inspect --format '{{ .Config.Labels }}' "$c" | \ + grep -e 'docker.bench.security' >/dev/null 2>&1; then + benchcont="$c" + fi done # List all running containers except docker-bench (use names to improve readability in logs) containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/helper_lib.sh new/docker-bench-security-1.3.2/helper_lib.sh --- old/docker-bench-security-1.3.0/helper_lib.sh 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/helper_lib.sh 2017-03-23 15:29:48.000000000 +0100 @@ -25,18 +25,6 @@ fi } -# Compares two strings and returns 0 if the second is a substring of the first -contains() { - string="$1" - substring="$2" - if [ "${string#*$substring}" != "$string" ] - then - return 0 # $substring is in $string - else - return 1 # $substring is not in $string - fi -} - # Extracts commandline args from the newest running processes named like the first parameter get_command_line_args() { PROC="$1" @@ -89,7 +77,23 @@ # Does not account for option default or implicit options. get_docker_effective_command_line_args() { OPTION="$1" - get_docker_cumulative_command_line_args $OPTION | tail -n1 + get_docker_cumulative_command_line_args "$OPTION" | tail -n1 +} + +get_docker_configuration_file_args() { + OPTION="$1" + FILE="$(get_docker_effective_command_line_args '--config-file' | \ + sed 's/.*=//g')" + + if [ -f "$FILE" ]; then + CONFIG_FILE="$FILE" + elif [ -f '/etc/docker/daemon.json' ]; then + CONFIG_FILE='/etc/docker/daemon.json' + else + CONFIG_FILE='/dev/null' + fi + + grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \", } get_systemd_service_file(){ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/output_lib.sh new/docker-bench-security-1.3.2/output_lib.sh --- old/docker-bench-security-1.3.0/output_lib.sh 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/output_lib.sh 2017-03-23 15:29:48.000000000 +0100 @@ -21,6 +21,10 @@ printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger" } +note () { + printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger" +} + yell () { printf "%b\n" "${bldylw}$1${txtrst}\n" } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/1_host_configuration.sh new/docker-bench-security-1.3.2/tests/1_host_configuration.sh --- old/docker-bench-security-1.3.0/tests/1_host_configuration.sh 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/tests/1_host_configuration.sh 2017-03-23 15:29:48.000000000 +0100 @@ -2,11 +2,11 @@ logit "" info "1 - Host Configuration" +auditrules="/etc/audit/audit.rules" # 1.1 check_1_1="1.1 - Create a separate partition for containers" -grep /var/lib/docker /etc/fstab >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if grep /var/lib/docker /etc/fstab >/dev/null 2>&1; then pass "$check_1_1" else warn "$check_1_1" @@ -14,14 +14,14 @@ # 1.2 check_1_2="1.2 - Harden the container host" -info "$check_1_2" +note "$check_1_2" # 1.3 check_1_3="1.3 - Keep Docker up to date" docker_version=$(docker version | grep -i -A1 '^server' | grep -i 'version:' \ | awk '{print $NF; exit}' | tr -d '[:alpha:]-,') -docker_current_version="1.13.0" -docker_current_date="2017-01-18" +docker_current_version="17.03.0" +docker_current_date="2017-03-01" do_version_check "$docker_current_version" "$docker_version" if [ $? -eq 11 ]; then info "$check_1_3" @@ -43,33 +43,33 @@ # 1.5 check_1_5="1.5 - Audit docker daemon - /usr/bin/docker" -file="/usr/bin/docker" -command -v auditctl >/dev/null 2>&1 -if [ $? -eq 0 ]; then - auditctl -l | grep "$file" >/dev/null 2>&1 - if [ $? -eq 0 ]; then +file="/usr/bin/docker " +if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep "$file" >/dev/null 2>&1; then pass "$check_1_5" else warn "$check_1_5" fi +elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_5" else - warn "1.5 - Failed to inspect: auditctl command not found." + warn "$check_1_5" fi # 1.6 check_1_6="1.6 - Audit Docker files and directories - /var/lib/docker" directory="/var/lib/docker" if [ -d "$directory" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep $directory >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $directory >/dev/null 2>&1; then pass "$check_1_6" else warn "$check_1_6" fi + elif grep "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_6" else - warn "1.6 - Failed to inspect: auditctl command not found." + warn "$check_1_6" fi else info "$check_1_6" @@ -80,16 +80,16 @@ check_1_7="1.7 - Audit Docker files and directories - /etc/docker" directory="/etc/docker" if [ -d "$directory" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep $directory >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $directory >/dev/null 2>&1; then pass "$check_1_7" else warn "$check_1_7" fi + elif grep "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_7" else - warn "1.7 - Failed to inspect: auditctl command not found." + warn "$check_1_7" fi else info "$check_1_7" @@ -100,16 +100,16 @@ check_1_8="1.8 - Audit Docker files and directories - docker.service" file="$(get_systemd_service_file docker.service)" if [ -f "$file" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep "$file" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep "$file" >/dev/null 2>&1; then pass "$check_1_8" else warn "$check_1_8" fi + elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_8" else - warn "1.8 - Failed to inspect: auditctl command not found." + warn "$check_1_8" fi else info "$check_1_8" @@ -120,16 +120,16 @@ check_1_9="1.9 - Audit Docker files and directories - docker.socket" file="$(get_systemd_service_file docker.socket)" if [ -e "$file" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep "$file" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep "$file" >/dev/null 2>&1; then pass "$check_1_9" else warn "$check_1_9" fi + elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_9" else - warn "1.9 - Failed to inspect: auditctl command not found." + warn "$check_1_9" fi else info "$check_1_9" @@ -140,16 +140,16 @@ check_1_10="1.10 - Audit Docker files and directories - /etc/default/docker" file="/etc/default/docker" if [ -f "$file" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep $file >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $file >/dev/null 2>&1; then pass "$check_1_10" else warn "$check_1_10" fi + elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_10" else - warn "1.10 - Failed to inspect: auditctl command not found." + warn "$check_1_10" fi else info "$check_1_10" @@ -160,16 +160,16 @@ check_1_11="1.11 - Audit Docker files and directories - /etc/docker/daemon.json" file="/etc/docker/daemon.json" if [ -f "$file" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep $file >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $file >/dev/null 2>&1; then pass "$check_1_11" else warn "$check_1_11" fi + elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_11" else - warn "1.11 - Failed to inspect: auditctl command not found." + warn "$check_1_11" fi else info "$check_1_11" @@ -180,16 +180,16 @@ check_1_12="1.12 - Audit Docker files and directories - /usr/bin/docker-containerd" file="/usr/bin/docker-containerd" if [ -f "$file" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep $file >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $file >/dev/null 2>&1; then pass "$check_1_12" else warn "$check_1_12" fi + elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_12" else - warn "1.12 - Failed to inspect: auditctl command not found." + warn "$check_1_12" fi else info "$check_1_12" @@ -200,16 +200,16 @@ check_1_13="1.13 - Audit Docker files and directories - /usr/bin/docker-runc" file="/usr/bin/docker-runc" if [ -f "$file" ]; then - command -v auditctl >/dev/null 2>&1 - if [ $? -eq 0 ]; then - auditctl -l | grep $file >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if command -v auditctl >/dev/null 2>&1; then + if auditctl -l | grep $file >/dev/null 2>&1; then pass "$check_1_13" else warn "$check_1_13" fi + elif grep "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then + pass "$check_1_13" else - warn "1.13 - Failed to inspect: auditctl command not found." + warn "$check_1_13" fi else info "$check_1_13" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/2_docker_daemon_configuration.sh new/docker-bench-security-1.3.2/tests/2_docker_daemon_configuration.sh --- old/docker-bench-security-1.3.0/tests/2_docker_daemon_configuration.sh 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/tests/2_docker_daemon_configuration.sh 2017-03-23 15:29:48.000000000 +0100 @@ -5,8 +5,9 @@ # 2.1 check_2_1="2.1 - Restrict network traffic between containers" -get_docker_effective_command_line_args '--icc' | grep "false" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then + pass "$check_2_1" +elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then pass "$check_2_1" else warn "$check_2_1" @@ -14,10 +15,16 @@ # 2.2 check_2_2="2.2 - Set the logging level" -get_docker_effective_command_line_args '-l' >/dev/null 2>&1 -if [ $? -eq 0 ]; then - get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1 - if [ $? -eq 0 ]; then +if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then + if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then + pass "$check_2_2" + elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then + pass "$check_2_2" + else + warn "$check_2_2" + fi +elif get_docker_effective_command_line_args '-l'; then + if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then pass "$check_2_2" else warn "$check_2_2" @@ -28,8 +35,9 @@ # 2.3 check_2_3="2.3 - Allow Docker to make changes to iptables" -get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then + warn "$check_2_3" +elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then warn "$check_2_3" else pass "$check_2_3" @@ -37,17 +45,21 @@ # 2.4 check_2_4="2.4 - Do not use insecure registries" -get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then warn "$check_2_4" +elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then + if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then + pass "$check_2_4" + else + warn "$check_2_4" + fi else pass "$check_2_4" fi # 2.5 check_2_5="2.5 - Do not use the aufs storage driver" -docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if docker info 2>/dev/null | grep -e "^Storage Driver:\s*aufs\s*$" >/dev/null 2>&1; then warn "$check_2_5" else pass "$check_2_5" @@ -55,12 +67,24 @@ # 2.6 check_2_6="2.6 - Configure TLS authentication for Docker daemon" -get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1 -if [ $? -eq 0 ]; then - get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1 - if [ $? -eq 0 ]; then - get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1 - if [ $? -eq 0 ]; then +if grep -i 'tcp://' "$CONFIG_FILE" 2>/dev/null 1>&2; then + if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ + [ $(get_docker_configuration_file_args '"tlsverify' | grep 'true') ] ; then + if get_docker_configuration_file_args 'tlskey' | grep -v '""' >/dev/null 2>&1; then + if get_docker_configuration_file_args 'tlsverify' | grep 'true' >/dev/null 2>&1; then + pass "$check_2_6" + else + warn "$check_2_6" + warn " * Docker daemon currently listening on TCP with TLS, but no verification" + fi + fi + else + warn "$check_2_6" + warn " * Docker daemon currently listening on TCP without TLS" + fi +elif get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://' >/dev/null 2>&1; then + if get_docker_cumulative_command_line_args '--tlskey' | grep 'tlskey=' >/dev/null 2>&1; then + if get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify' >/dev/null 2>&1; then pass "$check_2_6" else warn "$check_2_6" @@ -78,8 +102,9 @@ # 2.7 check_2_7="2.7 - Set default ulimit as appropriate" -get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then + pass "$check_2_7" +elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then pass "$check_2_7" else info "$check_2_7" @@ -88,8 +113,9 @@ # 2.8 check_2_8="2.8 - Enable user namespace support" -get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then + pass "$check_2_8" +elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then pass "$check_2_8" else warn "$check_2_8" @@ -97,8 +123,10 @@ # 2.9 check_2_9="2.9 - Confirm default cgroup usage" -get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_configuration_file_args 'cgroup-parent' | grep -v '""'; then + warn "$check_2_9" + info " * Confirm cgroup usage" +elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then warn "$check_2_9" info " * Confirm cgroup usage" else @@ -107,8 +135,9 @@ # 2.10 check_2_10="2.10 - Do not change base device size until needed" -get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then + warn "$check_2_10" +elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then warn "$check_2_10" else pass "$check_2_10" @@ -116,8 +145,9 @@ # 2.11 check_2_11="2.11 - Use authorization plugin" -get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then + pass "$check_2_11" +elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then pass "$check_2_11" else warn "$check_2_11" @@ -125,17 +155,17 @@ # 2.12 check_2_12="2.12 - Configure centralized and remote logging" -get_docker_effective_command_line_args '--log-driver' | grep "log-driver" >/dev/null 2>&1 -if [ $? -eq 0 ]; then - pass "$check_2_12" -else +if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then warn "$check_2_12" +else + pass "$check_2_12" fi # 2.13 check_2_13="2.13 - Disable operations on legacy registry (v1)" -get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then + pass "$check_2_13" +elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then pass "$check_2_13" else warn "$check_2_13" @@ -146,7 +176,7 @@ if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then pass "$check_2_14" else - if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then + if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then pass "$check_2_14 (Incompatible with swarm mode)" else warn "$check_2_14" @@ -155,8 +185,7 @@ # 2.15 check_2_15="2.15 - Do not enable swarm mode, if not needed" -docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1 -if [ $? -eq 1 ]; then +if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then pass "$check_2_15" else warn "$check_2_15" @@ -164,7 +193,7 @@ # 2.16 check_2_16="2.16 - Control the number of manager nodes in a swarm" -if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then +if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then managernodes=$(docker node ls | grep -c "Leader") if [ "$managernodes" -le 1 ]; then pass "$check_2_16" @@ -177,17 +206,22 @@ # 2.17 check_2_17="2.17 - Bind swarm services to a specific host interface" -netstat -lt | grep -e '\[::]:2377' -e '*:2377' -e '0.0.0.0:2377' >/dev/null 2>&1 -if [ $? -eq 1 ]; then - pass "$check_2_17" +if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then + netstat -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1 + if [ $? -eq 1 ]; then + pass "$check_2_17" + else + warn "$check_2_17" + fi else - warn "$check_2_17" + pass "$check_2_17 (Swarm mode not enabled)" fi # 2.18 check_2_18="2.18 - Disable Userland Proxy" -get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1 -if [ $? -eq 0 ]; then +if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then + pass "$check_2_18" +elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then pass "$check_2_18" else warn "$check_2_18" @@ -219,7 +253,7 @@ # 2.21 check_2_21="2.21 - Avoid experimental features in production" -if docker info 2>/dev/null | grep -e "^Live Restore Enabled:\s*false\s*$" >/dev/null 2>&1; then +if docker info 2>/dev/null | grep -e "Experimental:\s*false*" 2>/dev/null 1>&2; then pass "$check_2_21" else warn "$check_2_21" @@ -251,4 +285,4 @@ # 2.24 check_2_24="2.24 - Rotate swarm manager auto-lock key periodically" -info "$check_2_24" +note "$check_2_24" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/3_docker_daemon_configuration_files.sh new/docker-bench-security-1.3.2/tests/3_docker_daemon_configuration_files.sh --- old/docker-bench-security-1.3.0/tests/3_docker_daemon_configuration_files.sh 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/tests/3_docker_daemon_configuration_files.sh 2017-03-23 15:29:48.000000000 +0100 @@ -82,9 +82,7 @@ check_3_6="3.6 - Verify that /etc/docker directory permissions are set to 755 or more restrictive" directory="/etc/docker" if [ -d "$directory" ]; then - if [ "$(stat -c %a $directory)" -eq 755 ]; then - pass "$check_3_6" - elif [ "$(stat -c %a $directory)" -eq 700 ]; then + if [ "$(stat -c %a $directory)" -eq 755 -o "$(stat -c %a $directory)" -eq 700 ]; then pass "$check_3_6" else warn "$check_3_6" @@ -100,10 +98,9 @@ directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - owners=$(ls -lL $directory | grep ".crt" | awk '{print $3, $4}') + owners=$(find "$directory" -type f -name '*.crt') for p in $owners; do - printf "%s" "$p" | grep "root" >/dev/null 2>&1 - if [ $? -ne 0 ]; then + if [ "$(stat -c %u $p)" -ne 0 ]; then fail=1 fi done @@ -123,9 +120,9 @@ directory="/etc/docker/certs.d/" if [ -d "$directory" ]; then fail=0 - perms=$(ls -lL $directory | grep ".crt" | awk '{print $1}') + perms=$(find "$directory" -type f -name '*.crt') for p in $perms; do - if [ "$p" != "-r--r--r--." -a "$p" = "-r--------." ]; then + if [ "$(stat -c %a $p)" -ne 444 -a "$(stat -c %a $p)" -ne 400 ]; then fail=1 fi done @@ -142,7 +139,11 @@ # 3.9 check_3_9="3.9 - Verify that TLS CA certificate file ownership is set to root:root" -tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then + tlscacert=$(get_docker_configuration_file_args 'tlscacert') +else + tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +fi if [ -f "$tlscacert" ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then pass "$check_3_9" @@ -157,10 +158,13 @@ # 3.10 check_3_10="3.10 - Verify that TLS CA certificate file permissions are set to 444 or more restrictive" -tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +if ! [ -z $(get_docker_configuration_file_args 'tlscacert') ]; then + tlscacert=$(get_docker_configuration_file_args 'tlscacert') +else + tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +fi if [ -f "$tlscacert" ]; then - perms=$(ls -ld "$tlscacert" | awk '{print $1}') - if [ "$perms" = "-r--r--r--" ]; then + if [ "$(stat -c %a $tlscacert)" -eq 444 -o "$(stat -c %a $tlscacert)" -eq 400 ]; then pass "$check_3_10" else warn "$check_3_10" @@ -173,7 +177,11 @@ # 3.11 check_3_11="3.11 - Verify that Docker server certificate file ownership is set to root:root" -tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then + tlscert=$(get_docker_configuration_file_args 'tlscert') +else + tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +fi if [ -f "$tlscert" ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then pass "$check_3_11" @@ -188,10 +196,13 @@ # 3.12 check_3_12="3.12 - Verify that Docker server certificate file permissions are set to 444 or more restrictive" -tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +if ! [ -z $(get_docker_configuration_file_args 'tlscert') ]; then + tlscert=$(get_docker_configuration_file_args 'tlscert') +else + tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +fi if [ -f "$tlscert" ]; then - perms=$(ls -ld "$tlscert" | awk '{print $1}') - if [ "$perms" = "-r--r--r--" ]; then + if [ "$(stat -c %a $tlscert)" -eq 444 -o "$(stat -c %a $tlscert)" -eq 400 ]; then pass "$check_3_12" else warn "$check_3_12" @@ -204,7 +215,11 @@ # 3.13 check_3_13="3.13 - Verify that Docker server key file ownership is set to root:root" -tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then + tlskey=$(get_docker_configuration_file_args 'tlskey') +else + tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +fi if [ -f "$tlskey" ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then pass "$check_3_13" @@ -219,10 +234,13 @@ # 3.14 check_3_14="3.14 - Verify that Docker server key file permissions are set to 400 or more restrictive" -tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +if ! [ -z $(get_docker_configuration_file_args 'tlskey') ]; then + tlskey=$(get_docker_configuration_file_args 'tlskey') +else + tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1) +fi if [ -f "$tlskey" ]; then - perms=$(ls -ld "$tlskey" | awk '{print $1}') - if [ "$perms" = "-r--------" ]; then + if [ "$(stat -c %a $tlskey)" -eq 444 -o "$(stat -c %a $tlskey)" -eq 400 ]; then pass "$check_3_14" else warn "$check_3_14" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/4_container_images.sh new/docker-bench-security-1.3.2/tests/4_container_images.sh --- old/docker-bench-security-1.3.0/tests/4_container_images.sh 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/tests/4_container_images.sh 2017-03-23 15:29:48.000000000 +0100 @@ -42,15 +42,15 @@ # 4.2 check_4_2="4.2 - Use trusted base images for containers" -info "$check_4_2" +note "$check_4_2" # 4.3 check_4_3="4.3 - Do not install unnecessary packages in the container" -info "$check_4_3" +note "$check_4_3" # 4.4 check_4_4="4.4 - Scan and rebuild the images to include security patches" -info "$check_4_4" +note "$check_4_4" # 4.5 check_4_5="4.5 - Enable Content trust for Docker" @@ -64,8 +64,7 @@ check_4_6="4.6 - Add HEALTHCHECK instruction to the container image" fail=0 for img in $images; do - docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then if [ $fail -eq 0 ]; then fail=1 warn "$check_4_6" @@ -84,8 +83,7 @@ check_4_7="4.7 - Do not use update instructions alone in the Dockerfile" fail=0 for img in $images; do - docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1 - if [ $? -eq 0 ]; then + if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then if [ $fail -eq 0 ]; then fail=1 info "$check_4_7" @@ -102,7 +100,7 @@ # 4.8 check_4_8="4.8 - Remove setuid and setgid permissions in the images" -info "$check_4_8" +note "$check_4_8" # 4.9 check_4_9="4.9 - Use COPY instead of ADD in Dockerfile" @@ -126,8 +124,8 @@ # 4.10 check_4_10="4.10 - Do not store secrets in Dockerfiles" -info "$check_4_10" +note "$check_4_10" # 4.11 check_4_11="4.11 - Install verified packages only" -info "$check_4_11" +note "$check_4_11" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/docker-bench-security-1.3.0/tests/5_container_runtime.sh new/docker-bench-security-1.3.2/tests/5_container_runtime.sh --- old/docker-bench-security-1.3.0/tests/5_container_runtime.sh 2017-01-24 15:57:04.000000000 +0100 +++ new/docker-bench-security-1.3.2/tests/5_container_runtime.sh 2017-03-23 15:29:48.000000000 +0100 @@ -61,7 +61,10 @@ fail=0 for c in $containers; do - caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c") + container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd}}' "$c") + caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \ + sed 's/CAPADD/CapAdd/' | \ + sed -r "s/AUDIT_WRITE|CHOWN|DAC_OVERRIDE|FOWNER|FSETID|KILL|MKNOD|NET_BIND_SERVICE|NET_RAW|SETFCAP|SETGID|SETPCAP|SETUID|SYS_CHROOT|\s//g") if [ "$caps" != 'CapAdd=' -a "$caps" != 'CapAdd=[]' -a "$caps" != 'CapAdd=<no value>' -a "$caps" != 'CapAdd=<nil>' ]; then # If it's the first container, fail the test @@ -107,7 +110,8 @@ # List of sensitive directories to test for. Script uses new-lines as a separator. # Note the lack of identation. It needs it for the substring comparison. - sensitive_dirs='/boot + sensitive_dirs='/ +/boot /dev /etc /lib @@ -124,7 +128,9 @@ # Go over each directory in sensitive dir and see if they exist in the volumes for v in $sensitive_dirs; do sensitive=0 - contains "$volumes" "$v" && sensitive=1 + if echo "$volumes" | grep -e "{.*\s$v\s.*true\s}" 2>/tmp/null 1>&2; then + sensitive=1 + fi if [ $sensitive -eq 1 ]; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then @@ -207,7 +213,7 @@ # 5.8 check_5_8="5.8 - Open only needed ports on container" - info "$check_5_8" + note "$check_5_8" # 5.9 check_5_9="5.9 - Do not share the host's network namespace" @@ -237,9 +243,7 @@ fail=0 for c in $containers; do - docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2 - - if [ "$?" -eq 0 ]; then + if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then memory=$(docker inspect --format '{{ .Config.Memory }}' "$c") else memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c") @@ -266,9 +270,7 @@ fail=0 for c in $containers; do - docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2 - - if [ "$?" -eq 0 ]; then + if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c") else shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c") @@ -456,9 +458,8 @@ fail=0 for c in $containers; do - mode=$(docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c") - - if [ "$mode" = "Propagation=shared" ]; then + if docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c" | \ + grep shared 2>/dev/null 1>&2; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_19" @@ -520,11 +521,11 @@ # 5.22 check_5_22="5.22 - Do not docker exec commands with privileged option" - info "$check_5_22" + note "$check_5_22" # 5.23 check_5_23="5.23 - Do not docker exec commands with user option" - info "$check_5_23" + note "$check_5_23" # 5.24 check_5_24="5.24 - Confirm cgroup usage" @@ -554,9 +555,7 @@ fail=0 for c in $containers; do - docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2 - - if [ $? -ne 0 ]; then + if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then # If it's the first container, fail the test if [ $fail -eq 0 ]; then warn "$check_5_25"