Repository: docker/docker-bench-security
Branch: master
Commit: ff26d67f25be
Files: 25
Total size: 187.7 KB
Directory structure:
gitextract__ccq7ioz/
├── .dockerignore
├── .github/
│ └── workflows/
│ ├── issues.yml
│ └── slsa.yml
├── .gitignore
├── CONTRIBUTING.md
├── CONTRIBUTORS.md
├── Dockerfile
├── LICENSE.md
├── MAINTAINERS
├── README.md
├── Vagrantfile
├── docker-bench-security.sh
├── docker-compose.yml
├── functions/
│ ├── functions_lib.sh
│ ├── helper_lib.sh
│ └── output_lib.sh
└── tests/
├── 1_host_configuration.sh
├── 2_docker_daemon_configuration.sh
├── 3_docker_daemon_configuration_files.sh
├── 4_container_images.sh
├── 5_container_runtime.sh
├── 6_docker_security_operations.sh
├── 7_docker_swarm_configuration.sh
├── 8_docker_enterprise_configuration.sh
└── 99_community_checks.sh
================================================
FILE CONTENTS
================================================
================================================
FILE: .dockerignore
================================================
*
!docker-bench-security.sh
!functions/
!tests/
!log/
log/*
================================================
FILE: .github/workflows/issues.yml
================================================
name: Issue assignment
on:
issues:
types: [opened]
permissions:
contents: read
jobs:
auto-assign:
permissions:
issues: write
runs-on: ubuntu-latest
steps:
- name: 'auto-assign issue'
uses: pozil/auto-assign-issue@74b9f64cc1a08f99358061073e243a4c3d7dd5c4 # v1.11.0
with:
assignees: konstruktoid
================================================
FILE: .github/workflows/slsa.yml
================================================
---
name: SLSA
on:
push:
release:
permissions:
contents: write
types: [published, released]
permissions:
contents: read
jobs:
build:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
shell: bash
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Build artifacts
run: |
find *.sh functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
- name: Generate hashes
shell: bash
id: hash
run: |
echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload ${{ env.REPOSITORY_NAME }}.sha256
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ env.REPOSITORY_NAME }}.sha256
path: ${{ env.REPOSITORY_NAME }}.sha256
if-no-files-found: error
retention-days: 5
provenance:
needs: [build]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
release:
permissions:
actions: read
id-token: write
contents: write
needs: [build, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
- run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
shell: bash
- name: Download ${{ env.REPOSITORY_NAME }}.sha256
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ env.REPOSITORY_NAME }}.sha256
- name: Upload asset
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with:
files: |
${{ env.REPOSITORY_NAME }}.sha256
================================================
FILE: .gitignore
================================================
log/*
*.swp*
.vagrant/
================================================
FILE: CONTRIBUTING.md
================================================
# Contributing to Docker Bench for Security
Want to hack on Docker Bench? Awesome! Here are instructions to get you
started.
The Docker Bench for Security is a part of the [Docker](https://www.docker.com)
project, and follows the same rules and principles. If you're already familiar
with the way Docker does things, you'll feel right at home.
Otherwise, go read
[Contribute to the Moby Project](https://github.com/moby/moby/blob/master/CONTRIBUTING.md).
## Development Environment Setup
### Start hacking
You can build the container that wraps the docker-bench for security:
```sh
git clone git@github.com:docker/docker-bench-security.git
cd docker-bench-security
docker build -t docker-bench-security .
```
Or you can simply run the shell script locally:
```sh
git clone git@github.com:docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
```
The Docker Bench has the main script called `docker-bench-security.sh`.
This is the main script that checks for all the dependencies, deals with
command line arguments and loads all the tests.
The tests are split into the following files:
```sh
tests/
├── 1_host_configuration.sh
├── 2_docker_daemon_configuration.sh
├── 3_docker_daemon_configuration_files.sh
├── 4_container_images.sh
├── 5_container_runtime.sh
├── 6_docker_security_operations.sh
├── 7_docker_swarm_configuration.sh
├── 8_docker_enterprise_configuration.sh
└── 99_community_checks.sh
```
To modify the Docker Bench for Security you should first clone the repository,
make your changes, check your code with `shellcheck`, or similar tools, and
then sign off on your commits. After that feel free to send us a pull request
with the changes.
While this tool was inspired by the [CIS Docker 1.11.0 benchmark](https://www.cisecurity.org/benchmark/docker/)
and its successors, feel free to add new tests.
================================================
FILE: CONTRIBUTORS.md
================================================
The following people, listed in alphabetical order, have contributed to docker-bench-security:
* alberto <alberto@tutum.co>
* Andreas Stieger <astieger@suse.com>
* Anthony Roger <aroger@softwaymedical.fr>
* Aurélien Gasser <aurelien.gasser@gmail.com>
* binary <binary@webdev.fritz.box>
* Boris Gorbylev <ekho@ekho.name>
* Cheng-Li Jerry Ma <chengli.ma@gmail.com>
* Csaba Palfi <csaba@palfi.me>
* Daniele Marcocci <daniele.marcocci@par-tec.it>
* Dhawal Patel <dhawal.patel@nordstrom.com>
* Diogo Monica <diogo@docker.com>
* Diogo Mónica <diogo.monica@gmail.com>
* Ernst de Haan <ernst@ernstdehaan.com>
* HuKeping <hukeping@huawei.com>
* Ivan Angelov <iangelov@users.noreply.github.com>
* J0WI <J0WI@users.noreply.github.com>
* jammasterj89 <jammasterj89@gmail.com>
* Jessica Frazelle <princess@docker.com>
* Joachim Lusiardi <jlusiardi@users.noreply.github.com>
* Joachim Lusiardi <joachim@lusiardi.de>
* Joachim Lusiardi <shing19m@dev1.lusiardi.de>
* Joe Williams <joe.williams@github.com>
* Julien Garcia Gonzalez <julien@giantswarm.io>
* Jürgen Hermann <jh@web.de>
* kakakakakku <y.yoshida22@gmail.com>
* Karol Babioch <kbabioch@suse.de>
* Kevin Lim <kevin.lim@sap.com>
* kevinll <imhael@gmail.com>
* Liron Levin <liron@twistlock.com>
* liron-l <levinlir@gmail.com>
* LorensK <LorensK@users.noreply.github.com>
* lusitania <lusitania@users.noreply.github.com>
* Maik Ellerbrock <opensource@frapsoft.com>
* Mark Stemm <mark.stemm@gmail.com>
* Matt Fellows <matt.fellows@onegeek.com.au>
* Michael Crosby <crosbymichael@gmail.com>
* Michael Stahn <michael.stahn.42@gmail.com>
* Mike Ritter <mike.ritter@target.com>
* Mr. Secure <ben.github@mrsecure.org>
* MrSecure <MrSecure@users.noreply.github.com>
* Nigel Brown <nigel@windsock.io>
* Paul Czarkowski <username.taken@gmail.com>
* Paul Morgan <jumanjiman@gmail.com>
* Pete Sellars <psellars@gmail.com>
* Peter <lusitania@users.noreply.github.com>
* Ravi Kumar Vadapalli <vadapalli.ravikumar@gmail.com>
* Scott McCarty <scott.mccarty@gmail.com>
* Sebastiaan van Stijn <github@gone.nl>
* telepresencebot2 <telepresencebot2@users.noreply.github.com>
* Thomas Sjögren <konstruktoid@users.noreply.github.com>
* Tom Partington <tom.partington@cevo.com.au>
* Werner Buck <wernerbuck@gmail.com>
* will Farrell <willfarrell@users.noreply.github.com>
* Zvi "Viz" Effron <zeffron@riotgames.com>
This list was generated Tue Nov 5 09:45:35 UTC 2019.
================================================
FILE: Dockerfile
================================================
FROM alpine:3.18@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978
LABEL \
org.label-schema.name="docker-bench-security" \
org.label-schema.url="https://dockerbench.com" \
org.label-schema.vcs-url="https://github.com/docker/docker-bench-security.git"
RUN apk add --no-cache iproute2 \
docker-cli \
dumb-init \
jq
COPY . /usr/local/bin/
HEALTHCHECK CMD exit 0
WORKDIR /usr/local/bin
ENTRYPOINT [ "/usr/bin/dumb-init", "/bin/sh", "docker-bench-security.sh" ]
CMD [""]
================================================
FILE: LICENSE.md
================================================
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "{}"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2015 Docker, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
================================================
FILE: MAINTAINERS
================================================
# Docker Bench for Security maintainers file
#
# This file describes who runs the docker/docker-bench-security project and how.
# This is a living document - if you see something out of date or missing, speak up!
#
# It is structured to be consumable by both humans and programs.
# To extract its contents programmatically, use any TOML-compliant parser.
#
# This file is compiled into the MAINTAINERS file in docker/opensource.
#
[Org]
[Org."Core maintainers"]
people = [
"diogomonica",
"konstruktoid",
]
[people]
# A reference list of all people associated with the project.
# All other sections should refer to people by their canonical key
# in the people section.
# ADD YOURSELF HERE IN ALPHABETICAL ORDER
[people.diogomonica]
Name = "Dr. Diogo Mónica"
Email = "diogo@docker.com"
GitHub = "diogomonica"
[people.konstruktoid]
Name = "Thomas Sjögren"
Email = "thomas.sjogren@protonmail.com"
GitHub = "konstruktoid"
================================================
FILE: README.md
================================================
# Docker Bench for Security
The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production. The tests are all automated, and are based on the [CIS Docker Benchmark v1.6.0](https://www.cisecurity.org/benchmark/docker/).
We are making this available as an open-source utility so the Docker community can have an easy way to self-assess their hosts and Docker containers against this benchmark.
Release | CIS |
:---:|:---:|
1.6.0|1.6.0|
1.5.0|1.5.0|
1.3.6|1.4.0|
1.3.5|1.2.0|
1.3.3|1.1.0|
1.3.0|1.13.0|
## Running Docker Bench for Security
### Run from your base host
You can simply run this script from your base host by running:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
sudo sh docker-bench-security.sh
```
> Note: [`jq`](https://jqlang.github.io/jq/) is an optional but recommended dependency.
### Run with Docker
#### Building Docker image
You have two options if you wish to build and run this container yourself:
1. Use Docker Build:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker build --no-cache -t docker-bench-security .
```
Followed by an appropriate `docker run` command as stated below.
2. Use Docker Compose:
```sh
git clone https://github.com/docker/docker-bench-security.git
cd docker-bench-security
docker-compose run --rm docker-bench-security
```
_Please note that the `docker/docker-bench-security` image is out-of-date and and a manual build is required. See [#405](https://github.com/docker/docker-bench-security/issues/405) for more information._
Note that this container is being run with a *lot* of privilege -- sharing the host's filesystem, pid and network namespaces, due to portions of the benchmark applying to the running host.
### Using the container
```sh
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker-bench-security
```
Don't forget to adjust the shared volumes according to your operating system.
Some examples are:
1. On Ubuntu the `docker.service` and `docker.secret` files are located in
`/lib/systemd/system` folder by default.
```sh
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc:ro \
-v /lib/systemd/system:/lib/systemd/system:ro \
-v /usr/bin/containerd:/usr/bin/containerd:ro \
-v /usr/bin/runc:/usr/bin/runc:ro \
-v /usr/lib/systemd:/usr/lib/systemd:ro \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker-bench-security
```
2. The /etc/hostname file is missing on macOS, so it will need to be created first. Also, `Docker Desktop` on macOS doesn't have `/usr/lib/systemd` or the above Docker
binaries.
```sh
sudo touch /etc/hostname
docker run --rm --net host --pid host --userns host --cap-add audit_control \
-e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
-v /etc:/etc \
-v /var/lib:/var/lib:ro \
-v /var/run/docker.sock:/var/run/docker.sock:ro \
--label docker_bench_security \
docker-bench-security
```
### Note
Docker bench requires Docker 1.13.0 or later in order to run.
Note that when distributions don't contain `auditctl`, the audit tests will check `/etc/audit/audit.rules` to see if a rule is present instead.
### Docker Bench for Security options
```sh
-b optional Do not print colors
-h optional Print this help message
-l FILE optional Log output in FILE, inside container if run using docker
-u USERS optional Comma delimited list of trusted docker user(s)
-c CHECK optional Comma delimited list of specific check(s) id
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
-t LABEL optional Comma delimited list of labels within a container or image to check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Disable the printing of remediation measures. Default: print remediation measures.
```
By default the Docker Bench for Security script will run all available CIS tests and produce
logs in the log folder from current directory, named `docker-bench-security.log.json` and
`docker-bench-security.log`.
If the docker container is used then the log files will be created inside the container in location `/usr/local/bin/log/`. If you wish to access them from the host after the container has been run you will need to mount a volume for storing them in.
The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6` and community contributed checks are named `check_c_<number>`.
`sh docker-bench-security.sh -c check_2_2` will only run check `2.2 Ensure the logging level is set to 'info'`.
`sh docker-bench-security.sh -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`.
`sh docker-bench-security.sh -e docker_enterprise_configuration` will run all available checks except the docker_enterprise_configuration group
`sh docker-bench-security.sh -e docker_enterprise_configuration,check_2_2` will run all available checks except the docker_enterprise_configuration group and `2.2 Ensure the logging level is set to 'info'`
`sh docker-bench-security.sh -c container_images,container_runtime` will run just the container_images and container_runtime checks
`sh docker-bench-security.sh -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`
Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information.
================================================
FILE: Vagrantfile
================================================
Vagrant.configure("2") do |config|
config.vbguest.installer_options = { allow_kernel_upgrade: true }
config.vm.provider "virtualbox" do |v|
v.memory = 2048
v.cpus = 2
v.customize ["modifyvm", :id, "--uart1", "0x3F8", "4"]
v.customize ["modifyvm", :id, "--uartmode1", "file", File::NULL]
end
config.vm.define "jammy" do |jammy|
jammy.ssh.extra_args = ["-o","ConnectTimeout=600"]
jammy.ssh.insert_key = true
jammy.vm.boot_timeout = 600
jammy.vm.box = "ubuntu/jammy64"
jammy.vm.hostname = "jammy"
jammy.vm.provision "shell",
inline: "apt-get update && curl -sSL get.docker.com | sh && addgroup vagrant docker"
end
end
================================================
FILE: docker-bench-security.sh
================================================
#!/bin/bash
# --------------------------------------------------------------------------------------------
# Docker Bench for Security
#
# Docker, Inc. (c) 2015-2022
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# --------------------------------------------------------------------------------------------
version='1.6.0'
LIBEXEC="." # Distributions can change this to /usr/libexec or similar.
# Load dependencies
. $LIBEXEC/functions/functions_lib.sh
. $LIBEXEC/functions/helper_lib.sh
# Setup the paths
this_path=$(abspath "$0") ## Path of this file including filename
myname=$(basename "${this_path%.*}") ## file name of this script.
readonly version
readonly this_path
readonly myname
export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
# Check for required program(s)
req_programs 'awk docker grep sed stat tail tee tr wc xargs'
# Ensure we can connect to docker daemon
if ! docker ps -q >/dev/null 2>&1; then
printf "Error connecting to docker daemon (does docker ps work?)\n"
exit 1
fi
usage () {
cat <<EOF
Docker Bench for Security - Docker, Inc. (c) 2015-$(date +"%Y")
Checks for dozens of common best-practices around deploying Docker containers in production.
Based on the CIS Docker Benchmark 1.6.0.
Usage: ${myname}.sh [OPTIONS]
Example:
- Only run check "2.2 - Ensure the logging level is set to 'info'":
sh docker-bench-security.sh -c check_2_2
- Run all available checks except the host_configuration group and "2.8 - Enable user namespace support":
sh docker-bench-security.sh -e host_configuration,check_2_8
- Run just the container_images checks except "4.5 - Ensure Content trust for Docker is Enabled":
sh docker-bench-security.sh -c container_images -e check_4_5
Options:
-b optional Do not print colors
-h optional Print this help message
-l FILE optional Log output in FILE, inside container if run using docker
-u USERS optional Comma delimited list of trusted docker user(s)
-c CHECK optional Comma delimited list of specific check(s) id
-e CHECK optional Comma delimited list of specific check(s) id to exclude
-i INCLUDE optional Comma delimited list of patterns within a container or image name to check
-x EXCLUDE optional Comma delimited list of patterns within a container or image name to exclude from check
-t LABEL optional Comma delimited list of labels within a container or image to check
-n LIMIT optional In JSON output, when reporting lists of items (containers, images, etc.), limit the number of reported items to LIMIT. Default 0 (no limit).
-p PRINT optional Print remediation measures. Default: Don't print remediation measures.
Complete list of checks: <https://github.com/docker/docker-bench-security/blob/master/tests/>
Full documentation: <https://github.com/docker/docker-bench-security>
Released under the Apache-2.0 License.
EOF
}
# Default values
if [ ! -d log ]; then
mkdir log
fi
logger="log/${myname}.log"
limit=0
printremediation="0"
globalRemediation=""
# Get the flags
# If you add an option here, please
# remember to update usage() above.
while getopts bhl:u:c:e:i:x:t:n:p args
do
case $args in
b) nocolor="nocolor";;
h) usage; exit 0 ;;
l) logger="$OPTARG" ;;
u) dockertrustusers="$OPTARG" ;;
c) check="$OPTARG" ;;
e) checkexclude="$OPTARG" ;;
i) include="$OPTARG" ;;
x) exclude="$OPTARG" ;;
t) labels="$OPTARG" ;;
n) limit="$OPTARG" ;;
p) printremediation="1" ;;
*) usage; exit 1 ;;
esac
done
# Load output formating
. $LIBEXEC/functions/output_lib.sh
yell_info
# Warn if not root
if [ "$(id -u)" != "0" ]; then
warn "$(yell 'Some tests might require root to run')\n"
sleep 3
fi
# Total Score
# Warn Scored -1, Pass Scored +1, Not Score -0
totalChecks=0
currentScore=0
logit "Initializing $(date +%Y-%m-%dT%H:%M:%S%:z)\n"
beginjson "$version" "$(date +%s)"
# Load all the tests from tests/ and run them
main () {
logit "\n${bldylw}Section A - Check results${txtrst}"
# Get configuration location
get_docker_configuration_file
# If there is a container with label docker_bench_security, memorize it:
benchcont="nil"
for c in $(docker ps | sed '1d' | awk '{print $NF}'); do
if docker inspect --format '{{ .Config.Labels }}' "$c" | \
grep -e 'docker.bench.security' >/dev/null 2>&1; then
benchcont="$c"
fi
done
# Get the image id of the docker_bench_security_image, memorize it:
benchimagecont="nil"
for c in $(docker images | sed '1d' | awk '{print $3}'); do
if docker inspect --format '{{ .Config.Labels }}' "$c" | \
grep -e 'docker.bench.security' >/dev/null 2>&1; then
benchimagecont="$c"
fi
done
# Format LABELS
for label in $(echo "$labels" | sed 's/,/ /g'); do
LABELS="$LABELS --filter label=$label"
done
if [ -n "$include" ]; then
pattern=$(echo "$include" | sed 's/,/|/g')
containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -E "$pattern")
images=$(docker images $LABELS| sed '1d' | grep -E "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
elif [ -n "$exclude" ]; then
pattern=$(echo "$exclude" | sed 's/,/|/g')
containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont" | grep -Ev "$pattern")
images=$(docker images $LABELS| sed '1d' | grep -Ev "$pattern" | awk '{print $3}' | grep -v "$benchimagecont")
else
containers=$(docker ps $LABELS| sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
images=$(docker images -q $LABELS| grep -v "$benchcont")
fi
for test in $LIBEXEC/tests/*.sh; do
. "$test"
done
if [ -z "$check" ] && [ ! "$checkexclude" ]; then
# No options just run
cis
elif [ -z "$check" ]; then
# No check defined but excludes defined set to calls in cis() function
check=$(sed -ne "/cis() {/,/}/{/{/d; /}/d; p;}" functions/functions_lib.sh)
fi
for c in $(echo "$check" | sed "s/,/ /g"); do
if ! command -v "$c" 2>/dev/null 1>&2; then
echo "Check \"$c\" doesn't seem to exist."
continue
fi
if [ -z "$checkexclude" ]; then
# No excludes just run the checks specified
"$c"
else
# Exludes specified and check exists
checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')"
if echo "$c" | grep -E "$checkexcluded" 2>/dev/null 1>&2; then
# Excluded
continue
elif echo "$c" | grep -vE 'check_[0-9]|check_[a-z]' 2>/dev/null 1>&2; then
# Function not a check, fill loop_checks with all check from function
loop_checks="$(sed -ne "/$c() {/,/}/{/{/d; /}/d; p;}" functions/functions_lib.sh)"
else
# Just one check
loop_checks="$c"
fi
for lc in $loop_checks; do
if echo "$lc" | grep -vE "$checkexcluded" 2>/dev/null 1>&2; then
# Not excluded
"$lc"
fi
done
fi
done
if [ -n "${globalRemediation}" ] && [ "$printremediation" = "1" ]; then
logit "\n\n${bldylw}Section B - Remediation measures${txtrst}"
logit "${globalRemediation}"
fi
logit "\n\n${bldylw}Section C - Score${txtrst}\n"
info "Checks: $totalChecks"
info "Score: $currentScore\n"
endjson "$totalChecks" "$currentScore" "$(date +%s)"
}
main "$@"
================================================
FILE: docker-compose.yml
================================================
services:
docker-bench-security:
# use image if you have a dedicated build step:
# docker build --rm -t docker-bench-security .
# image: docker-bench-security
# use build path to Dockerfile if docker-compose should build the image
build: .
cap_add:
- audit_control
labels:
- docker_bench_security
pid: host
stdin_open: true
tty: true
volumes:
- /var/lib:/var/lib:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
- /usr/lib/systemd:/usr/lib/systemd:ro
- /etc:/etc:ro
================================================
FILE: functions/functions_lib.sh
================================================
#!/bin/sh
host_configuration() {
check_1
check_1_1
check_1_1_1
check_1_1_2
check_1_1_3
check_1_1_4
check_1_1_5
check_1_1_6
check_1_1_7
check_1_1_8
check_1_1_9
check_1_1_10
check_1_1_11
check_1_1_12
check_1_1_13
check_1_1_14
check_1_1_15
check_1_1_16
check_1_1_17
check_1_1_18
check_1_2
check_1_2_1
check_1_2_2
check_1_end
}
host_configuration_level1() {
check_1
check_1_end
}
linux_hosts_specific_configuration() {
check_1_1
check_1_1_1
check_1_1_2
check_1_1_3
check_1_1_4
check_1_1_5
check_1_1_6
check_1_1_7
check_1_1_8
check_1_1_9
check_1_1_10
check_1_1_11
check_1_1_12
check_1_1_13
check_1_1_14
check_1_1_15
check_1_1_16
check_1_1_17
check_1_1_18
}
host_general_configuration() {
check_1
check_1_2
check_1_2_1
check_1_2_2
check_1_end
}
docker_daemon_configuration() {
check_2
check_2_1
check_2_2
check_2_3
check_2_4
check_2_5
check_2_6
check_2_7
check_2_8
check_2_9
check_2_10
check_2_11
check_2_12
check_2_13
check_2_14
check_2_15
check_2_16
check_2_17
check_2_18
check_2_end
}
docker_daemon_configuration_level1() {
check_2
check_2_end
}
docker_daemon_files() {
check_3
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
check_3_21
check_3_22
check_3_23
check_3_24
check_3_end
}
docker_daemon_files_level1() {
check_3
check_3_end
}
container_images() {
check_4
check_4_1
check_4_2
check_4_3
check_4_4
check_4_5
check_4_6
check_4_7
check_4_8
check_4_9
check_4_10
check_4_11
check_4_12
check_4_end
}
container_images_level1() {
check_4
check_4_end
}
container_runtime() {
check_5
check_running_containers
check_5_1
check_5_2
check_5_3
check_5_4
check_5_5
check_5_6
check_5_7
check_5_8
check_5_9
check_5_10
check_5_11
check_5_12
check_5_13
check_5_14
check_5_15
check_5_16
check_5_17
check_5_18
check_5_19
check_5_20
check_5_21
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_27
check_5_28
check_5_29
check_5_30
check_5_31
check_5_32
check_5_end
}
container_runtime_level1() {
check_5
check_5_end
}
docker_security_operations() {
check_6
check_6_1
check_6_2
check_6_end
}
docker_security_operations_level1() {
check_6
check_6_1
check_6_2
check_6_end
}
docker_swarm_configuration() {
check_7
check_7_1
check_7_2
check_7_3
check_7_4
check_7_5
check_7_6
check_7_7
check_7_8
check_7_9
check_7_end
}
docker_swarm_configuration_level1() {
check_7
check_7_end
}
docker_enterprise_configuration() {
check_8
check_product_license
check_8_1
check_8_1_1
check_8_1_2
check_8_1_3
check_8_1_4
check_8_1_5
check_8_1_6
check_8_1_7
check_8_2
check_8_2_1
check_8_end
}
docker_enterprise_configuration_level1() {
check_8
check_product_license
check_8_1
check_8_1_1
check_8_1_2
check_8_1_3
check_8_1_4
check_8_1_5
check_8_1_6
check_8_1_7
check_8_2
check_8_2_1
check_8_end
}
universal_control_plane_configuration() {
check_8
check_8_1
check_8_1_1
check_8_1_2
check_8_1_3
check_8_1_4
check_8_1_5
check_8_1_6
check_8_1_7
check_8_end
}
docker_trusted_registry_configuration() {
check_8
check_8_2
check_8_2_1
check_8_end
}
community_checks() {
check_c
check_c_1
check_c_1_1
check_c_2
check_c_5_3_1
check_c_5_3_2
check_c_5_3_3
check_c_5_3_4
check_c_end
}
# CIS
cis() {
host_configuration
docker_daemon_configuration
docker_daemon_files
container_images
container_runtime
docker_security_operations
docker_swarm_configuration
}
cis_level1() {
host_configuration_level1
docker_daemon_configuration_level1
docker_daemon_files_level1
container_images_level1
container_runtime_level1
docker_security_operations_level1
docker_swarm_configuration_level1
}
cis_controls_v8_ig1() {
check_1_1_2
check_1_1_3
check_2_1
check_2_13
check_2_14
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
check_3_21
check_3_22
check_3_23
check_3_24
check_4_8
check_4_11
check_5_5
check_5_14
check_5_18
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_32
check_7_2
check_7_6
check_7_7
check_7_8
}
cis_controls_v8_ig2() {
check_1_1_1
check_1_1_2
check_1_1_3
check_1_1_4
check_1_1_5
check_1_1_6
check_1_1_7
check_1_1_8
check_1_1_9
check_1_1_10
check_1_1_11
check_1_1_12
check_1_1_13
check_1_1_14
check_1_1_15
check_1_1_16
check_1_1_17
check_1_1_18
check_1_2_1
check_1_2_2
check_2_1
check_2_2
check_2_3
check_2_4
check_2_5
check_2_7
check_2_8
check_2_11
check_2_13
check_2_14
check_2_15
check_2_16
check_2_18
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
check_3_21
check_3_22
check_3_23
check_3_24
check_4_2
check_4_3
check_4_4
check_4_7
check_4_8
check_4_9
check_4_11
check_5_1
check_5_2
check_5_3
check_5_4
check_5_5
check_5_7
check_5_10
check_5_11
check_5_12
check_5_14
check_5_16
check_5_17
check_5_18
check_5_19
check_5_21
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_27
check_5_30
check_5_31
check_5_32
check_6_1
check_6_2
check_7_2
check_7_3
check_7_5
check_7_6
check_7_7
check_7_8
check_7_9
}
cis_controls_v8_ig3() {
check_1_1_1
check_1_1_2
check_1_1_3
check_1_1_4
check_1_1_5
check_1_1_6
check_1_1_7
check_1_1_8
check_1_1_9
check_1_1_10
check_1_1_11
check_1_1_12
check_1_1_13
check_1_1_14
check_1_1_15
check_1_1_16
check_1_1_17
check_1_1_18
check_1_2_1
check_1_2_2
check_2_1
check_2_2
check_2_3
check_2_4
check_2_5
check_2_7
check_2_8
check_2_11
check_2_13
check_2_14
check_2_15
check_2_16
check_2_18
check_3_1
check_3_2
check_3_3
check_3_4
check_3_5
check_3_6
check_3_7
check_3_8
check_3_9
check_3_10
check_3_11
check_3_12
check_3_13
check_3_14
check_3_15
check_3_16
check_3_17
check_3_18
check_3_19
check_3_20
check_3_21
check_3_22
check_3_23
check_3_24
check_4_2
check_4_3
check_4_4
check_4_6
check_4_7
check_4_8
check_4_9
check_4_11
check_4_12
check_5_1
check_5_2
check_5_3
check_5_4
check_5_5
check_5_7
check_5_8
check_5_9
check_5_10
check_5_11
check_5_12
check_5_14
check_5_16
check_5_17
check_5_18
check_5_19
check_5_21
check_5_22
check_5_23
check_5_24
check_5_25
check_5_26
check_5_27
check_5_30
check_5_31
check_5_32
check_6_1
check_6_2
check_7_2
check_7_3
check_7_5
check_7_6
check_7_7
check_7_8
check_7_9
}
# Community contributed
community() {
community_checks
}
# All
all() {
cis
docker_enterprise_configuration
community
}
================================================
FILE: functions/helper_lib.sh
================================================
#!/bin/bash
# Returns the absolute path of a given string
abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; esac; }
# Audit rules default path
auditrules="/etc/audit/audit.rules"
# Check for required program(s)
req_programs() {
for p in $1; do
command -v "$p" >/dev/null 2>&1 || { printf "Required program not found: %s\n" "$p"; exit 1; }
done
if command -v jq >/dev/null 2>&1; then
HAVE_JQ=true
else
HAVE_JQ=false
fi
if command -v ss >/dev/null 2>&1; then
netbin=ss
return
fi
if command -v netstat >/dev/null 2>&1; then
netbin=netstat
return
fi
echo "ss or netstat command not found."
exit 1
}
# Compares versions of software of the format X.Y.Z
do_version_check() {
[ "$1" = "$2" ] && return 10
ver1front=$(printf "%s" "$1" | cut -d "." -f -1)
ver1back=$(printf "%s" "$1" | cut -d "." -f 2-)
ver2front=$(printf "%s" "$2" | cut -d "." -f -1)
ver2back=$(printf "%s" "$2" | cut -d "." -f 2-)
if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then
[ "$ver1front" -gt "$ver2front" ] && return 11
[ "$ver1front" -lt "$ver2front" ] && return 9
[ "$ver1front" = "$1" ] || [ -z "$ver1back" ] && ver1back=0
[ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0
do_version_check "$ver1back" "$ver2back"
return $?
fi
[ "$1" -gt "$2" ] && return 11 || return 9
}
# Extracts commandline args from the newest running processes named like the first parameter
get_command_line_args() {
PROC="$1"
for PID in $(pgrep -f -n "$PROC"); do
tr "\0" " " < /proc/"$PID"/cmdline
done
}
# Extract the cumulative command line arguments for the docker daemon
#
# If specified multiple times, all matches are returned.
# Accounts for long and short variants, call with short option.
# Does not account for option defaults or implicit options.
get_docker_cumulative_command_line_args() {
OPTION="$1"
line_arg="dockerd"
if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then
line_arg="docker daemon"
fi
get_command_line_args "$line_arg" |
# normalize known long options to their short versions
sed \
-e 's/\-\-debug/-D/g' \
-e 's/\-\-host/-H/g' \
-e 's/\-\-log-level/-l/g' \
-e 's/\-\-version/-v/g' \
|
# normalize parameters separated by space(s) to -O=VALUE
sed \
-e 's/\-\([DHlv]\)[= ]\([^- ][^ ]\)/-\1=\2/g' \
|
# get the last interesting option
tr ' ' "\n" |
grep "^${OPTION}" |
# normalize quoting of values
sed \
-e 's/"//g' \
-e "s/'//g"
}
# Extract the effective command line arguments for the docker daemon
#
# Accounts for multiple specifications, takes the last option.
# Accounts for long and short variants, call with short option
# Does not account for option default or implicit options.
get_docker_effective_command_line_args() {
OPTION="$1"
get_docker_cumulative_command_line_args "$OPTION" | tail -n1
}
get_docker_configuration_file() {
FILE="$(get_docker_effective_command_line_args '--config-file' | \
sed 's/.*=//g')"
if [ -f "$FILE" ]; then
CONFIG_FILE="$FILE"
return
fi
if [ -f '/etc/docker/daemon.json' ]; then
CONFIG_FILE='/etc/docker/daemon.json'
return
fi
CONFIG_FILE='/dev/null'
}
get_docker_configuration_file_args() {
OPTION="$1"
get_docker_configuration_file
if "$HAVE_JQ"; then
jq --monochrome-output --raw-output "if has(\"${OPTION}\") then .[\"${OPTION}\"] else \"\" end" "$CONFIG_FILE"
else
cat "$CONFIG_FILE" | tr , '\n' | grep "$OPTION" | sed 's/.*://g' | tr -d '" ',
fi
}
get_service_file() {
SERVICE="$1"
if [ -f "/etc/systemd/system/$SERVICE" ]; then
echo "/etc/systemd/system/$SERVICE"
return
fi
if [ -f "/lib/systemd/system/$SERVICE" ]; then
echo "/lib/systemd/system/$SERVICE"
return
fi
if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
find /run -name "$SERVICE" | head -n1
return
fi
if [ "$(systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//')" != "" ]; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
return
fi
echo "/usr/lib/systemd/system/$SERVICE"
}
yell_info() {
yell "# --------------------------------------------------------------------------------------------
# Docker Bench for Security v$version
#
# Docker, Inc. (c) 2015-$(date +"%Y")
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.6.0.
# --------------------------------------------------------------------------------------------"
}
================================================
FILE: functions/output_lib.sh
================================================
#!/bin/bash
bldred='\033[1;31m' # Bold Red
bldgrn='\033[1;32m' # Bold Green
bldblu='\033[1;34m' # Bold Blue
bldylw='\033[1;33m' # Bold Yellow
txtrst='\033[0m'
if [ -n "$nocolor" ] && [ "$nocolor" = "nocolor" ]; then
bldred=''
bldgrn=''
bldblu=''
bldylw=''
txtrst=''
fi
logit () {
printf "%b\n" "$1" | tee -a "$logger"
}
info () {
local infoCountCheck
local OPTIND c
while getopts c args
do
case $args in
c) infoCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$infoCountCheck" = "true" ]; then
printf "%b\n" "${bldblu}[INFO]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger"
}
pass () {
local passScored
local passCountCheck
local OPTIND s c
while getopts sc args
do
case $args in
s) passScored="true" ;;
c) passCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$passScored" = "true" ] || [ "$passCountCheck" = "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
fi
if [ "$passScored" = "true" ]; then
currentScore=$((currentScore + 1))
fi
if [ "$passScored" != "true" ] && [ "$passCountCheck" != "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger"
fi
}
warn () {
local warnScored
local OPTIND s
while getopts s args
do
case $args in
s) warnScored="true" ;;
*) exit 1 ;;
esac
done
if [ "$warnScored" = "true" ]; then
printf "%b\n" "${bldred}[WARN]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
currentScore=$((currentScore - 1))
return
fi
printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
}
note () {
local noteCountCheck
local OPTIND c
while getopts c args
do
case $args in
c) noteCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$noteCountCheck" = "true" ]; then
printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
}
yell () {
printf "%b\n" "${bldylw}$1${txtrst}\n"
}
beginjson () {
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee "$logger.json" 2>/dev/null 1>&2
}
endjson (){
printf "\n ],\n \"checks\": %s,\n \"score\": %s,\n \"end\": %s\n}" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
SSEP=
SEP=
startsectionjson() {
printf "%s\n {\n \"id\": \"%s\",\n \"desc\": \"%s\",\n \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=
SSEP=","
}
endsectionjson() {
printf "\n ]\n }" | tee -a "$logger.json" 2>/dev/null 1>&2
}
starttestjson() {
printf "%s\n {\n \"id\": \"%s\",\n \"desc\": \"%s\",\n " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=","
}
log_to_json() {
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
truncItems=$3
if [ "$limit" != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
fi
itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]")
printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logcheckresult() {
# Log to JSON
log_to_json "$@"
# Log remediation measure to JSON
if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then
printf ",\n \"remediation\": \"%s\"" "$remediation" | tee -a "$logger.json" 2>/dev/null 1>&2
if [ -n "$remediationImpact" ]; then
printf ",\n \"remediation-impact\": \"%s\"" "$remediationImpact" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
fi
printf "\n }" | tee -a "$logger.json" 2>/dev/null 1>&2
# Save remediation measure for print log to stdout
if [ -n "$remediation" ] && [ "$1" != "PASS" ]; then
if [ -n "${checkHeader}" ]; then
if [ -n "${addSpaceHeader}" ]; then
globalRemediation="${globalRemediation}\n"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${checkHeader}"
checkHeader=""
addSpaceHeader="1"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${id} - ${remediation}"
if [ -n "${remediationImpact}" ]; then
globalRemediation="${globalRemediation} Remediation Impact: ${remediationImpact}"
fi
fi
}
================================================
FILE: tests/1_host_configuration.sh
================================================
#!/bin/bash
check_1() {
logit ""
local id="1"
local desc="Host Configuration"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_1_1() {
local id="1.1"
local desc="Linux Hosts Specific Configuration"
local check="$id - $desc"
info "$check"
}
check_1_1_1() {
local id="1.1.1"
local desc="Ensure a separate partition for containers has been created (Automated)"
local remediation="For new installations, you should create a separate partition for the /var/lib/docker mount point. For systems that have already been installed, you should use the Logical Volume Manager (LVM) within Linux to create a new partition."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_root_dir=$(docker info -f '{{ .DockerRootDir }}')
if docker info | grep -q userns ; then
docker_root_dir=$(readlink -f "$docker_root_dir/..")
fi
if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_1_2() {
local id="1.1.2"
local desc="Ensure only trusted users are allowed to control Docker daemon (Automated)"
local remediation="You should remove any untrusted users from the docker group using command sudo gpasswd -d <your-user> docker or add trusted users to the docker group using command sudo usermod -aG docker <your-user>. You should not create a mapping of sensitive directories from the host to container volumes."
local remediationImpact="Only trust user are allow to build and execute containers as normal user."
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_users=$(grep 'docker' /etc/group)
if command -v getent >/dev/null 2>&1; then
docker_users=$(getent group docker)
fi
docker_users=$(printf "%s" "$docker_users" | awk -F: '{print $4}')
local doubtfulusers=""
if [ -n "$dockertrustusers" ]; then
for u in $(printf "%s" "$docker_users" | sed "s/,/ /g"); do
if ! printf "%s" "$dockertrustusers" | grep -q "$u" ; then
doubtfulusers="$u"
if [ -n "${doubtfulusers}" ]; then
doubtfulusers="${doubtfulusers},$u"
fi
fi
done
else
info -c "$check"
info " * Users: $docker_users"
logcheckresult "INFO" "doubtfulusers" "$docker_users"
fi
if [ -n "${doubtfulusers}" ]; then
warn -s "$check"
warn " * Doubtful users: $doubtfulusers"
logcheckresult "WARN" "doubtfulusers" "$doubtfulusers"
fi
if [ -z "${doubtfulusers}" ] && [ -n "${dockertrustusers}" ]; then
pass -s "$check"
logcheckresult "PASS"
fi
}
check_1_1_3() {
local id="1.1.3"
local desc="Ensure auditing is configured for the Docker daemon (Automated)"
local remediation="Install auditd. Add -w /usr/bin/dockerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/dockerd"
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_1_4() {
local id="1.1.4"
local desc="Ensure auditing is configured for Docker files and directories -/run/containerd (Automated)"
local remediation="Install auditd. Add -a exit,always -F path=/run/containerd -F perm=war -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/run/containerd"
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_1_1_5() {
local id="1.1.5"
local desc="Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated)"
local remediation="Install auditd. Add -w /var/lib/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/var/lib/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_1_1_6() {
local id="1.1.6"
local desc="Ensure auditing is configured for Docker files and directories - /etc/docker (Automated)"
local remediation="Install auditd. Add -w /etc/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker"
if [ -d "$directory" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_1_1_7() {
local id="1.1.7"
local desc="Ensure auditing is configured for Docker files and directories - docker.service (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file docker.service) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.service)"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_8() {
local id="1.1.8"
local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file containerd.sock) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file containerd.sock)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_9() {
local id="1.1.9"
local desc="Ensure auditing is configured for Docker files and directories - docker.socket (Automated)"
local remediation
remediation="Install auditd. Add -w $(get_service_file docker.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="$(get_service_file docker.socket)"
if [ -e "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_10() {
local id="1.1.10"
local desc="Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated)"
local remediation="Install auditd. Add -w /etc/default/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/default/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_11() {
local id="1.1.11"
local desc="Ensure auditing is configured for Dockerfiles and directories - /etc/docker/daemon.json (Automated)"
local remediation="Install auditd. Add -w /etc/docker/daemon.json -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_12() {
local id="1.1.12"
local desc="1.1.12 Ensure auditing is configured for Dockerfiles and directories - /etc/containerd/config.toml (Automated)"
local remediation="Install auditd. Add -w /etc/containerd/config.toml -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/containerd/config.toml"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_13() {
local id="1.1.13"
local desc="Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated)"
local remediation="Install auditd. Add -w /etc/sysconfig/docker -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_14() {
local id="1.1.14"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_15() {
local id="1.1.15"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd-shim"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_16() {
local id="1.1.16"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim-runc-v1 -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd-shim-runc-v1"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_17() {
local id="1.1.17"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated)"
local remediation="Install auditd. Add -w /usr/bin/containerd-shim-runc-v2 -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/containerd-shim-runc-v2"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_1_18() {
local id="1.1.18"
local desc="Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated)"
local remediation="Install auditd. Add -w /usr/bin/runc -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
local remediationImpact="Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/usr/bin/runc"
if [ -f "$file" ]; then
if command -v auditctl >/dev/null 2>&1; then
if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_1_2() {
local id="1.2"
local desc="General Configuration"
local check="$id - $desc"
info "$check"
}
check_1_2_1() {
local id="1.2.1"
local desc="Ensure the container host has been Hardened (Manual)"
local remediation="You may consider various Security Benchmarks for your container host."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_1_2_2() {
local id="1.2.2"
local desc="Ensure that the version of Docker is up to date (Manual)"
local remediation="You should monitor versions of Docker releases and make sure your software is updated as required."
local remediationImpact="You should perform a risk assessment regarding Docker version updates and review how they may impact your operations."
local check="$id - $desc"
starttestjson "$id" "$desc"
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,')
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then
pass -c "$check"
info " * Using $docker_version, verify is it up to date as deemed necessary"
logcheckresult "INFO" "Using $docker_version"
return
fi
pass -c "$check"
info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker"
logcheckresult "PASS" "Using $docker_version"
}
check_1_end() {
endsectionjson
}
================================================
FILE: tests/2_docker_daemon_configuration.sh
================================================
#!/bin/bash
check_2() {
logit ""
local id="2"
local desc="Docker daemon configuration"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_2_1() {
local id="2.1"
local desc="Run the Docker daemon as a non-root user, if possible (Manual)"
local remediation="Follow the current Dockerdocumentation on how to install the Docker daemon as a non-root user."
local remediationImpact="There are multiple prerequisites depending on which distribution that is in use, and also known limitations regarding networking and resource limitation. Running in rootless mode also changes the location of any configuration files in use, including all containers using the daemon."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_2_2() {
local id="2.2"
local desc="Ensure network traffic is restricted between containers on the default bridge (Scored)"
local remediation="Edit the Docker daemon configuration file to ensure that inter-container communication is disabled: icc: false."
local remediationImpact="Inter-container communication is disabled on the default network bridge. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking or custom networks."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if [[ $(get_docker_configuration_file_args 'icc' | grep "false") ]] && [[ $(get_docker_configuration_file_args 'icc' | grep "false") != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_3() {
local id="2.3"
local desc="Ensure the logging level is set to 'info' (Scored)"
local remediation="Ensure that the Docker daemon configuration file has the following configuration included log-level: info. Alternatively, run the Docker daemon as following: dockerd --log-level=info"
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'log-level' >/dev/null 2>&1; then
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
if get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_4() {
local id="2.4"
local desc="Ensure Docker is allowed to make changes to iptables (Scored)"
local remediation="Do not run the Docker daemon with --iptables=false option."
local remediationImpact="The Docker daemon service requires iptables rules to be enabled before it starts."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
if [[ $(get_docker_configuration_file_args 'iptables' | grep "false") ]] && [[ $(get_docker_configuration_file_args 'iptables' | grep "false") != "null" ]] ; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_5() {
local id="2.5"
local desc="Ensure insecure registries are not used (Scored)"
local remediation="You should ensure that no insecure registries are in use."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
if [[ $(get_docker_configuration_file_args 'insecure-registries' | grep -v '\[]') ]] && [[ $(get_docker_configuration_file_args 'insecure-registries' | grep -v '\[]') != "null" ]] ; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_6() {
local id="2.6"
local desc="Ensure aufs storage driver is not used (Scored)"
local remediation="Do not start Docker daemon as using dockerd --storage-driver aufs option."
local remediationImpact="aufs is the only storage driver that allows containers to share executable and shared library memory. Its use should be reviewed in line with your organization's security policy."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_7() {
local id="2.7"
local desc="Ensure TLS authentication for Docker daemon is configured (Scored)"
local remediation="Follow the steps mentioned in the Docker documentation or other references. By default, TLS authentication is not configured."
local remediationImpact="You would need to manage and guard certificates and keys for the Docker daemon and Docker clients."
local check="$id - $desc"
starttestjson "$id" "$desc"
if $(grep -qE "host.*tcp://" "$CONFIG_FILE") || \
[ $(get_docker_cumulative_command_line_args '-H' | grep -vE '(unix|fd)://') > /dev/null 2>&1 ]; then
if [ $(get_docker_configuration_file_args '"tlsverify":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
warn -s "$check"
warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
return
fi
warn -s "$check"
warn " * Docker daemon currently listening on TCP without TLS"
logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
return
fi
info -c "$check"
info " * Docker daemon not listening on TCP"
logcheckresult "INFO" "Docker daemon not listening on TCP"
}
check_2_8() {
local id="2.8"
local desc="Ensure the default ulimit is configured appropriately (Manual)"
local remediation="Run Docker in daemon mode and pass --default-ulimit as option with respective ulimits as appropriate in your environment and in line with your security policy. Example: dockerd --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200"
local remediationImpact="If ulimits are set incorrectly this could cause issues with system resources, possibly causing a denial of service condition."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [[ $(get_docker_configuration_file_args 'default-ulimits' | grep -v '{}') ]] && [[ $(get_docker_configuration_file_args 'default-ulimits' | grep -v '{}') != "null" ]] ; then
pass -c "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass -c "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
info " * Default ulimit doesn't appear to be set"
logcheckresult "INFO" "Default ulimit doesn't appear to be set"
}
check_2_9() {
local id="2.9"
local desc="Enable user namespace support (Scored)"
local remediation="Please consult the Docker documentation for various ways in which this can be configured depending upon your requirements. The high-level steps are: Ensure that the files /etc/subuid and /etc/subgid exist. Start the docker daemon with --userns-remap flag."
local remediationImpact="User namespace remapping is incompatible with a number of Docker features and also currently breaks some of its functionalities."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [[ $(get_docker_configuration_file_args 'userns-remap' | grep -v '""') ]] && [[ $(get_docker_configuration_file_args 'userns-remap' | grep -v '""') != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_10() {
local id="2.10"
local desc="Ensure the default cgroup usage has been confirmed (Scored)"
local remediation="The default setting is in line with good security practice and can be left in situ."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'cgroup-parent' | grep -v ''; then
warn -s "$check"
info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage"
return
fi
if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn -s "$check"
info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_11() {
local id="2.11"
local desc="Ensure base device size is not changed until needed (Scored)"
local remediation="Do not set --storage-opt dm.basesize until needed."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_12() {
local id="2.12"
local desc="Ensure that authorization for Docker client commands is enabled (Scored)"
local remediation="Install/Create an authorization plugin. Configure the authorization policy as desired. Start the docker daemon using command dockerd --authorization-plugin=<PLUGIN_ID>"
local remediationImpact="Each Docker command needs to pass through the authorization plugin mechanism. This may have a performance impact"
local check="$id - $desc"
starttestjson "$id" "$desc"
if [[ $(get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]') ]] && [[ $(get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]') != "null" ]] ; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_13() {
local id="2.13"
local desc="Ensure centralized and remote logging is configured (Scored)"
local remediation="Set up the desired log driver following its documentation. Start the docker daemon using that logging driver. Example: dockerd --log-driver=syslog --log-opt syslog-address=tcp://192.xxx.xxx.xxx"
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
}
check_2_14() {
local id="2.14"
local desc="Ensure containers are restricted from acquiring new privileges (Scored)"
local remediation="You should run the Docker daemon using command: dockerd --no-new-privileges"
local remediationImpact="no_new_priv prevents LSMs such as SELinux from escalating the privileges of individual containers."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_15() {
local id="2.15"
local desc="Ensure live restore is enabled (Scored)"
local remediation="Run Docker in daemon mode and pass --live-restore option."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass -s "$check (Incompatible with swarm mode)"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_16() {
local id="2.16"
local desc="Ensure Userland Proxy is Disabled (Scored)"
local remediation="You should run the Docker daemon using command: dockerd --userland-proxy=false"
local remediationImpact="Some systems with older Linux kernels may not be able to support hairpin NAT and therefore require the userland proxy service. Also, some networking setups can be impacted by the removal of the userland proxy."
local check="$id - $desc"
starttestjson "$id" "$desc"
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_2_17() {
local id="2.17"
local desc="Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual)"
local remediation="By default, Docker's default seccomp profile is applied. If this is adequate for your environment, no action is necessary."
local remediationImpact="A misconfigured seccomp profile could possibly interrupt your container environment. You should therefore exercise extreme care if you choose to override the default settings."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass -c "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
logcheckresult "INFO"
}
check_2_18() {
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
local id="2.18"
local desc="Ensure that experimental features are not implemented in production (Scored)"
local remediation="You should not pass --experimental as a runtime parameter to the Docker daemon on production systems."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ "$docker_version" -le 1903 ]; then
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$desc"
logcheckresult "INFO"
}
check_2_end() {
endsectionjson
}
================================================
FILE: tests/3_docker_daemon_configuration_files.sh
================================================
#!/bin/bash
check_3() {
logit ""
local id="3"
local desc="Docker daemon configuration files"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_3_1() {
local id="3.1"
local desc="Ensure that the docker.service file ownership is set to root:root (Automated)"
local remediation="Find out the file location: systemctl show -p FragmentPath docker.service. If the file does not exist, this recommendation is not applicable. If the file does exist, you should run the command chown root:root <path>, in order to set the ownership and group ownership for the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file=$(get_service_file docker.service)
if [ -f "$file" ]; then
if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_2() {
local id="3.2"
local desc="Ensure that docker.service file permissions are appropriately set (Automated)"
local remediation="Find out the file location: systemctl show -p FragmentPath docker.service. If the file does not exist, this recommendation is not applicable. If the file exists, run the command chmod 644 <path> to set the file permissions to 644."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file=$(get_service_file docker.service)
if [ -f "$file" ]; then
if [ "$(stat -c %a "$file")" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_3() {
local id="3.3"
local desc="Ensure that docker.socket file ownership is set to root:root (Automated)"
local remediation="Find out the file location: systemctl show -p FragmentPath docker.socket. If the file does not exist, this recommendation is not applicable. If the file exists, run the command chown root:root <path> to set the ownership and group ownership for the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file=$(get_service_file docker.socket)
if [ -f "$file" ]; then
if [ "$(stat -c %u%g "$file")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_4() {
local id="3.4"
local desc="Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated)"
local remediation="Find out the file location: systemctl show -p FragmentPath docker.socket. If the file does not exist, this recommendation is not applicable. If the file does exist, you should run the command chmod 644 <path> to set the file permissions to 644."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file=$(get_service_file docker.socket)
if [ -f "$file" ]; then
if [ "$(stat -c %a "$file")" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_5() {
local id="3.5"
local desc="Ensure that the /etc/docker directory ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root /etc/docker. This sets the ownership and group ownership for the directory to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_3_6() {
local id="3.6"
local desc="Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated)"
local remediation="You should run the following command: chmod 755 /etc/docker. This sets the permissions for the directory to 755."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker"
if [ -d "$directory" ]; then
if [ "$(stat -c %a $directory)" -le 755 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_3_7() {
local id="3.7"
local desc="Ensure that registry certificate file ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root /etc/docker/certs.d/<registry-name>/*. This would set the individual ownership and group ownership for the registry certificate files to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
owners=$(find "$directory" -type f -name '*.crt')
for p in $owners; do
if [ "$(stat -c %u "$p")" -ne 0 ]; then
fail=1
fi
done
if [ $fail -eq 1 ]; then
warn -s "$check"
warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory"
return
fi
pass -s "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_3_8() {
local id="3.8"
local desc="Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated)"
local remediation="You should run the following command: chmod 444 /etc/docker/certs.d/<registry-name>/*. This would set the permissions for the registry certificate files to 444."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
directory="/etc/docker/certs.d/"
if [ -d "$directory" ]; then
fail=0
perms=$(find "$directory" -type f -name '*.crt')
for p in $perms; do
if [ "$(stat -c %a "$p")" -gt 444 ]; then
fail=1
fi
done
if [ $fail -eq 1 ]; then
warn -s "$check"
warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory"
return
fi
pass -s "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
info " * Directory not found"
logcheckresult "INFO" "Directory not found"
}
check_3_9() {
local id="3.9"
local desc="Ensure that TLS CA certificate file ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root <path to TLS CA certificate file>. This sets the individual ownership and group ownership for the TLS CA certificate file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $tlscacert"
logcheckresult "WARN" "Wrong ownership for $tlscacert"
return
fi
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
}
check_3_10() {
local id="3.10"
local desc="Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated)"
local remediation="You should run the following command: chmod 444 <path to TLS CA certificate file>. This sets the file permissions on the TLS CA file to 444."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert')
fi
if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a "$tlscacert")" -le 444 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $tlscacert"
logcheckresult "WARN" "Wrong permissions for $tlscacert"
return
fi
info -c "$check"
info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found"
}
check_3_11() {
local id="3.11"
local desc="Ensure that Docker server certificate file ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root <path to Docker server certificate file>. This sets the individual ownership and the group ownership for the Docker server certificate file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $tlscert"
logcheckresult "WARN" "Wrong ownership for $tlscert"
return
fi
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
}
check_3_12() {
local id="3.12"
local desc="Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated)"
local remediation="You should run the following command: chmod 444 <path to Docker server certificate file>. This sets the file permissions of the Docker server certificate file to 444."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert')
fi
if [ -f "$tlscert" ]; then
if [ "$(stat -c %a "$tlscert")" -le 444 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $tlscert"
logcheckresult "WARN" "Wrong permissions for $tlscert"
return
fi
info -c "$check"
info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found"
}
check_3_13() {
local id="3.13"
local desc="Ensure that the Docker server certificate key file ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root <path to Docker server certificate key file>. This sets the individual ownership and group ownership for the Docker server certificate key file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $tlskey"
logcheckresult "WARN" "Wrong ownership for $tlskey"
return
fi
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
}
check_3_14() {
local id="3.14"
local desc="Ensure that the Docker server certificate key file permissions are set to 400 (Automated)"
local remediation="You should run the following command: chmod 400 <path to Docker server certificate key file>. This sets the Docker server certificate key file permissions to 400."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey')
fi
if [ -f "$tlskey" ]; then
if [ "$(stat -c %a "$tlskey")" -eq 400 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $tlskey"
logcheckresult "WARN" "Wrong permissions for $tlskey"
return
fi
info -c "$check"
info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found"
}
check_3_15() {
local id="3.15"
local desc="Ensure that the Docker socket file ownership is set to root:docker (Automated)"
local remediation="You should run the following command: chown root:docker /var/run/docker.sock. This sets the ownership to root and group ownership to docker for the default Docker socket file."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_16() {
local id="3.16"
local desc="Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated)"
local remediation="You should run the following command: chmod 660 /var/run/docker.sock. This sets the file permissions of the Docker socket file to 660."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/var/run/docker.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -le 660 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_17() {
local id="3.17"
local desc="Ensure that the daemon.json file ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root /etc/docker/daemon.json. This sets the ownership and group ownership for the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_18() {
local id="3.18"
local desc="Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated)"
local remediation="You should run the following command: chmod 644 /etc/docker/daemon.json. This sets the file permissions for this file to 644."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/docker/daemon.json"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_19() {
local id="3.19"
local desc="Ensure that the /etc/default/docker file ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root /etc/default/docker. This sets the ownership and group ownership of the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_20() {
local id="3.20"
local desc="Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)"
local remediation="You should run the following command: chmod 644 /etc/default/docker. This sets the file permissions for this file to 644."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/default/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_21() {
local id="3.21"
local desc="Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)"
local remediation="You should run the following command: chmod 644 /etc/sysconfig/docker. This sets the file permissions for this file to 644."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_22() {
local id="3.22"
local desc="Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root /etc/sysconfig/docker. This sets the ownership and group ownership for the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/etc/sysconfig/docker"
if [ -f "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_23() {
local id="3.23"
local desc="Ensure that the Containerd socket file ownership is set to root:root (Automated)"
local remediation="You should run the following command: chown root:root /run/containerd/containerd.sock. This sets the ownership and group ownership for the file to root."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/run/containerd/containerd.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_24() {
local id="3.24"
local desc="Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)"
local remediation="You should run the following command: chmod 660 /run/containerd/containerd.sock. This sets the file permissions for this file to 660."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
file="/run/containerd/containerd.sock"
if [ -S "$file" ]; then
if [ "$(stat -c %a $file)" -le 660 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file"
return
fi
info -c "$check"
info " * File not found"
logcheckresult "INFO" "File not found"
}
check_3_end() {
endsectionjson
}
================================================
FILE: tests/4_container_images.sh
================================================
#!/bin/bash
check_4() {
logit ""
local id="4"
local desc="Container Images and Build File"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_4_1() {
local id="4.1"
local desc="Ensure that a user for the container has been created (Automated)"
local remediation="You should ensure that the Dockerfile for each container image contains the information: USER <username or ID>. If there is no specific user created in the container base image, then make use of the useradd command to add a specific user before the USER instruction in the Dockerfile."
local remediationImpact="Running as a non-root user can present challenges where you wish to bind mount volumes from the underlying host. In this case, care should be taken to ensure that the user running the contained process can read and write to the bound directory, according to their requirements."
local check="$id - $desc"
starttestjson "$id" "$desc"
# If container_users is empty, there are no running containers
if [ -z "$containers" ]; then
info -c "$check"
info " * No containers running"
logcheckresult "INFO" "No containers running"
return
fi
# We have some containers running, set failure flag to 0. Check for Users.
fail=0
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
root_containers=""
for c in $containers; do
user=$(docker inspect --format 'User={{.Config.User}}' "$c")
if [ "$user" = "User=0" ] || [ "$user" = "User=root" ] || [ "$user" = "User=" ] || [ "$user" = "User=[]" ] || [ "$user" = "User=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Running as root: $c"
root_containers="$root_containers $c"
fail=1
continue
fi
warn " * Running as root: $c"
root_containers="$root_containers $c"
fi
done
# We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "running as root" "$root_containers"
# Make the loop separator go back to space
set +f; unset IFS
}
check_4_2() {
local id="4.2"
local desc="Ensure that containers use only trusted base images (Manual)"
local remediation="Configure and use Docker Content trust. View the history of each Docker image to evaluate its risk, dependent on the sensitivity of the application you wish to deploy using it. Scan Docker images for vulnerabilities at regular intervals."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_4_3() {
local id="4.3"
local desc="Ensure that unnecessary packages are not installed in the container (Manual)"
local remediation="You should not install anything within the container that is not required. You should consider using a minimal base image if you can. Some of the options available include BusyBox and Alpine. Not only can this trim your image size considerably, but there would also be fewer pieces of software which could contain vectors for attack."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_4_4() {
local id="4.4"
local desc="Ensure images are scanned and rebuilt to include security patches (Manual)"
local remediation="Images should be re-built ensuring that the latest version of the base images are used, to keep the operating system patch level at an appropriate level. Once the images have been re-built, containers should be re-started making use of the updated images."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_4_5() {
local id="4.5"
local desc="Ensure Content trust for Docker is Enabled (Automated)"
local remediation="Add DOCKER_CONTENT_TRUST variable to the /etc/environment file using command echo DOCKER_CONTENT_TRUST=1 | sudo tee -a /etc/environment."
local remediationImpact="This prevents users from working with tagged images unless they contain a signature."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ "$DOCKER_CONTENT_TRUST" = "1" ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_4_6() {
local id="4.6"
local desc="Ensure that HEALTHCHECK instructions have been added to container images (Automated)"
local remediation="You should follow the Docker documentation and rebuild your container images to include the HEALTHCHECK instruction."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
no_health_images=""
for img in $images; do
if docker inspect --format='{{.Config.Healthcheck}}' "$img" 2>/dev/null | grep -e "<nil>" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then
fail=1
warn -s "$check"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
warn " * No Healthcheck found: $imgName"
no_health_images="$no_health_images $imgName"
else
warn " * No Healthcheck found: $img"
no_health_images="$no_health_images $img"
fi
fi
done
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
}
check_4_7() {
local id="4.7"
local desc="Ensure update instructions are not used alone in the Dockerfile (Manual)"
local remediation="You should use update instructions together with install instructions and version pinning for packages while installing them. This prevent caching and force the extraction of the required versions. Alternatively, you could use the --no-cache flag during the docker build process to avoid using cached layers."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
update_images=""
for img in $images; do
if docker history "$img" 2>/dev/null | grep -e "update" >/dev/null 2>&1; then
if [ $fail -eq 0 ]; then
fail=1
info -c "$check"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
info " * Update instruction found: $imgName"
update_images="$update_images $imgName"
fi
fi
done
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
return
fi
logcheckresult "INFO" "Update instructions found" "$update_images"
}
check_4_8() {
local id="4.8"
local desc="Ensure setuid and setgid permissions are removed (Manual)"
local remediation="You should allow setuid and setgid permissions only on executables which require them. You could remove these permissions at build time by adding the following command in your Dockerfile, preferably towards the end of the Dockerfile: RUN find / -perm /6000 -type f -exec chmod a-s {} ; || true"
local remediationImpact="The above command would break all executables that depend on setuid or setgid permissions including legitimate ones. You should therefore be careful to modify the command to suit your requirements so that it does not reduce the permissions of legitimate programs excessively. Because of this, you should exercise a degree of caution and examine all processes carefully before making this type of modification in order to avoid outages."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_4_9() {
local id="4.9"
local desc="Ensure that COPY is used instead of ADD in Dockerfiles (Manual)"
local remediation="You should use COPY rather than ADD instructions in Dockerfiles."
local remediationImpact="Care needs to be taken in implementing this control if the application requires functionality that is part of the ADD instruction, for example, if you need to retrieve files from remote URLS."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
add_images=""
for img in $images; do
if docker history --format "{{ .CreatedBy }}" --no-trunc "$img" | \
sed '$d' | grep -q 'ADD'; then
if [ $fail -eq 0 ]; then
fail=1
info -c "$check"
fi
imgName=$(docker inspect --format='{{.RepoTags}}' "$img" 2>/dev/null)
if ! [ "$imgName" = '[]' ]; then
info " * ADD in image history: $imgName"
add_images="$add_images $imgName"
fi
fi
done
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
return
fi
logcheckresult "INFO" "Images using ADD" "$add_images"
}
check_4_10() {
local id="4.10"
local desc="Ensure secrets are not stored in Dockerfiles (Manual)"
local remediation="Do not store any kind of secrets within Dockerfiles. Where secrets are required during the build process, make use of a secrets management tool, such as the buildkit builder included with Docker."
local remediationImpact="A proper secrets management process will be required for Docker image building."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_4_11() {
local id="4.11"
local desc="Ensure only verified packages are installed (Manual)"
local remediation="You should use a secure package distribution mechanism of your choice to ensure the authenticity of software packages."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_4_12() {
local id="4.12"
local desc="Ensure all signed artifacts are validated (Manual)"
local remediation="Validate artifacts signatures before uploading to the package registry."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_4_end() {
endsectionjson
}
================================================
FILE: tests/5_container_runtime.sh
================================================
#!/bin/bash
check_5() {
logit ""
local id="5"
local desc="Container Runtime"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_running_containers() {
# If containers is empty, there are no running containers
if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5"
return
fi
# Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$'
'
}
check_5_1() {
local id="5.1"
local desc="Ensure swarm mode is not Enabled, if not needed (Automated)"
local remediation="If swarm mode has been enabled on a system in error, you should run the command: docker swarm leave"
local remediationImpact="Disabling swarm mode will impact the operation of Docker Enterprise components if these are in use."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_5_2() {
if [ -z "$containers" ]; then
return
fi
local id="5.2"
local desc="Ensure that, if applicable, an AppArmor Profile is enabled (Automated)"
local remediation="If AppArmor is applicable for your Linux OS, you should enable it. Alternatively, Docker's default AppArmor policy can be used."
local remediationImpact="The container will have the security controls defined in the AppArmor profile. It should be noted that if the AppArmor profile is misconfigured, this may cause issues with the operation of the container."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
no_apparmor_containers=""
for c in $containers; do
policy=$(docker inspect --format 'AppArmorProfile={{ .AppArmorProfile }}' "$c")
if [ "$policy" = "AppArmorProfile=" ] || [ "$policy" = "AppArmorProfile=[]" ] || [ "$policy" = "AppArmorProfile=<no value>" ] || [ "$policy" = "AppArmorProfile=unconfined" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c"
fail=1
continue
fi
warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c"
fi
done
# We went through all the containers and found none without AppArmor
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
}
check_5_3() {
if [ -z "$containers" ]; then
return
fi
local id="5.3"
local desc="Ensure that, if applicable, SELinux security options are set (Automated)"
local remediation="Set the SELinux State. Set the SELinux Policy. Create or import a SELinux policy template for Docker containers. Start Docker in daemon mode with SELinux enabled. Start your Docker container using the security options."
local remediationImpact="Any restrictions defined in the SELinux policy will be applied to your containers. It should be noted that if your SELinux policy is misconfigured, this may have an impact on the correct operation of the affected containers."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
no_securityoptions_containers=""
for c in $containers; do
policy=$(docker inspect --format 'SecurityOpt={{ .HostConfig.SecurityOpt }}' "$c")
if [ "$policy" = "SecurityOpt=" ] || [ "$policy" = "SecurityOpt=[]" ] || [ "$policy" = "SecurityOpt=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
fail=1
continue
fi
warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c"
fi
done
# We went through all the containers and found none without SELinux
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
}
check_5_4() {
if [ -z "$containers" ]; then
return
fi
local id="5.4"
local desc="Ensure that Linux kernel capabilities are restricted within containers (Automated)"
local remediation="You could remove all the currently configured capabilities and then restore only the ones you specifically use: docker run --cap-drop=all --cap-add={<Capability 1>,<Capability 2>} <Run arguments> <Container Image Name or ID> <Command>"
local remediationImpact="Restrictions on processes within a container are based on which Linux capabilities are in force. Removal of the NET_RAW capability prevents the container from creating raw sockets which is good security practice under most circumstances, but may affect some networking utilities."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
caps_containers=""
for c in $containers; do
container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd }}' "$c")
caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \
sed 's/CAPADD/CapAdd/' | \
sed -r "s/CAP_AUDIT_WRITE|CAP_CHOWN|CAP_DAC_OVERRIDE|CAP_FOWNER|CAP_FSETID|CAP_KILL|CAP_MKNOD|CAP_NET_BIND_SERVICE|CAP_NET_RAW|CAP_SETFCAP|CAP_SETGID|CAP_SETPCAP|CAP_SETUID|CAP_SYS_CHROOT|\s//g" | \
sed -r "s/AUDIT_WRITE|CHOWN|DAC_OVERRIDE|FOWNER|FSETID|KILL|MKNOD|NET_BIND_SERVICE|NET_RAW|SETFCAP|SETGID|SETPCAP|SETUID|SYS_CHROOT|\s//g")
if [ "$caps" != 'CapAdd=' ] && [ "$caps" != 'CapAdd=[]' ] && [ "$caps" != 'CapAdd=<no value>' ] && [ "$caps" != 'CapAdd=<nil>' ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c"
fail=1
continue
fi
warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c"
fi
done
# We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
}
check_5_5() {
if [ -z "$containers" ]; then
return
fi
local id="5.5"
local desc="Ensure that privileged containers are not used (Automated)"
local remediation="You should not run containers with the --privileged flag."
local remediationImpact="If you start a container without the --privileged flag, it will not have excessive default capabilities."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
privileged_containers=""
for c in $containers; do
privileged=$(docker inspect --format '{{ .HostConfig.Privileged }}' "$c")
if [ "$privileged" = "true" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c"
fail=1
continue
fi
warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c"
fi
done
# We went through all the containers and found no privileged containers
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
}
check_5_6() {
if [ -z "$containers" ]; then
return
fi
local id="5.6"
local desc="Ensure sensitive host system directories are not mounted on containers (Automated)"
local remediation="You should not mount directories which are security sensitive on the host within containers, especially in read-write mode."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
# List of sensitive directories to test for. Script uses new-lines as a separator.
# Note the lack of identation. It needs it for the substring comparison.
sensitive_dirs='/
/boot
/dev
/etc
/lib
/proc
/sys
/usr'
fail=0
sensitive_mount_containers=""
for c in $containers; do
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
fi
# Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do
sensitive=0
if echo "$volumes" | grep -e "{.*\s$v\s.*true\s.*}" 2>/tmp/null 1>&2; then
sensitive=1
fi
if [ $sensitive -eq 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fail=1
continue
fi
warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fi
done
done
# We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
}
check_5_7() {
if [ -z "$containers" ]; then
return
fi
local id="5.7"
local desc="Ensure sshd is not run within containers (Automated)"
local remediation="Uninstall the SSH daemon from the container and use docker exec to enter a container on the remote host."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
ssh_exec_containers=""
printcheck=0
for c in $containers; do
processes=$(docker exec "$c" ps -el 2>/dev/null | grep -c sshd | awk '{print $1}')
if [ "$processes" -ge 1 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running sshd: $c"
ssh_exec_containers="$ssh_exec_containers $c"
fail=1
printcheck=1
else
warn " * Container running sshd: $c"
ssh_exec_containers="$ssh_exec_containers $c"
fi
fi
exec_check=$(docker exec "$c" ps -el 2>/dev/null)
if [ $? -eq 265 ]; then
if [ $printcheck -eq 0 ]; then
warn -s "$check"
printcheck=1
fi
warn " * Docker exec fails: $c"
ssh_exec_containers="$ssh_exec_containers $c"
fail=1
fi
done
# We went through all the containers and found none with sshd
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
}
check_5_8() {
if [ -z "$containers" ]; then
return
fi
local id="5.8"
local desc="Ensure privileged ports are not mapped within containers (Automated)"
local remediation="You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
privileged_port_containers=""
for c in $containers; do
# Port format is private port -> ip: public port
ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2)
# iterate through port range (line delimited)
for port in $ports; do
if [ -n "$port" ] && [ "$port" -lt 1025 ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port"
fail=1
continue
fi
warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port"
fi
done
done
# We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
}
check_5_9() {
if [ -z "$containers" ]; then
return
fi
local id="5.9"
local desc="Ensure that only needed ports are open on the container (Manual)"
local remediation="You should ensure that the Dockerfile for each container image only exposes needed ports."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
open_port_containers=""
for c in $containers; do
ports=$(docker port "$c" | awk '{print $0}' | cut -d ':' -f2)
for port in $ports; do
if [ -n "$port" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Port in use: $port in $c"
open_port_containers="$open_port_containers $c:$port"
fail=1
continue
fi
warn " * Port in use: $port in $c"
open_port_containers="$open_port_containers $c:$port"
fi
done
done
# We went through all the containers and found none with open ports
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with open ports" "$open_port_containers"
}
check_5_10() {
if [ -z "$containers" ]; then
return
fi
local id="5.10"
local desc="Ensure that the host's network namespace is not shared (Automated)"
local remediation="You should not pass the --net=host option when starting any container."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
net_host_containers=""
for c in $containers; do
mode=$(docker inspect --format 'NetworkMode={{ .HostConfig.NetworkMode }}' "$c")
if [ "$mode" = "NetworkMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c"
fail=1
continue
fi
warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c"
fi
done
# We went through all the containers and found no Network Mode host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
}
check_5_11() {
if [ -z "$containers" ]; then
return
fi
local id="5.11"
local desc="Ensure that the memory usage for containers is limited (Automated)"
local remediation="You should run the container with only as much memory as it requires by using the --memory argument."
local remediationImpact="If correct memory limits are not set on each container, one process can expand its usage and cause other containers to run out of resources."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
mem_unlimited_containers=""
for c in $containers; do
memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")
if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then
memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")
fi
if [ "$memory" = "0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
fail=1
continue
fi
warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c"
fi
done
# We went through all the containers and found no lack of Memory restrictions
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
}
check_5_12() {
if [ -z "$containers" ]; then
return
fi
local id="5.12"
local desc="Ensure that CPU priority is set appropriately on containers (Automated)"
local remediation="You should manage the CPU runtime between your containers dependent on their priority within your organization. To do so start the container using the --cpu-shares argument."
local remediationImpact="If you do not correctly assign CPU thresholds, the container process may run out of resources and become unresponsive. If CPU resources on the host are not constrainted, CPU shares do not place any restrictions on individual resources."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
cpu_unlimited_containers=""
for c in $containers; do
cpushares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
nanocpus=$(docker inspect --format '{{ .HostConfig.NanoCpus }}' "$c")
if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then
cpushares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
nanocpus=$(docker inspect --format '{{ .Config.NanoCpus }}' "$c")
fi
if [ "$cpushares" = "0" ] && [ "$nanocpus" = "0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fail=1
continue
fi
warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c"
fi
done
# We went through all the containers and found no lack of CPUShare restrictions
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
}
check_5_13() {
if [ -z "$containers" ]; then
return
fi
local id="5.13"
local desc="Ensure that the container's root filesystem is mounted as read only (Automated)"
local remediation="You should add a --read-only flag at a container's runtime to enforce the container's root filesystem being mounted as read only."
local remediationImpact="Enabling --read-only at container runtime may break some container OS packages if a data writing strategy is not defined. You should define what the container's data should and should not persist at runtime in order to decide which strategy to use."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
fsroot_mount_containers=""
for c in $containers; do
read_status=$(docker inspect --format '{{ .HostConfig.ReadonlyRootfs }}' "$c")
if [ "$read_status" = "false" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
fail=1
continue
fi
warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c"
fi
done
# We went through all the containers and found no R/W FS mounts
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
}
check_5_14() {
if [ -z "$containers" ]; then
return
fi
local id="5.14"
local desc="Ensure that incoming container traffic is bound to a specific host interface (Automated)"
local remediation="You should bind the container port to a specific host interface on the desired host port. Example: docker run --detach --publish 10.2.3.4:49153:80 nginx In this example, the container port 80 is bound to the host port on 49153 and would accept incoming connection only from the 10.2.3.4 external interface."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
incoming_unbound_containers=""
for c in $containers; do
for ip in $(docker port "$c" | awk '{print $3}' | cut -d ':' -f1); do
if [ "$ip" = "0.0.0.0" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fail=1
continue
fi
warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fi
done
done
# We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
}
check_5_15() {
if [ -z "$containers" ]; then
return
fi
local id="5.15"
local desc="Ensure that the 'on-failure' container restart policy is set to '5' (Automated)"
local remediation="If you wish a container to be automatically restarted, a sample command is docker run --detach --restart=on-failure:5 nginx"
local remediationImpact="If this option is set, a container will only attempt to restart itself 5 times."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
maxretry_unset_containers=""
for c in $containers; do
container_name=$(docker inspect "$c" --format '{{.Name}}')
if [ "$(docker info --format '{{.Swarm.LocalNodeState}}')" = "active" ]; then
for s in $(docker service ls --format '{{.Name}}'); do
if echo $container_name | grep -q "$s"; then
task_id=$(docker inspect "$c" --format '{{.Name}}' | awk -F '.' '{print $NF}')
# a container name could arbitrary include a service one: it belongs to a service (created by Docker
# as part of the service), if the container task ID matches one of the task IDs of the service.
if docker service ps --no-trunc "$s" --format '{{.ID}}' | grep -q "$task_id"; then
restart_policy=$(docker inspect --format '{{ .Spec.TaskTemplate.RestartPolicy.MaxAttempts }}' "$s")
break
fi
fi
done
fi
if docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c" &>/dev/null; then
restart_policy=$(docker inspect --format '{{ .HostConfig.RestartPolicy.MaximumRetryCount }}' "$c")
fi
if [ "$restart_policy" -gt "5" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1
continue
fi
warn " * MaximumRetryCount is not set to 5 or less: $c"
maxretry_unset_containers="$maxretry_unset_containers $c"
fi
done
# We went through all the containers and they all had MaximumRetryCount=5
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5 or less" "$maxretry_unset_containers"
}
check_5_16() {
if [ -z "$containers" ]; then
return
fi
local id="5.16"
local desc="Ensure that the host's process namespace is not shared (Automated)"
local remediation="You should not start a container with the --pid=host argument."
local remediationImpact="Container processes cannot see processes on the host system."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
pidns_shared_containers=""
for c in $containers; do
mode=$(docker inspect --format 'PidMode={{.HostConfig.PidMode }}' "$c")
if [ "$mode" = "PidMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c"
fail=1
continue
fi
warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c"
fi
done
# We went through all the containers and found none with PidMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
}
check_5_17() {
if [ -z "$containers" ]; then
return
fi
local id="5.17"
local desc="Ensure that the host's IPC namespace is not shared (Automated)"
local remediation="You should not start a container with the --ipc=host argument."
local remediationImpact="Shared memory segments are used in order to accelerate interprocess communications, commonly in high-performance applications. If this type of application is containerized into multiple containers, you might need to share the IPC namespace of the containers in order to achieve high performance. Under these circumstances, you should still only share container specific IPC namespaces and not the host IPC namespace."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
ipcns_shared_containers=""
for c in $containers; do
mode=$(docker inspect --format 'IpcMode={{.HostConfig.IpcMode }}' "$c")
if [ "$mode" = "IpcMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fail=1
continue
fi
warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c"
fi
done
# We went through all the containers and found none with IPCMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
}
check_5_18() {
if [ -z "$containers" ]; then
return
fi
local id="5.18"
local desc="Ensure that host devices are not directly exposed to containers (Manual)"
local remediation="You should not directly expose host devices to containers. If you do need to expose host devices to containers, you should use granular permissions as appropriate to your organization."
local remediationImpact="You would not be able to use host devices directly within containers."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
hostdev_exposed_containers=""
for c in $containers; do
devices=$(docker inspect --format 'Devices={{ .HostConfig.Devices }}' "$c")
if [ "$devices" != "Devices=" ] && [ "$devices" != "Devices=[]" ] && [ "$devices" != "Devices=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
info -c "$check"
info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c"
fail=1
continue
fi
info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c"
fi
done
# We went through all the containers and found none with devices
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
return
fi
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
}
check_5_19() {
if [ -z "$containers" ]; then
return
fi
local id="5.19"
local desc="Ensure that the default ulimit is overwritten at runtime if needed (Manual)"
local remediation="You should only override the default ulimit settings if needed in a specific case."
local remediationImpact="If ulimits are not set correctly, overutilization by individual containers could make the host system unusable."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
no_ulimit_containers=""
for c in $containers; do
ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
if [ "$ulimits" = "Ulimits=" ] || [ "$ulimits" = "Ulimits=[]" ] || [ "$ulimits" = "Ulimits=<no value>" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
info -c "$check"
info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c"
fail=1
continue
fi
info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c"
fi
done
# We went through all the containers and found none without Ulimits
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
return
fi
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
}
check_5_20() {
if [ -z "$containers" ]; then
return
fi
local id="5.20"
local desc="Ensure mount propagation mode is not set to shared (Automated)"
local remediation="Do not mount volumes in shared mode propagation."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
mountprop_shared_containers=""
for c in $containers; do
if docker inspect --format 'Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' "$c" | \
grep shared 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c"
fail=1
continue
fi
warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c"
fi
done
# We went through all the containers and found none with shared propagation mode
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
}
check_5_21() {
if [ -z "$containers" ]; then
return
fi
local id="5.21"
local desc="Ensure that the host's UTS namespace is not shared (Automated)"
local remediation="You should not start a container with the --uts=host argument."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
utcns_shared_containers=""
for c in $containers; do
mode=$(docker inspect --format 'UTSMode={{.HostConfig.UTSMode }}' "$c")
if [ "$mode" = "UTSMode=host" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c"
fail=1
continue
fi
warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c"
fi
done
# We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
}
check_5_22() {
if [ -z "$containers" ]; then
return
fi
local id="5.22"
local desc="Ensure the default seccomp profile is not Disabled (Automated)"
local remediation="By default, seccomp profiles are enabled. You do not need to do anything unless you want to modify and use a modified seccomp profile."
local remediationImpact="With Docker 1.10 and greater, the default seccomp profile blocks syscalls, regardless of -- cap-add passed to the container."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
seccomp_disabled_containers=""
for c in $containers; do
if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | \
grep -E 'seccomp:unconfined|seccomp=unconfined' 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Default seccomp profile disabled: $c"
seccomp_disabled_containers="$seccomp_disabled_containers $c"
fail=1
else
warn " * Default seccomp profile disabled: $c"
seccomp_disabled_containers="$seccomp_disabled_containers $c"
fi
fi
done
# We went through all the containers and found none with default secomp profile disabled
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
}
check_5_23() {
if [ -z "$containers" ]; then
return
fi
local id="5.23"
local desc="Ensure that docker exec commands are not used with the privileged option (Automated)"
local remediation="You should not use the --privileged option in docker exec commands."
local remediationImpact="If you need enhanced capabilities within a container, then run it with all the permissions it requires. These should be specified individually."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_5_24() {
if [ -z "$containers" ]; then
return
fi
local id="5.24"
local desc="Ensure that docker exec commands are not used with the user=root option (Manual)"
local remediation="You should not use the --user=root option in docker exec commands."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "NOTE"
}
check_5_25() {
if [ -z "$containers" ]; then
return
fi
local id="5.25"
local desc="Ensure that cgroup usage is confirmed (Automated)"
local remediation="You should not use the --cgroup-parent option within the docker run command unless strictly required."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
unexpected_cgroup_containers=""
for c in $containers; do
mode=$(docker inspect --format 'CgroupParent={{.HostConfig.CgroupParent }}x' "$c")
if [ "$mode" != "CgroupParent=x" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fail=1
continue
fi
warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fi
done
# We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
}
check_5_26() {
if [ -z "$containers" ]; then
return
fi
local id="5.26"
local desc="Ensure that the container is restricted from acquiring additional privileges (Automated)"
local remediation="You should start your container with the options: docker run --rm -it --security-opt=no-new-privileges ubuntu bash"
local remediationImpact="The no_new_priv option prevents LSMs like SELinux from allowing processes to acquire new privileges."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
no_priv_config=0
addprivs_containers=""
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
no_priv_config=1
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
no_priv_config=1
else
for c in $containers; do
if ! docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'no-new-privileges' 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c"
fail=1
continue
fi
warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c"
fi
done
fi
# We went through all the containers and found none with capability to acquire additional privileges
if [ $fail -eq 0 ] || [ $no_priv_config -eq 1 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
}
check_5_27() {
if [ -z "$containers" ]; then
return
fi
local id="5.27"
local desc="Ensure that container health is checked at runtime (Automated)"
local remediation="You should run the container using the --health-cmd parameter."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
nohealthcheck_containers=""
for c in $containers; do
if ! docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
fail=1
continue
fi
warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c"
fi
done
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
}
check_5_28() {
if [ -z "$containers" ]; then
return
fi
local id="5.28"
local desc="Ensure that Docker commands always make use of the latest version of their image (Manual)"
local remediation="You should use proper version pinning mechanisms (the <latest> tag which is assigned by default is still vulnerable to caching attacks) to avoid extracting cached older versions. Version pinning mechanisms should be used for base images, packages, and entire images. You can customize version pinning rules according to your requirements."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
info -c "$check"
logcheckresult "INFO"
}
check_5_29() {
if [ -z "$containers" ]; then
return
fi
local id="5.29"
local desc="Ensure that the PIDs cgroup limit is used (Automated)"
local remediation="Use --pids-limit flag with an appropriate value when launching the container."
local remediationImpact="Set the PIDs limit value as appropriate. Incorrect values might leave containers unusable."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
nopids_limit_containers=""
for c in $containers; do
pidslimit="$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")"
if [ "$pidslimit" = "0" ] || [ "$pidslimit" = "<nil>" ] || [ "$pidslimit" = "-1" ]; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c"
fail=1
continue
fi
warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c"
fi
done
# We went through all the containers and found all with PIDs limit
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
}
check_5_30() {
if [ -z "$containers" ]; then
return
fi
local id="5.30"
local desc="Ensure that Docker's default bridge 'docker0' is not used (Manual)"
local remediation="You should follow the Docker documentation and set up a user-defined network. All the containers should be run in this network."
local remediationImpact="User-defined networks need to be configured and managed in line with organizational security policy."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
docker_network_containers=""
networks=$(docker network ls -q 2>/dev/null)
for net in $networks; do
if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then
docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
if [ -n "$docker0Containers" ]; then
if [ $fail -eq 0 ]; then
info -c "$check"
fail=1
fi
for c in $docker0Containers; do
if [ -z "$exclude" ]; then
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
else
pattern=$(echo "$exclude" | sed 's/,/|/g')
cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
fi
if [ -n "$cName" ]; then
info " * Container in docker0 network: $cName"
docker_network_containers="$docker_network_containers $c:$cName"
fi
done
fi
fi
done
# We went through all the containers and found none in docker0 network
if [ $fail -eq 0 ]; then
pass -c "$check"
logcheckresult "PASS"
return
fi
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
}
check_5_31() {
if [ -z "$containers" ]; then
return
fi
local id="5.31"
local desc="Ensure that the host's user namespaces are not shared (Automated)"
local remediation="You should not share user namespaces between host and containers."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
hostns_shared_containers=""
for c in $containers; do
if docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c"
fail=1
continue
fi
warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c"
fi
done
# We went through all the containers and found none with host's user namespace shared
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
}
check_5_32() {
if [ -z "$containers" ]; then
return
fi
local id="5.32"
local desc="Ensure that the Docker socket is not mounted inside any containers (Automated)"
local remediation="You should ensure that no containers mount docker.sock as a volume."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
docker_sock_containers=""
for c in $containers; do
if docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c"
fail=1
continue
fi
warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c"
fi
done
# We went through all the containers and found none with docker.sock shared
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers"
}
check_5_end() {
endsectionjson
}
================================================
FILE: tests/6_docker_security_operations.sh
================================================
#!/bin/bash
check_6() {
logit ""
local id="6"
local desc="Docker Security Operations"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_6_1() {
local id="6.1"
local desc="Ensure that image sprawl is avoided (Manual)"
local remediation="You should keep only the images that you actually need and establish a workflow to remove old or stale images from the host. Additionally, you should use features such as pull-by-digest to get specific images from the registry."
local remediationImpact="docker system prune -a removes all exited containers as well as all images and volumes that are not referenced by running containers, including for UCP and DTR."
local check="$id - $desc"
starttestjson "$id" "$desc"
images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
active_images=0
for c in $(docker inspect --format "{{.Image}}" $(docker ps -qa) 2>/dev/null); do
if docker images --no-trunc -a | grep "$c" > /dev/null ; then
active_images=$(( active_images += 1 ))
fi
done
info -c "$check"
info " * There are currently: $images images"
if [ "$active_images" -lt "$((images / 2))" ]; then
info " * Only $active_images out of $images are in use"
fi
logcheckresult "INFO" "$active_images active/$images in use"
}
check_6_2() {
local id="6.2"
local desc="Ensure that container sprawl is avoided (Manual)"
local remediation="You should periodically check your container inventory on each host and clean up containers which are not in active use with the command: docker container prune"
local remediationImpact="You should retain containers that are actively in use, and delete ones which are no longer needed."
local check="$id - $desc"
starttestjson "$id" "$desc"
total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
running_containers=$(docker ps -q | wc -l | awk '{print $1}')
diff="$((total_containers - running_containers))"
info -c "$check"
if [ "$diff" -gt 25 ]; then
info " * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
else
info " * There are currently a total of $total_containers containers, with $running_containers of them currently running"
fi
logcheckresult "INFO" "$total_containers total/$running_containers running"
}
check_6_end() {
endsectionjson
}
================================================
FILE: tests/7_docker_swarm_configuration.sh
================================================
#!/bin/bash
check_7() {
logit ""
local id="7"
local desc="Docker Swarm Configuration"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_7_1() {
local id="7.1"
local desc="Ensure that the minimum number of manager nodes have been created in a swarm (Automated)"
local remediation="If an excessive number of managers is configured, the excess nodes can be demoted to workers using command: docker node demote <manager node ID to be demoted>"
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
managernodes=$(docker node ls | grep -c "Leader")
if [ "$managernodes" -eq 1 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_2() {
local id="7.2"
local desc="Ensure that swarm services are bound to a specific host interface (Automated)"
local remediation="Resolving this issues requires re-initialization of the swarm, specifying a specific interface for the --listen-addr parameter."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
$netbin -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
if [ $? -eq 1 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_3() {
local id="7.3"
local desc="Ensure that all Docker swarm overlay networks are encrypted (Automated)"
local remediation="You should create overlay networks the with --opt encrypted flag."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
unencrypted_networks=""
for encnet in $(docker network ls --filter driver=overlay --quiet); do
if docker network inspect --format '{{.Name}} {{ .Options }}' "$encnet" | \
grep -v 'encrypted:' 2>/dev/null 1>&2; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
fail=1
fi
warn " * Unencrypted overlay network: $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
unencrypted_networks="$unencrypted_networks $(docker network inspect --format '{{ .Name }} ({{ .Scope }})' "$encnet")"
fi
done
# We went through all the networks and found none that are unencrypted
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
}
check_7_4() {
local id="7.4"
local desc="Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual)"
local remediation="You should follow the docker secret documentation and use it to manage secrets effectively."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass -c "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
logcheckresult "INFO"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_5() {
local id="7.5"
local desc="Ensure that swarm manager is run in auto-lock mode (Automated)"
local remediation="If you are initializing a swarm, use the command: docker swarm init --autolock. If you want to set --autolock on an existing swarm manager node, use the command: docker swarm update --autolock."
local remediationImpact="A swarm in auto-lock mode will not recover from a restart without manual intervention from an administrator to enter the unlock key. This may not always be desirable, and should be reviewed at a policy level."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn -s "$check"
logcheckresult "WARN"
return
fi
pass -s "$check"
logcheckresult "PASS"
return
fi
pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_6() {
local id="7.6"
local desc="Ensure that the swarm manager auto-lock key is rotated periodically (Manual)"
local remediation="You should run the command docker swarm unlock-key --rotate to rotate the keys. To facilitate auditing of this recommendation, you should maintain key rotation records and ensure that you establish a pre-defined frequency for key rotation."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note -c "$check"
logcheckresult "NOTE"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_7() {
local id="7.7"
local desc="Ensure that node certificates are rotated as appropriate (Manual)"
local remediation="You should run the command docker swarm update --cert-expiry 48h to set the desired expiry time on the node certificate."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass -c "$check"
logcheckresult "PASS"
return
fi
info -c "$check"
logcheckresult "INFO"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_8() {
local id="7.8"
local desc="Ensure that CA certificates are rotated as appropriate (Manual)"
local remediation="You should run the command docker swarm ca --rotate to rotate a certificate."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info -c "$check"
logcheckresult "INFO"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_9() {
local id="7.9"
local desc="Ensure that management plane traffic is separated from data plane traffic (Manual)"
local remediation="You should initialize the swarm with dedicated interfaces for management and data planes respectively. Example: docker swarm init --advertise-addr=192.168.0.1 --data-path-addr=17.1.0.3"
local remediationImpact="This requires two network interfaces per node."
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info -c "$check"
logcheckresult "INFO"
return
fi
pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS"
}
check_7_end() {
endsectionjson
}
================================================
FILE: tests/8_docker_enterprise_configuration.sh
================================================
#!/bin/bash
check_8() {
logit ""
local id="8"
local desc="Docker Enterprise Configuration"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_product_license() {
enterprise_license=1
if docker version | grep -Eqi '^Server.*Community$|Version.*-ce$'; then
info " * Community Engine license, skipping section 8"
enterprise_license=0
fi
}
check_8_1() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.1"
local desc="Universal Control Plane Configuration"
local check="$id - $desc"
info "$check"
}
check_8_1_1() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.1.1"
local desc="Configure the LDAP authentication service (Automated)"
local remediation="You can configure LDAP integration via the UCP Admin Settings UI. LDAP integration can also be enabled via a configuration file"
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_8_1_2() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.1.2"
local desc="Use external certificates (Automated)"
local remediation="You can configure your own certificates for UCP either during installation or after installation via the UCP Admin Settings user interface."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_8_1_3() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.1.3"
local desc="Enforce the use of client certificate bundles for unprivileged users (Not Scored)"
local remediation="Client certificate bundles can be created in one of two ways. User Management UI: UCP Administrators can provision client certificate bundles on behalf of users. Self-Provision: Users with access to the UCP console can create client certificate bundles themselves."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_8_1_4() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.1.4"
local desc="Configure applicable cluster role-based access control policies (Not Scored)"
local remediation="UCP RBAC components can be configured as required via the UCP User Management UI."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_8_1_5() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.1.5"
local desc="Enable signed image enforcement (Automated)"
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_8_1_6() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.1.6"
local desc="Set the Per-User Session Limit to a value of '3' or lower (Automated)"
local remediation="Retrieve a UCP API token. Retrieve and save UCP config. Open the ucp-config.toml file, set the per_user_limit entry under the [auth.sessions] section to a value of 3 or lower, but greater than 0. Update UCP with the new configuration."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_8_1_7() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.1.7"
local desc="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Automated)"
local remediation="Retrieve a UCP API token. Retrieve and save UCP config. Open the ucp-config.toml file, set the lifetime_minutes and renewal_threshold_minutes entries under the [auth.sessions] section to values of 15 or lower and 0 respectively. Update UCP with the new configuration."
local remediationImpact="Setting the Lifetime Minutes setting to a value that is too lower would result in users having to constantly re-authenticate to their Docker Enterprise cluster."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_8_2() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.2"
local desc="Docker Trusted Registry Configuration"
local check="$id - $desc"
info "$check"
}
check_8_2_1() {
if [ "$enterprise_license" -ne 1 ]; then
return
fi
local id="8.2.1"
local desc="Enable image vulnerability scanning (Automated)"
local remediation="You can navigate to DTR Settings UI and select the Security tab to access the image scanning configuration. Select the Enable Scanning slider to enable this functionality."
local remediationImpact="None."
local check="$id - $desc"
starttestjson "$id" "$desc"
note -c "$check"
logcheckresult "INFO"
}
check_8_end() {
endsectionjson
}
================================================
FILE: tests/99_community_checks.sh
================================================
#!/bin/bash
check_c() {
logit ""
local id="99"
local desc="Community contributed checks"
checkHeader="$id - $desc"
info "$checkHeader"
startsectionjson "$id" "$desc"
}
check_c_1() {
local id="C.1"
local desc="This is a example check for a Automated check"
local remediation="This is an example remediation measure for a Automated check"
local remediationImpact="This is an example remediation impact for a Automated check"
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
info -c "$check"
logcheckresult "INFO"
return
fi
warn -s "$check"
logcheckresult "WARN"
}
check_c_1_1() {
local id="C.1.1"
local desc="This is a example check for a Manual check"
local remediation="This is an example remediation measure for a Manual check"
local remediationImpact="This is an example remediation impact for a Manual check"
local check="$id - $desc"
starttestjson "$id" "$desc"
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass -c "$check"
logcheckresult "PASS"
return
fi
if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
info -c "$check"
logcheckresult "INFO"
return
fi
warn -c "$check"
logcheckresult "WARN"
}
check_c_2() {
docker_version=$(docker version | grep -i -A2 '^server' | grep ' Version:' \
| awk '{print $NF; exit}' | tr -d '[:alpha:]-,.' | cut -c 1-4)
local id="C.2"
local desc="Ensure operations on legacy registry (v1) are Disabled"
local remediation="Start docker daemon with --disable-legacy-registry=false flag. Starting with Docker 17.12, support for V1 registries has been removed, and the --disable-legacy-registry flag can no longer be used."
local remediationImpact="Prevents the docker daemon from pull, push, and login operations against v1 registries."
local check="$id - $desc"
starttestjson "$id" "$desc"
if [ "$docker_version" -lt 1712 ]; then
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass -s "$check"
logcheckresult "PASS"
return
fi
warn -s "$check"
logcheckresult "WARN"
return
fi
local desc="$desc (Deprecated)"
local check="$id - $desc"
info -c "$check"
logcheckresult "INFO"
}
check_c_5_3_1() {
local id="C.5.3.1"
local desc="Ensure that CAP_DAC_READ_SEARCH Linux kernel capability is disabled (Automated)"
local remediation="Please refer to https://github.com/cdk-team/CDK/wiki/Exploit:-cap-dac-read-search for PoC."
local remediationImpact=""
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
caps_containers=""
for c in $containers; do
container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd }}' "$c")
caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \
sed 's/CAPADD/CapAdd/')
if echo "$caps" | grep -q "DAC_READ_SEARCH"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * CAP_DAC_READ_SEARCH added to $c"
caps_containers="$caps_containers $c"
fail=1
continue
fi
warn " * CAP_DAC_READ_SEARCH added to $c"
caps_containers="$caps_containers $c"
fi
done
# We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "CAP_DAC_READ_SEARCH capability added for containers" "$caps_containers"
}
check_c_5_3_2() {
local id="C.5.3.2"
local desc="Ensure that CAP_SYS_MODULE Linux kernel capability is disabled (Automated)"
local remediation="Please refer to https://xcellerator.github.io/posts/docker_escape/ for PoC."
local remediationImpact=""
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
caps_containers=""
for c in $containers; do
container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd }}' "$c")
caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \
sed 's/CAPADD/CapAdd/')
if echo "$caps" | grep -q "SYS_MODULE"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * CAP_SYS_MODULE added to $c"
caps_containers="$caps_containers $c"
fail=1
continue
fi
warn " * CAP_SYS_MODULE added to $c"
caps_containers="$caps_containers $c"
fi
done
# We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "CAP_SYS_MODULE capability added for containers" "$caps_containers"
}
check_c_5_3_3() {
local id="C.5.3.3"
local desc="Ensure that CAP_SYS_ADMIN Linux kernel capability is disabled (Automated)"
local remediation="Please refer to https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/ for PoC."
local remediationImpact=""
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
caps_containers=""
for c in $containers; do
container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd }}' "$c")
caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \
sed 's/CAPADD/CapAdd/')
if echo "$caps" | grep -q "SYS_ADMIN"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * CAP_SYS_ADMIN added to $c"
caps_containers="$caps_containers $c"
fail=1
continue
fi
warn " * CAP_SYS_ADMIN added to $c"
caps_containers="$caps_containers $c"
fi
done
# We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "CAP_SYS_ADMIN capability added for containers" "$caps_containers"
}
check_c_5_3_4() {
local id="C.5.3.4"
local desc="Ensure that CAP_SYS_PTRACE Linux kernel capability is disabled (Automated)"
local remediation="Please refer to https://0xn3va.gitbook.io/cheat-sheets/container/escaping/excessive-capabilities#cap_sys_ptrace"
local remediationImpact=""
local check="$id - $desc"
starttestjson "$id" "$desc"
fail=0
caps_containers=""
for c in $containers; do
container_caps=$(docker inspect --format 'CapAdd={{ .HostConfig.CapAdd }}' "$c")
caps=$(echo "$container_caps" | tr "[:lower:]" "[:upper:]" | \
sed 's/CAPADD/CapAdd/')
if echo "$caps" | grep -q "SYS_PTRACE"; then
# If it's the first container, fail the test
if [ $fail -eq 0 ]; then
warn -s "$check"
warn " * CAP_SYS_PTRACE added to $c"
caps_containers="$caps_containers $c"
fail=1
continue
fi
warn " * CAP_SYS_PTRACE added to $c"
caps_containers="$caps_containers $c"
fi
done
# We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then
pass -s "$check"
logcheckresult "PASS"
return
fi
logcheckresult "WARN" "CAP_SYS_PTRACE capability added for containers" "$caps_containers"
}
check_c_end() {
endsectionjson
}
gitextract__ccq7ioz/
├── .dockerignore
├── .github/
│ └── workflows/
│ ├── issues.yml
│ └── slsa.yml
├── .gitignore
├── CONTRIBUTING.md
├── CONTRIBUTORS.md
├── Dockerfile
├── LICENSE.md
├── MAINTAINERS
├── README.md
├── Vagrantfile
├── docker-bench-security.sh
├── docker-compose.yml
├── functions/
│ ├── functions_lib.sh
│ ├── helper_lib.sh
│ └── output_lib.sh
└── tests/
├── 1_host_configuration.sh
├── 2_docker_daemon_configuration.sh
├── 3_docker_daemon_configuration_files.sh
├── 4_container_images.sh
├── 5_container_runtime.sh
├── 6_docker_security_operations.sh
├── 7_docker_swarm_configuration.sh
├── 8_docker_enterprise_configuration.sh
└── 99_community_checks.sh
Condensed preview — 25 files, each showing path, character count, and a content snippet. Download the .json file or copy for the full structured content (205K chars).
[
{
"path": ".dockerignore",
"chars": 60,
"preview": "*\n!docker-bench-security.sh\n!functions/\n!tests/\n!log/\nlog/*\n"
},
{
"path": ".github/workflows/issues.yml",
"chars": 357,
"preview": "name: Issue assignment\n\non:\n issues:\n types: [opened]\n\npermissions:\n contents: read\n\njobs:\n auto-assign:\n permi"
},
{
"path": ".github/workflows/slsa.yml",
"chars": 2444,
"preview": "---\nname: SLSA\non:\n push:\n release:\n permissions:\n contents: write\n types: [published, released]\n\npermissio"
},
{
"path": ".gitignore",
"chars": 23,
"preview": "log/*\n*.swp*\n.vagrant/\n"
},
{
"path": "CONTRIBUTING.md",
"chars": 1865,
"preview": "# Contributing to Docker Bench for Security\n\nWant to hack on Docker Bench? Awesome! Here are instructions to get you\nsta"
},
{
"path": "CONTRIBUTORS.md",
"chars": 2390,
"preview": "The following people, listed in alphabetical order, have contributed to docker-bench-security:\n\n* alberto <alberto@tutum"
},
{
"path": "Dockerfile",
"chars": 512,
"preview": "FROM alpine:3.18@sha256:eece025e432126ce23f223450a0326fbebde39cdf496a85d8c016293fc851978\n\nLABEL \\\n org.label-schema.nam"
},
{
"path": "LICENSE.md",
"chars": 11343,
"preview": " Apache License\n Version 2.0, January 2004\n "
},
{
"path": "MAINTAINERS",
"chars": 943,
"preview": "# Docker Bench for Security maintainers file\n#\n# This file describes who runs the docker/docker-bench-security project a"
},
{
"path": "README.md",
"chars": 6534,
"preview": "# Docker Bench for Security\n\n\n\nThe Docker Bench for Security "
},
{
"path": "Vagrantfile",
"chars": 672,
"preview": "Vagrant.configure(\"2\") do |config|\n config.vbguest.installer_options = { allow_kernel_upgrade: true }\n config.vm.provi"
},
{
"path": "docker-bench-security.sh",
"chars": 7386,
"preview": "#!/bin/bash\n# --------------------------------------------------------------------------------------------\n# Docker Benc"
},
{
"path": "docker-compose.yml",
"chars": 599,
"preview": "services:\n docker-bench-security:\n # use image if you have a dedicated build step:\n # docker build --rm -t "
},
{
"path": "functions/functions_lib.sh",
"chars": 7420,
"preview": "#!/bin/sh\n\nhost_configuration() {\n check_1\n check_1_1\n check_1_1_1\n check_1_1_2\n check_1_1_3\n check_1_1_4\n check_"
},
{
"path": "functions/helper_lib.sh",
"chars": 4598,
"preview": "#!/bin/bash\n\n# Returns the absolute path of a given string\nabspath () { case \"$1\" in /*)printf \"%s\\n\" \"$1\";; *)printf \"%"
},
{
"path": "functions/output_lib.sh",
"chars": 5398,
"preview": "#!/bin/bash\n\nbldred='\\033[1;31m' # Bold Red\nbldgrn='\\033[1;32m' # Bold Green\nbldblu='\\033[1;34m' # Bold Blue\nbldylw='\\03"
},
{
"path": "tests/1_host_configuration.sh",
"chars": 24024,
"preview": "#!/bin/bash\n\ncheck_1() {\n logit \"\"\n local id=\"1\"\n local desc=\"Host Configuration\"\n checkHeader=\"$id - $desc\"\n info "
},
{
"path": "tests/2_docker_daemon_configuration.sh",
"chars": 16116,
"preview": "#!/bin/bash\n\ncheck_2() {\n logit \"\"\n local id=\"2\"\n local desc=\"Docker daemon configuration\"\n checkHeader=\"$id - $desc"
},
{
"path": "tests/3_docker_daemon_configuration_files.sh",
"chars": 22314,
"preview": "#!/bin/bash\n\ncheck_3() {\n logit \"\"\n local id=\"3\"\n local desc=\"Docker daemon configuration files\"\n checkHeader=\"$id -"
},
{
"path": "tests/4_container_images.sh",
"chars": 10168,
"preview": "#!/bin/bash\n\ncheck_4() {\n logit \"\"\n local id=\"4\"\n local desc=\"Container Images and Build File\"\n checkHeader=\"$id - $"
},
{
"path": "tests/5_container_runtime.sh",
"chars": 44705,
"preview": "#!/bin/bash\n\ncheck_5() {\n logit \"\"\n local id=\"5\"\n local desc=\"Container Runtime\"\n checkHeader=\"$id - $desc\"\n info \""
},
{
"path": "tests/6_docker_security_operations.sh",
"chars": 2432,
"preview": "#!/bin/bash\n\ncheck_6() {\n logit \"\"\n local id=\"6\"\n local desc=\"Docker Security Operations\"\n checkHeader=\"$id - $desc\""
},
{
"path": "tests/7_docker_swarm_configuration.sh",
"chars": 7262,
"preview": "#!/bin/bash\n\ncheck_7() {\n logit \"\"\n local id=\"7\"\n local desc=\"Docker Swarm Configuration\"\n checkHeader=\"$id - $desc\""
},
{
"path": "tests/8_docker_enterprise_configuration.sh",
"chars": 4903,
"preview": "#!/bin/bash\n\ncheck_8() {\n logit \"\"\n local id=\"8\"\n local desc=\"Docker Enterprise Configuration\"\n checkHeader=\"$id - $"
},
{
"path": "tests/99_community_checks.sh",
"chars": 7736,
"preview": "#!/bin/bash\n\ncheck_c() {\n logit \"\"\n local id=\"99\"\n local desc=\"Community contributed checks\"\n checkHeader=\"$id - $de"
}
]
About this extraction
This page contains the full source code of the docker/docker-bench-security GitHub repository, extracted and formatted as plain text for AI agents and large language models (LLMs). The extraction includes 25 files (187.7 KB), approximately 54.8k tokens. Use this with OpenClaw, Claude, ChatGPT, Cursor, Windsurf, or any other AI tool that accepts text input. You can copy the full output to your clipboard or download it as a .txt file.
Extracted by GitExtract — free GitHub repo to text converter for AI. Built by Nikandr Surkov.