Merge pull request #199 from konstruktoid/info_messages

update info messages, not scored

Author: konstruktoid

tests/1_host_configuration.sh

@@ -22,16 +22,20 @@ else
   pass "$check_1_2"
 fi
 
+# 1.3
+check_1_3="1.3  - Harden the container host"
+info "$check_1_3"
+
 # 1.4
 check_1_4="1.4  - Remove all non-essential services from the host - Network"
 # Check for listening network services.
 listening_services=$(netstat -na | grep -v tcp6 | grep -v unix | grep -c LISTEN)
 if [ "$listening_services" -eq 0 ]; then
-  warn "1.4  - Failed to get listening services for check: $check_1_4"
+  info "1.4  - Failed to get listening services for check: $check_1_4"
 else
   if [ "$listening_services" -gt 5 ]; then
-    warn "$check_1_4"
-    warn "     * Host listening on: $listening_services ports"
+    info "$check_1_4"
+    info "     * Host listening on: $listening_services ports"
 else
     pass "$check_1_4"
   fi
@@ -45,8 +49,8 @@ docker_current_version="1.13.0"
 docker_current_date="2017-01-18"
 do_version_check "$docker_current_version" "$docker_version"
 if [ $? -eq 11 ]; then
-  warn "$check_1_5"
-  warn "     * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
+  info "$check_1_5"
+  info "     * Using $docker_version, when $docker_current_version is current as of $docker_current_date"
   info "     * Your operating system vendor may provide support and security maintenance for docker"
 else
   pass "$check_1_5"

tests/2_docker_daemon_configuration.sh

@@ -78,7 +78,7 @@ fi
 
 
 # 2.7
-check_2_7="2.7 - Set default ulimit as appropriate"
+check_2_7="2.7  - Set default ulimit as appropriate"
 get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1
 if [ $? -eq 0 ]; then
   pass "$check_2_7"

tests/4_container_images.sh

@@ -40,6 +40,18 @@ set +f; unset IFS
 
 images=$(docker images -q)
 
+# 4.2
+check_4_2="4.2  - Use trusted base images for containers"
+info "$check_4_2"
+
+# 4.3
+check_4_3="4.3  - Do not install unnecessary packages in the container"
+info "$check_4_3"
+
+# 4.4
+check_4_4="4.4  - Scan and rebuild the images to include security patches"
+info "$check_4_4"
+
 # 4.5
 check_4_5="4.5  - Enable Content trust for Docker"
 if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
@@ -88,6 +100,10 @@ if [ $fail -eq 0 ]; then
   pass "$check_4_7"
 fi
 
+# 4.8
+check_4_8="4.8  - Remove setuid and setgid permissions in the images"
+info "$check_4_8"
+
 # 4.9
 check_4_9="4.9  - Use COPY instead of ADD in Dockerfile"
 fail=0
@@ -107,3 +123,11 @@ done
 if [ $fail -eq 0 ]; then
   pass "$check_4_9"
 fi
+
+# 4.10
+check_4_10="4.10 - Do not store secrets in Dockerfiles"
+info "$check_4_10"
+
+# 4.11
+check_4_11="4.11 - Install verified packages only"
+info "$check_4_11"

tests/5_container_runtime.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 logit "\n"
-info "5  - Container Runtime"
+info "5 - Container Runtime"
 
 # If containers is empty, there are no running containers
 if [ -z "$containers" ]; then
@@ -207,8 +207,12 @@ else
       pass "$check_5_7"
   fi
 
+  # 5.8
+  check_5_8="5.8  - Open only needed ports on container"
+  info "$check_5_8"
+
   # 5.9
-  check_5_9="5.9 - Do not share the host's network namespace"
+  check_5_9="5.9  - Do not share the host's network namespace"
 
   fail=0
   for c in $containers; do
@@ -519,6 +523,13 @@ else
       pass "$check_5_21"
   fi
 
+  # 5.22
+  check_5_22="5.22 - Do not docker exec commands with privileged option"
+  info "$check_5_22"
+
+  # 5.23
+  check_5_23="5.23 - Do not docker exec commands with user option"
+  info "$check_5_23"
 
   # 5.24
   check_5_24="5.24 - Confirm cgroup usage"
@@ -586,6 +597,10 @@ else
       pass "$check_5_26"
   fi
 
+  # 5.27
+  check_5_27="5.27 - Ensure docker commands always get the latest version of the image"
+  info "$check_5_27"
+
   # 5.28
   check_5_28="5.28 - Use PIDs cgroup limit"
 
@@ -597,10 +612,10 @@ else
       # If it's the first container, fail the test
       if [ $fail -eq 0 ]; then
         warn "$check_5_28"
-        warn "     * PID limit not set: $c"
+        warn "     * PIDs limit not set: $c"
         fail=1
       else
-        warn "     * PID limit not set: $c"
+        warn "     * PIDs limit not set: $c"
       fi
     fi
   done
@@ -621,11 +636,11 @@ else
       docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
       if [ -n "$docker0Containers" ]; then
         if [ $fail -eq 0 ]; then
-          warn "$check_5_29"
+          info "$check_5_29"
           fail=1
         fi
         for c in $docker0Containers; do
-          warn "     * Container in docker0 network: $c"
+          info "     * Container in docker0 network: $c"
         done
       fi
     fi

tests/6_docker_security_operations.sh

@@ -1,10 +1,22 @@
 #!/bin/sh
 
 logit "\n"
-info "6  - Docker Security Operations"
+info "6 - Docker Security Operations"
+
+# 6.1
+check_6_1="6.1  - Perform regular security audits of your host system and containers"
+info "$check_6_1"
+
+# 6.2
+check_6_2="6.2  - Monitor Docker containers usage, performance and metering"
+info "$check_6_2"
+
+# 6.3
+check_6_3="6.3  - Backup container data"
+info "$check_6_3"
 
 # 6.4
-check_6_4="6.4 - Avoid image sprawl"
+check_6_4="6.4  - Avoid image sprawl"
 images=$(docker images -q | sort -u | wc -l | awk '{print $1}')
 active_images=0
 
@@ -14,26 +26,21 @@ for c in $(docker inspect -f "{{.Image}}" $(docker ps -qa)); do
   fi
 done
 
-if [ "$images" -gt 100 ]; then
-  warn "$check_6_4"
-  warn "     * There are currently: $images images"
-else
   info "$check_6_4"
   info "     * There are currently: $images images"
-fi
 
 if [ "$active_images" -lt "$((images / 2))" ]; then
-  warn "     * Only $active_images out of $images are in use"
+  info "     * Only $active_images out of $images are in use"
 fi
 
 # 6.5
-check_6_5="6.5 - Avoid container sprawl"
+check_6_5="6.5  - Avoid container sprawl"
 total_containers=$(docker info 2>/dev/null | grep "Containers" | awk '{print $2}')
 running_containers=$(docker ps -q | wc -l | awk '{print $1}')
 diff="$((total_containers - running_containers))"
 if [ "$diff" -gt 25 ]; then
-  warn "$check_6_5"
-  warn "     * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
+  info "$check_6_5"
+  info "     * There are currently a total of $total_containers containers, with only $running_containers of them currently running"
 else
   info "$check_6_5"
   info "     * There are currently a total of $total_containers containers, with $running_containers of them currently running"