Commit c491038

authored
Merge pull request #204 from konstruktoid/113_5
1.13 Section 5
2 parents ea4205d + 7f87db0 commit c491038

1 file changed

+16
-26
lines changed

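--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@@ -11,7 +11,7 @@ else
 set -f; IFS=$'
 '
 # 5.1
-check_5_1="5.1 - Verify AppArmor Profile, if applicable"
+check_5_1="5.1 - Do not disable AppArmor Profile"
 
 fail=0
 for c in $containers; do
@@ -116,17 +116,15 @@ else
 /usr'
 fail=0
 for c in $containers; do
-docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2
-
-if [ $? -eq 0 ]; then
+if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
 volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
 else
 volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
 fi
 # Go over each directory in sensitive dir and see if they exist in the volumes
 for v in $sensitive_dirs; do
 sensitive=0
-contains "$volumes" "$v:" && sensitive=1
+contains "$volumes" "$v" && sensitive=1
 if [ $sensitive -eq 1 ]; then
 # If it's the first container, fail the test
 if [ $fail -eq 0 ]; then
@@ -433,7 +431,6 @@ else
 # 5.18
 check_5_18="5.18 - Override default ulimit at runtime only if needed"
 
-# List all the running containers, ouput their ID and host devices
 fail=0
 for c in $containers; do
 ulimits=$(docker inspect --format 'Ulimits={{ .HostConfig.Ulimits }}' "$c")
@@ -505,9 +502,7 @@ else
 
 fail=0
 for c in $containers; do
-docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2
-
-if [ $? -eq 0 ]; then
+if docker inspect --format 'SecurityOpt={{.HostConfig.SecurityOpt }}' "$c" | grep 'seccomp:unconfined' 2>/dev/null 1>&2; then
 # If it's the first container, fail the test
 if [ $fail -eq 0 ]; then
 warn "$check_5_21"
@@ -541,11 +536,11 @@ else
 if [ "$mode" != "CgroupParent=x" ]; then
 # If it's the first container, fail the test
 if [ $fail -eq 0 ]; then
-info "$check_5_24"
-info " * Confirm cgroup usage: $c"
+warn "$check_5_24"
+warn " * Confirm cgroup usage: $c"
 fail=1
 else
-info " * Confirm cgroup usage: $c"
+warn " * Confirm cgroup usage: $c"
 fi
 fi
 done
@@ -582,8 +577,7 @@ else
 
 fail=0
 for c in $containers; do
-docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2
-if [ $? -ne 0 ]; then
+if ! docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' "$c" 2>/dev/null 1>&2; then
 if [ $fail -eq 0 ]; then
 warn "$check_5_26"
 warn " * Health check not set: $c"
@@ -608,7 +602,7 @@ else
 for c in $containers; do
 pidslimit=$(docker inspect --format '{{.HostConfig.PidsLimit }}' "$c")
 
-if [ $pidslimit -le 0 ]; then
+if [ "$pidslimit" -le 0 ]; then
 # If it's the first container, fail the test
 if [ $fail -eq 0 ]; then
 warn "$check_5_28"
@@ -630,17 +624,17 @@ else
 fail=0
 networks=$(docker network ls -q 2>/dev/null)
 for net in $networks; do
-docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1
-
-if [ $? -eq 0 ]; then
-docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" 2>/dev/null)
+if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then
+docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
+sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
 if [ -n "$docker0Containers" ]; then
 if [ $fail -eq 0 ]; then
 info "$check_5_29"
 fail=1
 fi
 for c in $docker0Containers; do
-info " * Container in docker0 network: $c"
+cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
+info " * Container in docker0 network: $cName"
 done
 fi
 fi
@@ -655,9 +649,7 @@ else
 
 fail=0
 for c in $containers; do
-docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1
-
-if [ $? -eq 0 ]; then
+if docker inspect --format '{{ .HostConfig.UsernsMode }}' "$c" 2>/dev/null | grep -i 'host' >/dev/null 2>&1; then
 # If it's the first container, fail the test
 if [ $fail -eq 0 ]; then
 warn "$check_5_30"
@@ -678,9 +670,7 @@ else
 
 fail=0
 for c in $containers; do
-docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1
-
-if [ $? -eq 0 ]; then
+if docker inspect --format '{{ .Mounts }}' "$c" 2>/dev/null | grep 'docker.sock' >/dev/null 2>&1; then
 # If it's the first container, fail the test
 if [ $fail -eq 0 ]; then
 warn "$check_5_31"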
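Review bot: Dropping the trailing colon in `contains "$volumes" "$v" && sensitive=1` (hunk `@@ -116,17 +116,15 @@`, the sensitive host-directory check) turns the test into a bare substring match, so `/etc` now also flags a mount such as `/etcd-data`, and if `/` is among `$sensitive_dirs` (the list ends with `/usr'` but starts outside the hunk) every container with any mount at all will be reported as mounting the host root. The colon presumably belonged to the older `.VolumesRW` map output and is absent from the `.Mounts` rendering, which is why the commit removed it, but the replacement should still anchor on a whole path rather than a substring. Since `IFS` is already set to a newline at the top of the file, a safer form is to render one source path per line, `volumes=$(docker inspect --format '{{ range .Mounts }}{{ .Source }}{{ "\n" }}{{ end }}' "$c")`, and then compare each `$volumes` entry to `$v` with `[ "$m" = "$v" ]` inside a `for m in $volumes` loop instead of calling `contains`. The `contains` helper and the `$sensitive_dirs` definition sit outside this hunk, so confirm their exact semantics before tightening the match; a comment on the `contains` line stating whether prefix or exact matching is intended would also help the next reader.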
