#!/bin/bash
# Applies and/or checks a subset of the Docker STIG controls (V-2358xx) on the local host:
# file ownership/permissions, daemon.json settings and per-container inspect checks.
# Must run as root and needs jq plus the audit tools (checked further down).
# NOTE: only `set -e` is enabled -- no `-u` and no `pipefail`. A pipeline used directly
# as an `if` condition is unaffected, but a failing first stage inside $(...) is masked,
# and a failing $(...) assignment aborts the script without any message.
set -e
# Colours
# Stored as the literal text `\e[...m` (single quotes), not a real escape byte; every
# consumer below prints them through `echo -e` / `printf %b`, which interpret `\e`.
CMD='\e[0;34m'
CMDB='\e[1;34m'
DBG='\e[2;30m'
WRN='\e[0;33m'
ERR='\e[0;31m'
OK='\e[0;32m'
NC='\e[0m'
# Print the usage text and the flag table to stdout.
# Globals read: CMD, NC (colour codes, expanded by printf %b). Uses ${0} as the program name.
function display_help() {
  local rule='---------------------------------------------------------------------------------------------------------------'
  printf '%s\n' "Usage IE:" "${0} --verbose" "" "Flag Description"
  printf '%s\n' "${rule}"
  printf '%b\n' \
    "| ${CMD}-h|--help${NC} | Display this help menu |" \
    "| ${CMD}-v|--verbose${NC} | Show output of STIG validation commands |"
  printf '%s\n' "${rule}"
}
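# Command line opts
# Recognised flags: -v/--verbose (print the command and its output behind every check,
# via the SHOW_ARTIFACT global) and -h/--help (usage, exit 1). Anything else is an error.
# Globals written: SHOW_ARTIFACT.
parse_args() {
  local arg
  for arg in "$@"; do
    case "${arg}" in
      -v|--verbose)
        SHOW_ARTIFACT=true
        ;;
      -h|--help)
        display_help
        exit 1
        ;;
      *)
        # Diagnostics go to stderr so they cannot be mistaken for report lines.
        # (The former call to an undefined `cleanup_log` here made `set -e` abort
        # with status 127 before the intended `exit 1`.)
        echo "Unknown option ${arg}" >&2
        display_help >&2
        exit 1
        ;;
    esac
  done
}
parse_args "$@"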
# Refuse to run unprivileged: the script chowns/chmods system files and edits daemon.json.
[[ ${EUID} -eq 0 ]] || { echo "This script must be run as root"; exit 1; }
# Hard prerequisites. $1 is the binary looked up on PATH, $2 the package named in the
# error message. A missing tool is reported on stderr and aborts with status 1.
require_cmd() {
  local bin=$1 pkg=$2
  command -v "${bin}" &>/dev/null && return 0
  echo >&2 "The ${pkg} package is required, please install and restart the script. Aborting."
  exit 1
}
require_cmd jq jq
require_cmd auditctl audit
require_cmd ausearch audit
# Pretty logging
# One report line per STIG check on stdout: "<STIG id>, <STATUS>, <detail>".
# The status word is coloured; %b expands the colour escapes (and, as before, any
# backslash escapes contained in the message text itself).
_log_line() {
  printf '%b\n' "$1, $2, $3"
}
log_success() { _log_line "$1" "${OK}PASS${NC}" "$2"; }
log_failure() { _log_line "$1" "${ERR}FAIL${NC}" "$2"; }
log_na()      { _log_line "$1" "${CMD}N/A${NC}" "$2"; }
log_manual()  { _log_line "$1" "${WRN}MANUAL${NC}" "$2"; }
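DOCKER_DAEMON_JSON_PATH=/etc/docker/daemon.json
# NOTE(review): V-235865/V-235866 (socket owned root:docker, mode 660) are applied to this
# path, which is the containerd socket rather than the Docker API socket. Handing the
# docker group access to containerd is root-equivalent in the same way as docker.sock,
# but confirm this is the intended target -- /var/run/docker.sock is not touched here.
DOCKER_SOCK_PATH=/run/containerd/containerd.sock
DOCKER_LEGACY_CONF=/etc/default/docker
DEFAULT_DOCKER_PATH=/var/lib/docker
ETC_DOCKER_PATH=/etc/docker/
# Unit file locations; some distributions keep these under /usr/lib/systemd/system instead.
DOCKER_SOCKET_PATH=/lib/systemd/system/docker.socket
DOCKER_SERVICE_PATH=/lib/systemd/system/docker.service
# Interface and first IPv4 address of the default route. PRI_IP becomes daemon.json "ip"
# (the default host address for published container ports) in the V-235820 step.
PRI_INTERFACE=$(ip route | grep -m 1 'default via' | grep -Po '(?<=dev )\S+' || true)
PRI_IP=""
if [[ -n "${PRI_INTERFACE}" ]]; then
  # head -n 1: an interface with several addresses would otherwise yield a multi-line
  # value that ends up verbatim inside daemon.json.
  PRI_IP=$(ip -f inet addr show "${PRI_INTERFACE}" | grep -Po '(?<=inet )(\d{1,3}\.)+\d{1,3}' | head -n 1 || true)
fi
# Without an address the prompt below would offer an empty string and V-235820 would
# write "ip": "" -- stop with a message instead of a silent set -e abort.
if [[ -z "${PRI_IP}" ]]; then
  echo "Could not determine a primary IPv4 address (interface: '${PRI_INTERFACE:-none}'), manually set the PRI_INTERFACE and PRI_IP variables in the script as desired." >&2
  exit 1
fi
read -rp "Please verify that ${PRI_IP} is the IP address that docker should bind to (y/n)? " choice
case "${choice}" in
  y|Y )
    ;;
  n|N )
    echo "Cannot continue, manually set the PRI_INTERFACE and PRI_IP variables in the script as desired."
    exit 1
    ;;
  * )
    echo "Invalid Response"
    echo "Installation cannot continue"
    exit 1
    ;;
esac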
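# Make sure daemon.json exists (empty object) or back it up before anything edits it.
if [[ ! -f "${DOCKER_DAEMON_JSON_PATH}" ]]; then
  echo "${DOCKER_DAEMON_JSON_PATH} does not exist, creating"
  echo "{}" > "${DOCKER_DAEMON_JSON_PATH}"
else
  # Every later edit pipes this file through jq; a syntactically broken file would make
  # set -e abort the run part-way through the changes below, so reject it up front.
  if ! jq -e . "${DOCKER_DAEMON_JSON_PATH}" >/dev/null 2>&1; then
    echo "ERROR: ${DOCKER_DAEMON_JSON_PATH} is not valid JSON, fix it and rerun" >&2
    exit 1
  fi
  # Single fixed backup path: a rerun overwrites the previous backup with the already
  # modified file, so keep a copy elsewhere if the pristine original must be recoverable.
  cp -- "${DOCKER_DAEMON_JSON_PATH}" "${DOCKER_DAEMON_JSON_PATH}.bak"
  echo "A backup of the docker daemon configuration has been placed at ${DOCKER_DAEMON_JSON_PATH}.bak"
fi
# The socket checks below chown/chmod this path; bail out if it is not a socket.
if [[ ! -S "${DOCKER_SOCK_PATH}" ]]; then
  echo "ERROR: Docker sock at ${DOCKER_SOCK_PATH} does not exist, exiting"
  exit 1
fi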
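# Ownership / permission hardening of the Docker configuration files and sockets.
# Each helper applies one change, prints the PASS line for its STIG id and, with
# --verbose, the `stat` command and output an assessor would use to confirm it.
show_stat() {
  # $1: stat format (%U:%G or %a), $2: path.
  local fmt=$1 path=$2
  if [[ -n "${SHOW_ARTIFACT}" ]]; then
    echo "Command: stat -c ${fmt} ${path}"
    echo "Output: $(stat -c "${fmt}" -- "${path}")"
  fi
}
set_owner() {
  # $1: STIG id, $2: path, $3: user:group, $4: report message.
  local stig=$1 path=$2 owner=$3 msg=$4
  chown "${owner}" -- "${path}"
  log_success "${stig}" "${msg}"
  show_stat %U:%G "${path}"
}
set_mode() {
  # $1: STIG id, $2: path, $3: octal mode, $4: report message.
  local stig=$1 path=$2 mode=$3 msg=$4
  chmod "${mode}" -- "${path}"
  log_success "${stig}" "${msg}"
  show_stat %a "${path}"
}
set_owner V-235867 "${DOCKER_DAEMON_JSON_PATH}" root:root "set daemon.json ownership to root:root"
set_mode  V-235868 "${DOCKER_DAEMON_JSON_PATH}" 0644 "set daemon.json permissions to 644"
# The docker group is root-equivalent; the chown fails (and set -e aborts) if it does not exist.
set_mode  V-235866 "${DOCKER_SOCK_PATH}" 0660 "Set docker sock permission to 660"
set_owner V-235865 "${DOCKER_SOCK_PATH}" root:docker "Set docker sock ownership to root:docker"
if [[ ! -f "${DOCKER_LEGACY_CONF}" ]]; then
  log_na 'V-235869' 'Legacy Docker configuration file not present.'
  log_na "V-235870" "Legacy Docker configuration file not present."
else
  set_owner V-235869 "${DOCKER_LEGACY_CONF}" root:root 'Set ownership of legacy docker conf file to root:root.'
  # Message names the file actually changed (it used to print ${DEFAULT_DOCKER_PATH}).
  set_mode  V-235870 "${DOCKER_LEGACY_CONF}" 0644 "Set ${DOCKER_LEGACY_CONF} permissions to 644"
fi
set_owner V-235855 "${ETC_DOCKER_PATH}" root:root "Set ${ETC_DOCKER_PATH} ownership to root:root"
set_mode  V-235856 "${ETC_DOCKER_PATH}" 755 "Set ${ETC_DOCKER_PATH} permissions to 755"
# The unit files may live elsewhere (e.g. /usr/lib/systemd/system); a missing file used
# to make chown fail and, with set -e, abort the whole run. Report instead.
if [[ -f "${DOCKER_SOCKET_PATH}" ]]; then
  set_owner V-235853 "${DOCKER_SOCKET_PATH}" root:root "Set docker.socket file ownership to root:root"
  set_mode  V-235854 "${DOCKER_SOCKET_PATH}" 0644 "Set docker.socket file permissions to 644"
else
  log_manual 'V-235853' "${DOCKER_SOCKET_PATH} not found, locate the docker.socket unit file and set ownership to root:root"
  log_manual 'V-235854' "${DOCKER_SOCKET_PATH} not found, locate the docker.socket unit file and set permissions to 644"
fi
if [[ -f "${DOCKER_SERVICE_PATH}" ]]; then
  set_owner V-235851 "${DOCKER_SERVICE_PATH}" root:root "Set docker.service file ownership to root:root"
  set_mode  V-235852 "${DOCKER_SERVICE_PATH}" 0644 "Set docker.service file permissions to 0644"
else
  log_manual 'V-235851' "${DOCKER_SERVICE_PATH} not found, locate the docker.service unit file and set ownership to root:root"
  log_manual 'V-235852' "${DOCKER_SERVICE_PATH} not found, locate the docker.service unit file and set permissions to 0644"
fi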
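# V-235812: no container may run with seccomp disabled.
# The ucp/kube/dtr platform containers are excluded by name (as in the other checks)
# and the `docker ps` header row is dropped before the IDs reach docker inspect.
# Only a seccomp=unconfined / seccomp:unconfined entry counts: a bare "unconfined"
# match would also trip on apparmor=unconfined, which V-235799 covers separately.
SECCOMP_FMT='{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'
if docker ps --all | tail -n +2 | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' \
    | xargs --no-run-if-empty docker inspect --format "${SECCOMP_FMT}" \
    | grep -iqE 'seccomp[=:]unconfined'; then
  log_failure "V-235812" "found container with seccomp unconfined."
else
  log_success "V-235812" "no seccomp unconfined containers found"
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  # \$1 keeps the awk field reference literal (it used to be expanded by the shell).
  echo "Command: docker ps --all | tail -n +2 | grep -iv \"ucp\|kube\|dtr\" | awk '{print \$1}' | xargs --no-run-if-empty docker inspect --format '${SECCOMP_FMT}'"
  echo "Output: $(docker ps --all | tail -n +2 | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs --no-run-if-empty docker inspect --format "${SECCOMP_FMT}")"
fi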
# V-235844: containers must not override the daemon's default ulimits.
# A container without its own ulimits appears to render Ulimits as "<no value>"; any
# other rendering is printed by grep and then reported as a FAIL.
ULIMIT_FMT='{{ .Id }}: Ulimits={{ .HostConfig.Ulimits }}'
if docker ps -aq | xargs --no-run-if-empty -- docker inspect --format "${ULIMIT_FMT}" 2>/dev/null | grep -v "no value"; then
  log_failure "V-235844" "container overrides ulimit"
else
  log_success "V-235844" "no containers override default ulimit"
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs docker inspect --format '${ULIMIT_FMT}' "
  echo "Output: $(docker ps -aq | xargs docker inspect --format "${ULIMIT_FMT}")"
fi
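# V-235786: log rotation limits (log-opts max-size and max-file) in daemon.json.
# Both keys present -> PASS; otherwise the assessor must set them by hand. Previously
# both branches reported MANUAL, so a compliant file was never recognised.
# NOTE(review): these options belong to the json-file/local log drivers. If the driver is
# switched to syslog later in this script (V-235831), dockerd may reject log-opts that
# the syslog driver does not understand -- confirm the two settings agree.
if jq -e '(."log-opts" // {}) | has("max-size") and has("max-file")' "${DOCKER_DAEMON_JSON_PATH}" >/dev/null 2>&1; then
  log_success "V-235786" "log-opts max-size and max-file are set in ${DOCKER_DAEMON_JSON_PATH}"
else
  log_manual "V-235786" "Manually set max-size and max-file in the daemon.json file, if the version of Docker that is installed supports this feature."
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: jq '.\"log-opts\"' ${DOCKER_DAEMON_JSON_PATH}"
  echo "Output: $(jq '."log-opts"' "${DOCKER_DAEMON_JSON_PATH}")"
fi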
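# V-235789: no insecure (plain HTTP / unverified TLS) registries may be configured.
# The setting can come from the dockerd command line (--insecure-registry) ...
if pgrep -af dockerd | grep --quiet 'insecure-registry'; then
  log_failure "V-235789" "insecure Registries are configured."
else
  log_success "V-235789" "no insecure Registries configured."
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: pgrep -af dockerd "
  echo "Output: $(pgrep -af dockerd)"
fi
# ... or from daemon.json, where the key is the plural "insecure-registries". The
# previous grep for the singular 'insecure-registry' could never match that key, so
# this half of the check always passed. An empty list counts as "none configured".
if jq -e '(."insecure-registries" // []) | length > 0' "${DOCKER_DAEMON_JSON_PATH}" >/dev/null 2>&1; then
  log_failure "V-235789" "insecure Registries are configured."
else
  log_success "V-235789" "no insecure Registries configured."
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: jq '.\"insecure-registries\"' ${DOCKER_DAEMON_JSON_PATH}"
  echo "Output $(jq '."insecure-registries"' "${DOCKER_DAEMON_JSON_PATH}")"
fi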
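# V-235784 / V-235785: no container may share the host PID or IPC namespace.
# The `docker ps` header row is dropped before the IDs reach docker inspect; it used to
# be passed along as a bogus container name with the resulting error hidden by 2>/dev/null.
_ns_container_ids() {
  # IDs of all containers except the ucp/kube/dtr platform ones.
  docker ps --all | tail -n +2 | grep -iv "ucp\|kube\|dtr" | awk '{print $1}'
}
_ns_check() {
  # $1: STIG id, $2: HostConfig field (PidMode/IpcMode), $3: namespace label for the report.
  local stig=$1 field=$2 label=$3
  local fmt="{{ .Id }}: ${field}={{ .HostConfig.${field} }}"
  if _ns_container_ids | xargs --no-run-if-empty docker inspect --format "${fmt}" | grep -i "${field}=host"; then
    log_failure "${stig}" "containers present running with host ${label} namespace"
  else
    log_success "${stig}" "no containers running with host ${label} namespace detected"
  fi
  if [[ -n "${SHOW_ARTIFACT}" ]]; then
    echo "Command: docker ps --all | tail -n +2 | grep -iv 'ucp\|kube\|dtr' | awk '{print \$1}' | xargs --no-run-if-empty docker inspect --format '${fmt}'"
    echo "Output: $(_ns_container_ids | xargs --no-run-if-empty docker inspect --format "${fmt}")"
  fi
}
_ns_check V-235784 PidMode PID
_ns_check V-235785 IpcMode IPC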
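# V-235791: the userland proxy must be disabled, and in daemon.json rather than on the
# dockerd command line.
# `pgrep -f` alone prints only PIDs, so the former grep could never see the flag;
# -a adds the full command line.
if pgrep -af dockerd | grep --quiet 'userland-proxy'; then
  log_failure "V-235791" "Remove userland-proxy flag from docker service arguments, use /etc/docker/daemon.json."
else
  log_success "V-235791" "userland-proxy flag not used as docker service arguments."
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: pgrep -af dockerd"
  echo "Output: $(pgrep -af dockerd)"
fi
# can be configured in daemon.json
if jq -e '."userland-proxy" == false' "${DOCKER_DAEMON_JSON_PATH}" >/dev/null 2>&1; then
  log_success "V-235791" "userland-proxy is disabled."
else
  # Edit through an unpredictable mktemp file instead of the fixed /tmp/daemon.json.tmp,
  # then copy back so the ownership/mode set earlier on daemon.json are preserved.
  DAEMON_TMP=$(mktemp)
  jq '. + {"userland-proxy": false}' "${DOCKER_DAEMON_JSON_PATH}" > "${DAEMON_TMP}"
  cp -- "${DAEMON_TMP}" "${DOCKER_DAEMON_JSON_PATH}"
  rm -f -- "${DAEMON_TMP}"
  log_success "V-235791" "userland-proxy has been disabled by this script, be sure to restart the docker service."
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: jq '.\"userland-proxy\"' ${DOCKER_DAEMON_JSON_PATH}"
  echo "Output: $(jq '."userland-proxy"' "${DOCKER_DAEMON_JSON_PATH}")"
fi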
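# V-235820: published container ports must bind to a specific host address.
# daemon.json "ip" is dockerd's default host IP for -p/--publish mappings (the container
# traffic side); it is not the address the Docker API listens on.
# The value is read with jq instead of a regex, and written with --arg so PRI_IP is
# never spliced into the jq program text.
DAEMON_BIND_IP=$(jq -r '.ip // empty' "${DOCKER_DAEMON_JSON_PATH}")
if [[ -n "${DAEMON_BIND_IP}" && "${DAEMON_BIND_IP}" != "0.0.0.0" && "${DAEMON_BIND_IP}" != "::" ]]; then
  log_success "V-235820" "Docker is configured to listen on specific IP address."
elif [[ -n "${DAEMON_BIND_IP}" ]]; then
  # An explicit wildcard address is left alone for the operator to fix.
  log_failure 'V-235820' "${DOCKER_DAEMON_JSON_PATH} configured with IP set to ${DAEMON_BIND_IP}, manually fix and rerun"
else
  DAEMON_TMP=$(mktemp)
  jq --arg ip "${PRI_IP}" '. + {"ip": $ip}' "${DOCKER_DAEMON_JSON_PATH}" > "${DAEMON_TMP}"
  cp -- "${DAEMON_TMP}" "${DOCKER_DAEMON_JSON_PATH}"
  rm -f -- "${DAEMON_TMP}"
  log_success "V-235820" "docker has been bound to ${PRI_IP}, be sure to restart the docker service."
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: jq -r '.ip' ${DOCKER_DAEMON_JSON_PATH}"
  echo "Output: $(jq -r '.ip' "${DOCKER_DAEMON_JSON_PATH}")"
fi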
# V-235799: containers should run under an AppArmor profile.
# Only an explicit "unconfined" profile is flagged. NOTE(review): an empty
# AppArmorProfile (hosts without AppArmor, e.g. SELinux-based distributions) passes
# this check silently -- confirm that is acceptable for the target platform.
APPARMOR_FMT='{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'
if docker ps -aq | xargs --no-run-if-empty docker inspect --format "${APPARMOR_FMT}" | grep -i "AppArmorProfile=unconfined"; then
  log_failure 'V-235799' 'containers present running without apparmor'
else
  log_success 'V-235799' 'all containers running with apparmor profiles'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs docker inspect --format '${APPARMOR_FMT}'"
  echo "Output: $(docker ps -aq | xargs docker inspect --format "${APPARMOR_FMT}")"
fi
# V-235837 / V-235804: host-published ports are listed for manual comparison with the SSP.
# `|| true` neutralises grep's "no match" status so set -e does not abort (the original
# achieved the same with a trailing `| cat`).
PORTS_FMT_NAMED='{{ .Id }}: {{ .Name }}: Ports={{ .NetworkSettings.Ports }}'
PORTS_FMT='{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'
log_manual 'V-235837' 'review below ports and ensure they are in the SSP, look at the HostPort field.'
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps -q | xargs --no-run-if-empty docker inspect --format '${PORTS_FMT_NAMED}' | grep HostPort | cat "
  echo "Output: $(docker ps -q | xargs --no-run-if-empty docker inspect --format "${PORTS_FMT_NAMED}" | grep HostPort || true) "
else
  docker ps -q | xargs --no-run-if-empty docker inspect --format "${PORTS_FMT_NAMED}" | grep HostPort || true
fi
log_manual 'V-235804' 'review below ports and ensure they are in the SSP, look at the HostPort field.'
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet | xargs --no-run-if-empty docker inspect --format '${PORTS_FMT}' | grep -i host | cat"
  echo "Output: $(docker ps --quiet | xargs --no-run-if-empty docker inspect --format "${PORTS_FMT}" | grep -i host || true) "
else
  docker ps --quiet | xargs --no-run-if-empty docker inspect --format "${PORTS_FMT}" | grep -i host || true
fi
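# V-235813: no `docker exec --privileged` sessions.
# Reads the audit log for rules keyed "docker" (see V-235779): without such rules
# ausearch returns nothing and the check passes vacuously. The match is on audit history,
# not only on sessions that are still open.
if ausearch -k docker 2>/dev/null | grep exec | grep --quiet privileged; then
  log_failure 'V-235813' 'there is an exec session running with privileged flag'
else
  log_success 'V-235813' 'no exec sessions with privileged flag found'
fi
# The artifact used to be printed only on PASS; a FAIL is when the assessor needs it.
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: ausearch -k docker 2>/dev/null | grep exec | grep privileged "
  echo "Output: $(ausearch -k docker 2>/dev/null | grep exec | grep privileged)"
fi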
# V-235817: no container may opt out of user-namespace remapping with --userns=host.
USERNS_FMT='{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'
if docker ps -aq | xargs --no-run-if-empty docker inspect --format "${USERNS_FMT}" | grep -qi "UsernsMode=host"; then
  log_failure 'V-235817' 'containers present sharing host user namespace'
else
  log_success 'V-235817' 'no containers running sharing host user namespace detected'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs --no-run-if-empty docker inspect --format '${USERNS_FMT}'"
  echo "Output: $(docker ps -aq | xargs --no-run-if-empty docker inspect --format "${USERNS_FMT}")"
fi
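# V-235819: no host port below 1024 may be mapped into a container.
# The lowest "HostPort:NNNN" value across all containers decides the result.
LOWPORT_FMT='{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'
LOW_HOST_PORT=$(docker ps -aq | xargs --no-run-if-empty docker inspect --format "${LOWPORT_FMT}" | grep -Pio '(?<=HostPort:)\d+' | sort -n | head -n 1 || true)
if [[ -z "${LOW_HOST_PORT}" ]]; then
  # Nothing published at all used to produce no report line for this STIG id.
  log_success 'V-235819' 'no host ports mapped into containers'
elif [[ "${LOW_HOST_PORT}" -lt 1024 ]]; then
  log_failure 'V-235819' 'host ports below 1024 are mapped into containers.'
else
  log_success 'V-235819' 'no host ports mapped below 1024'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs --no-run-if-empty docker inspect --format '${LOWPORT_FMT}' "
  echo "Output: $(docker ps -aq | xargs --no-run-if-empty docker inspect --format "${LOWPORT_FMT}") "
  echo "Lowest host port: '${LOW_HOST_PORT}'"
fi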
# V-235805: no container may share the host network namespace (--network=host).
# Platform containers (ucp/kube/dtr) are excluded by name; tail drops the header row.
NET_FMT='{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'
if docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | tail -n +2 \
    | xargs --no-run-if-empty docker inspect --format "${NET_FMT}" | grep -qi "NetworkMode=host"; then
  log_failure 'V-235805' 'containers present sharing hosts network namespace'
else
  log_success 'V-235805' 'no containers running sharing hosts network namespace'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --all | grep -iv \"ucp\|kube\|dtr\" | awk '{print $1}' | tail -n +2 | xargs --no-run-if-empty docker inspect --format '${NET_FMT}'"
  echo "Output: $(docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | tail -n +2 | xargs --no-run-if-empty docker inspect --format "${NET_FMT}") "
fi
# V-235809: no host devices (--device) may be passed into containers.
# A populated Devices list appears to render with PathInContainer fields; that token is
# what the check keys on.
DEVICES_FMT='{{ .Id }}: Devices={{ .HostConfig.Devices }}'
if docker ps -aq | xargs --no-run-if-empty docker inspect --format "${DEVICES_FMT}" | grep -qi 'pathincontainer'; then
  log_failure 'V-235809' 'containers present with host devices passed in.'
else
  log_success 'V-235809' 'no containers running with host devices passed in.'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs --no-run-if-empty docker inspect --format '${DEVICES_FMT}'"
  echo "Output: $(docker ps -aq | xargs --no-run-if-empty docker inspect --format "${DEVICES_FMT}")"
fi
# V-235783: sensitive host directories must not be mounted into containers.
# The Mounts field is rendered as Go struct text; the "Source:<path>" tokens are pulled
# out of it and compared against the listed top-level directories (exact match only).
# NOTE(review): a mount of a file or subdirectory beneath them (e.g. /etc/passwd) is not
# caught by this pattern -- confirm that is acceptable.
MOUNTS_FMT='{{ .Id }}: Volumes={{ .Mounts }}'
SENSITIVE_DIR_RE='\:(/|/boot|/dev|/etc|/lib|/proc|/sys|/usr)$'
if docker ps -aq | xargs --no-run-if-empty docker inspect --format "${MOUNTS_FMT}" \
    | grep -iv "ucp\|kubelet\|dtr" | grep -Po 'Source:\S+' | grep -P "${SENSITIVE_DIR_RE}"; then
  log_failure 'V-235783' 'sensitive directories mapped into containers detected.'
else
  log_success 'V-235783' 'no sensitive directories found mapped into containers'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs --no-run-if-empty docker inspect --format '${MOUNTS_FMT}' | grep -iv 'ucp\|kubelet\|dtr'"
  echo "Output: $(docker ps -aq | xargs --no-run-if-empty docker inspect --format "${MOUNTS_FMT}" | grep -iv 'ucp\|kubelet\|dtr')"
fi
# V-235790: the deprecated aufs storage driver must not be in use.
AUFS_RE='^Storage Driver:\s*aufs\s*$'
if docker info | grep -qe "${AUFS_RE}"; then
  log_failure 'V-235790' 'aufs file system detected.'
else
  log_success 'V-235790' 'aufs file system not detected'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker info | grep -e '${AUFS_RE}'"
  echo "Output: $(docker info | grep -e "${AUFS_RE}")"
fi
# V-235810: no mount may use shared propagation (matches "shared" and "rshared").
# Platform containers (ucp/kube/dtr) are excluded by name.
# shellcheck disable=SC2016
PROP_FMT='{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'
if docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' \
    | xargs --no-run-if-empty docker inspect --format "${PROP_FMT}" 2>/dev/null | grep -q 'shared'; then
  log_failure 'V-235810' 'mount propagation mode set to shared.'
else
  log_success 'V-235810' 'no mounts set to shared propagation mode found'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --all | grep -iv 'ucp\|kube\|dtr' | awk '{print $1}' | xargs --no-run-if-empty docker inspect --format '${PROP_FMT}'"
  echo "Output: $(docker ps --all | grep -iv 'ucp\|kube\|dtr' | awk '{print $1}' | xargs --no-run-if-empty docker inspect --format "${PROP_FMT}")"
fi
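# V-235811: no container may share the host UTS namespace (--uts=host).
# The match is anchored on the UTSMode field; the PASS message used to say "UTC".
UTS_FMT='{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'
if docker ps -aq | xargs --no-run-if-empty docker inspect --format "${UTS_FMT}" | grep -i 'UTSMode=host'; then
  log_failure 'V-235811' 'host UTS namespace shared to container.'
else
  log_success 'V-235811' 'no containers found with host UTS namespace shared'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs --no-run-if-empty docker inspect --format '${UTS_FMT}'"
  echo "Output: $(docker ps -aq | xargs --no-run-if-empty docker inspect --format "${UTS_FMT}")"
fi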
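# V-235814: no `docker exec` session may switch user with -u/--user.
# This inspects live processes (exec sessions currently open), unlike V-235813 which
# reads the audit log; the artifact now shows the same command as the check instead of
# an unrelated ausearch query. The flag must be a separate word (or --user=value) so a
# container or command name merely containing "-u" no longer trips it.
EXEC_USER_RE='(^|[[:space:]])(-u|--user)([[:space:]]|=|$)'
if pgrep -af 'docker exec' | grep -E "${EXEC_USER_RE}"; then
  log_failure 'V-235814' 'there is an exec session running with user flag'
else
  log_success 'V-235814' 'no exec sessions with user flag found'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: pgrep -af 'docker exec' | grep -E '${EXEC_USER_RE}'"
  echo "Output: $(pgrep -af 'docker exec' | grep -E "${EXEC_USER_RE}")"
fi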
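# V-235815: containers must run under the default cgroup parent.
# Any non-empty CgroupParent is reported for manual review. The former pattern `=\w+`
# missed values starting with a non-word character such as "/custom.slice", which is
# how explicit parents are usually written. NOTE(review): if the daemon itself is
# configured with a default cgroup-parent, confirm whether HostConfig reflects it.
CGROUP_FMT='{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'
if docker ps -aq | xargs --no-run-if-empty docker inspect --format "${CGROUP_FMT}" | grep -Ev 'CgroupParent=$'; then
  log_failure 'V-235815' 'cgroup usage detected, must be manually checked.'
else
  log_success 'V-235815' 'only default cgroups defined on running containers'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs --no-run-if-empty docker inspect --format '${CGROUP_FMT}'"
  echo "Output: $(docker ps -aq | xargs --no-run-if-empty docker inspect --format "${CGROUP_FMT}")"
fi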
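# V-235802: no container may run with --privileged.
# `docker ps --quiet` prints only hex IDs, so the ucp/kube/dtr name filter applied to it
# was a no-op; filter the full listing by name first, as the other checks do, and drop
# the header row before the IDs reach docker inspect.
PRIV_FMT='{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'
if docker ps --all | tail -n +2 | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' \
    | xargs --no-run-if-empty docker inspect --format "${PRIV_FMT}" | grep 'Privileged=true'; then
  log_failure 'V-235802' 'containers running as privileged.'
else
  log_success 'V-235802' 'no containers found running as privileged'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --all | tail -n +2 | grep -iv 'ucp\|kube\|dtr' | awk '{print \$1}' | xargs --no-run-if-empty docker inspect --format '${PRIV_FMT}'"
  echo "Output: $(docker ps --all | tail -n +2 | grep -iv 'ucp\|kube\|dtr' | awk '{print $1}' | xargs --no-run-if-empty docker inspect --format "${PRIV_FMT}")"
fi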
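# V-235779: auditd must have rules covering the docker.service and docker.socket units.
# The former condition was `systemctl show ... or auditctl -l | grep ...`: "or" is not a
# shell operator, so grep ran against systemctl's own FragmentPath= output and the check
# could never fail; the PASS line was also printed unconditionally. Here the loaded
# rules are checked for each unit name, and the unit file path is reported to help
# write the missing watch rule.
AUDIT_RULES=$(auditctl -l 2>/dev/null || true)
AUDIT_RULES_OK=1
for unit in docker.service docker.socket; do
  unit_path=$(systemctl show -p FragmentPath "${unit}" 2>/dev/null | cut -d= -f2- || true)
  if ! grep -qF -- "${unit}" <<<"${AUDIT_RULES}"; then
    log_failure 'V-235779' "${unit} auditd rule missing (unit file: ${unit_path:-unknown})"
    AUDIT_RULES_OK=0
  fi
done
if [[ ${AUDIT_RULES_OK} -eq 1 ]]; then
  log_success 'V-235779' 'Required auditd rules for docker are present'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: systemctl show -p FragmentPath docker.service docker.socket; auditctl -l | grep -F docker"
  echo "Output: $(systemctl show -p FragmentPath docker.service docker.socket 2>/dev/null; auditctl -l 2>/dev/null | grep -F docker || true)"
fi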
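# V-235801: no container may add Linux capabilities beyond the default set.
# An unset list renders as "<no value>"; newer CLIs may render it as "[]", so both are
# accepted as empty. A container that only drops capabilities is still listed (CapDrop
# is non-empty) and has to be cleared against the SSP by hand, as the message says.
CAPS_FMT='{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'
if docker ps -aq | xargs --no-run-if-empty docker inspect --format "${CAPS_FMT}" \
    | grep -Ev ': CapAdd=(<no value>|\[\]) CapDrop=(<no value>|\[\])$'; then
  log_failure 'V-235801' 'containers running with added capabilities, you will need to manually confirm with SSP.'
else
  log_success 'V-235801' 'no containers found with additional capabilities passed in.'
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker ps --quiet --all | xargs --no-run-if-empty docker inspect --format '${CAPS_FMT}'"
  echo "Output: $(docker ps -aq | xargs --no-run-if-empty docker inspect --format "${CAPS_FMT}")"
fi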
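# V-235803: no running container may host an SSH daemon.
# `docker top` lists a container's processes from the host side, so it also works for
# images that ship no `ps`; `docker exec ... ps -el` failed on those and, because the
# failure sat in the `if` condition, silently counted them as clean.
PASS=1
for i in $(docker ps -q); do
  if docker top "${i}" 2>/dev/null | grep -i sshd; then
    log_failure 'V-235803' 'containers running sshd found.'
    if [[ -n "${SHOW_ARTIFACT}" ]]; then
      echo "Command: docker top \"${i}\" | grep -i sshd"
      echo "Output: $(docker top "${i}" 2>/dev/null | grep -i sshd)"
    fi
    PASS=0
  fi
done
if [[ $PASS -eq 1 ]]; then
  log_success 'V-235803' 'no containers running sshd found.'
fi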
# V-235792: the daemon's experimental-features flag must be off.
# Anything other than a "false" answer from the daemon (including no answer) is a FAIL.
EXPERIMENTAL=$(docker version --format '{{ .Server.Experimental }}' || true)
if grep --quiet false <<<"${EXPERIMENTAL}"; then
  log_success "V-235792" "Experimental features are disabled"
else
  log_failure "V-235792" "Experimental features are enabled"
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: docker version --format '{{ .Server.Experimental }}' | grep false"
  echo "Output: $(grep false <<<"${EXPERIMENTAL}")"
fi
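# V-235831: a log driver must be configured in daemon.json.
# Enforce the Kasm logging plugin as the log driver if installed, otherwise fall back to
# syslog. Note that any other driver already configured (e.g. journald) is replaced.
KASM_LOGGER_PLUGIN=$(docker plugin ls --format '{{.Name}}' 2>/dev/null | grep '^kasmweb/logger' | head -1 || true)
LOG_DRIVER="${KASM_LOGGER_PLUGIN:-syslog}"
if jq -e --arg driver "${LOG_DRIVER}" '."log-driver" == $driver' "${DOCKER_DAEMON_JSON_PATH}" >/dev/null 2>&1; then
  log_success "V-235831" "log driver is enabled"
else
  # NOTE(review): switching the driver leaves existing "log-opts" untouched; options that
  # belong to another driver (json-file's max-size/max-file, for instance) may be rejected
  # by dockerd on restart -- confirm log-opts match the chosen driver.
  # Edit through an unpredictable mktemp file rather than the fixed /tmp/daemon.json.tmp,
  # then copy back so the ownership/mode set earlier on daemon.json are preserved.
  DAEMON_TMP=$(mktemp)
  jq --arg driver "${LOG_DRIVER}" '. + {"log-driver": $driver}' "${DOCKER_DAEMON_JSON_PATH}" > "${DAEMON_TMP}"
  cp -- "${DAEMON_TMP}" "${DOCKER_DAEMON_JSON_PATH}"
  rm -f -- "${DAEMON_TMP}"
  log_success "V-235831" "log driver has been configured in script"
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: jq '.\"log-driver\"' ${DOCKER_DAEMON_JSON_PATH}"
  echo "Output: $(jq '."log-driver"' "${DOCKER_DAEMON_JSON_PATH}")"
fi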
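# V-235833: when the syslog driver is in use, container logs must be shipped to a syslog
# endpoint. The address written here is loopback UDP (no transport security), so it
# presumes a local forwarder relays to the real remote collector -- confirm that setup.
if jq -e '."log-driver" == "syslog"' "${DOCKER_DAEMON_JSON_PATH}" >/dev/null 2>&1; then
  if ! jq -e '(."log-opts" // {}) | has("syslog-address")' "${DOCKER_DAEMON_JSON_PATH}" >/dev/null 2>&1; then
    # Merge into any existing log-opts instead of replacing the whole object (the former
    # assignment silently dropped every other option). The json-file-only rotation keys
    # are removed because dockerd does not accept them for the syslog driver.
    # NOTE(review): confirm against the installed dockerd's log-opt validation.
    DAEMON_TMP=$(mktemp)
    jq '."log-opts" = (((."log-opts" // {}) | del(."max-size", ."max-file", ."compress")) + {"syslog-address": "udp://127.0.0.1:25224", "tag": "container_name/{{.Name}}", "syslog-facility": "daemon"})' \
      "${DOCKER_DAEMON_JSON_PATH}" > "${DAEMON_TMP}"
    cp -- "${DAEMON_TMP}" "${DOCKER_DAEMON_JSON_PATH}"
    rm -f -- "${DAEMON_TMP}"
    log_success "V-235833" "Script configured docker daemon remote syslog settings"
  else
    log_success "V-235833" "Remote syslog already configured"
  fi
else
  log_na "V-235833" "Non-syslog log driver configured; syslog-address not applicable"
fi
if [[ -n "${SHOW_ARTIFACT}" ]]; then
  echo "Command: jq '{\"log-driver\", \"log-opts\"}' ${DOCKER_DAEMON_JSON_PATH}"
  echo "Output: $(jq '{"log-driver", "log-opts"}' "${DOCKER_DAEMON_JSON_PATH}")"
fi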
# Final banner; the daemon must still be restarted for any daemon.json changes to apply.
printf '%b\n' "${OK}Docker stig application complete${NC}"