lynis/include/helper_audit_dockerfile

#!/bin/sh

#################################################################################
#
#   Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2019, CISOfy
#
# Website  : https://cisofy.com
# Blog     : http://linux-audit.com
# GitHub   : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################

if [ $# -eq 0 ]; then
    Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
    Display --text " "; Display --text " "
    ExitFatal
else
    FILE=$(echo $1 | egrep "^http|https")
    if HasData "${FILE}"; then
        CreateTempFile
        TMP_FILE="${TEMP_FILE}"
        Display --indent 2 --text "Downloading URL ${FILE} with wget"
        wget -o ${TMP_FILE} ${FILE}
        if [ $? -gt 0 ]; then
            AUDIT_FILE="${TMP_FILE}"
        else
            if [ -f ${TMP_FILE} ]; then
                rm -f ${TMP_FILE}
            fi
            Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
            ExitFatal
        fi
    else
        if [ -f $1 ]; then
            AUDIT_FILE="$1"
        else
            Display --indent 2 --text "File $1 does not exist"
            ExitFatal
        fi
    fi
    Display --indent 2 --text "File to audit = ${AUDIT_FILE}"
fi

#####################################################

#
##################################################################################################
#

    InsertSection "Image"

    PKGMGR=""
    FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
    for I in ${FIND}; do
        IMAGE=$(echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}')
        TAG=$(echo ${IMAGE} | cut -d':' -f2)
        Display --indent 2 --text "Found image:" --result "${IMAGE}"

        IS_DEBIAN=$(echo ${IMAGE} | grep -i debian)
        IS_FEDORA=$(echo ${IMAGE} | grep -i fedora)
        IS_UBUNTU=$(echo ${IMAGE} | grep -i ubuntu)
        IS_ALPINE=$(echo ${IMAGE} | grep -i alpine)
        IS_LATEST=$(echo ${TAG} | grep -i latest)

        if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi
        if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi
        if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi
        if [ ! "${IS_ALPINE}" = "" ]; then IMAGE="alpine"; fi
        
        if [ ! "${IS_LATEST}" = "" ]; then 
            ReportWarning "dockerfile" "latest TAG used. Specifying the version is better."
        fi

        case ${IMAGE} in
            "debian")
                LogText "Image = Debian based"
                PKGMGR="apt"
                ;;
            "fedora*")
                LogText "  Image = Fedora based"
                PKGMGR="yum"
                ;;
            "ubuntu")
                LogText "  Image = Ubuntu based"
                PKGMGR="apt"
                ;;
            "alpine")
                LogText "  Image = Alpine based"
                PKGMGR="apk"
                ;;
            *)
                Display --indent 2 --text "Unknown image" --result "" --color YELLOW
                ;;
        esac
    done

#
##################################################################################################
#

InsertSection "Basics"

    #FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
    FIND=$(egrep -i "*MAINTAINER" ${AUDIT_FILE}  |  sed 's/=/ /g' | cut -d'"' -f 2)
    if [ "${FIND}" = "" ]; then
        ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
    else
        #MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
        MAINTAINER=$(echo ${FIND})
        Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
    fi
    
    FIND=$(grep "^ENTRYPOINT" ${AUDIT_FILE} | cut -d' ' -f2 )
    if [ "${FIND}" = "" ]; then
        ReportWarning "dockerfile" "No ENTRYPOINT defined in Dockerfile."
    else
        ENTRYPOINT=$(echo ${FIND})
        Display --indent 2 --text "ENTRYPOINT" --result "${ENTRYPOINT}"
    fi

    FIND=$(grep "^CMD" ${AUDIT_FILE} | cut -d' ' -f2 )
    if [ "${FIND}" = "" ]; then
        ReportWarning "dockerfile" "No CMD defines in Dockerfile."
    else
        CMD=$(echo ${FIND})
        Display --indent 2 --text "CMD" --result "${CMD}"
    fi

    FIND=$(grep "^USER" ${AUDIT_FILE} | cut -d' ' -f2 )
    if [ "${FIND}" = "" ]; then
        ReportWarning "dockerfile" "No user declared in Dockerfile. Container will execute command as root"
    else
        USER=$(echo ${FIND})
        Display --indent 2 --text "User" --result "${USER}"
    fi


#
##################################################################################################
#

    InsertSection "Software"

    case $PKGMGR in
    "apt")
        FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
        if [ ! "${FIND}" = "" ]; then
            LogText "Found installation via apt-get"
        else
            LogText "No installations found via apt-get"
        fi
        ;;
     "apk")
        FIND=$(egrep "apk(.*) add" ${AUDIT_FILE})
        if [ ! "${FIND}" = "" ]; then
            LogText "Found installation via apk"
        else
            LogText "No installations found via apk"
        fi
        ;;
    *)
        LogText "Unknown package manager"
    ;;
    esac

    FIND=$(egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#")
    if [ ! "${FIND}" = "" ]; then
        ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
        LogText "Details: ${FIND}"
    fi

    # SSH
    FIND_OPENSSH=$(grep openssh ${AUDIT_FILE})
    if [ ! "${FIND_OPENSSH}" = "" ]; then
        Display --indent 2 --text "OpenSSH" --result "FOUND" --color RED
        ReportSuggestion "dockerfile" "Don't use OpenSSH in container, use 'docker exec' instead"
    fi
#
##################################################################################################
#
    InsertSection "Downloads"

    FILE_DOWNLOAD=0

    LogText "Checking usage of cURL"
    FIND_CURL=$(grep curl ${AUDIT_FILE})
    if [ ! "${FIND_CURL}" = "" ]; then
        Display --indent 4 --text "Download tool" --result "curl"
        FILE_DOWNLOAD=1
    fi

    LogText "Checking usage of wget"
    FIND_WGET=$(grep wget ${AUDIT_FILE})
    if HasData "${FIND_WGET}"; then
        Display --indent 4 --text "Download tool" --result "wget"
        FILE_DOWNLOAD=1
    fi


    FIND=$(grep "^ADD http" ${AUDIT_FILE})
    if HasData "${FIND}"; then
        FILE_DOWNLOAD=1
        ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
        LogText "Details: ${FIND}"
    fi

    if [ ${FILE_DOWNLOAD} -eq 1 ]; then

        SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})

        if HasData "${SSL_USED_FIND}"; then
            SSL_USED="YES"
            COLOR="GREEN"
        else
            SSL_USED="NO"
            COLOR="RED"
            ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
        fi
        Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR}
        HASHING_USED=$(egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE})
        Display --indent 2 --text "Hashing" --result "${HASHING_USED}"
        KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE}| sed 's/RUN apt-key adv//g'| sed 's/--keyserver/Key Server:/g' | sed 's/--recv/Key Value:/g')
        Display --indent 2 --text "Signing keys used" --result "${KEYS_USED}"
        Display --indent 2 --text "All downloads properly checked" --result "?"
    else
        Display --indent 2 --text "No files seems to be downloaded in this Dockerfile"

    fi
#
##################################################################################################
#
    InsertSection "Permissions"

    FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
    if HasData "${FIND}"; then
        ReportWarning "dockerfile" "Warning: chmod 777 found"
    fi
#
##################################################################################################
#

    # Removing temp file
    LogText "Action: Removing temporary file ${TMP_FILE}"
    if [ -f ${TMP_FILE} ]; then
        rm -f ${TMP_FILE}
    fi


# The End