Added new test [CONT-8108] to check file permissions of Docker files
This commit is contained in:
parent
5fe1e6dd65
commit
1edaba4d71
@ -21,6 +21,10 @@
|
|||||||
InsertSection "Containers"
|
InsertSection "Containers"
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
#
|
||||||
|
DOCKER_FILE_PERMISSIONS_WARNINGS=0
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
#
|
#
|
||||||
# Test : CONT-8004
|
# Test : CONT-8004
|
||||||
# Description : Query running Solaris zones
|
# Description : Query running Solaris zones
|
||||||
@ -160,6 +164,38 @@
|
|||||||
fi
|
fi
|
||||||
#
|
#
|
||||||
#################################################################################
|
#################################################################################
|
||||||
|
#
|
||||||
|
# Test : CONT-8108
|
||||||
|
# Description : Checking Docker file permissions
|
||||||
|
# Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
|
||||||
|
if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
|
||||||
|
Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check file permissions for Docker files"
|
||||||
|
if [ ${SKIPTEST} -eq 0 ]; then
|
||||||
|
NOT_WORLD_WRITABLE="/var/run/docker.sock"
|
||||||
|
for I in ${NOT_WORLD_WRITABLE}; do
|
||||||
|
logtext "Test: Check ${I}"
|
||||||
|
if [ -f ${I} ]; then
|
||||||
|
logtext "Result: file ${I} found, permissions will be tested"
|
||||||
|
IsWorldWritable ${I}
|
||||||
|
if [ $? -eq 1 ]; then
|
||||||
|
logtext "Result: file is writable by others, which is a security risk (e.g. privilege escalation)"
|
||||||
|
ReportWarning "${TEST_NO}" "Docker file is world writable" "${I}" "-"
|
||||||
|
DOCKER_FILE_PERMISSIONS_WARNINGS=`expr ${DOCKER_FILE_PERMISSIONS_WARNINGS} + 1`
|
||||||
|
else
|
||||||
|
logtext "Result: file is not writable by others, which is fine"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ${DOCKER_FILE_PERMISSIONS_WARNINGS} -gt 0 ]; then
|
||||||
|
Display --indent 4 --text "- File permissions" --result WARNINGS --color YELLOW
|
||||||
|
AddHP 0 5
|
||||||
|
else
|
||||||
|
Display --indent 4 --text "- File permissions" --result OK --color GREEN
|
||||||
|
AddHP 5 5
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
#
|
||||||
|
#################################################################################
|
||||||
#
|
#
|
||||||
|
|
||||||
wait_for_keypress
|
wait_for_keypress
|
||||||
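Review bot: The check `if [ -f ${I} ]; then` never matches the only entry in NOT_WORLD_WRITABLE, because /var/run/docker.sock is a Unix domain socket and -f is true only for regular files; the loop therefore skips the permission test and the code after `done` always takes the OK branch, awarding `AddHP 5 5` whether or not the socket is world writable. Change the test to `if [ -e "${I}" ]; then` (or `-S "${I}"` if only sockets are expected) so the path is actually examined, and quote the argument in `IsWorldWritable "${I}"` for consistency. The `$? -eq 1` branch presumes IsWorldWritable returns 1 for a world-writable path, which is not visible in this diff and is worth confirming against that helper. The counter DOCKER_FILE_PERMISSIONS_WARNINGS is initialised in the first hunk, so the comparison after the loop is safe once the file check is fixed.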
|