tyler.durden
/
lynis
mirror of https://github.com/CISOfy/lynis.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
lynis/include/helper_audit_dockerfile

209 lines
6.5 KiB
Bash
Raw Blame History

#!/bin/sh
#################################################################################
#
# Lynis
# ------------------
#
# Copyright 2007-2013, Michael Boelen
# Copyright 2007-2017, CISOfy
#
# Website : https://cisofy.com
# Blog : http://linux-audit.com
# GitHub : https://github.com/CISOfy/lynis
#
# Lynis comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
# welcome to redistribute it under the terms of the GNU General Public License.
# See LICENSE file for usage of this software.
#
#################################################################################
if [ $# -eq 0 ]; then
Display --indent 2 --text "${RED}Error: ${WHITE}Provide URL or file${NORMAL}"
Display --text " "; Display --text " "
ExitFatal
else
FILE=$(echo $1 | egrep "^http|https")
if HasData "${FILE}"; then
CreateTempFile
TMP_FILE="${TEMP_FILE}"
Display --indent 2 --text "Downloading URL ${FILE} with wget"
wget -o ${TMP_FILE} ${FILE}
if [ $? -gt 0 ]; then
AUDIT_FILE="${TMP_FILE}"
else
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
Display --indent 2 --text "${RED}Error: ${WHITE}can not download file${NORMAL}"
ExitFatal
fi
else
if [ -f $1 ]; then
AUDIT_FILE="$1"
else
Display --indent 2 --text "File $1 does not exist"
ExitFatal
fi
fi
Display --indent 2 --text "File to audit = ${AUDIT_FILE}"
fi
#####################################################
#
##################################################################################################
#
InsertSection "Image"
PKGMGR=""
FIND=$(grep "^FROM" ${AUDIT_FILE} | sed 's/ /:space:/g')
for I in ${FIND}; do
IMAGE=$(echo ${I} | sed 's/:space:/ /g' | awk '{ if ($1=="FROM") { print $2 }}')
Display --indent 2 --text "Found image:" --result "${IMAGE}"
IS_UBUNTU=$(echo ${IMAGE} | grep -i ubuntu)
if [ ! "${IS_DEBIAN}" = "" ]; then IMAGE="debian"; fi
if [ ! "${IS_FEDORA}" = "" ]; then IMAGE="fedora"; fi
if [ ! "${IS_UBUNTU}" = "" ]; then IMAGE="ubuntu"; fi
case ${IMAGE} in
"debian")
LogText "Image = Debian based"
PKGMGR="apt"
;;
"fedora*")
LogText " Image = Fedora based"
PKGMGR="yum"
;;
"ubuntu")
LogText " Image = Ubuntu based"
PKGMGR="apt"
;;
*)
Display --indent 2 --text "Unknown image" --result "" --color YELLOW
;;
esac
done
#
##################################################################################################
#
InsertSection "Basics"
FIND=$(egrep "^MAINTAINER" ${AUDIT_FILE} | sed 's/ /:space:/g')
if [ "${FIND}" = "" ]; then
ReportWarning "dockerfile" "No maintainer found. Unclear who created this file."
else
MAINTAINER=$(echo ${FIND} | sed 's/:space:/ /g' | awk '{ if($1=="MAINTAINER") { print }}')
Display --indent 2 --text "Maintainer" --result "${MAINTAINER}"
fi
#
##################################################################################################
#
InsertSection "Software"
case $PKGMGR in
"apt")
FIND=$(egrep "apt-get(.*) install" ${AUDIT_FILE})
if [ ! "${FIND}" = "" ]; then
LogText "Found installation via apt-get"
else
LogText "No installations found via apt-get"
fi
;;
*)
LogText "Unknown package manager"
;;
esac
FIND=$(egrep " (gcc|libc6-dev|make)" ${AUDIT_FILE} | grep -v "^#")
if [ ! "${FIND}" = "" ]; then
ReportWarning "dockerfile" "Possible development utilities found, which is not advised for production environment"
LogText "Details: ${FIND}"
fi
# SSH
FIND_OPENSSH=$(grep openssh ${AUDIT_FILE})
if [ ! "${FIND_OPENSSH}" = "" ]; then
Display --indent 2 --text "OpenSSH" --result "FOUND" --color RED
ReportSuggestion "dockerfile" "Don't use OpenSSH in container, use 'docker exec' instead"
fi
#
##################################################################################################
#
InsertSection "Downloads"
FILE_DOWNLOAD=0
LogText "Checking usage of cURL"
FIND_CURL=$(grep curl ${AUDIT_FILE})
if [ ! "${FIND_CURL}" = "" ]; then
Display --indent 4 --text "Download tool" --result "curl"
FILE_DOWNLOAD=1
fi
LogText "Checking usage of wget"
FIND_WGET=$(grep wget ${AUDIT_FILE})
if HasData "${FIND_WGET}"; then
Display --indent 4 --text "Download tool" --result "wget"
FILE_DOWNLOAD=1
fi
FIND=$(grep "^ADD http" ${AUDIT_FILE})
if HasData "${FIND}"; then
FILE_DOWNLOAD=1
ReportWarning "dockerfile" "Found download of file via ADD. Unclear if the integrity of this file is checked, or file is signed"
LogText "Details: ${FIND}"
fi
if [ ${FILE_DOWNLOAD} -eq 1 ]; then
SSL_USED_FIND=$(egrep "(https)" ${AUDIT_FILE})
if HasData "${SSL_USED_FIND}"; then
SSL_USED="YES"
COLOR="GREEN"
else
SSL_USED="NO"
COLOR="RED"
ReportSuggestion "Use SSL downloads when possible to increase security (DNSSEC, HTTPS, validation of domain, avoid MitM)"
fi
Display --indent 2 --text "Integrity testing performed" --result "${SSL_USED}" --color ${COLOR}
HASHING_USED=$(egrep "(sha1sum|sha256sum|sha512sum)" ${AUDIT_FILE})
Display --indent 2 --text "Hashing" --result "${HASHING_USED}"
KEYS_USED=$(egrep "(apt-key adv)" ${AUDIT_FILE})
Display --indent 2 --text "Signing keys used" --result ${KEYS_USED}
Display --indent 2 --text "All downloads properly checked" --result "?"
else
Display --indent 2 --text "No files seems to be downloaded in this Dockerfile"
fi
#
##################################################################################################
#
InsertSection "Permissions"
FIND=$(grep -i "chmod 777" ${AUDIT_FILE})
if HasData "${FIND}"; then
ReportWarning "dockerfile" "Warning: chmod 777 found"
fi
#
##################################################################################################
#
# Removing temp file
LogText "Action: Removing temporary file ${TMP_FILE}"
if [ -f ${TMP_FILE} ]; then
rm -f ${TMP_FILE}
fi
# The End
Reference in New Issue View Git Blame Copy Permalink