#!/usr/bin/env bash
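#######################################
# Run docker-bench-security against this host and capture its report.
# Arguments:
#   $1 - report file to write (relative to the current directory)
#   $2 - comma-separated list of checks to skip (the bench's "-e" option)
# Globals:   DOCKER_CONTENT_TRUST (read, forwarded into the bench container;
#            forwarded empty when unset, as before)
# Outputs:   the bench report is written to $1
# Returns:   the exit status of "docker run"
#######################################
_kong_run_docker_bench() {
  local log_output=$1
  local exclude_tests=$2
  # Host paths the bench reads. Every mount is read-only, the daemon socket
  # included, so the audit container cannot change the host it is auditing.
  local -a mounts=(
    -v /etc:/etc:ro
    -v /usr/bin/containerd:/usr/bin/containerd:ro
    -v /usr/bin/runc:/usr/bin/runc:ro
    -v /usr/lib/systemd:/usr/lib/systemd:ro
    -v /var/lib:/var/lib:ro
    -v /var/run/docker.sock:/var/run/docker.sock:ro
  )
  # Ubuntu keeps the docker unit under /lib/systemd/system; mounting it only
  # when present was the sole difference between the two per-distro branches.
  if [[ -f /lib/systemd/system/docker.service ]]; then # Ubuntu
    mounts+=(-v /lib/systemd/system:/lib/systemd/system:ro)
  fi
  # Host namespaces and audit_control give the bench its host-level view; this
  # is a privileged container, so it is run with --rm for the scan only.
  docker run --rm --net host --pid host --userns host --cap-add audit_control \
    -e "DOCKER_CONTENT_TRUST=${DOCKER_CONTENT_TRUST:-}" \
    "${mounts[@]}" \
    --label docker_bench_security \
    docker/docker-bench-security -e "$exclude_tests" > "$log_output"
}

#######################################
# CIS-Sec suite: run docker-bench-security with a container of the image
# under test alive and fail when the report has WARN lines mentioning kong.
# Globals:   BASE, KONG_DOCKER_TAG (read); the t* helpers come from the
#            sourced test harness
# Arguments: none
# Outputs:   harness messages; the matching WARN lines when there are any
# Returns:   the status of tfinish
#######################################
run_test() {
  # The suite name below is only used when running this file directly; when
  # running through "test.sh" it must be provided using the "--suite" option.
  tinitialize "Docker-Kong test suite" "${BASH_SOURCE[0]}"

  tchapter "CIS-Sec tests $KONG_DOCKER_TAG"

  ttest "CIS-Sec for docker-compose"

  # Stop every running container so only the one started below is scanned.
  # The list is collected first: "docker kill" with no arguments errors out,
  # which the original unquoted $(docker ps -q) did on an idle host.
  local -a running=()
  mapfile -t running < <(docker ps -q)
  if (( ${#running[@]} > 0 )); then
    docker kill "${running[@]}"
  fi

  # Keep one container of the image under test alive for the bench to inspect.
  docker run -d "kong-$BASE" tail -f /dev/null

  # Remove the base images before the scan — presumably so that only the image
  # under test is reported on; confirm against the bench's image checks.
  docker rmi kong:1.5.0
  docker rmi postgres:9.5
  docker images

  local log_output=docker-bench-security.log
  # Checks skipped because docker compose 3.x cannot express them:
  # * 5.1 is "apparmor". That option is not available in docker compose 3.x
  # * 5.10 is "mem_limit". That option is not available in docker compose 3.x (it has moved to resources)
  # * 5.11 is "cpu_shares". That option is not available in docker compose 3.x
  # * 5.28 is "pids_limit". That option is also not available in docker compose 3.x
  # * See https://github.com/docker/compose/issues/4513 for more examples of incompatibilities
  local exclude_tests=5_1,5_10,5_11,5_28

  # Scratch directory for the report, relative to the caller's working
  # directory; it is recreated from scratch and removed again at the end.
  local workdir=tests/docker-bench-security
  rm -rf -- "$workdir"
  mkdir -p -- "$workdir"

  if pushd "$workdir"; then
    _kong_run_docker_bench "$log_output" "$exclude_tests"
    if [[ ! -s "$log_output" ]]; then
      # An empty or missing report means the bench never ran (image pull or
      # docker failure); treating that as a pass would silently skip the audit.
      tmessage "docker-bench-security produced no report"
      tfailure
    # Not -q on purpose: the matching WARN lines (with one line of context)
    # are printed so the test output shows what was flagged.
    elif grep WARN "$log_output" | grep -B 1 kong; then
      tmessage "Found warnings in docker-bench-security report"
      tfailure
    else
      tsuccess
    fi
    popd
  else
    tmessage "cannot enter $workdir"
    tfailure
  fi

  rm -rf -- "$workdir"

  tfinish
}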
# No need to modify anything below this comment
# Bootstrap for running this file directly: when T_PROJECT_NAME is empty
# (presumably it is set by the harness when this file is run through it),
# source the harness with errexit on so a broken harness aborts here instead
# of failing later inside run_test. The file sourced is "$1" when given;
# otherwise test.sh next to this script, falling back to run.sh if test.sh
# does not exist. Note that an explicit "$1" is used in both branches, so a
# non-existent "$1" is still sourced (and fails under errexit).
# shellcheck disable=SC1090 # do not follow source
[[ "$T_PROJECT_NAME" == "" ]] && set -e && if [[ -f "${1:-$(dirname "$(realpath "$0")")/test.sh}" ]]; then source "${1:-$(dirname "$(realpath "$0")")/test.sh}"; else source "${1:-$(dirname "$(realpath "$0")")/run.sh}"; fi && set +e
# Run the suite; the t* helpers it calls are expected to be defined by the
# harness sourced above (or by the caller when this file is run via test.sh).
run_test