authormboelen <michael@cisofy.com>2015-09-24 21:29:05 +0300
committermboelen <michael@cisofy.com>2015-09-24 21:29:05 +0300
commit1edaba4d71346e0f09aa2d12657040e1b3eaaedf (patch)
tree7af86fbc2e06e5da77495f420e8fa3f5fbdc9d7b /include/tests_containers
parent5fe1e6dd656424aa850838292f2d343424a165e8 (diff)
Added new test [CONT-8108] to check file permissions of Docker files
Diffstat (limited to 'include/tests_containers')
-rw-r--r--include/tests_containers36
1 files changed, 36 insertions, 0 deletions
diff --git a/include/tests_containers b/include/tests_containers
index c1ce3379..33c67a0b 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -22,6 +22,10 @@
#
#################################################################################
#
+ DOCKER_FILE_PERMISSIONS_WARNINGS=0
+#
+#################################################################################
+#
# Test : CONT-8004
# Description : Query running Solaris zones
if [ -x /usr/sbin/zoneadm ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
@@ -161,6 +165,38 @@
#
#################################################################################
#
+ # Test : CONT-8108
+ # Description : Checking Docker file permissions
+ # Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
+ if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check file permissions for Docker files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ NOT_WORLD_WRITABLE="/var/run/docker.sock"
+ for I in ${NOT_WORLD_WRITABLE}; do
+ logtext "Test: Check ${I}"
+ if [ -f ${I} ]; then
+ logtext "Result: file ${I} found, permissions will be tested"
+ IsWorldWritable ${I}
+ if [ $? -eq 1 ]; then
+ logtext "Result: file is writable by others, which is a security risk (e.g. privilege escalation)"
+ ReportWarning "${TEST_NO}" "Docker file is world writable" "${I}" "-"
+ DOCKER_FILE_PERMISSIONS_WARNINGS=`expr ${DOCKER_FILE_PERMISSIONS_WARNINGS} + 1`
+ else
+ logtext "Result: file is not writable by others, which is fine"
+ fi
+ fi
+ done
+ if [ ${DOCKER_FILE_PERMISSIONS_WARNINGS} -gt 0 ]; then
+ Display --indent 4 --text "- File permissions" --result WARNINGS --color YELLOW
+ AddHP 0 5
+ else
+ Display --indent 4 --text "- File permissions" --result OK --color GREEN
+ AddHP 5 5
+ fi
+ fi
+#
+#################################################################################
+#
wait_for_keypress
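Review bot: The existence check on the line `if [ -f ${I} ]; then` uses `-f`, which is true only for regular files, yet the single path tested (`/var/run/docker.sock`) is a Unix socket; on a live host the branch is skipped, `DOCKER_FILE_PERMISSIONS_WARNINGS` stays 0, and the test reports `OK` and awards `AddHP 5 5` without ever having called `IsWorldWritable`. Since the list is meant to hold paths of any type, the guard should be `if [ -e ${I} ]; then` (or `-S` if it is to stay socket-only). It would also help a reader to log the skipped case with an `else` branch, e.g. `logtext "Result: ${I} not found, skipping"`, so that a passing result can be distinguished from a path that was never examined. The enclosing `if [ ${SKIPTEST} -eq 0 ]` block is fully inside the hunk.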