From 1edaba4d71346e0f09aa2d12657040e1b3eaaedf Mon Sep 17 00:00:00 2001
From: mboelen
Date: Thu, 24 Sep 2015 20:29:05 +0200
Subject: Added new test [CONT-8108] to check file permissions of Docker files
---
 include/tests_containers | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
(limited to 'include')
diff --git a/include/tests_containers b/include/tests_containers
index c1ce3379..33c67a0b 100644
--- a/include/tests_containers
+++ b/include/tests_containers
@@ -21,6 +21,10 @@ InsertSection "Containers"
 #
 #################################################################################
+#
+ DOCKER_FILE_PERMISSIONS_WARNINGS=0
+#
+#################################################################################
 #
 # Test : CONT-8004
 # Description : Query running Solaris zones
@@ -160,6 +164,38 @@ fi
 #
 #################################################################################
+#
+ # Test : CONT-8108
+ # Description : Checking Docker file permissions
+ # Notes : /var/run/docker.sock - Usually root as owner, docker as group - should not be world writable
+ if [ ! "${DOCKERBINARY}" = "" ]; then PREQS_MET="YES"; else PREQS_MET="NO"; fi
+ Register --test-no CONT-8108 --preqs-met ${PREQS_MET} --weight L --network NO --description "Check file permissions for Docker files"
+ if [ ${SKIPTEST} -eq 0 ]; then
+ NOT_WORLD_WRITABLE="/var/run/docker.sock"
+ for I in ${NOT_WORLD_WRITABLE}; do
+ logtext "Test: Check ${I}"
+ if [ -f ${I} ]; then
+ logtext "Result: file ${I} found, permissions will be tested"
+ IsWorldWritable ${I}
+ if [ $? -eq 1 ]; then
+ logtext "Result: file is writable by others, which is a security risk (e.g. privilege escalation)"
+ ReportWarning "${TEST_NO}" "Docker file is world writable" "${I}" "-"
+ DOCKER_FILE_PERMISSIONS_WARNINGS=`expr ${DOCKER_FILE_PERMISSIONS_WARNINGS} + 1`
+ else
+ logtext "Result: file is not writable by others, which is fine"
+ fi
+ fi
+ done
+ if [ ${DOCKER_FILE_PERMISSIONS_WARNINGS} -gt 0 ]; then
+ Display --indent 4 --text "- File permissions" --result WARNINGS --color YELLOW
+ AddHP 0 5
+ else
+ Display --indent 4 --text "- File permissions" --result OK --color GREEN
+ AddHP 5 5
+ fi
+ fi
+#
+#################################################################################
 #
 wait_for_keypress
-- 
cgit v1.2.3
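Review bot: The `if [ -f ${I} ]` guard in the new CONT-8108 loop never fires for its only target, because /var/run/docker.sock is a Unix domain socket and `test -f` is true only for regular files, so the socket is skipped silently, the counter stays at 0 and the test reports OK with full points (AddHP 5 5) for exactly the file the Notes line says it wants to check. A type test that also matches sockets fixes this, `if [ -S "${I}" ] || [ -f "${I}" ]; then`, provided IsWorldWritable (defined elsewhere in the project) accepts a socket path, and `${I}` should be quoted in the `IsWorldWritable ${I}` call as well. Logging the miss explicitly, `logtext "Result: ${I} not found, skipping"`, would make an absent socket distinguishable in the log from a socket that passed, since both currently end in the OK branch. The backtick/expr increment could be written `DOCKER_FILE_PERMISSIONS_WARNINGS=$((DOCKER_FILE_PERMISSIONS_WARNINGS + 1))` if the file targets POSIX sh, but that is style only.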