dockscan 0.1.0

data/lib/dockscan/modules/audit/container-filesystem-diff.rb

@@ -0,0 +1,41 @@
+class ContainerFilesystemDiff < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks for filesystem differences'
+	end
+
+	def check(dockercheck)
+
+		limit=5
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Container have higher number of changed files"
+		si.description="Container have high number of changed files which is not recommended practice.\nThis is not recommended for production as data can be lost. It can also mean successful break in attempt."
+		si.solution="It is recommended to have minimal number of changed files inside container and do not store data inside container. It is recommended to use volumes."
+		si.severity=4 # Low
+		si.risk = { "cvss" => 3.2 } 
+		sp.vuln=si	
+		sp.output=""
+		if scandata.key?("GetContainers") and not scandata["GetContainers"].obj.empty?
+			sp.state="run"
+			scandata["GetContainers"].obj.each do |container|
+				begin
+					ps=container.changes
+					if ps.count > limit then
+						sp.state="vulnerable"
+						allch = ''
+						ps.each do |change|
+							allch << change["Path"] << "\n"
+						end
+						sp.output << idcontainer(container) << " has more than #{limit} file changes: #{ps.count}\n"
+						sp.output << allch
+						sp.output << "\n"
+					end
+				rescue
+				end
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/container-filesystem-shadow.rb

@@ -0,0 +1,37 @@
+class ContainerFileSystemShadow < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks /etc/shadow for problems'
+	end
+
+	def check(dockercheck)
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Container have passwordless users in shadow"
+		si.description="Container have vulnerable entries in /etc/shadow.\nIt allows attacker to login or switch to user without password."
+		si.solution="It is recommended to set password for user or to lock user account."
+		si.severity=6 # High
+		si.risk = { "cvss" => 7.5 } 
+		sp.vuln=si	
+		sp.output=""
+		if scandata.key?("GetContainers") and not scandata["GetContainers"].obj.empty?
+			sp.state="run"
+			scandata["GetContainers"].obj.each do |container|
+				content=''
+				container.copy('/etc/shadow') { |chunk| content=content+chunk }
+				shcontent=''
+				Gem::Package::TarReader.new(StringIO.new(content)) { |t| shcontent=t.first.read }
+				# shcontent.split("\n").each do |line|
+				shcontent.lines.map(&:chomp).each do |line|
+					shfield=line.split(":")
+					if shfield[1].to_s=='' then
+						sp.state="vulnerable"
+						sp.output << idcontainer(container) << " does not have password set for user: #{shfield[0]}\n"
+					end
+				end
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/container-number-process.rb

@@ -0,0 +1,36 @@
+class ContainerNumberProcess < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks number of container processes'
+	end
+
+	def check(dockercheck)
+
+		limit=1
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Container have higher number of processess"
+		si.description="Container have more than allowable number of processes.\nThis is not recommended for production as it does not provide intended isolation."
+		si.solution="It is recommended to have single process inside container. If you have more than one process, it is recommended to split them in separate containers."
+		si.severity=4 # Low
+		si.risk = { "cvss" => 3.2 } 
+		sp.vuln=si	
+		sp.output=""
+		if scandata.key?("GetContainersRunning") and not scandata["GetContainersRunning"].obj.empty?
+			sp.state="run"
+			scandata["GetContainersRunning"].obj.each do |container|
+				ps=container.top
+				if ps.count > limit then
+					sp.state="vulnerable"
+					sp.output << idcontainer(container) << " has more than #{limit} process(es): #{ps.count}\n"
+					ps.each do |process|
+						sp.output << process["CMD"] << "\n"
+					end
+					sp.output << "\n"
+				end
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/container-sshd-process.rb

@@ -0,0 +1,33 @@
+class ContainerSSHProcess < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks if SSH is running inside container'
+	end
+
+	def check(dockercheck)
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Container have SSH server process"
+		si.description="Docker daemon reports it is running SSH daemon inside container.\nThis is not recommended practice as it provides yet another attack surface for attackers and wastes computer resources."
+		si.solution="It is recommended to remove SSH daemon/client from container. It is recommended to use docker exec command to execute commands inside container."
+		si.severity=4 # Low
+		si.risk = { "cvss" => 3.2 } 
+		sp.vuln=si	
+		sp.output=""
+		if scandata.key?("GetContainersRunning") and not scandata["GetContainersRunning"].obj.empty?
+			sp.state="run"
+			scandata["GetContainersRunning"].obj.each do |container|
+				ps=container.top
+				ps.each do |process|
+					if process["CMD"].include?("ssh") then
+						sp.output << idcontainer(container) << " has SSH process running: " << process["CMD"] << "\n"
+						sp.state="vulnerable"
+						break
+					end
+				end
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/docker-experimental-build.rb

@@ -0,0 +1,27 @@
+class DockerExperimentalBuild < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks if docker is running Experimental Build'
+	end
+
+	def check(dockercheck)
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Running Experimental version of Docker."
+		si.description="Docker daemon reports it is running ExperimentalBuild.\nThis is not recommended for production as it might have problems and security issues."
+		si.solution="It is recommended to replace Docker version with stable and production ready one."
+		si.severity=6 # High
+		si.risk = { "cvss" => 7.0 } 
+		si.reflinks = {"Docker's Experimental Binary" => "https://blog.docker.com/2015/06/experimental-binary/"}
+		sp.vuln=si	
+		if scandata.key?("GetDockerInfo") and scandata["GetDockerInfo"].obj.key?("ExperimentalBuild")
+			sp.state="run"
+			if scandata["GetDockerInfo"].obj["ExperimentalBuild"] == true then
+				sp.output = "Docker daemon reports it is running ExperimentalBuild."
+				sp.state="vulnerable"
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/docker-insecure-registries.rb

@@ -0,0 +1,53 @@
+class DockerInsecureRegistries < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks if insecure registries in use'
+	end
+
+	def check(dockercheck)
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Insecure registries in use"
+		si.description="Docker daemon reports it is running configuration with insecure registries.\nThis is not recommended as attacker is able to deploy malicious images to registries."
+		si.solution="It is recommended to use secure registries and configuration without insecure registries."
+		si.severity=4 # Low
+		si.risk = { "cvss" => 3.2 } 
+		si.references = {"CIS" => "2.5 Do not use insecure registries" }
+		sp.vuln=si	
+		if scandata.key?("GetDockerInfo") and scandata["GetDockerInfo"].obj.key?("RegistryConfig")
+			sp.state="run"
+			vulnerable = false
+			outputregs = ""
+			outputindexs = ""
+			# ["RegistryConfig"]["InsecureRegistryCIDRs"].each do |item| puts item end
+			scandata["GetDockerInfo"].obj["RegistryConfig"]["InsecureRegistryCIDRs"].each do |item|
+				if item != "127.0.0.0/8" then
+					vulnerable=true
+					outputregs = item << "\n"
+				end
+			end
+			# Docker.info["RegistryConfig"]["IndexConfigs"].each do |item,value| puts item,value,value["Secure"] end
+			scandata["GetDockerInfo"].obj["RegistryConfig"]["IndexConfigs"].each do |item, value|
+				if value["Secure"] != true
+					vulnerable=true
+					outputindexs = item value["Name"] << "\n"
+				end
+			end
+
+			if vulnerable then
+				sp.state="vulnerable"
+				sp.output = "Docker daemon reports it is using insecure registries. Offending issues below.\n "
+				if outputregs != "" then
+					sp.output << "Insecure CIDRs offending configuration:\n"
+					sp.output << outputregs << "\n"
+				end
+				if outputindexs != "" then
+					sp.output << "Offending registry indexes:\n"
+					sp.output << outputindexs << "\n"
+				end
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/docker-limits.rb

@@ -0,0 +1,34 @@
+class DockerLimits < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks if docker is running with defined limits'
+	end
+
+	def check(dockercheck)
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Docker running without defined limits"
+		si.description="Docker daemon reports it is running daemon without defined limits.\nThis is not recommended as offending containers could use up all resources."
+		si.solution="It is recommended to define docker limits."
+		si.severity=5 # Medium
+		si.risk = { "cvss" => 4.4 } 
+		si.references = {"CIS" => "2.10 Set default ulimit as appropriate" }
+		sp.output=""
+		sp.vuln=si	
+		if scandata.key?("GetDockerInfo") and scandata["GetDockerInfo"].obj.key?("MemoryLimit")
+			sp.state="run"
+			if scandata["GetDockerInfo"].obj["MemoryLimit"] == false then
+				sp.output << "Docker daemon reports it is running without memory limit.\n"
+				sp.state="vulnerable"
+			end
+		end
+		if scandata.key?("GetDockerInfo") and scandata["GetDockerInfo"].obj.key?("SwapLimit")
+			if scandata["GetDockerInfo"].obj["SwapLimit"] == false then
+				sp.output << "Docker daemon reports it is running without swap limit.\n"
+				sp.state="vulnerable"
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/docker-networking-forwarding.rb

@@ -0,0 +1,27 @@
+class DockerIPV4Forwarding < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks if docker is running with ipv4 forwarding enabled'
+	end
+
+	def check(dockercheck)
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Docker running with IPv4 forwarding enabled"
+		si.description="Docker daemon reports it is running daemon with IPv4 forwarding enabled.\nThis is not recommended for production as it forwards network packets without rules."
+		si.solution="It is recommended to disable IPv4 forwarding by default."
+		si.severity=5 # Medium
+		si.risk = { "cvss" => 5.0 } 
+		si.reflinks = {"ip_forward to expose containers to the public internet" => "https://github.com/docker/docker/issues/11508"}
+		sp.vuln=si	
+		if scandata.key?("GetDockerInfo") and scandata["GetDockerInfo"].obj.key?("IPv4Forwarding")
+			sp.state="run"
+			if scandata["GetDockerInfo"].obj["IPv4Forwarding"] == true then
+				sp.output = "Docker daemon reports it is running with automatic IPv4 forwarding."
+				sp.state="vulnerable"
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/docker-registry-mirror.rb

@@ -0,0 +1,41 @@
+class DockerRegistryMirror < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks if mirror registries are in use'
+	end
+
+	def check(dockercheck)
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Docker registries are not mirrored"
+		si.description="Docker daemon reports it is running configuration without registry mirrors.\nIf you set up local mirror, your docker host does not have to go directly to internet if not needed."
+		si.solution="It is recommended to setup mirror registry."
+		si.severity=4 # Low
+		si.risk = { "cvss" => 3.0 } 
+		si.references = {"CIS" => "2.6 Setup a local registry mirror" }
+		sp.vuln=si	
+		if scandata.key?("GetDockerInfo") and scandata["GetDockerInfo"].obj.key?("RegistryConfig")
+			sp.state="run"
+			vulnerable=true
+			outputindexs = ""
+			scandata["GetDockerInfo"].obj["RegistryConfig"]["IndexConfigs"].each do |item, value|
+				if value["Mirrors"] != nil
+					vulnerable = false
+				else
+					outputindexs << value["Name"] << "\n"
+				end
+			end
+
+			if vulnerable then
+				sp.state="vulnerable"
+				sp.output = "Docker daemon reports it does not have mirror registries.\n"
+				if outputindexs != "" then
+					sp.output << "Offending registry indexes:\n"
+					sp.output << outputindexs << "\n"
+				end
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit/docker-storage-driver-aufs.rb

@@ -0,0 +1,28 @@
+class DockerStorageDriverAufs < Dockscan::Modules::AuditModule
+
+	def info
+		return 'This plugin checks if storage driver is aufs'
+	end
+
+	def check(dockercheck)
+		sp=Dockscan::Scan::Plugin.new
+		si=Dockscan::Scan::Issue.new
+		si.title="Running aufs as storage driver"
+		si.description="Docker daemon reports it is running aufs as storage driver.\nThis is not recommended for production as it might have problems and security issues."
+		si.solution="It is recommended to use devicemapper instead of aufs storage driver. Actually, you should use the storage driver that is best supported by your vendor."
+		si.severity=4 # Low
+		si.risk = { "cvss" => 3.2 } 
+		si.reflinks = {"Switching Docker from aufs to devicemapper" => "http://muehe.org/posts/switching-docker-from-aufs-to-devicemapper/"}
+		si.references = {"CIS" => "2.7 Do not use the aufs storage driver" }
+		sp.vuln=si	
+		if scandata.key?("GetDockerInfo") and scandata["GetDockerInfo"].obj.key?("Driver")
+			sp.state="run"
+			if scandata["GetDockerInfo"].obj["Driver"] == true then
+				sp.output = "Docker daemon reports it is running aufs as storage driver."
+				sp.state="vulnerable"
+			end
+		end
+		return sp
+	end
+end
+

data/lib/dockscan/modules/audit.rb

@@ -0,0 +1,32 @@
+module Dockscan
+module Modules
+
+class AuditModule < GenericModule
+	attr_accessor :scandata
+
+	def info
+		raise "#{self.class.name} doesn't implement `handle_command`!"
+	end
+
+	def idcontainer(container)
+		str=''
+		str << container.id
+		str << " ("
+		names = ''
+		container.info["Names"].each do |name|
+			names << name << " "
+		end
+		str << names
+		str << ")"
+		str << " with IP: "
+		str << container.json["NetworkSettings"]["IPAddress"]
+		return str
+	end
+
+	def check(dockercheck)
+		raise "#{self.class.name} doesn't implement `handle_command`!"
+	end
+end # class
+
+end # Module
+end # Dockscan

data/lib/dockscan/modules/discover/get-containers.rb

@@ -0,0 +1,14 @@
+class GetContainers < Dockscan::Modules::DiscoverModule
+
+	def info
+		return 'Container discovery module'
+	end
+
+	def run
+		sp=Dockscan::Scan::Plugin.new
+		sp.obj = Docker::Container.all(:all => true)
+		sp.output = sp.obj.map{|k,v| "#{k}=#{v}"}.join("\n")
+		return sp
+	end
+end
+

data/lib/dockscan/modules/discover/get-docker-info.rb

@@ -0,0 +1,17 @@
+require 'docker'
+
+class GetDockerInfo < Dockscan::Modules::DiscoverModule
+
+	def info
+		return 'Info discovery module'
+	end
+
+	def run
+		sp=Dockscan::Scan::Plugin.new
+		sp.obj = Docker.info
+		sp.output = sp.obj.map{|k,v| "#{k}=#{v}"}.join("\n")
+		sp.state = "run"
+		return sp
+	end
+end
+

data/lib/dockscan/modules/discover/get-docker-version.rb

@@ -0,0 +1,14 @@
+class GetDockerVersion < Dockscan::Modules::DiscoverModule
+
+	def info
+		return 'Info discovery module'
+	end
+
+	def run
+		sp=Dockscan::Scan::Plugin.new
+		sp.obj = Docker.version
+		sp.output = sp.obj.map{|k,v| "#{k}=#{v}"}.join("\n")
+		return sp
+	end
+end
+

data/lib/dockscan/modules/discover/get-images.rb

@@ -0,0 +1,16 @@
+require 'docker'
+
+class GetImages < Dockscan::Modules::DiscoverModule
+
+	def info
+		return 'Image discovery module'
+	end
+
+	def run
+		sp=Dockscan::Scan::Plugin.new
+		sp.obj = Docker::Image.all
+		sp.output = sp.obj.map{|k,v| "#{k}=#{v}"}.join("\n")
+		return sp
+	end
+end
+

data/lib/dockscan/modules/discover/get-run-containers.rb

@@ -0,0 +1,14 @@
+class GetContainersRunning < Dockscan::Modules::DiscoverModule
+
+	def info
+		return 'Running Container discovery module'
+	end
+
+	def run
+		sp=Dockscan::Scan::Plugin.new
+		sp.obj = Docker::Container.all
+		sp.output = sp.obj.map{|k,v| "#{k}=#{v}"}.join("\n")
+		return sp
+	end
+end
+

data/lib/dockscan/modules/discover.rb

@@ -0,0 +1,16 @@
+module Dockscan
+module Modules
+
+class DiscoverModule < GenericModule
+	attr_accessor :scandata
+	def info
+		raise "#{self.class.name} doesn't implement `handle_command`!"
+	end
+
+	def run
+		raise "#{self.class.name} doesn't implement `handle_command`!"
+	end
+end # class
+
+end # Module
+end # Dockscan

data/lib/dockscan/modules/genmodule.rb

@@ -0,0 +1,17 @@
+module Dockscan
+module Modules
+
+class GenericModule
+  def self.modules
+    @modules ||= []
+  end
+  
+  def self.inherited(klass)
+    @modules ||= []
+    
+    @modules << klass
+  end
+end # Class
+
+end # Module
+end # Dockscan