kastell 2.0.0 → 2.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +85 -0
- package/README.md +1 -1
- package/README.tr.md +1 -1
- package/dist/commands/audit.d.ts +3 -0
- package/dist/commands/audit.d.ts.map +1 -1
- package/dist/commands/audit.js +61 -32
- package/dist/commands/audit.js.map +1 -1
- package/dist/commands/config.js +1 -1
- package/dist/commands/config.js.map +1 -1
- package/dist/commands/doctor.d.ts +1 -0
- package/dist/commands/doctor.d.ts.map +1 -1
- package/dist/commands/doctor.js +25 -7
- package/dist/commands/doctor.js.map +1 -1
- package/dist/commands/explain.d.ts +6 -0
- package/dist/commands/explain.d.ts.map +1 -0
- package/dist/commands/explain.js +28 -0
- package/dist/commands/explain.js.map +1 -0
- package/dist/commands/fix.d.ts +2 -0
- package/dist/commands/fix.d.ts.map +1 -1
- package/dist/commands/fix.js +54 -15
- package/dist/commands/fix.js.map +1 -1
- package/dist/commands/fleet.d.ts.map +1 -1
- package/dist/commands/fleet.js +1 -0
- package/dist/commands/fleet.js.map +1 -1
- package/dist/commands/init.d.ts.map +1 -1
- package/dist/commands/init.js +175 -1
- package/dist/commands/init.js.map +1 -1
- package/dist/commands/interactive.d.ts.map +1 -1
- package/dist/commands/interactive.js +59 -1
- package/dist/commands/interactive.js.map +1 -1
- package/dist/commands/plugin.d.ts +8 -0
- package/dist/commands/plugin.d.ts.map +1 -0
- package/dist/commands/plugin.js +87 -0
- package/dist/commands/plugin.js.map +1 -0
- package/dist/commands/regression.d.ts +5 -0
- package/dist/commands/regression.d.ts.map +1 -0
- package/dist/commands/regression.js +40 -0
- package/dist/commands/regression.js.map +1 -0
- package/dist/core/audit/checkIds.d.ts +516 -0
- package/dist/core/audit/checkIds.d.ts.map +1 -0
- package/dist/core/audit/checkIds.js +515 -0
- package/dist/core/audit/checkIds.js.map +1 -0
- package/dist/core/audit/checks/accounts.d.ts.map +1 -1
- package/dist/core/audit/checks/accounts.js +23 -22
- package/dist/core/audit/checks/accounts.js.map +1 -1
- package/dist/core/audit/checks/auth.d.ts.map +1 -1
- package/dist/core/audit/checks/auth.js +23 -22
- package/dist/core/audit/checks/auth.js.map +1 -1
- package/dist/core/audit/checks/backup.d.ts.map +1 -1
- package/dist/core/audit/checks/backup.js +9 -8
- package/dist/core/audit/checks/backup.js.map +1 -1
- package/dist/core/audit/checks/banners.d.ts.map +1 -1
- package/dist/core/audit/checks/banners.js +7 -6
- package/dist/core/audit/checks/banners.js.map +1 -1
- package/dist/core/audit/checks/boot.d.ts.map +1 -1
- package/dist/core/audit/checks/boot.js +12 -11
- package/dist/core/audit/checks/boot.js.map +1 -1
- package/dist/core/audit/checks/cloudmeta.d.ts.map +1 -1
- package/dist/core/audit/checks/cloudmeta.js +7 -6
- package/dist/core/audit/checks/cloudmeta.js.map +1 -1
- package/dist/core/audit/checks/crypto.d.ts +0 -5
- package/dist/core/audit/checks/crypto.d.ts.map +1 -1
- package/dist/core/audit/checks/crypto.js +20 -19
- package/dist/core/audit/checks/crypto.js.map +1 -1
- package/dist/core/audit/checks/ddos.d.ts.map +1 -1
- package/dist/core/audit/checks/ddos.js +9 -8
- package/dist/core/audit/checks/ddos.js.map +1 -1
- package/dist/core/audit/checks/dns.d.ts.map +1 -1
- package/dist/core/audit/checks/dns.js +9 -8
- package/dist/core/audit/checks/dns.js.map +1 -1
- package/dist/core/audit/checks/docker.d.ts.map +1 -1
- package/dist/core/audit/checks/docker.js +65 -64
- package/dist/core/audit/checks/docker.js.map +1 -1
- package/dist/core/audit/checks/fileintegrity.d.ts.map +1 -1
- package/dist/core/audit/checks/fileintegrity.js +11 -10
- package/dist/core/audit/checks/fileintegrity.js.map +1 -1
- package/dist/core/audit/checks/filesystem.d.ts.map +1 -1
- package/dist/core/audit/checks/filesystem.js +21 -20
- package/dist/core/audit/checks/filesystem.js.map +1 -1
- package/dist/core/audit/checks/firewall.d.ts.map +1 -1
- package/dist/core/audit/checks/firewall.js +18 -17
- package/dist/core/audit/checks/firewall.js.map +1 -1
- package/dist/core/audit/checks/httpHeaders.d.ts.map +1 -1
- package/dist/core/audit/checks/httpHeaders.js +7 -6
- package/dist/core/audit/checks/httpHeaders.js.map +1 -1
- package/dist/core/audit/checks/incidentready.d.ts.map +1 -1
- package/dist/core/audit/checks/incidentready.js +13 -12
- package/dist/core/audit/checks/incidentready.js.map +1 -1
- package/dist/core/audit/checks/kernel.d.ts.map +1 -1
- package/dist/core/audit/checks/kernel.js +32 -31
- package/dist/core/audit/checks/kernel.js.map +1 -1
- package/dist/core/audit/checks/logging.d.ts.map +1 -1
- package/dist/core/audit/checks/logging.js +21 -20
- package/dist/core/audit/checks/logging.js.map +1 -1
- package/dist/core/audit/checks/mac.d.ts.map +1 -1
- package/dist/core/audit/checks/mac.js +11 -10
- package/dist/core/audit/checks/mac.js.map +1 -1
- package/dist/core/audit/checks/malware.d.ts.map +1 -1
- package/dist/core/audit/checks/malware.js +12 -11
- package/dist/core/audit/checks/malware.js.map +1 -1
- package/dist/core/audit/checks/memory.d.ts.map +1 -1
- package/dist/core/audit/checks/memory.js +12 -11
- package/dist/core/audit/checks/memory.js.map +1 -1
- package/dist/core/audit/checks/network.d.ts.map +1 -1
- package/dist/core/audit/checks/network.js +22 -21
- package/dist/core/audit/checks/network.js.map +1 -1
- package/dist/core/audit/checks/nginx.d.ts.map +1 -1
- package/dist/core/audit/checks/nginx.js +17 -16
- package/dist/core/audit/checks/nginx.js.map +1 -1
- package/dist/core/audit/checks/resourcelimits.d.ts.map +1 -1
- package/dist/core/audit/checks/resourcelimits.js +9 -8
- package/dist/core/audit/checks/resourcelimits.js.map +1 -1
- package/dist/core/audit/checks/scheduling.d.ts.map +1 -1
- package/dist/core/audit/checks/scheduling.js +13 -12
- package/dist/core/audit/checks/scheduling.js.map +1 -1
- package/dist/core/audit/checks/secrets.d.ts.map +1 -1
- package/dist/core/audit/checks/secrets.js +16 -15
- package/dist/core/audit/checks/secrets.js.map +1 -1
- package/dist/core/audit/checks/services.d.ts.map +1 -1
- package/dist/core/audit/checks/services.js +26 -25
- package/dist/core/audit/checks/services.js.map +1 -1
- package/dist/core/audit/checks/ssh.d.ts.map +1 -1
- package/dist/core/audit/checks/ssh.js +23 -22
- package/dist/core/audit/checks/ssh.js.map +1 -1
- package/dist/core/audit/checks/supplychain.d.ts.map +1 -1
- package/dist/core/audit/checks/supplychain.js +13 -12
- package/dist/core/audit/checks/supplychain.js.map +1 -1
- package/dist/core/audit/checks/time.d.ts.map +1 -1
- package/dist/core/audit/checks/time.js +10 -9
- package/dist/core/audit/checks/time.js.map +1 -1
- package/dist/core/audit/checks/tls.d.ts.map +1 -1
- package/dist/core/audit/checks/tls.js +9 -8
- package/dist/core/audit/checks/tls.js.map +1 -1
- package/dist/core/audit/checks/updates.d.ts.map +1 -1
- package/dist/core/audit/checks/updates.js +12 -11
- package/dist/core/audit/checks/updates.js.map +1 -1
- package/dist/core/audit/compliance/categories/index.d.ts +3 -0
- package/dist/core/audit/compliance/categories/index.d.ts.map +1 -0
- package/dist/core/audit/compliance/categories/index.js +737 -0
- package/dist/core/audit/compliance/categories/index.js.map +1 -0
- package/dist/core/audit/compliance/helpers.d.ts +17 -0
- package/dist/core/audit/compliance/helpers.d.ts.map +1 -0
- package/dist/core/audit/compliance/helpers.js +40 -0
- package/dist/core/audit/compliance/helpers.js.map +1 -0
- package/dist/core/audit/compliance/mapper.d.ts +4 -16
- package/dist/core/audit/compliance/mapper.d.ts.map +1 -1
- package/dist/core/audit/compliance/mapper.js +3 -776
- package/dist/core/audit/compliance/mapper.js.map +1 -1
- package/dist/core/audit/diff.d.ts +12 -1
- package/dist/core/audit/diff.d.ts.map +1 -1
- package/dist/core/audit/diff.js +121 -0
- package/dist/core/audit/diff.js.map +1 -1
- package/dist/core/audit/explainCheck.d.ts +26 -0
- package/dist/core/audit/explainCheck.d.ts.map +1 -0
- package/dist/core/audit/explainCheck.js +165 -0
- package/dist/core/audit/explainCheck.js.map +1 -0
- package/dist/core/audit/fix-history.d.ts +16 -7
- package/dist/core/audit/fix-history.d.ts.map +1 -1
- package/dist/core/audit/fix-history.js +25 -2
- package/dist/core/audit/fix-history.js.map +1 -1
- package/dist/core/audit/fix.d.ts +21 -6
- package/dist/core/audit/fix.d.ts.map +1 -1
- package/dist/core/audit/fix.js +139 -49
- package/dist/core/audit/fix.js.map +1 -1
- package/dist/core/audit/history.d.ts.map +1 -1
- package/dist/core/audit/history.js +2 -1
- package/dist/core/audit/history.js.map +1 -1
- package/dist/core/audit/index.d.ts.map +1 -1
- package/dist/core/audit/index.js +3 -2
- package/dist/core/audit/index.js.map +1 -1
- package/dist/core/audit/listChecks.d.ts +7 -0
- package/dist/core/audit/listChecks.d.ts.map +1 -1
- package/dist/core/audit/listChecks.js +1 -1
- package/dist/core/audit/listChecks.js.map +1 -1
- package/dist/core/audit/regression.d.ts +15 -0
- package/dist/core/audit/regression.d.ts.map +1 -0
- package/dist/core/audit/regression.js +149 -0
- package/dist/core/audit/regression.js.map +1 -0
- package/dist/core/audit/snapshot.d.ts.map +1 -1
- package/dist/core/audit/snapshot.js +91 -29
- package/dist/core/audit/snapshot.js.map +1 -1
- package/dist/core/audit/types.d.ts +63 -1
- package/dist/core/audit/types.d.ts.map +1 -1
- package/dist/core/audit/watch.d.ts.map +1 -1
- package/dist/core/audit/watch.js +3 -2
- package/dist/core/audit/watch.js.map +1 -1
- package/dist/core/bot/handlers.d.ts.map +1 -1
- package/dist/core/bot/handlers.js +9 -18
- package/dist/core/bot/handlers.js.map +1 -1
- package/dist/core/completions.d.ts.map +1 -1
- package/dist/core/completions.js +24 -2
- package/dist/core/completions.js.map +1 -1
- package/dist/core/defaults.d.ts +4 -0
- package/dist/core/defaults.d.ts.map +1 -0
- package/dist/core/defaults.js +34 -0
- package/dist/core/defaults.js.map +1 -0
- package/dist/core/doctor-fix.d.ts +1 -1
- package/dist/core/doctor-fix.d.ts.map +1 -1
- package/dist/core/doctor-fix.js +17 -2
- package/dist/core/doctor-fix.js.map +1 -1
- package/dist/core/doctor.d.ts +4 -0
- package/dist/core/doctor.d.ts.map +1 -1
- package/dist/core/doctor.js +26 -2
- package/dist/core/doctor.js.map +1 -1
- package/dist/core/firewall.d.ts +1 -4
- package/dist/core/firewall.d.ts.map +1 -1
- package/dist/core/firewall.js +19 -25
- package/dist/core/firewall.js.map +1 -1
- package/dist/core/fleet.d.ts +8 -0
- package/dist/core/fleet.d.ts.map +1 -1
- package/dist/core/fleet.js +49 -5
- package/dist/core/fleet.js.map +1 -1
- package/dist/core/manage.d.ts +9 -6
- package/dist/core/manage.d.ts.map +1 -1
- package/dist/core/manage.js +2 -1
- package/dist/core/manage.js.map +1 -1
- package/dist/core/notify.d.ts.map +1 -1
- package/dist/core/notify.js +2 -1
- package/dist/core/notify.js.map +1 -1
- package/dist/core/plugin.d.ts +23 -0
- package/dist/core/plugin.d.ts.map +1 -0
- package/dist/core/plugin.js +107 -0
- package/dist/core/plugin.js.map +1 -0
- package/dist/core/scheduleManager.d.ts +2 -1
- package/dist/core/scheduleManager.d.ts.map +1 -1
- package/dist/core/scheduleManager.js +8 -5
- package/dist/core/scheduleManager.js.map +1 -1
- package/dist/core/status.d.ts +1 -0
- package/dist/core/status.d.ts.map +1 -1
- package/dist/core/status.js +20 -6
- package/dist/core/status.js.map +1 -1
- package/dist/index.js +65 -2
- package/dist/index.js.map +1 -1
- package/dist/mcp/index.js +5 -9
- package/dist/mcp/index.js.map +1 -1
- package/dist/mcp/server.d.ts.map +1 -1
- package/dist/mcp/server.js +44 -2
- package/dist/mcp/server.js.map +1 -1
- package/dist/mcp/tools/serverAudit.d.ts.map +1 -1
- package/dist/mcp/tools/serverAudit.js +15 -0
- package/dist/mcp/tools/serverAudit.js.map +1 -1
- package/dist/mcp/tools/serverCompare.d.ts +15 -0
- package/dist/mcp/tools/serverCompare.d.ts.map +1 -0
- package/dist/mcp/tools/serverCompare.js +43 -0
- package/dist/mcp/tools/serverCompare.js.map +1 -0
- package/dist/mcp/tools/serverDoctor.d.ts.map +1 -1
- package/dist/mcp/tools/serverDoctor.js +2 -1
- package/dist/mcp/tools/serverDoctor.js.map +1 -1
- package/dist/mcp/tools/serverExplain.d.ts +8 -0
- package/dist/mcp/tools/serverExplain.d.ts.map +1 -0
- package/dist/mcp/tools/serverExplain.js +14 -0
- package/dist/mcp/tools/serverExplain.js.map +1 -0
- package/dist/mcp/tools/serverFix.d.ts +2 -0
- package/dist/mcp/tools/serverFix.d.ts.map +1 -1
- package/dist/mcp/tools/serverFix.js +40 -2
- package/dist/mcp/tools/serverFix.js.map +1 -1
- package/dist/mcp/tools/serverFleet.d.ts +2 -0
- package/dist/mcp/tools/serverFleet.d.ts.map +1 -1
- package/dist/mcp/tools/serverFleet.js +10 -1
- package/dist/mcp/tools/serverFleet.js.map +1 -1
- package/dist/mcp/tools/serverManage.d.ts.map +1 -1
- package/dist/mcp/tools/serverManage.js +10 -9
- package/dist/mcp/tools/serverManage.js.map +1 -1
- package/dist/mcp/tools/serverPlugin.d.ts +12 -0
- package/dist/mcp/tools/serverPlugin.d.ts.map +1 -0
- package/dist/mcp/tools/serverPlugin.js +22 -0
- package/dist/mcp/tools/serverPlugin.js.map +1 -0
- package/dist/plugin/loader.d.ts +10 -0
- package/dist/plugin/loader.d.ts.map +1 -0
- package/dist/plugin/loader.js +88 -0
- package/dist/plugin/loader.js.map +1 -0
- package/dist/plugin/registry.d.ts +16 -0
- package/dist/plugin/registry.d.ts.map +1 -0
- package/dist/plugin/registry.js +99 -0
- package/dist/plugin/registry.js.map +1 -0
- package/dist/plugin/sdk/constants.d.ts +3 -0
- package/dist/plugin/sdk/constants.d.ts.map +1 -0
- package/dist/plugin/sdk/constants.js +3 -0
- package/dist/plugin/sdk/constants.js.map +1 -0
- package/dist/plugin/sdk/types.d.ts +29 -0
- package/dist/plugin/sdk/types.d.ts.map +1 -0
- package/dist/plugin/sdk/types.js +2 -0
- package/dist/plugin/sdk/types.js.map +1 -0
- package/dist/plugin/validate.d.ts +3 -0
- package/dist/plugin/validate.d.ts.map +1 -0
- package/dist/plugin/validate.js +31 -0
- package/dist/plugin/validate.js.map +1 -0
- package/dist/providers/base.d.ts.map +1 -1
- package/dist/providers/base.js +2 -1
- package/dist/providers/base.js.map +1 -1
- package/dist/types/index.d.ts +8 -1
- package/dist/types/index.d.ts.map +1 -1
- package/dist/types/index.js +1 -1
- package/dist/types/index.js.map +1 -1
- package/dist/utils/dates.d.ts +3 -0
- package/dist/utils/dates.d.ts.map +1 -0
- package/dist/utils/dates.js +10 -0
- package/dist/utils/dates.js.map +1 -0
- package/dist/utils/errorMapper.d.ts.map +1 -1
- package/dist/utils/errorMapper.js +2 -1
- package/dist/utils/errorMapper.js.map +1 -1
- package/dist/utils/errors.d.ts +1 -0
- package/dist/utils/errors.d.ts.map +1 -1
- package/dist/utils/errors.js +3 -0
- package/dist/utils/errors.js.map +1 -1
- package/dist/utils/migration.d.ts.map +1 -1
- package/dist/utils/migration.js +2 -1
- package/dist/utils/migration.js.map +1 -1
- package/dist/utils/paths.d.ts +4 -0
- package/dist/utils/paths.d.ts.map +1 -1
- package/dist/utils/paths.js +4 -0
- package/dist/utils/paths.js.map +1 -1
- package/dist/utils/prompts.d.ts +6 -0
- package/dist/utils/prompts.d.ts.map +1 -1
- package/dist/utils/prompts.js +11 -0
- package/dist/utils/prompts.js.map +1 -1
- package/dist/utils/{defaults.d.ts → providerConfig.d.ts} +1 -1
- package/dist/utils/providerConfig.d.ts.map +1 -0
- package/dist/utils/{defaults.js → providerConfig.js} +1 -1
- package/dist/utils/providerConfig.js.map +1 -0
- package/dist/utils/secureWrite.d.ts.map +1 -1
- package/dist/utils/secureWrite.js +2 -1
- package/dist/utils/secureWrite.js.map +1 -1
- package/dist/utils/version.d.ts +4 -0
- package/dist/utils/version.d.ts.map +1 -0
- package/dist/utils/version.js +22 -0
- package/dist/utils/version.js.map +1 -0
- package/dist/utils/yamlConfig.d.ts.map +1 -1
- package/dist/utils/yamlConfig.js +3 -2
- package/dist/utils/yamlConfig.js.map +1 -1
- package/package.json +3 -1
- package/dist/utils/defaults.d.ts.map +0 -1
- package/dist/utils/defaults.js.map +0 -1
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
* Parses sysctl output into 8 DDoS-specific audit checks.
|
|
4
4
|
* Handles Docker/Coolify platform guard for DDOS-TW-REUSE.
|
|
5
5
|
*/
|
|
6
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
6
7
|
import { extractSysctlValue } from "./shared/sysctl.js";
|
|
7
8
|
const CATEGORY = "DDoS Hardening";
|
|
8
9
|
export const parseDdosChecks = (sectionOutput, platform) => {
|
|
@@ -12,7 +13,7 @@ export const parseDdosChecks = (sectionOutput, platform) => {
|
|
|
12
13
|
// DDOS-SYN-BACKLOG: net.ipv4.tcp_max_syn_backlog >= 2048
|
|
13
14
|
const synBacklog = extractSysctlValue(output, "net.ipv4.tcp_max_syn_backlog");
|
|
14
15
|
const ddosSynBacklog = {
|
|
15
|
-
id:
|
|
16
|
+
id: CHECK_IDS.DDOS.DDOS_SYN_BACKLOG,
|
|
16
17
|
category: CATEGORY,
|
|
17
18
|
name: "TCP SYN Backlog Queue Size",
|
|
18
19
|
severity: "warning",
|
|
@@ -30,7 +31,7 @@ export const parseDdosChecks = (sectionOutput, platform) => {
|
|
|
30
31
|
// DDOS-SYNACK-RETRIES: net.ipv4.tcp_synack_retries <= 3
|
|
31
32
|
const synackRetries = extractSysctlValue(output, "net.ipv4.tcp_synack_retries");
|
|
32
33
|
const ddosSynackRetries = {
|
|
33
|
-
id:
|
|
34
|
+
id: CHECK_IDS.DDOS.DDOS_SYNACK_RETRIES,
|
|
34
35
|
category: CATEGORY,
|
|
35
36
|
name: "TCP SYNACK Retry Count Limited",
|
|
36
37
|
severity: "warning",
|
|
@@ -48,7 +49,7 @@ export const parseDdosChecks = (sectionOutput, platform) => {
|
|
|
48
49
|
// DDOS-FIN-TIMEOUT: net.ipv4.tcp_fin_timeout <= 30
|
|
49
50
|
const finTimeout = extractSysctlValue(output, "net.ipv4.tcp_fin_timeout");
|
|
50
51
|
const ddosFinTimeout = {
|
|
51
|
-
id:
|
|
52
|
+
id: CHECK_IDS.DDOS.DDOS_FIN_TIMEOUT,
|
|
52
53
|
category: CATEGORY,
|
|
53
54
|
name: "TCP FIN Timeout Reduced",
|
|
54
55
|
severity: "warning",
|
|
@@ -66,7 +67,7 @@ export const parseDdosChecks = (sectionOutput, platform) => {
|
|
|
66
67
|
// DDOS-TW-REUSE: net.ipv4.tcp_tw_reuse = 1 (but Docker platforms are exempt)
|
|
67
68
|
const twReuse = extractSysctlValue(output, "net.ipv4.tcp_tw_reuse");
|
|
68
69
|
const ddosTwReuse = {
|
|
69
|
-
id:
|
|
70
|
+
id: CHECK_IDS.DDOS.DDOS_TW_REUSE,
|
|
70
71
|
category: CATEGORY,
|
|
71
72
|
name: "TCP TIME_WAIT Reuse Enabled",
|
|
72
73
|
severity: "info",
|
|
@@ -88,7 +89,7 @@ export const parseDdosChecks = (sectionOutput, platform) => {
|
|
|
88
89
|
// DDOS-ICMP-RATELIMIT: net.ipv4.icmp_ratelimit <= 1000
|
|
89
90
|
const icmpRatelimit = extractSysctlValue(output, "net.ipv4.icmp_ratelimit");
|
|
90
91
|
const ddosIcmpRatelimit = {
|
|
91
|
-
id:
|
|
92
|
+
id: CHECK_IDS.DDOS.DDOS_ICMP_RATELIMIT,
|
|
92
93
|
category: CATEGORY,
|
|
93
94
|
name: "ICMP Rate Limiting Configured",
|
|
94
95
|
severity: "info",
|
|
@@ -106,7 +107,7 @@ export const parseDdosChecks = (sectionOutput, platform) => {
|
|
|
106
107
|
// DDOS-ICMP-BOGUS: net.ipv4.icmp_ignore_bogus_error_responses = 1
|
|
107
108
|
const icmpBogus = extractSysctlValue(output, "net.ipv4.icmp_ignore_bogus_error_responses");
|
|
108
109
|
const ddosIcmpBogus = {
|
|
109
|
-
id:
|
|
110
|
+
id: CHECK_IDS.DDOS.DDOS_ICMP_BOGUS,
|
|
110
111
|
category: CATEGORY,
|
|
111
112
|
name: "Bogus ICMP Error Responses Ignored",
|
|
112
113
|
severity: "info",
|
|
@@ -124,7 +125,7 @@ export const parseDdosChecks = (sectionOutput, platform) => {
|
|
|
124
125
|
// DDOS-SOMAXCONN: net.core.somaxconn >= 1024
|
|
125
126
|
const somaxconn = extractSysctlValue(output, "net.core.somaxconn");
|
|
126
127
|
const ddosSomaxconn = {
|
|
127
|
-
id:
|
|
128
|
+
id: CHECK_IDS.DDOS.DDOS_SOMAXCONN,
|
|
128
129
|
category: CATEGORY,
|
|
129
130
|
name: "Socket Listen Backlog (somaxconn) Size",
|
|
130
131
|
severity: "warning",
|
|
@@ -142,7 +143,7 @@ export const parseDdosChecks = (sectionOutput, platform) => {
|
|
|
142
143
|
// DDOS-SYN-RETRIES: net.ipv4.tcp_syn_retries <= 3
|
|
143
144
|
const synRetries = extractSysctlValue(output, "net.ipv4.tcp_syn_retries");
|
|
144
145
|
const ddosSynRetries = {
|
|
145
|
-
id:
|
|
146
|
+
id: CHECK_IDS.DDOS.DDOS_SYN_RETRIES,
|
|
146
147
|
category: CATEGORY,
|
|
147
148
|
name: "TCP SYN Retry Count Limited",
|
|
148
149
|
severity: "info",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ddos.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/ddos.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,MAAM,QAAQ,GAAG,gBAAgB,CAAC;AAElC,MAAM,CAAC,MAAM,eAAe,GAAgB,CAAC,aAAqB,EAAE,QAAgB,EAAgB,EAAE;IACpG,MAAM,IAAI,GAAG,CAAC,aAAa,IAAI,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK,IAAI,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;IAC7F,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;IACzC,MAAM,UAAU,GAAG,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,SAAS,CAAC;IAEpE,yDAAyD;IACzD,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,EAAE,8BAA8B,CAAC,CAAC;IAC9E,MAAM,cAAc,GAAe;QACjC,EAAE,EAAE,
|
|
1
|
+
{"version":3,"file":"ddos.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/ddos.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAC;AAExD,MAAM,QAAQ,GAAG,gBAAgB,CAAC;AAElC,MAAM,CAAC,MAAM,eAAe,GAAgB,CAAC,aAAqB,EAAE,QAAgB,EAAgB,EAAE;IACpG,MAAM,IAAI,GAAG,CAAC,aAAa,IAAI,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK,IAAI,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;IAC7F,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;IACzC,MAAM,UAAU,GAAG,QAAQ,KAAK,SAAS,IAAI,QAAQ,KAAK,SAAS,CAAC;IAEpE,yDAAyD;IACzD,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,EAAE,8BAA8B,CAAC,CAAC;IAC9E,MAAM,cAAc,GAAe;QACjC,EAAE,EAAE,SAAS,CAAC,IAAI,CAAC,gBAAgB;QACnC,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,IAAI;QAC9E,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,UAAU,KAAK,IAAI;gBACnB,CAAC,CAAC,kCAAkC,UAAU,EAAE;gBAChD,CAAC,CAAC,qBAAqB;QAC3B,aAAa,EAAE,sCAAsC;QACrD,UAAU,EACR,0HAA0H;QAC5H,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,uPAAuP;KAC1P,CAAC;IAEF,wDAAwD;IACxD,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,EAAE,6BAA6B,CAAC,CAAC;IAChF,MAAM,iBAAiB,GAAe;QACpC,EAAE,EAAE,SAAS,CAAC,IAAI,CAAC,mBAAmB;QACtC,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,aAAa,KAAK,IAAI,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,IAAI,CAAC;QACjF,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,aAAa,KAAK,IAAI;gBACtB,CAAC,CAAC,iCAAiC,aAAa,EAAE;gBAClD,CAAC,CAAC,qBAAqB;QAC3B,aAAa,EAAE,kCAAkC;QACjD,UAAU,EACR,kHAAkH;QACpH,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,yOAAyO;KAC5O,CAAC;IAEF,mDAAmD;IACnD,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,EAAE,0BAA0B,CAAC,CAAC;IAC1E,MAAM,cAAc,GAAe;QACjC,EAAE,EAAE,SAAS,CAAC,IAAI,CAAC,gBAAgB;QACnC,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,EAAE;QAC5E,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,UAAU,KAAK,IAAI;gBACnB,CAAC,CAAC,8BAA8B,UAAU,EAAE;gBAC5C,CAAC,CAAC,qBAAqB;QAC3B,aAAa,EAAE,gCAAgC;QAC/C,UAAU,EACR,8GAA8G;QAChH,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,uPAAuP;KAC1P,CAAC;IAEF,6EAA6E;IAC7E,MAAM,OAAO,GAAG,kBAAkB,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC;IACpE,MAAM,WAAW,GAAe;QAC9B,EAAE,EAAE,SAAS,CAAC,IAAI,CAAC,aAAa;QAChC,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,KAAK,GAAG;QAC1D,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,OAAO,KAAK,IAAI;gBAChB,CAAC,CAAC,2BAA2B,OAAO,EAAE;gBACtC,CAAC,CAAC,qBAAqB;QAC3B,aAAa,EAAE,UAAU;YACvB,CAAC,CAAC,sCAAsC;YACxC,CAAC,CAAC,2BAA2B;QAC/B,UAAU,EACR,sGAAsG;QACxG,aAAa,EAAE,MAAM;QACrB,OAAO,EAAE,UAAU;YACjB,CAAC,CAAC,+IAA+I;YACjJ,CAAC,CAAC,wMAAwM;KAC7M,CAAC;IAEF,uDAAuD;IACvD,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,EAAE,yBAAyB,CAAC,CAAC;IAC5E,MAAM,iBAAiB,GAAe;QACpC,EAAE,EAAE,SAAS,CAAC,IAAI,CAAC,mBAAmB;QACtC,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,aAAa,KAAK,IAAI,IAAI,QAAQ,CAAC,aAAa,EAAE,EAAE,CAAC,IAAI,IAAI;QACpF,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,aAAa,KAAK,IAAI;gBACtB,CAAC,CAAC,6BAA6B,aAAa,EAAE;gBAC9C,CAAC,CAAC,qBAAqB;QAC3B,aAAa,EAAE,iCAAiC;QAChD,UAAU,EACR,gHAAgH;QAClH,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,gOAAgO;KACnO,CAAC;IAEF,kEAAkE;IAClE,MAAM,SAAS,GAAG,kBAAkB,CAAC,MAAM,EAAE,4CAA4C,CAAC,CAAC;IAC3F,MAAM,aAAa,GAAe;QAChC,EAAE,EAAE,SAAS,CAAC,IAAI,CAAC,eAAe;QAClC,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,KAAK,GAAG;QACxC,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,SAAS,KAAK,IAAI;gBAClB,CAAC,CAAC,gDAAgD,SAAS,EAAE;gBAC7D,CAAC,CAAC,qBAAqB;QAC3B,aAAa,EAAE,gDAAgD;QAC/D,UAAU,EACR,gJAAgJ;QAClJ,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,0LAA0L;KAC7L,CAAC;IAEF,6CAA6C;IAC7C,MAAM,SAAS,GAAG,kBAAkB,CAAC,MAAM,EAAE,oBAAoB,CAAC,CAAC;IACnE,MAAM,aAAa,GAAe;QAChC,EAAE,EAAE,SAAS,CAAC,IAAI,CAAC,cAAc;QACjC,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,SAAS;QACnB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,KAAK,IAAI,IAAI,QAAQ,CAAC,SAAS,EAAE,EAAE,CAAC,IAAI,IAAI;QAC5E,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,SAAS,KAAK,IAAI;gBAClB,CAAC,CAAC,wBAAwB,SAAS,EAAE;gBACrC,CAAC,CAAC,qBAAqB;QAC3B,aAAa,EAAE,4BAA4B;QAC3C,UAAU,EACR,wGAAwG;QAC1G,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,2PAA2P;KAC9P,CAAC;IAEF,kDAAkD;IAClD,MAAM,UAAU,GAAG,kBAAkB,CAAC,MAAM,EAAE,0BAA0B,CAAC,CAAC;IAC1E,MAAM,cAAc,GAAe;QACjC,EAAE,EAAE,SAAS,CAAC,IAAI,CAAC,gBAAgB;QACnC,QAAQ,EAAE,QAAQ;QAClB,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,MAAM,EAAE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,UAAU,KAAK,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE,EAAE,CAAC,IAAI,CAAC;QAC3E,YAAY,EAAE,IAAI;YAChB,CAAC,CAAC,qBAAqB;YACvB,CAAC,CAAC,UAAU,KAAK,IAAI;gBACnB,CAAC,CAAC,8BAA8B,UAAU,EAAE;gBAC5C,CAAC,CAAC,qBAAqB;QAC3B,aAAa,EAAE,+BAA+B;QAC9C,UAAU,EACR,4GAA4G;QAC9G,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,mKAAmK;KACtK,CAAC;IAEF,OAAO;QACL,cAAc;QACd,iBAAiB;QACjB,cAAc;QACd,WAAW;QACX,iBAAiB;QACjB,aAAa;QACb,aAAa;QACb,cAAc;KACf,CAAC;AACJ,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dns.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/dns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAa,WAAW,EAAoB,MAAM,aAAa,CAAC;AA+L5E,eAAO,MAAM,cAAc,EAAE,
|
|
1
|
+
{"version":3,"file":"dns.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/dns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAa,WAAW,EAAoB,MAAM,aAAa,CAAC;AA+L5E,eAAO,MAAM,cAAc,EAAE,WAuC5B,CAAC"}
|
|
@@ -3,9 +3,10 @@
|
|
|
3
3
|
* Parses DNSSEC status, DoH/DoT tool presence, resolv.conf protection,
|
|
4
4
|
* and nameserver configuration into 4 security checks.
|
|
5
5
|
*/
|
|
6
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
6
7
|
const DNS_CHECKS = [
|
|
7
8
|
{
|
|
8
|
-
id:
|
|
9
|
+
id: CHECK_IDS.DNS.DNS_DNSSEC_ENABLED,
|
|
9
10
|
name: "DNSSEC Validation Enabled",
|
|
10
11
|
severity: "warning",
|
|
11
12
|
check: (output) => {
|
|
@@ -23,7 +24,7 @@ const DNS_CHECKS = [
|
|
|
23
24
|
explain: "DNSSEC validation prevents DNS cache poisoning and man-in-the-middle attacks by verifying cryptographic signatures on DNS responses. Without it, DNS responses can be spoofed to redirect traffic to malicious servers.",
|
|
24
25
|
},
|
|
25
26
|
{
|
|
26
|
-
id:
|
|
27
|
+
id: CHECK_IDS.DNS.DNS_DOH_DOT_AVAILABLE,
|
|
27
28
|
name: "DNS over HTTPS/TLS Tool Installed",
|
|
28
29
|
severity: "info",
|
|
29
30
|
check: (output) => {
|
|
@@ -43,7 +44,7 @@ const DNS_CHECKS = [
|
|
|
43
44
|
explain: "DNS over HTTPS (DoH) and DNS over TLS (DoT) encrypt DNS queries preventing network-level DNS interception and manipulation. Installing a DoH/DoT resolver protects DNS traffic from passive surveillance and active tampering.",
|
|
44
45
|
},
|
|
45
46
|
{
|
|
46
|
-
id:
|
|
47
|
+
id: CHECK_IDS.DNS.DNS_RESOLV_IMMUTABLE,
|
|
47
48
|
name: "/etc/resolv.conf Protected from Modification",
|
|
48
49
|
severity: "warning",
|
|
49
50
|
check: (output) => {
|
|
@@ -61,7 +62,7 @@ const DNS_CHECKS = [
|
|
|
61
62
|
explain: "An unprotected /etc/resolv.conf can be overwritten by DHCP clients, network managers, or malicious processes to redirect all DNS queries to an attacker-controlled resolver, enabling DNS hijacking without any kernel compromise.",
|
|
62
63
|
},
|
|
63
64
|
{
|
|
64
|
-
id:
|
|
65
|
+
id: CHECK_IDS.DNS.DNS_NAMESERVER_CONFIGURED,
|
|
65
66
|
name: "Nameserver Configured in resolv.conf",
|
|
66
67
|
severity: "warning",
|
|
67
68
|
check: (output) => {
|
|
@@ -81,7 +82,7 @@ const DNS_CHECKS = [
|
|
|
81
82
|
explain: "A nameserver must be configured in /etc/resolv.conf for the system to perform DNS lookups. Without it, domain name resolution fails entirely, breaking all network services that rely on hostnames rather than IP addresses.",
|
|
82
83
|
},
|
|
83
84
|
{
|
|
84
|
-
id:
|
|
85
|
+
id: CHECK_IDS.DNS.DNS_MULTIPLE_NAMESERVERS,
|
|
85
86
|
name: "Multiple DNS Nameservers Configured",
|
|
86
87
|
severity: "info",
|
|
87
88
|
check: (output) => {
|
|
@@ -105,7 +106,7 @@ const DNS_CHECKS = [
|
|
|
105
106
|
explain: "A single DNS nameserver creates a single point of failure; multiple servers ensure DNS resolution survives outages.",
|
|
106
107
|
},
|
|
107
108
|
{
|
|
108
|
-
id:
|
|
109
|
+
id: CHECK_IDS.DNS.DNS_RESOLV_NOT_LOCALHOST_ONLY,
|
|
109
110
|
name: "DNS Resolution Not Limited to Localhost Only",
|
|
110
111
|
severity: "info",
|
|
111
112
|
check: (output) => {
|
|
@@ -135,7 +136,7 @@ const DNS_CHECKS = [
|
|
|
135
136
|
explain: "DNS resolution relying solely on localhost without a running resolver causes total DNS failure.",
|
|
136
137
|
},
|
|
137
138
|
{
|
|
138
|
-
id:
|
|
139
|
+
id: CHECK_IDS.DNS.DNS_LOCAL_RESOLVER_ACTIVE,
|
|
139
140
|
name: "systemd-resolved Local Resolver Active",
|
|
140
141
|
severity: "info",
|
|
141
142
|
check: (output) => {
|
|
@@ -152,7 +153,7 @@ const DNS_CHECKS = [
|
|
|
152
153
|
explain: "A local DNS resolver provides caching, DNSSEC validation, and protection against DNS cache poisoning from upstream resolvers.",
|
|
153
154
|
},
|
|
154
155
|
{
|
|
155
|
-
id:
|
|
156
|
+
id: CHECK_IDS.DNS.DNS_SEARCH_DOMAIN_SET,
|
|
156
157
|
name: "DNS Search Domain Configured",
|
|
157
158
|
severity: "info",
|
|
158
159
|
check: (output) => {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"dns.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/dns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;
|
|
1
|
+
{"version":3,"file":"dns.js","sourceRoot":"","sources":["../../../../src/core/audit/checks/dns.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAGH,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAa3C,MAAM,UAAU,GAAkB;IAChC;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,kBAAkB;QACpC,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;gBACtC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,8BAA8B,EAAE,CAAC;YACxE,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;gBACvC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,+BAA+B,EAAE,CAAC;YAC1E,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,uCAAuC,EAAE,CAAC;QAClF,CAAC;QACD,aAAa,EAAE,yEAAyE;QACxF,UAAU,EAAE,8GAA8G;QAC1H,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,yNAAyN;KAC5N;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,qBAAqB;QACvC,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,gCAAgC;YAChC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;YAC3D,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,2BAA2B,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YAC/E,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,4BAA4B,CAAC,EAAE,CAAC;gBAClD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,oDAAoD,EAAE,CAAC;YAC/F,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,+CAA+C,EAAE,CAAC;QAC1F,CAAC;QACD,aAAa,EAAE,qDAAqD;QACpE,UAAU,EAAE,gEAAgE;QAC5E,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,gOAAgO;KACnO;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,oBAAoB;QACtC,IAAI,EAAE,8CAA8C;QACpD,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,IAAI,MAAM,CAAC,QAAQ,CAAC,uBAAuB,CAAC,EAAE,CAAC;gBAC7C,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,qDAAqD,EAAE,CAAC;YAC/F,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAC,EAAE,CAAC;gBAC3C,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,wDAAwD,EAAE,CAAC;YACnG,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,4DAA4D,EAAE,CAAC;QACvG,CAAC;QACD,aAAa,EAAE,8FAA8F;QAC7G,UAAU,EAAE,uHAAuH;QACnI,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,oOAAoO;KACvO;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,yBAAyB;QAC3C,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,SAAS;QACnB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,6BAA6B;YAC7B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,6BAA6B,CAAC,CAAC;YAC1D,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,YAAY,EAAE,0BAA0B,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;YAC9E,CAAC;YACD,IAAI,MAAM,CAAC,QAAQ,CAAC,2BAA2B,CAAC,EAAE,CAAC;gBACjD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,+CAA+C,EAAE,CAAC;YAC1F,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,kDAAkD,EAAE,CAAC;QAC7F,CAAC;QACD,aAAa,EAAE,0DAA0D;QACzE,UAAU,EAAE,+CAA+C;QAC3D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,8NAA8N;KACjO;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,wBAAwB;QAC1C,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,wDAAwD;YACxD,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,sCAAsC,EAAE,CAAC;YACjF,CAAC;YACD,MAAM,KAAK,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YAC1C,MAAM,MAAM,GAAG,KAAK,IAAI,CAAC,CAAC;YAC1B,OAAO;gBACL,MAAM;gBACN,YAAY,EAAE,MAAM;oBAClB,CAAC,CAAC,GAAG,KAAK,+CAA+C;oBACzD,CAAC,CAAC,QAAQ,KAAK,kDAAkD;aACpE,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2DAA2D;QAC1E,UAAU,EAAE,oEAAoE;QAChF,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,qHAAqH;KACxH;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,6BAA6B;QAC/C,IAAI,EAAE,8CAA8C;QACpD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,iDAAiD;YACjD,MAAM,eAAe,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACvF,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,YAAY,EAAE,iDAAiD,EAAE,CAAC;YAC5F,CAAC;YACD,2CAA2C;YAC3C,MAAM,eAAe,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;gBACjD,MAAM,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,oBAAoB,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;gBACtD,OAAO,EAAE,KAAK,WAAW,IAAI,EAAE,KAAK,KAAK,IAAI,EAAE,KAAK,YAAY,CAAC;YACnE,CAAC,CAAC,CAAC;YACH,mFAAmF;YACnF,MAAM,gBAAgB,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC;YAC/E,MAAM,MAAM,GAAG,eAAe,IAAI,gBAAgB,CAAC;YACnD,OAAO;gBACL,MAAM;gBACN,YAAY,EAAE,MAAM;oBAClB,CAAC,CAAC,wDAAwD;oBAC1D,CAAC,CAAC,sFAAsF;aAC3F,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,2EAA2E;QAC1F,UAAU,EAAE,+CAA+C;QAC3D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,iGAAiG;KACpG;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,yBAAyB;QAC3C,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,uEAAuE;YACvE,MAAM,QAAQ,GAAG,YAAY,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YAC3C,OAAO;gBACL,MAAM,EAAE,QAAQ;gBAChB,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,4BAA4B,CAAC,CAAC,CAAC,8BAA8B;aACvF,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,oCAAoC;QACnD,UAAU,EAAE,yCAAyC;QACrD,aAAa,EAAE,SAAS;QACxB,OAAO,EACL,+HAA+H;KAClI;IACD;QACE,EAAE,EAAE,SAAS,CAAC,GAAG,CAAC,qBAAqB;QACvC,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,CAAC,MAAM,EAAE,EAAE;YAChB,sEAAsE;YACtE,MAAM,SAAS,GAAG,oBAAoB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;YAChF,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,YAAY,EAAE,SAAS;oBACrB,CAAC,CAAC,qDAAqD;oBACvD,CAAC,CAAC,iDAAiD;aACtD,CAAC;QACJ,CAAC;QACD,aAAa,EAAE,mDAAmD;QAClE,UAAU,EAAE,+CAA+C;QAC3D,aAAa,EAAE,MAAM;QACrB,OAAO,EACL,wGAAwG;KAC3G;CACF,CAAC;AAEF,MAAM,CAAC,MAAM,cAAc,GAAgB,CACzC,aAAqB,EACrB,SAAiB,EACH,EAAE;IAChB,MAAM,IAAI,GACR,CAAC,aAAa;QACd,aAAa,CAAC,IAAI,EAAE,KAAK,KAAK;QAC9B,aAAa,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,CAAC;IAEzC,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;QAC5B,IAAI,IAAI,EAAE,CAAC;YACT,OAAO;gBACL,EAAE,EAAE,GAAG,CAAC,EAAE;gBACV,QAAQ,EAAE,cAAc;gBACxB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,MAAM,EAAE,KAAK;gBACb,YAAY,EAAE,qBAAqB;gBACnC,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,aAAa,EAAE,GAAG,CAAC,aAAa;gBAChC,OAAO,EAAE,GAAG,CAAC,OAAO;aACrB,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QACnD,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,QAAQ,EAAE,cAAc;YACxB,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,MAAM;YACN,YAAY;YACZ,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,OAAO,EAAE,GAAG,CAAC,OAAO;SACrB,CAAC;IACJ,CAAC,CAAC,CAAC;AACL,CAAC,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/docker.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAc,WAAW,EAAE,MAAM,aAAa,CAAC;
|
|
1
|
+
{"version":3,"file":"docker.d.ts","sourceRoot":"","sources":["../../../../src/core/audit/checks/docker.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAc,WAAW,EAAE,MAAM,aAAa,CAAC;AA+D3D,eAAO,MAAM,iBAAiB,EAAE,WA6qB/B,CAAC"}
|
|
@@ -3,6 +3,7 @@
|
|
|
3
3
|
* Parses docker info/ps output into 6 security checks with semantic IDs.
|
|
4
4
|
* Platform-aware: Docker checks adjust for coolify/dokploy vs bare.
|
|
5
5
|
*/
|
|
6
|
+
import { CHECK_IDS } from "../checkIds.js";
|
|
6
7
|
/** Check if Docker is installed based on output */
|
|
7
8
|
function isDockerAvailable(output) {
|
|
8
9
|
if (!output || output.trim() === "N/A" || output.trim() === "")
|
|
@@ -13,38 +14,38 @@ function isDockerAvailable(output) {
|
|
|
13
14
|
function makeDockerSkippedChecks(severity) {
|
|
14
15
|
const message = "Docker not installed";
|
|
15
16
|
const ids = [
|
|
16
|
-
{ id:
|
|
17
|
-
{ id:
|
|
18
|
-
{ id:
|
|
19
|
-
{ id:
|
|
20
|
-
{ id:
|
|
21
|
-
{ id:
|
|
22
|
-
{ id:
|
|
23
|
-
{ id:
|
|
24
|
-
{ id:
|
|
25
|
-
{ id:
|
|
26
|
-
{ id:
|
|
27
|
-
{ id:
|
|
28
|
-
{ id:
|
|
29
|
-
{ id:
|
|
30
|
-
{ id:
|
|
31
|
-
{ id:
|
|
32
|
-
{ id:
|
|
33
|
-
{ id:
|
|
34
|
-
{ id:
|
|
35
|
-
{ id:
|
|
36
|
-
{ id:
|
|
37
|
-
{ id:
|
|
38
|
-
{ id:
|
|
39
|
-
{ id:
|
|
40
|
-
{ id:
|
|
41
|
-
{ id:
|
|
42
|
-
{ id:
|
|
43
|
-
{ id:
|
|
44
|
-
{ id:
|
|
45
|
-
{ id:
|
|
46
|
-
{ id:
|
|
47
|
-
{ id:
|
|
17
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_TCP_SOCKET, name: "No TCP Socket Exposed" },
|
|
18
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_PRIVILEGED, name: "No Privileged Containers" },
|
|
19
|
+
{ id: CHECK_IDS.DOCKER.DCK_VERSION_CURRENT, name: "Docker Version Current" },
|
|
20
|
+
{ id: CHECK_IDS.DOCKER.DCK_USER_NAMESPACE, name: "User Namespace Enabled" },
|
|
21
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_HOST_NETWORK, name: "No Host Network Containers" },
|
|
22
|
+
{ id: CHECK_IDS.DOCKER.DCK_LOGGING_DRIVER, name: "Logging Driver Configured" },
|
|
23
|
+
{ id: CHECK_IDS.DOCKER.DCK_LIVE_RESTORE, name: "Live Restore Enabled" },
|
|
24
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_NEW_PRIVILEGES, name: "No New Privileges Default" },
|
|
25
|
+
{ id: CHECK_IDS.DOCKER.DCK_ICC_DISABLED, name: "Inter-Container Communication Disabled" },
|
|
26
|
+
{ id: CHECK_IDS.DOCKER.DCK_TLS_VERIFY, name: "TLS Verification Enabled" },
|
|
27
|
+
{ id: CHECK_IDS.DOCKER.DCK_SOCKET_PERMS, name: "Docker Socket Permissions" },
|
|
28
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_ROOT_CONTAINERS, name: "No Root Containers" },
|
|
29
|
+
{ id: CHECK_IDS.DOCKER.DCK_READ_ONLY_ROOTFS, name: "Read-Only Root Filesystem" },
|
|
30
|
+
{ id: CHECK_IDS.DOCKER.DCK_LOG_MAX_SIZE, name: "Log Max Size Configured" },
|
|
31
|
+
{ id: CHECK_IDS.DOCKER.DCK_DEFAULT_ULIMITS, name: "Default Ulimits Configured" },
|
|
32
|
+
{ id: CHECK_IDS.DOCKER.DCK_SECCOMP_ENABLED, name: "Seccomp Profile Applied" },
|
|
33
|
+
{ id: CHECK_IDS.DOCKER.DCK_CONTENT_TRUST, name: "Docker Content Trust Enabled" },
|
|
34
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_SENSITIVE_MOUNTS, name: "No Sensitive Mounts" },
|
|
35
|
+
{ id: CHECK_IDS.DOCKER.DCK_APPARMOR_PROFILE, name: "AppArmor Profile Applied" },
|
|
36
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_PRIVILEGED_PORTS, name: "No Privileged Port Bindings" },
|
|
37
|
+
{ id: CHECK_IDS.DOCKER.DCK_NETWORK_DISABLED, name: "Custom Network Configured" },
|
|
38
|
+
{ id: CHECK_IDS.DOCKER.DCK_LOG_DRIVER_CONFIGURED, name: "Log Driver Not None" },
|
|
39
|
+
{ id: CHECK_IDS.DOCKER.DCK_ROOTLESS_MODE, name: "Rootless Docker Mode" },
|
|
40
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_HOST_NETWORK_INSPECT, name: "No Host Network Mode (Inspect)" },
|
|
41
|
+
{ id: CHECK_IDS.DOCKER.DCK_HEALTH_CHECK, name: "Container Health Checks Configured" },
|
|
42
|
+
{ id: CHECK_IDS.DOCKER.DCK_BRIDGE_NFCALL, name: "Bridge ICC Disabled" },
|
|
43
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_INSECURE_REGISTRY, name: "No Insecure Registries Configured" },
|
|
44
|
+
{ id: CHECK_IDS.DOCKER.DCK_NO_EXPERIMENTAL, name: "Experimental Features Disabled" },
|
|
45
|
+
{ id: CHECK_IDS.DOCKER.DCK_AUTH_PLUGIN, name: "Docker Authorization Plugin Configured" },
|
|
46
|
+
{ id: CHECK_IDS.DOCKER.DCK_REGISTRY_CERTS, name: "Registry TLS Certificates Configured" },
|
|
47
|
+
{ id: CHECK_IDS.DOCKER.DCK_SWARM_INACTIVE, name: "Docker Swarm Mode Inactive" },
|
|
48
|
+
{ id: CHECK_IDS.DOCKER.DCK_PID_MODE, name: "No Host PID Namespace Containers" },
|
|
48
49
|
];
|
|
49
50
|
return ids.map((def) => ({
|
|
50
51
|
id: def.id,
|
|
@@ -97,7 +98,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
97
98
|
const hosts = dockerInfo.Hosts ?? [];
|
|
98
99
|
const hasTcpSocket = hosts.some((h) => h.startsWith("tcp://"));
|
|
99
100
|
const dck01 = {
|
|
100
|
-
id:
|
|
101
|
+
id: CHECK_IDS.DOCKER.DCK_NO_TCP_SOCKET,
|
|
101
102
|
category: "Docker",
|
|
102
103
|
name: "No TCP Socket Exposed",
|
|
103
104
|
severity: "critical",
|
|
@@ -111,7 +112,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
111
112
|
// DCK-NO-PRIVILEGED: No privileged containers
|
|
112
113
|
const hasPrivileged = /--privileged/i.test(sectionOutput) || /"Privileged":\s*true/i.test(sectionOutput);
|
|
113
114
|
const dck02 = {
|
|
114
|
-
id:
|
|
115
|
+
id: CHECK_IDS.DOCKER.DCK_NO_PRIVILEGED,
|
|
115
116
|
category: "Docker",
|
|
116
117
|
name: "No Privileged Containers",
|
|
117
118
|
severity: "critical",
|
|
@@ -127,7 +128,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
127
128
|
const versionMajor = parseInt(version.split(".")[0], 10);
|
|
128
129
|
const isCurrentVersion = !isNaN(versionMajor) && versionMajor >= 24;
|
|
129
130
|
const dck03 = {
|
|
130
|
-
id:
|
|
131
|
+
id: CHECK_IDS.DOCKER.DCK_VERSION_CURRENT,
|
|
131
132
|
category: "Docker",
|
|
132
133
|
name: "Docker Version Current",
|
|
133
134
|
severity: "warning",
|
|
@@ -143,7 +144,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
143
144
|
const hasUserns = securityOpts.some((opt) => opt.includes("userns")) ||
|
|
144
145
|
sectionOutput.includes("userns-remap");
|
|
145
146
|
const dck04 = {
|
|
146
|
-
id:
|
|
147
|
+
id: CHECK_IDS.DOCKER.DCK_USER_NAMESPACE,
|
|
147
148
|
category: "Docker",
|
|
148
149
|
name: "User Namespace Enabled",
|
|
149
150
|
severity: "warning",
|
|
@@ -157,7 +158,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
157
158
|
// DCK-NO-HOST-NETWORK: No host network containers
|
|
158
159
|
const hasHostNetwork = /--network\s*host/i.test(sectionOutput) || /"NetworkMode":\s*"host"/i.test(sectionOutput);
|
|
159
160
|
const dck05 = {
|
|
160
|
-
id:
|
|
161
|
+
id: CHECK_IDS.DOCKER.DCK_NO_HOST_NETWORK,
|
|
161
162
|
category: "Docker",
|
|
162
163
|
name: "No Host Network Containers",
|
|
163
164
|
severity: "warning",
|
|
@@ -172,7 +173,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
172
173
|
const loggingDriver = dockerInfo.LoggingDriver ?? "unknown";
|
|
173
174
|
const hasLogging = loggingDriver !== "none" && loggingDriver !== "unknown";
|
|
174
175
|
const dck06 = {
|
|
175
|
-
id:
|
|
176
|
+
id: CHECK_IDS.DOCKER.DCK_LOGGING_DRIVER,
|
|
176
177
|
category: "Docker",
|
|
177
178
|
name: "Logging Driver Configured",
|
|
178
179
|
severity: "info",
|
|
@@ -202,7 +203,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
202
203
|
// DCK-07: live-restore enabled
|
|
203
204
|
const liveRestoreEnabled = daemonJson["live-restore"] === true || dockerInfo.LiveRestoreEnabled === true;
|
|
204
205
|
const dck07 = {
|
|
205
|
-
id:
|
|
206
|
+
id: CHECK_IDS.DOCKER.DCK_LIVE_RESTORE,
|
|
206
207
|
category: "Docker",
|
|
207
208
|
name: "Live Restore Enabled",
|
|
208
209
|
severity: "warning",
|
|
@@ -218,7 +219,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
218
219
|
const noNewPrivilegesDefault = securityOpts2.some((o) => o.includes("no-new-privileges")) ||
|
|
219
220
|
daemonJson["no-new-privileges"] === true;
|
|
220
221
|
const dck08 = {
|
|
221
|
-
id:
|
|
222
|
+
id: CHECK_IDS.DOCKER.DCK_NO_NEW_PRIVILEGES,
|
|
222
223
|
category: "Docker",
|
|
223
224
|
name: "No New Privileges Default",
|
|
224
225
|
severity: "warning",
|
|
@@ -234,7 +235,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
234
235
|
sectionOutput.includes('"BridgeNfIcc":false') ||
|
|
235
236
|
sectionOutput.includes('"BridgeNfIcc": false');
|
|
236
237
|
const dck09 = {
|
|
237
|
-
id:
|
|
238
|
+
id: CHECK_IDS.DOCKER.DCK_ICC_DISABLED,
|
|
238
239
|
category: "Docker",
|
|
239
240
|
name: "Inter-Container Communication Disabled",
|
|
240
241
|
severity: "warning",
|
|
@@ -250,7 +251,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
250
251
|
const hasTcpExposed = tcpHosts.length > 0;
|
|
251
252
|
const tlsVerifyEnabled = sectionOutput.includes('"tls":true') || sectionOutput.includes('"tlsverify":true');
|
|
252
253
|
const dck10 = {
|
|
253
|
-
id:
|
|
254
|
+
id: CHECK_IDS.DOCKER.DCK_TLS_VERIFY,
|
|
254
255
|
category: "Docker",
|
|
255
256
|
name: "TLS Verification Enabled",
|
|
256
257
|
severity: "critical",
|
|
@@ -267,7 +268,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
267
268
|
const sockStatLine = allLines.find((l) => /^\d{3}\s+\w+\s+\w+/.test(l.trim())) ?? "";
|
|
268
269
|
const sockPermOk = /^660\s+root\s+docker/.test(sockStatLine.trim());
|
|
269
270
|
const dck11 = {
|
|
270
|
-
id:
|
|
271
|
+
id: CHECK_IDS.DOCKER.DCK_SOCKET_PERMS,
|
|
271
272
|
category: "Docker",
|
|
272
273
|
name: "Docker Socket Permissions",
|
|
273
274
|
severity: "warning",
|
|
@@ -283,7 +284,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
283
284
|
const hasRootContainers = hasRunningContainers &&
|
|
284
285
|
containerUserLines.some((l) => /User=$/.test(l.trim()) || /User=""/.test(l));
|
|
285
286
|
const dck12 = {
|
|
286
|
-
id:
|
|
287
|
+
id: CHECK_IDS.DOCKER.DCK_NO_ROOT_CONTAINERS,
|
|
287
288
|
category: "Docker",
|
|
288
289
|
name: "No Root Containers",
|
|
289
290
|
severity: "warning",
|
|
@@ -303,7 +304,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
303
304
|
const allReadOnly = hasRunningContainers && readonlyLines.length > 0 &&
|
|
304
305
|
readonlyLines.every((l) => l.includes("ReadonlyRootfs=true"));
|
|
305
306
|
const dck13 = {
|
|
306
|
-
id:
|
|
307
|
+
id: CHECK_IDS.DOCKER.DCK_READ_ONLY_ROOTFS,
|
|
307
308
|
category: "Docker",
|
|
308
309
|
name: "Read-Only Root Filesystem",
|
|
309
310
|
severity: "info",
|
|
@@ -323,7 +324,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
323
324
|
const logMaxSize = sectionOutput.includes("max-size") ||
|
|
324
325
|
(typeof logOpts === "object" && logOpts !== null && "max-size" in logOpts);
|
|
325
326
|
const dck14 = {
|
|
326
|
-
id:
|
|
327
|
+
id: CHECK_IDS.DOCKER.DCK_LOG_MAX_SIZE,
|
|
327
328
|
category: "Docker",
|
|
328
329
|
name: "Log Max Size Configured",
|
|
329
330
|
severity: "info",
|
|
@@ -337,7 +338,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
337
338
|
// DCK-15: Default ulimits configured
|
|
338
339
|
const hasDefaultUlimits = "default-ulimits" in daemonJson;
|
|
339
340
|
const dck15 = {
|
|
340
|
-
id:
|
|
341
|
+
id: CHECK_IDS.DOCKER.DCK_DEFAULT_ULIMITS,
|
|
341
342
|
category: "Docker",
|
|
342
343
|
name: "Default Ulimits Configured",
|
|
343
344
|
severity: "info",
|
|
@@ -353,7 +354,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
353
354
|
const hasSeccomp = !hasRunningContainers ||
|
|
354
355
|
(seccompLines.length > 0 && seccompLines.some((l) => l.includes("seccomp")));
|
|
355
356
|
const dck16 = {
|
|
356
|
-
id:
|
|
357
|
+
id: CHECK_IDS.DOCKER.DCK_SECCOMP_ENABLED,
|
|
357
358
|
category: "Docker",
|
|
358
359
|
name: "Seccomp Profile Applied",
|
|
359
360
|
severity: "warning",
|
|
@@ -371,7 +372,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
371
372
|
// DCK-17: Docker content trust
|
|
372
373
|
const contentTrustEnabled = sectionOutput.includes("DOCKER_CONTENT_TRUST=1");
|
|
373
374
|
const dck17 = {
|
|
374
|
-
id:
|
|
375
|
+
id: CHECK_IDS.DOCKER.DCK_CONTENT_TRUST,
|
|
375
376
|
category: "Docker",
|
|
376
377
|
name: "Docker Content Trust Enabled",
|
|
377
378
|
severity: "info",
|
|
@@ -387,7 +388,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
387
388
|
const hasPrivilegedFromInspect = hasRunningContainers &&
|
|
388
389
|
privilegedInspectLines.some((l) => l.includes("Privileged=true"));
|
|
389
390
|
const dck18 = {
|
|
390
|
-
id:
|
|
391
|
+
id: CHECK_IDS.DOCKER.DCK_NO_SENSITIVE_MOUNTS,
|
|
391
392
|
category: "Docker",
|
|
392
393
|
name: "No Sensitive Mounts",
|
|
393
394
|
severity: "warning",
|
|
@@ -406,7 +407,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
406
407
|
const hasApparmor = !hasRunningContainers ||
|
|
407
408
|
(seccompLines.length > 0 && seccompLines.some((l) => l.includes("apparmor")));
|
|
408
409
|
const dck19 = {
|
|
409
|
-
id:
|
|
410
|
+
id: CHECK_IDS.DOCKER.DCK_APPARMOR_PROFILE,
|
|
410
411
|
category: "Docker",
|
|
411
412
|
name: "AppArmor Profile Applied",
|
|
412
413
|
severity: "warning",
|
|
@@ -430,7 +431,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
430
431
|
})
|
|
431
432
|
.filter((p) => !isNaN(p) && p < 1024 && p !== 80 && p !== 443);
|
|
432
433
|
const dck20 = {
|
|
433
|
-
id:
|
|
434
|
+
id: CHECK_IDS.DOCKER.DCK_NO_PRIVILEGED_PORTS,
|
|
434
435
|
category: "Docker",
|
|
435
436
|
name: "No Privileged Port Bindings",
|
|
436
437
|
severity: "info",
|
|
@@ -457,7 +458,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
457
458
|
return !defaultNetworks.has(norm) && !l.includes("NETWORK") && !l.includes("NAME");
|
|
458
459
|
});
|
|
459
460
|
const dck21 = {
|
|
460
|
-
id:
|
|
461
|
+
id: CHECK_IDS.DOCKER.DCK_NETWORK_DISABLED,
|
|
461
462
|
category: "Docker",
|
|
462
463
|
name: "Custom Docker Network Configured",
|
|
463
464
|
severity: "info",
|
|
@@ -475,7 +476,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
475
476
|
// DCK-22: Log driver not 'none'
|
|
476
477
|
const dck22LogDriver = dockerInfo.LoggingDriver ?? "unknown";
|
|
477
478
|
const dck22 = {
|
|
478
|
-
id:
|
|
479
|
+
id: CHECK_IDS.DOCKER.DCK_LOG_DRIVER_CONFIGURED,
|
|
479
480
|
category: "Docker",
|
|
480
481
|
name: "Logging Driver Not None",
|
|
481
482
|
severity: "warning",
|
|
@@ -492,7 +493,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
492
493
|
const dck23SecOpts = dockerInfo.SecurityOptions ?? [];
|
|
493
494
|
const isRootless = dck23SecOpts.some((o) => o.toLowerCase().includes("rootless"));
|
|
494
495
|
const dck23 = {
|
|
495
|
-
id:
|
|
496
|
+
id: CHECK_IDS.DOCKER.DCK_ROOTLESS_MODE,
|
|
496
497
|
category: "Docker",
|
|
497
498
|
name: "Docker Rootless Mode",
|
|
498
499
|
severity: "info",
|
|
@@ -510,7 +511,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
510
511
|
// DCK-24: No containers using host network mode (inspect JSON path)
|
|
511
512
|
const hasHostNetworkMode = /"NetworkMode":\s*"host"/i.test(sectionOutput);
|
|
512
513
|
const dck24 = {
|
|
513
|
-
id:
|
|
514
|
+
id: CHECK_IDS.DOCKER.DCK_NO_HOST_NETWORK_INSPECT,
|
|
514
515
|
category: "Docker",
|
|
515
516
|
name: "No Host Network Mode (Inspect)",
|
|
516
517
|
severity: "warning",
|
|
@@ -531,7 +532,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
531
532
|
const healthCheckLines = allLines.filter((l) => l.includes("Health") || l.includes("healthy") || l.includes("unhealthy"));
|
|
532
533
|
const hasHealthChecks = !hasRunningContainers || healthCheckLines.length > 0;
|
|
533
534
|
const dck25 = {
|
|
534
|
-
id:
|
|
535
|
+
id: CHECK_IDS.DOCKER.DCK_HEALTH_CHECK,
|
|
535
536
|
category: "Docker",
|
|
536
537
|
name: "Container Health Checks Configured",
|
|
537
538
|
severity: "info",
|
|
@@ -563,7 +564,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
563
564
|
}
|
|
564
565
|
}
|
|
565
566
|
const dck26 = {
|
|
566
|
-
id:
|
|
567
|
+
id: CHECK_IDS.DOCKER.DCK_BRIDGE_NFCALL,
|
|
567
568
|
category: "Docker",
|
|
568
569
|
name: "Bridge ICC Disabled",
|
|
569
570
|
severity: "warning",
|
|
@@ -587,7 +588,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
587
588
|
&& !/^\[127\.0\.0\.0\/8\]$/.test(insecureRegistryValue.replace(/\s/g, ""))
|
|
588
589
|
&& !insecureRegistryValue.includes("[]");
|
|
589
590
|
const dck27 = {
|
|
590
|
-
id:
|
|
591
|
+
id: CHECK_IDS.DOCKER.DCK_NO_INSECURE_REGISTRY,
|
|
591
592
|
category: "Docker",
|
|
592
593
|
name: "No Insecure Registries Configured",
|
|
593
594
|
severity: "warning",
|
|
@@ -611,7 +612,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
611
612
|
const isExperimental = (experimentalLine !== undefined && experimentalLine.trim() === "true")
|
|
612
613
|
|| (lastBoolLine?.trim() === "true");
|
|
613
614
|
const dck28 = {
|
|
614
|
-
id:
|
|
615
|
+
id: CHECK_IDS.DOCKER.DCK_NO_EXPERIMENTAL,
|
|
615
616
|
category: "Docker",
|
|
616
617
|
name: "Experimental Features Disabled",
|
|
617
618
|
severity: "info",
|
|
@@ -635,7 +636,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
635
636
|
&& authPluginValue !== "[]"
|
|
636
637
|
&& authPluginValue !== "[ ]";
|
|
637
638
|
const dck29 = {
|
|
638
|
-
id:
|
|
639
|
+
id: CHECK_IDS.DOCKER.DCK_AUTH_PLUGIN,
|
|
639
640
|
category: "Docker",
|
|
640
641
|
name: "Docker Authorization Plugin Configured",
|
|
641
642
|
severity: "info",
|
|
@@ -655,7 +656,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
655
656
|
&& sectionOutput.includes("/etc/docker/certs.d/")
|
|
656
657
|
&& !sectionOutput.includes("total 0");
|
|
657
658
|
const dck30 = {
|
|
658
|
-
id:
|
|
659
|
+
id: CHECK_IDS.DOCKER.DCK_REGISTRY_CERTS,
|
|
659
660
|
category: "Docker",
|
|
660
661
|
name: "Registry TLS Certificates Configured",
|
|
661
662
|
severity: "info",
|
|
@@ -676,7 +677,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
676
677
|
const swarmState = swarmStateLine?.trim() ?? "inactive";
|
|
677
678
|
const swarmActive = swarmState === "active";
|
|
678
679
|
const dck31 = {
|
|
679
|
-
id:
|
|
680
|
+
id: CHECK_IDS.DOCKER.DCK_SWARM_INACTIVE,
|
|
680
681
|
category: "Docker",
|
|
681
682
|
name: "Docker Swarm Mode Inactive",
|
|
682
683
|
severity: "info",
|
|
@@ -695,7 +696,7 @@ export const parseDockerChecks = (sectionOutput, platform) => {
|
|
|
695
696
|
const hasHostPid = /"PidMode":\s*"host"/i.test(sectionOutput)
|
|
696
697
|
|| /PidMode=host/.test(sectionOutput);
|
|
697
698
|
const dck32 = {
|
|
698
|
-
id:
|
|
699
|
+
id: CHECK_IDS.DOCKER.DCK_PID_MODE,
|
|
699
700
|
category: "Docker",
|
|
700
701
|
name: "No Host PID Namespace Containers",
|
|
701
702
|
severity: "warning",
|