search

docker / docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Apache License 2.0
9.17k stars 1.02k forks source link

fix style and false warning in check_5_3 #491

Closed SericaLaw closed 2 years ago

SericaLaw commented 2 years ago

Hi @konstruktoid , I'm testing a container created with the command:

docker run --rm -it --cap-add CAP_SYS_CHROOT --name ubuntu  ubuntu bash

, where CAP_SYS_CHROOT is a default capability for containers.

In this case, running check_5_3 should not give warnings ( also I noticed that the default capabilities are trimmed ), but in fact, it gives output like:

[WARN] 5.3 - Ensure that Linux kernel capabilities are restricted within containers (Automated)
[WARN      * Capabilities added: CapAdd=[CAP_] to ubuntu

( If then adding some other extra caps, the output will be like: CapAdd=[CAP_CAP_SYS_ADMIN] )

This is because users may give cap args in the long form of CAP_*.

This commit will deal with this scenario and fix the false warning ( already tested with input args CAP_SYS_CHROOT/SYS_CHROOT, CAP_SYS_ADMIN ).

Also, it fixed the code style ( {{ .HostConfig.CapAdd}} -> {{ .HostConfig.CapAdd }} )

konstruktoid commented 2 years ago

Hi @SericaLaw and thanks for your contribution!