feat(toolbox): update toolbox base and template with audit capabilities
- Update ToolboxStack/output/toolbox-base/test.sh with enhanced testing capabilities
- Add ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md with security audit guidelines
- Add ToolboxStack/output/toolbox-base/security-audit.sh with security auditing tools
- Update ToolboxStack/output/toolbox-template/test.sh with enhanced testing capabilities
- Add ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md with security audit guidelines
- Add ToolboxStack/output/toolbox-template/security-audit.sh with security auditing tools

This enhances both the base and template developer environments with security auditing capabilities.
145
ToolboxStack/output/toolbox-base/security-audit.sh
Executable file
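--- a/ToolboxStack/output/toolbox-base/security-audit.sh
+++ b/ToolboxStack/output/toolbox-base/security-audit.sh
@@ -0,0 +1,145 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+# Security audit script for the toolbox-base image
+
+IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-toolbox-base:release-current}"
+
+echo "🔒 Running security audit on ${IMAGE_NAME}"
+
+# Check if Trivy is available for security scanning
+if command -v trivy &> /dev/null; then
+echo "🔍 Running Trivy security scan..."
+trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}"
+echo "✅ Trivy scan completed"
+else
+echo "⚠️ Trivy not found. Install Trivy to perform security scanning."
+echo " Visit https://aquasecurity.github.io/trivy/ for installation instructions."
+fi
+
+# Check for outdated packages
+echo "📦 Checking for outdated packages..."
+OUTDATED_PACKAGES=$(docker run --rm "${IMAGE_NAME}" apt list --upgradable 2>/dev/null | grep -v "Listing..." | wc -l)
+if [[ "${OUTDATED_PACKAGES}" -gt 0 ]]; then
+echo "⚠️ ${OUTDATED_PACKAGES} packages can be upgraded"
+echo " Run 'apt update && apt upgrade' to update packages"
+else
+echo "✅ All system packages are up to date"
+fi
+
+# Check for unnecessary packages that increase attack surface
+echo "🛡️ Checking for unnecessary packages..."
+UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" | wc -l)
+if [[ "${UNNECESSARY_PACKAGES}" -gt 0 ]]; then
+echo "⚠️ Found ${UNNECESSARY_PACKAGES} potentially unnecessary packages that increase attack surface"
+echo " Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind"
+else
+echo "✅ No unnecessary packages found that increase attack surface"
+fi
+
+# Check for world-writable files/directories
+echo "📁 Checking for world-writable files/directories..."
+WORLD_WRITABLE=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -perm -0002 -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${WORLD_WRITABLE}" -gt 0 ]]; then
+echo "⚠️ Found ${WORLD_WRITABLE} world-writable files/directories"
+echo " These should be reviewed and permissions adjusted if necessary"
+else
+echo "✅ No world-writable files/directories found"
+fi
+
+# Check for setuid/setgid binaries
+echo "🔑 Checking for setuid/setgid binaries..."
+SETUID_BINARIES=$(docker run --rm "${IMAGE_NAME}" find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -not -path "/proc/*" -not -path "/sys/*" 2>/dev/null | wc -l)
+if [[ "${SETUID_BINARIES}" -gt 0 ]]; then
+echo "⚠️ Found ${SETUID_BINARIES} setuid/setgid binaries"
+echo " These should be reviewed for security implications"
+else
+echo "✅ No setuid/setgid binaries found"
+fi
+
+# Check for running services
+echo "サービ Checking for running services..."
+RUNNING_SERVICES=$(docker run --rm "${IMAGE_NAME}" ps aux 2>/dev/null | grep -v "PID" | wc -l)
+if [[ "${RUNNING_SERVICES}" -gt 1 ]]; then
+echo "⚠️ Found ${RUNNING_SERVICES} running processes"
+echo " These should be reviewed for necessity"
+else
+echo "✅ No unnecessary running services found"
+fi
+
+# Check for listening ports
+echo "📡 Checking for listening ports..."
+LISTENING_PORTS=$(docker run --rm "${IMAGE_NAME}" netstat -tuln 2>/dev/null | grep LISTEN | wc -l)
+if [[ "${LISTENING_PORTS}" -gt 0 ]]; then
+echo "⚠️ Found ${LISTENING_PORTS} listening ports"
+echo " These should be reviewed for security implications"
+else
+echo "✅ No unnecessary listening ports found"
+fi
+
+# Check for sudo availability
+echo "🛑 Checking for sudo availability..."
+if docker run --rm "${IMAGE_NAME}" which sudo >/dev/null 2>&1; then
+echo "❌ Sudo is available in the image - this is a security risk"
+echo " Sudo should be removed to prevent privilege escalation"
+else
+echo "✅ Sudo is not available in the image"
+fi
+
+# Check for root login capability
+echo "🔐 Checking for root login capability..."
+ROOT_LOGIN_ENABLED=$(docker run --rm "${IMAGE_NAME}" cat /etc/passwd | grep root | grep -v "nologin" | wc -l)
+if [[ "${ROOT_LOGIN_ENABLED}" -gt 0 ]]; then
+echo "⚠️ Root login might be enabled"
+echo " Ensure root login is disabled for security"
+else
+echo "✅ Root login is properly disabled"
+fi
+
+# Check user configuration
+echo "👤 Checking user configuration..."
+USER_ID=$(docker run --rm "${IMAGE_NAME}" id -u toolbox 2>/dev/null || echo "not_found")
+if [[ "${USER_ID}" == "1000" ]]; then
+echo "✅ Non-root user 'toolbox' with UID 1000 is properly configured"
+else
+echo "⚠️ Non-root user configuration might be incorrect"
+fi
+
+# Check for hardcoded passwords
+echo "🔑 Checking for hardcoded passwords..."
+HARDCODED_PASSWORDS=$(docker run --rm "${IMAGE_NAME}" grep -r "password\|passwd" /etc/ 2>/dev/null | grep -v "shadow" | wc -l)
+if [[ "${HARDCODED_PASSWORDS}" -gt 0 ]]; then
+echo "⚠️ Found ${HARDCODED_PASSWORDS} potential hardcoded password references"
+echo " These should be reviewed for security implications"
+else
+echo "✅ No hardcoded password references found"
+fi
+
+# Check for exposed secrets
+echo " секр Checking for exposed secrets..."
+EXPOSED_SECRETS=$(docker run --rm "${IMAGE_NAME}" find / -xdev -type f -name "*.key" -o -name "*.pem" -o -name "*.cert" 2>/dev/null | wc -l)
+if [[ "${EXPOSED_SECRETS}" -gt 0 ]]; then
+echo "⚠️ Found ${EXPOSED_SECRETS} potential secret files"
+echo " These should be reviewed for security implications"
+else
+echo "✅ No exposed secret files found"
+fi
+
+# Summary
+echo ""
+echo "🔒 Security Audit Summary:"
+echo " - Image: ${IMAGE_NAME}"
+echo " - Scan completed with recommendations above"
+echo ""
+echo "💡 Recommendations:"
+echo " 1. Install Trivy for comprehensive security scanning"
+echo " 2. Regularly update packages to address vulnerabilities"
+echo " 3. Remove unnecessary packages to reduce attack surface"
+echo " 4. Review world-writable files/directories"
+echo " 5. Review setuid/setgid binaries"
+echo " 6. Remove sudo to prevent privilege escalation"
+echo " 7. Ensure root login is disabled"
+echo " 8. Verify non-root user configuration"
+echo " 9. Review hardcoded password references"
+echo " 10. Check for exposed secrets"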
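Review bot: Under `set -euo pipefail` the grep-based counters abort the whole audit on the clean case, because grep exits 1 when nothing matches and pipefail carries that status into the `$(...)` assignment, so the `UNNECESSARY_PACKAGES=`, `LISTENING_PORTS=`, `HARDCODED_PASSWORDS=`, `ROOT_LOGIN_ENABLED=` and `OUTDATED_PACKAGES=` lines each kill the script exactly when there is nothing to report. Guard only the grep stage so a failed `docker run` still stops the run, e.g. `UNNECESSARY_PACKAGES=$(docker run --rm "${IMAGE_NAME}" dpkg -l | { grep -E "(telnet|ftp|rsh-client|nfs-common|rpcbind)" || true; } | wc -l)`, and apply the same form to the other four. The `ps aux` and `netstat -tuln` checks run in a fresh `docker run --rm` container whose only process is the check command itself, so they can presumably only ever see the audit's own process and no listeners; a comment such as `# NOTE: only inspects a fresh container, not the image's configured entrypoint` should say so, or the two checks should be dropped. The secrets `find` also needs its `-name` alternatives grouped, `find / -xdev -type f \( -name "*.key" -o -name "*.pem" -o -name "*.cert" \)`, otherwise `-type f` binds only to `*.key`.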