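#!/usr/bin/env bash
#
# Security audit script for the toolbox-template image.
#
# Every probe runs in a throwaway container of the image (or reads image
# metadata); the checks are independent and best-effort: a clean result, a
# missing tool inside the image, or an unreadable path reports a warning
# instead of aborting the audit. Under 'set -o pipefail' the original
# 'cmd | grep pattern | wc -l' form exited the whole script on the first
# clean (no-match) result, so grep is wrapped by grep_ok below.
#
# Environment:
#   IMAGE_NAME_OVERRIDE  image to audit (default: the template's image name)
#   BASE_IMAGE_OVERRIDE  parent image the inheritance check expects
#   TOOLBOX_UID          expected UID of the non-root 'toolbox' user (default: 1000)
#   TRIVY_EXIT_CODE      value for 'trivy --exit-code'; 0 = report only (default),
#                        non-zero = HIGH/CRITICAL findings make the audit exit 1
set -euo pipefail

IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-{{toolbox_name}}}"
BASE_IMAGE="${BASE_IMAGE_OVERRIDE:-tsysdevstack-toolboxstack-toolbox-base:release-current}"
TOOLBOX_UID="${TOOLBOX_UID:-1000}"
TRIVY_EXIT_CODE="${TRIVY_EXIT_CODE:-0}"
readonly IMAGE_NAME BASE_IMAGE TOOLBOX_UID TRIVY_EXIT_CODE

# Set to 1 by a gating check; used as the exit status after the summary.
audit_failed=0

#######################################
# Run a command in a throwaway container of the image under audit.
# --entrypoint "" so an image ENTRYPOINT cannot rewrite or swallow the probe
# command; --network none because no probe needs the network.
# Arguments: the command and its arguments
# Returns:   the command's exit status (non-zero if the image cannot run it)
#######################################
in_image() {
  docker run --rm --network none --entrypoint "" "${IMAGE_NAME}" "$@"
}

#######################################
# Same as in_image but as UID 0, for probes that must read root-only paths
# (/etc/shadow, unreadable directories) even when the image sets USER.
#######################################
in_image_root() {
  docker run --rm --network none --entrypoint "" --user 0 "${IMAGE_NAME}" "$@"
}

#######################################
# grep that treats "no match" (exit 1) as success so a clean result does not
# trip 'set -e'/'pipefail'. Real grep errors (exit 2) still propagate.
#######################################
grep_ok() {
  grep "$@" || [[ $? -eq 1 ]]
}

#######################################
# Print the number of lines in $1, reporting 0 for the empty string
# ('wc -l <<<""' would report 1 because the here-string adds a newline).
#######################################
count_lines() {
  local text="$1"
  if [[ -z "${text}" ]]; then
    printf '0\n'
  else
    printf '%s\n' "${text}" | wc -l | tr -d ' '
  fi
}

#######################################
# Vulnerability scan with Trivy, if installed.
# TRIVY_EXIT_CODE=0 (default) only reports; any other value makes findings
# fail the scan, which is recorded in audit_failed rather than aborting so
# the remaining checks and the summary still run.
#######################################
check_trivy() {
  if ! command -v trivy >/dev/null 2>&1; then
    echo "⚠️  Trivy not found. Install Trivy to perform security scanning."
    echo "   Visit https://aquasecurity.github.io/trivy/ for installation instructions."
    return 0
  fi
  echo "🔍 Running Trivy security scan..."
  if trivy image --exit-code "${TRIVY_EXIT_CODE}" --severity HIGH,CRITICAL "${IMAGE_NAME}"; then
    echo "✅ Trivy scan completed"
  else
    echo "❌ Trivy reported HIGH/CRITICAL findings or failed to scan the image"
    audit_failed=1
  fi
}

#######################################
# Upgradable apt packages.
# 'apt list --upgradable' can only compare against a package index; images
# routinely strip /var/lib/apt/lists, in which case it prints nothing and a
# naive check would claim "all up to date". Detect that and say so.
#######################################
check_outdated_packages() {
  echo "📦 Checking for outdated packages..."
  local index_files listing count
  index_files=$(in_image sh -c 'ls /var/lib/apt/lists 2>/dev/null' 2>/dev/null || true)
  if ! grep_ok -q 'Packages' <<<"${index_files}"; then
    echo "⚠️  No apt package index in the image (/var/lib/apt/lists is empty); upgrade status is unknown"
    echo "   Rely on the Trivy scan for OS package vulnerabilities"
    return 0
  fi
  if ! listing=$(in_image apt list --upgradable 2>/dev/null); then
    echo "⚠️  Could not run 'apt list' in the image; skipping"
    return 0
  fi
  count=$(grep_ok -vc -e '^Listing' -e '^$' <<<"${listing}")
  if [[ "${count}" -gt 0 ]]; then
    echo "⚠️  ${count} packages can be upgraded"
    echo "   Run 'apt update && apt upgrade' to update packages"
  else
    echo "✅ All system packages are up to date"
  fi
}

#######################################
# Installed packages that widen the attack surface.
# Matches the package-name column of 'dpkg -l' only; a bare grep over the
# whole line also hits descriptions (e.g. "supports ftp").
#######################################
check_unnecessary_packages() {
  echo "🛡️  Checking for unnecessary packages..."
  local pkgs count
  if ! pkgs=$(in_image dpkg -l 2>/dev/null); then
    echo "⚠️  Could not run 'dpkg -l' in the image; skipping"
    return 0
  fi
  count=$(grep_ok -cE '^ii +(telnet|ftp|rsh-client|nfs-common|rpcbind)(:[^ ]+)? ' <<<"${pkgs}")
  if [[ "${count}" -gt 0 ]]; then
    echo "⚠️  Found ${count} potentially unnecessary packages that increase attack surface"
    echo "   Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind"
  else
    echo "✅ No unnecessary packages found that increase attack surface"
  fi
}

#######################################
# World-writable files and directories (sticky directories such as /tmp are
# world-writable by design and are excluded). Runs as root so unreadable
# directories do not hide results; '|| true' because find exits 1 on any
# directory it still cannot traverse.
#######################################
check_world_writable() {
  echo "📁 Checking for world-writable files/directories..."
  local found count
  found=$(in_image_root find / -xdev \( -type f -o -type d \) -perm -0002 \
    -not \( -type d -perm -1000 \) -not -path '/proc/*' -not -path '/sys/*' 2>/dev/null || true)
  count=$(count_lines "${found}")
  if [[ "${count}" -gt 0 ]]; then
    echo "⚠️  Found ${count} world-writable files/directories"
    echo "   These should be reviewed and permissions adjusted if necessary"
  else
    echo "✅ No world-writable files/directories found"
  fi
}

#######################################
# setuid/setgid binaries.
#######################################
check_setuid_binaries() {
  echo "🔑 Checking for setuid/setgid binaries..."
  local found count
  found=$(in_image_root find / -xdev -type f \( -perm -4000 -o -perm -2000 \) \
    -not -path '/proc/*' -not -path '/sys/*' 2>/dev/null || true)
  count=$(count_lines "${found}")
  if [[ "${count}" -gt 0 ]]; then
    echo "⚠️  Found ${count} setuid/setgid binaries"
    echo "   These should be reviewed for security implications"
  else
    echo "✅ No setuid/setgid binaries found"
  fi
}

#######################################
# What the image starts by default.
# Running 'ps' inside a fresh container only ever shows 'ps' itself, so it
# cannot tell what the image will run; the image-level signal is the
# configured ENTRYPOINT/CMD, printed here for review.
#######################################
check_default_process() {
  echo "⚙️  Checking default process (ENTRYPOINT/CMD)..."
  local entrypoint cmd
  entrypoint=$(docker image inspect --format '{{json .Config.Entrypoint}}' "${IMAGE_NAME}")
  cmd=$(docker image inspect --format '{{json .Config.Cmd}}' "${IMAGE_NAME}")
  echo "   ENTRYPOINT: ${entrypoint}"
  echo "   CMD:        ${cmd}"
  echo "   Review that these start only what the toolbox needs"
}

#######################################
# Ports the image declares.
# A fresh container has no listeners (and usually no netstat), so probing
# sockets measures nothing; EXPOSE metadata is what the image itself claims.
#######################################
check_exposed_ports() {
  echo "📡 Checking for exposed ports..."
  local ports
  ports=$(docker image inspect \
    --format '{{range $p, $v := .Config.ExposedPorts}}{{$p}} {{end}}' "${IMAGE_NAME}")
  if [[ -n "${ports// /}" ]]; then
    echo "⚠️  Image declares exposed ports: ${ports}"
    echo "   Review whether each port is required"
  else
    echo "✅ No exposed ports declared by the image"
  fi
}

#######################################
# sudo present in the image. Uses the shell builtin 'command -v' because
# 'which' is not guaranteed to exist in slim images.
#######################################
check_sudo() {
  echo "🛑 Checking for sudo availability..."
  if in_image sh -c 'command -v sudo' >/dev/null 2>&1; then
    echo "❌ Sudo is available in the image - this is a security risk"
    echo "   Sudo should be removed to prevent privilege escalation"
  else
    echo "✅ Sudo is not available in the image"
  fi
}

#######################################
# Root account state.
# Matches the root entry exactly (a substring grep for "root" also hits other
# accounts) and, where readable, inspects the /etc/shadow password field: an
# empty field is passwordless login; '!' or '*' means locked. Note that
# 'docker exec -u 0' ignores the login shell entirely.
#######################################
check_root_account() {
  echo "🔐 Checking root account..."
  local passwd shell shadow_line hash
  if ! passwd=$(in_image cat /etc/passwd 2>/dev/null); then
    echo "⚠️  Could not read /etc/passwd in the image; skipping"
    return 0
  fi
  shell=$(awk -F: '$1 == "root" { print $7 }' <<<"${passwd}")
  case "${shell}" in
    "")               echo "⚠️  No root entry in /etc/passwd" ;;
    *nologin|*/false) echo "✅ Root login shell is ${shell}" ;;
    *)                echo "⚠️  Root login shell is ${shell}; consider /usr/sbin/nologin" ;;
  esac
  if shadow_line=$(in_image_root grep '^root:' /etc/shadow 2>/dev/null); then
    hash=$(cut -d: -f2 <<<"${shadow_line}")
    case "${hash}" in
      "")        echo "❌ Root has an empty password field in /etc/shadow (passwordless login)" ;;
      '!'*|'*'*) echo "✅ Root password is locked" ;;
      *)         echo "⚠️  Root has a password hash set; verify this is intended" ;;
    esac
  else
    echo "⚠️  Could not read /etc/shadow; root password state unknown"
  fi
}

#######################################
# Non-root 'toolbox' user with the expected UID.
#######################################
check_toolbox_user() {
  echo "👤 Checking user configuration..."
  local uid
  uid=$(in_image id -u toolbox 2>/dev/null || echo "not_found")
  if [[ "${uid}" == "${TOOLBOX_UID}" ]]; then
    echo "✅ Non-root user 'toolbox' with UID ${TOOLBOX_UID} is properly configured"
  else
    echo "⚠️  Non-root user configuration might be incorrect (uid of 'toolbox': ${uid}, expected ${TOOLBOX_UID})"
  fi
}

#######################################
# Password references under /etc.
# This is a heuristic with known noise (pam.d, login.defs mention
# "password"); it points a reviewer at files, it does not prove a secret.
# Binary files are skipped and the shadow databases are excluded by path.
#######################################
check_hardcoded_passwords() {
  echo "🔑 Checking for hardcoded passwords..."
  local hits count
  hits=$(in_image_root grep -rIi -e password -e passwd /etc/ 2>/dev/null || true)
  count=$(grep_ok -vc -e '^/etc/g\?shadow' -e '^$' <<<"${hits}")
  if [[ "${count}" -gt 0 ]]; then
    echo "⚠️  Found ${count} potential hardcoded password references"
    echo "   These should be reviewed for security implications"
  else
    echo "✅ No hardcoded password references found"
  fi
}

#######################################
# Key/certificate files baked into the image.
# The -name tests are grouped so -type f applies to all of them (unparenthesised
# '-type f -name a -o -name b' only constrains the first). Public CA bundles
# shipped by ca-certificates are not secrets and are excluded.
#######################################
check_secret_files() {
  echo "🗝️  Checking for exposed secrets..."
  local found count
  found=$(in_image_root find / -xdev -type f \
    \( -name '*.key' -o -name '*.pem' -o -name '*.cert' \) \
    -not -path '/proc/*' -not -path '/sys/*' \
    -not -path '/etc/ssl/certs/*' -not -path '/usr/share/ca-certificates/*' \
    -not -path '/usr/lib/ssl/*' 2>/dev/null || true)
  count=$(count_lines "${found}")
  if [[ "${count}" -gt 0 ]]; then
    echo "⚠️  Found ${count} potential secret files"
    echo "   These should be reviewed for security implications"
  else
    echo "✅ No exposed secret files found"
  fi
}

#######################################
# Inheritance from the base image.
# 'docker history' never prints the FROM instruction, so grepping it for
# "FROM ..." always fails. A derived image's RootFS.Layers instead begins
# with the base image's layers in order, which is what is compared here.
# Requires the base image locally; a squashed image or a base rebuilt since
# this image was built will (correctly) not match.
#######################################
check_base_inheritance() {
  echo "🔗 Checking inheritance from base image..."
  local base_layers image_layers
  if ! base_layers=$(docker image inspect --format '{{join .RootFS.Layers "\n"}}' "${BASE_IMAGE}" 2>/dev/null); then
    echo "⚠️  Base image ${BASE_IMAGE} is not available locally; cannot verify inheritance"
    return 0
  fi
  image_layers=$(docker image inspect --format '{{join .RootFS.Layers "\n"}}' "${IMAGE_NAME}")
  if [[ "${image_layers}" == "${base_layers}"* ]]; then
    echo "✅ Template properly extends from ${BASE_IMAGE}"
  else
    echo "⚠️  Template might not properly extend from ${BASE_IMAGE}"
  fi
}

#######################################
# Closing summary and standing recommendations.
#######################################
print_summary() {
  echo ""
  echo "🔒 Security Audit Summary:"
  echo "   - Image: ${IMAGE_NAME}"
  echo "   - Scan completed with recommendations above"
  echo ""
  echo "💡 Recommendations:"
  echo "   1. Install Trivy for comprehensive security scanning"
  echo "   2. Regularly update packages to address vulnerabilities"
  echo "   3. Remove unnecessary packages to reduce attack surface"
  echo "   4. Review world-writable files/directories"
  echo "   5. Review setuid/setgid binaries"
  echo "   6. Remove sudo to prevent privilege escalation"
  echo "   7. Ensure root login is disabled"
  echo "   8. Verify non-root user configuration"
  echo "   9. Review hardcoded password references"
  echo "   10. Check for exposed secrets"
  echo "   11. Ensure proper inheritance from base image"
}

main() {
  echo "🔒 Running security audit on ${IMAGE_NAME}"
  # Fail early with a clear message instead of one cryptic error per probe.
  if ! docker image inspect "${IMAGE_NAME}" >/dev/null 2>&1; then
    echo "❌ Image ${IMAGE_NAME} is not available locally" >&2
    exit 1
  fi
  check_trivy
  check_outdated_packages
  check_unnecessary_packages
  check_world_writable
  check_setuid_binaries
  check_default_process
  check_exposed_ports
  check_sudo
  check_root_account
  check_toolbox_user
  check_hardcoded_passwords
  check_secret_files
  check_base_inheritance
  print_summary
  exit "${audit_failed}"
}

main "$@"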