TSYSDevStack/ToolboxStack/output/toolbox-base/security-audit.sh
ReachableCEO 8eabe6cf37 feat(toolbox): update toolbox base and template with audit capabilities
- Update ToolboxStack/output/toolbox-base/test.sh with enhanced testing capabilities
- Add ToolboxStack/output/toolbox-base/AUDIT_CHECKLIST.md with security audit guidelines
- Add ToolboxStack/output/toolbox-base/security-audit.sh with security auditing tools
- Update ToolboxStack/output/toolbox-template/test.sh with enhanced testing capabilities
- Add ToolboxStack/output/toolbox-template/AUDIT_CHECKLIST.md with security audit guidelines
- Add ToolboxStack/output/toolbox-template/security-audit.sh with security auditing tools

This enhances both the base and template developer environments with security auditing capabilities.
2025-10-30 12:38:47 -05:00


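#!/usr/bin/env bash
#
# Security audit script for the toolbox-base image.
#
# Every check is read-only: it runs a probe command in a throwaway container
# (`docker run --rm`) and reports what it sees; nothing in the image is
# modified. Findings are advisory and are tallied in the summary.
#
# Environment:
#   IMAGE_NAME_OVERRIDE    image to audit
#                          (default: tsysdevstack-toolboxstack-toolbox-base:release-current)
#   TOOLBOX_USER           non-root user expected in the image (default: toolbox)
#   TOOLBOX_UID            UID expected for that user (default: 1000)
#   SECURITY_AUDIT_STRICT  set to 1 to exit 1 when any check raised a finding
#                          (default: 0 — always exit 0, as before)
#
# Exit status: 0; 1 in strict mode when findings exist; 2 when docker or the
# image is unavailable and the audit cannot run at all.
set -euo pipefail

IMAGE_NAME="${IMAGE_NAME_OVERRIDE:-tsysdevstack-toolboxstack-toolbox-base:release-current}"
TOOLBOX_USER="${TOOLBOX_USER:-toolbox}"
TOOLBOX_UID="${TOOLBOX_UID:-1000}"
SECURITY_AUDIT_STRICT="${SECURITY_AUDIT_STRICT:-0}"

# Tallies for the summary; bumped only by warn() and skip().
FINDINGS=0
SKIPPED=0

#######################################
# Print a fatal message to stderr and exit 2.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 2
}

#######################################
# Report one finding (each argument on its own line) and count it.
#######################################
warn() {
  printf '%s\n' "$@"
  FINDINGS=$((FINDINGS + 1))
}

#######################################
# Report a passing check.
#######################################
ok() {
  printf '%s\n' "$@"
}

#######################################
# Report a check that could not be run (tool missing from the image, probe
# command failed) and count it separately from findings. A check that cannot
# run is never reported as a pass — that would be a false negative.
#######################################
skip() {
  printf '%s\n' "⚠️ Skipped: $*"
  SKIPPED=$((SKIPPED + 1))
}

#######################################
# Print each line of $1 indented, as detail under a finding.
#######################################
list_items() {
  local item
  while IFS= read -r item; do
    if [[ -n "$item" ]]; then
      printf '   %s\n' "$item"
    fi
  done <<<"$1"
}

#######################################
# Run a command in a throwaway container from the image under audit.
# Runs as root (--user 0) so that find(1) can traverse the whole filesystem
# whatever the image's default USER is; the container is discarded
# afterwards, so this grants nothing to the image itself.
# stderr is dropped because probes for optional tools are expected to fail.
# Returns: the probe command's exit status (docker's if the container could
# not start).
#######################################
in_image() {
  docker run --rm --user 0 "${IMAGE_NAME}" "$@" 2>/dev/null
}

#######################################
# Test whether a command exists in the image without assuming which(1) is
# installed there. The name is passed as a positional argument to `sh -c`,
# never interpolated into the command string.
#######################################
has_tool() {
  in_image sh -c 'command -v -- "$1" >/dev/null 2>&1' sh "$1"
}

#######################################
# grep(1) that exits 0 when nothing matches. In the original pipelines a
# "no match" (status 1) tripped `set -o pipefail`, so the "nothing found"
# branch of several checks could never be reached. A genuine grep error
# (status 2) is still propagated.
#######################################
grep_ok() {
  grep "$@" || [[ $? -eq 1 ]]
}

#######################################
# Count the lines on stdin and print a bare integer (no external wc).
#######################################
count_lines() {
  local n=0 _line
  while IFS= read -r _line; do
    n=$((n + 1))
  done
  printf '%d\n' "$n"
}

#######################################
# Vulnerability scan with Trivy, if it is installed on the host.
# NOTE: --exit-code 0 means vulnerabilities never fail the scan; the report
# is for reading, not gating. Raise the exit code in CI if gating is wanted.
#######################################
check_trivy() {
  if command -v trivy >/dev/null 2>&1; then
    echo "🔍 Running Trivy security scan..."
    trivy image --exit-code 0 --severity HIGH,CRITICAL "${IMAGE_NAME}"
    echo "✅ Trivy scan completed"
  else
    echo "⚠️ Trivy not found. Install Trivy to perform security scanning."
    echo " Visit https://aquasecurity.github.io/trivy/ for installation instructions."
    SKIPPED=$((SKIPPED + 1))
  fi
}

#######################################
# Count upgradable apt packages.
# This reflects the package lists baked into the image at build time; with no
# or stale lists it under-reports. Run `apt-get update` in the image first
# for a current answer.
#######################################
check_outdated_packages() {
  local n
  echo "📦 Checking for outdated packages..."
  if n=$(in_image apt list --upgradable | grep_ok -vF "Listing..." | count_lines); then
    if (( n > 0 )); then
      warn "⚠️ ${n} packages can be upgraded" \
           " Run 'apt update && apt upgrade' to update packages"
    else
      ok "✅ All system packages are up to date"
    fi
  else
    skip "could not list packages in the image (apt missing?)"
  fi
}

#######################################
# Look for installed packages whose name matches a legacy/remote-access
# keyword. Only packages in state "install ok installed" count (the original
# `dpkg -l | grep` also counted removed-but-configured entries and matches in
# the description column).
#######################################
check_unnecessary_packages() {
  local names n
  echo "🛡️ Checking for unnecessary packages..."
  if names=$(in_image dpkg-query -W -f '${Status} ${Package}\n' \
      | grep_ok -E '^install ok installed .*(telnet|ftp|rsh-client|nfs-common|rpcbind)' \
      | awk '{ print $4 }'); then
    if [[ -z "$names" ]]; then
      ok "✅ No unnecessary packages found that increase attack surface"
    else
      n=$(printf '%s\n' "$names" | count_lines)
      warn "⚠️ Found ${n} potentially unnecessary packages that increase attack surface" \
           " Packages: ${names//$'\n'/ }" \
           " Consider removing packages like telnet, ftp, rsh-client, nfs-common, rpcbind"
    fi
  else
    skip "could not query dpkg in the image"
  fi
}

#######################################
# World-writable files and directories. Directories carrying the sticky bit
# (/tmp, /var/tmp) are world-writable by design and are excluded.
#######################################
check_world_writable() {
  local items n
  echo "📁 Checking for world-writable files/directories..."
  if items=$(in_image find / -xdev \( -type f -o \( -type d -not -perm -1000 \) \) \
      -perm -0002 -not -path "/proc/*" -not -path "/sys/*"); then
    if [[ -z "$items" ]]; then
      ok "✅ No world-writable files/directories found"
    else
      n=$(printf '%s\n' "$items" | count_lines)
      warn "⚠️ Found ${n} world-writable files/directories" \
           " These should be reviewed and permissions adjusted if necessary"
      list_items "$items"
    fi
  else
    skip "find failed inside the image while scanning for world-writable paths"
  fi
}

#######################################
# setuid/setgid binaries, listed so they can be reviewed one by one.
#######################################
check_setuid_binaries() {
  local items n
  echo "🔑 Checking for setuid/setgid binaries..."
  if items=$(in_image find / -xdev -type f \( -perm -4000 -o -perm -2000 \) \
      -not -path "/proc/*" -not -path "/sys/*"); then
    if [[ -z "$items" ]]; then
      ok "✅ No setuid/setgid binaries found"
    else
      n=$(printf '%s\n' "$items" | count_lines)
      warn "⚠️ Found ${n} setuid/setgid binaries" \
           " These should be reviewed for security implications"
      list_items "$items"
    fi
  else
    skip "find failed inside the image while scanning for setuid/setgid binaries"
  fi
}

#######################################
# Processes in a fresh container. `docker run IMAGE ps` replaces only CMD, so
# this sees what the image's ENTRYPOINT (if any) starts plus ps itself —
# hence the threshold of one.
#######################################
check_running_processes() {
  local n
  # The original marker glyph on this line was mis-encoded; replaced.
  echo "🔎 Checking for running services..."
  if ! has_tool ps; then
    skip "ps is not present in the image"
    return
  fi
  if n=$(in_image ps aux | grep_ok -v "PID" | count_lines); then
    if (( n > 1 )); then
      warn "⚠️ Found ${n} running processes" \
           " These should be reviewed for necessity"
    else
      ok "✅ No unnecessary running services found"
    fi
  else
    skip "ps failed inside the image"
  fi
}

#######################################
# Listening sockets in a fresh container. netstat is often absent from slim
# images; fall back to ss, and skip (not pass) when neither exists.
#######################################
check_listening_ports() {
  local n tool
  echo "📡 Checking for listening ports..."
  if has_tool netstat; then
    tool=(netstat -tuln)
  elif has_tool ss; then
    tool=(ss -tuln)
  else
    skip "neither netstat nor ss is present in the image"
    return
  fi
  if n=$(in_image "${tool[@]}" | grep_ok LISTEN | count_lines); then
    if (( n > 0 )); then
      warn "⚠️ Found ${n} listening ports" \
           " These should be reviewed for security implications"
    else
      ok "✅ No unnecessary listening ports found"
    fi
  else
    skip "${tool[0]} failed inside the image"
  fi
}

#######################################
# sudo present in the image?
#######################################
check_sudo() {
  echo "🛑 Checking for sudo availability..."
  if has_tool sudo; then
    warn "❌ Sudo is available in the image - this is a security risk" \
         " Sudo should be removed to prevent privilege escalation"
  else
    ok "✅ Sudo is not available in the image"
  fi
}

#######################################
# root's login shell. Inspecting field 7 of root's own entry replaces the
# original `grep root` over all of /etc/passwd, which matched any line
# containing the word. Note this only governs login(1)/su; it does not stop
# `docker exec --user 0`.
#######################################
check_root_login() {
  local root_shell
  echo "🔐 Checking for root login capability..."
  if ! root_shell=$(in_image awk -F: '$1 == "root" { print $7 }' /etc/passwd); then
    skip "could not read /etc/passwd in the image"
    return
  fi
  case "$root_shell" in
    */nologin|*/false)
      ok "✅ Root login is properly disabled" ;;
    *)
      warn "⚠️ Root login might be enabled (root shell: ${root_shell:-<none>})" \
           " Ensure root login is disabled for security" ;;
  esac
}

#######################################
# Expected non-root user exists with the expected UID.
#######################################
check_toolbox_user() {
  local uid
  echo "👤 Checking user configuration..."
  uid=$(in_image id -u "${TOOLBOX_USER}" || echo "not_found")
  if [[ "$uid" == "${TOOLBOX_UID}" ]]; then
    ok "✅ Non-root user '${TOOLBOX_USER}' with UID ${TOOLBOX_UID} is properly configured"
  else
    warn "⚠️ Non-root user configuration might be incorrect (expected '${TOOLBOX_USER}' with UID ${TOOLBOX_UID}, got '${uid}')"
  fi
}

#######################################
# Keyword heuristic over /etc. PAM and login.defs legitimately mention
# "password", so a non-zero count is a reading list, not a finding in itself.
# Binary files are skipped (-I); lines mentioning shadow are excluded as
# before. The `|| [ $? -eq 1 ]` keeps "no match" from being reported as a
# failed probe.
#######################################
check_password_references() {
  local n
  echo "🔑 Checking for hardcoded passwords..."
  if n=$(in_image sh -c 'grep -rI -E "password|passwd" /etc/ || [ $? -eq 1 ]' \
      | grep_ok -v "shadow" | count_lines); then
    if (( n > 0 )); then
      warn "⚠️ Found ${n} potential hardcoded password references" \
           " These should be reviewed for security implications"
    else
      ok "✅ No hardcoded password references found"
    fi
  else
    skip "grep failed inside the image while scanning /etc"
  fi
}

#######################################
# Key/certificate files by extension. The -name alternatives are grouped so
# that -type f applies to all of them (in the original it applied only to
# *.key). Public certificates shipped as *.pem also match, so the list needs
# a human look.
#######################################
check_secret_files() {
  local items n
  # The original marker glyph on this line was mis-encoded; replaced.
  echo "🗝️ Checking for exposed secrets..."
  if items=$(in_image find / -xdev -type f \( -name '*.key' -o -name '*.pem' -o -name '*.cert' \) \
      -not -path "/proc/*" -not -path "/sys/*"); then
    if [[ -z "$items" ]]; then
      ok "✅ No exposed secret files found"
    else
      n=$(printf '%s\n' "$items" | count_lines)
      warn "⚠️ Found ${n} potential secret files" \
           " These should be reviewed for security implications"
      list_items "$items"
    fi
  else
    skip "find failed inside the image while scanning for key/certificate files"
  fi
}

#######################################
# Summary block and standing recommendations.
#######################################
print_summary() {
  echo ""
  echo "🔒 Security Audit Summary:"
  echo " - Image: ${IMAGE_NAME}"
  echo " - Findings: ${FINDINGS}, checks skipped: ${SKIPPED}"
  echo " - Scan completed with recommendations above"
  echo ""
  echo "💡 Recommendations:"
  echo " 1. Install Trivy for comprehensive security scanning"
  echo " 2. Regularly update packages to address vulnerabilities"
  echo " 3. Remove unnecessary packages to reduce attack surface"
  echo " 4. Review world-writable files/directories"
  echo " 5. Review setuid/setgid binaries"
  echo " 6. Remove sudo to prevent privilege escalation"
  echo " 7. Ensure root login is disabled"
  echo " 8. Verify non-root user configuration"
  echo " 9. Review hardcoded password references"
  echo " 10. Check for exposed secrets"
}

main() {
  # Fail early and loudly if the audit cannot run at all, instead of letting
  # every check fall through to a misleading "skipped".
  command -v docker >/dev/null 2>&1 || die "docker is required to run this audit"
  docker image inspect "${IMAGE_NAME}" >/dev/null 2>&1 \
    || die "image ${IMAGE_NAME} not found locally; build or pull it first"

  echo "🔒 Running security audit on ${IMAGE_NAME}"
  check_trivy
  check_outdated_packages
  check_unnecessary_packages
  check_world_writable
  check_setuid_binaries
  check_running_processes
  check_listening_ports
  check_sudo
  check_root_login
  check_toolbox_user
  check_password_references
  check_secret_files
  print_summary

  if [[ "${SECURITY_AUDIT_STRICT}" == "1" ]] && (( FINDINGS > 0 )); then
    exit 1
  fi
}

main "$@"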