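/// <summary>
/// Asserts that the image exposes the expected environment variables: the shared set from
/// <see cref="GetCommonEnvironmentVariables"/>, <c>ASPNETCORE_URLS=http://+:80</c>, any
/// caller-supplied <paramref name="customVariables"/>, and, for Alpine-based images only,
/// <c>DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true</c>.
/// </summary>
/// <param name="imageData">Image under test; its OS name and distroless flag decide which variables apply and how the image is run.</param>
/// <param name="customVariables">Additional variables to validate alongside the common set; ignored when null.</param>
protected void VerifyCommonEnvironmentVariables(
    ProductImageData imageData,
    IEnumerable<EnvironmentVariableInfo> customVariables = null)
{
    List<EnvironmentVariableInfo> variables = new List<EnvironmentVariableInfo>();
    variables.AddRange(GetCommonEnvironmentVariables());
    variables.Add(new EnvironmentVariableInfo("ASPNETCORE_URLS", "http://+:80"));

    if (customVariables != null)
    {
        variables.AddRange(customVariables);
    }

    // OS names are identifiers, not user-facing text: compare ordinally so the check does not
    // depend on the test host's culture (the single-argument StartsWith overload is culture-sensitive).
    if (imageData.OS.StartsWith(OS.AlpinePrefix, StringComparison.Ordinal))
    {
        variables.Add(new EnvironmentVariableInfo("DOTNET_SYSTEM_GLOBALIZATION_INVARIANT", "true"));
    }

    string imageTag;
    if (imageData.IsDistroless)
    {
        // Distroless images are inspected through a helper image that adds bash
        // (presumably because the validator needs a shell inside the container — see BuildDistrolessHelper).
        imageTag = DockerHelper.BuildDistrolessHelper(ImageType, imageData, "bash");
    }
    else
    {
        imageTag = imageData.GetImage(ImageType, DockerHelper);
    }

    EnvironmentVariableInfo.Validate(variables, imageTag, imageData, DockerHelper);
}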
/// <summary>
/// For distroless images, asserts that the container's default user is not root by printing
/// <c>$EUID</c> from a bash helper image built on top of the image under test.
/// Non-distroless images are not checked here.
/// </summary>
/// <param name="imageData">Image under test.</param>
public void VerifyDistrolessRunsAsNonRootUser(ProductImageData imageData)
{
    if (!imageData.IsDistroless)
    {
        // Only distroless images are expected to default to a non-root user.
        return;
    }

    // Distroless images ship without a shell, so the check runs through a helper image that adds bash
    // (presumably layered on the image under test so its default user is preserved — see BuildDistrolessHelper).
    string helperTag = DockerHelper.BuildDistrolessHelper(ImageType, imageData, "bash");

    // "$EUID" is expanded by bash inside the container; the dollar sign is a literal character here.
    const string echoEffectiveUid = "bash -c \"echo $EUID\"";
    string effectiveUserId = DockerHelper.Run(
        image: helperTag,
        command: echoEffectiveUid,
        name: imageData.GetIdentifier("NonRootUser"));

    // EUID 0 is root; any other id satisfies the least-privilege expectation.
    Assert.NotEqual("0", effectiveUserId);
}
/// <summary>
/// Asserts that the image's filesystem holds no world-writable directories lacking the sticky bit,
/// no world-writable files, and no files owned by an unknown user or group — any of which would let
/// an unprivileged process in the container tamper with or take over content. The three <c>find</c>
/// checks run as an unprivileged user and must print nothing. Images older than 3.1 and Alpine on ARM
/// are skipped.
/// </summary>
/// <param name="imageData">Image under test.</param>
protected void VerifyCommonInsecureFiles(ProductImageData imageData)
{
    bool isAlpine = imageData.OS.Contains("alpine");
    if (imageData.Version < new Version("3.1") || (isAlpine && imageData.IsArm))
    {
        return;
    }

    // Directories writable by everyone are only acceptable with the sticky bit set (e.g. /tmp);
    // -0002 = world-writable, -1000 = sticky bit.
    string unstickyWorldWritableDirs = @"find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \)";
    string worldWritableFiles = "find / -xdev -type f -perm -o+w";

    // BusyBox in Alpine doesn't support the more convenient -nouser and -nogroup options for the find command,
    // so orphaned files are detected by printing the owner name and grepping for the UNKNOWN placeholder instead.
    string orphanedFiles = isAlpine
        ? @"find / -xdev -exec stat -c %U-%n {} \+ | { grep ^UNKNOWN || true; }"
        : @"find / -xdev \( -nouser -o -nogroup \)";

    // NOTE(review): the checks are chained with && — if an earlier find exits non-zero without printing
    // anything (e.g. a permission-denied error while running as the unprivileged user), the later checks
    // are skipped; whether DockerHelper.Run surfaces that exit code is not visible here — confirm.
    string command = $"/bin/sh -c \"{unstickyWorldWritableDirs} && {worldWritableFiles} && {orphanedFiles}\"";

    // Distroless images carry neither a shell nor find; inspect them through a helper image adding both.
    string imageTag = imageData.IsDistroless
        ? DockerHelper.BuildDistrolessHelper(ImageType, imageData, "bash", "findutils")
        : imageData.GetImage(ImageType, DockerHelper);

    string output = DockerHelper.Run(
        image: imageTag,
        name: imageData.GetIdentifier($"InsecureFiles-{ImageType}"),
        command: command,
        runAsUser: "******"
    );

    // Any line of output names an insecure path.
    Assert.Empty(output);
}
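/// <summary>
/// Lists the RPM packages installed in the image, as reported by <c>rpm -qa | sort</c>, one element per output line.
/// </summary>
/// <param name="imageData">Image under test.</param>
/// <returns>The sorted package entries; empty container output yields a single empty element.</returns>
private IEnumerable<string> GetInstalledRpmPackages(ProductImageData imageData)
{
    // Get list of installed RPM packages
    const string command = "bash -c \"rpm -qa | sort\"";

    string imageTag;
    if (imageData.IsDistroless)
    {
        // Distroless images carry neither a shell nor rpm; query them through a helper image that adds both.
        imageTag = DockerHelper.BuildDistrolessHelper(ImageType, imageData, "bash", "rpm");
    }
    else
    {
        imageTag = imageData.GetImage(ImageType, DockerHelper);
    }

    string installedPackages = DockerHelper.Run(
        image: imageTag,
        command: command,
        name: imageData.GetIdentifier("PackageInstallation"));

    // The output comes from a Linux container and is "\n"-delimited regardless of the test host, so split on
    // both line-ending forms rather than Environment.NewLine: identical on Linux hosts, and no longer collapses
    // the whole list into one element on Windows hosts. "\r\n" is listed first so it is matched before the bare "\n".
    return installedPackages.Split(new[] { "\r\n", "\n" }, StringSplitOptions.None);
}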