#!/bin/bash
set -euo pipefail
# ft_chatons audit script
# La Contre-Voie x 42
# Date: 2025-10-27
# Author: neil
# Move to the Core folder
# `set -euo pipefail` above aborts the script if this cd fails; the path is
# relative to the directory the script is invoked from, not to the script file.
cd core
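#######################################
# Computes the tab width for the NAME column: the length of the longest
# directory name directly under the current (Core) folder, as printed by
# find — i.e. including the leading "./" and counting "." itself.
# Globals:   none
# Arguments: none
# Outputs:   the width (an integer) on stdout
# Returns:   0
#######################################
audit_name_width() {
  local width=0 srv
  # NUL-delimited read so names containing whitespace are measured whole
  # instead of being word-split into fragments.
  while IFS= read -r -d '' srv; do
    if (( ${#srv} > width )); then
      width=${#srv}
    fi
  done < <(find . -maxdepth 1 -type d -print0)
  printf '%s\n' "$width"
}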
#######################################
# Colours one result cell of the results table: an empty value is printed
# as a red "NO", any other value is printed in green as-is.
# Arguments: $1 - the check result ("" means the check failed)
# Outputs:   the coloured cell on stdout (no trailing newline)
#######################################
chkbool() {
  local value=$1
  case "$value" in
    '') c_red "NO" ;;
    *)  c_green "$value" ;;
  esac
}
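# Prints $1 in red with no trailing newline. The argument is quoted so
# whitespace and glob characters reach the terminal untouched; %b keeps the
# `echo -e` behaviour callers rely on (audit_single passes a literal "\t").
c_red() {
  printf '\033[0;31m%b\033[0m' "$1"
}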
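# Prints $1 in green with no trailing newline. The argument is quoted so
# whitespace and glob characters reach the terminal untouched; %b keeps the
# `echo -e` behaviour callers rely on (audit_single passes a literal "\t").
c_green() {
  printf '\033[0;32m%b\033[0m' "$1"
}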
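# Prints the value of a compose key from <service>/compose.yml, e.g.
# "pids_limit: 100" -> "100", or nothing when the key is absent. A missing
# file still reports grep's error on stderr (not silenced on purpose).
# Arguments: $1 - service folder; $2 - key name (a fixed, trusted string)
_compose_value() {
  local service=$1 key=$2
  grep -- "$key" "$service/compose.yml" | xargs | sed "s/$key: //g"
}

# Prints "YES" when the container's main process does not run as root on the
# host, nothing otherwise. `-o user=` drops the ps header, so a pid that has
# vanished yields an empty value (reported as NO) instead of the literal
# "USER" header line that a `tail -n 1` pipeline would have turned into YES.
# Arguments: $1 - container name
_nonroot_user() {
  local service=$1 pid user
  pid=$(docker inspect --format='{{ .State.Pid }}' "$service") || return 0
  user=$(ps -p "$pid" -o user=) || return 0
  user=${user//[[:space:]]/}
  # Same rule as the original sed 's/root//g': whatever is left after
  # removing "root" counts as a non-root user.
  user=${user//root/}
  [[ -n "$user" ]] && printf 'YES\n'
  return 0
}

# Prints "YES" when every TCP/UDP listener inside the container's network
# namespace is bound to a specific address, nothing when a wildcard bind
# (0.0.0.0 / :::) is found. A failed probe also prints nothing: an audit
# must not report compliance when the check itself did not run.
# Arguments: $1 - container name
_fixed_addr() {
  local service=$1 listeners
  # No -it: this runs inside $(...) where stdin is not a terminal, and with
  # pipefail a probe that errored out used to be reported as a pass.
  # alpine:latest is unpinned; pinning it by digest would make the probe
  # reproducible.
  listeners=$(docker run --rm --net "container:$service" alpine:latest netstat -tnul \
    | tail -n +3 | awk '$1=$1' | cut -d ' ' -f4) || return 0
  if ! grep -q -e '0.0.0.0' -e ':::' <<<"$listeners"; then
    printf 'YES\n'
  fi
  return 0
}

#######################################
# Audits a single container given as parameter
# example: audit_single caddy
# Arguments: $1 - service name: the Core sub-folder holding compose.yml and
#                 the container name
#            $2 - unused (callers pass "")
#            $3 - width of the NAME column (default 14)
# Outputs:   one tab-separated, colour-coded row of the results table
#            on stdout
# Returns:   0; a failing `docker ps` aborts the script via set -e
#######################################
audit_single() {
  local service=$1
  local max_width=${3:-14}
  local running

  printf '%-*s ' "$max_width" "$service"

  # Anchored regex so "web" does not also match "web2" or "my-web".
  running=$(docker ps -q -f "name=^${service}\$")
  if [[ -z "$running" ]]; then
    c_red 'DOWN\t'
  else
    c_green 'UP!\t'
  fi

  # Static checks read from compose.yml
  chkbool "$(_compose_value "$service" pids_limit)"
  printf '\t\t'
  chkbool "$(_compose_value "$service" cpu_shares)"
  printf '\t\t'
  chkbool "$(_compose_value "$service" mem_limit)"

  # Runtime checks; only meaningful while the container is up
  if [[ -n "$running" ]]; then
    printf '\t\t'
    chkbool "$(docker inspect --format '{{ .Id }}:ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}' "$service" | grep -o "true" | sed 's/true/YES/g')"
    printf '\t\t'
    chkbool "$(_nonroot_user "$service")"
    printf '\t\t'
    chkbool "$(docker inspect --format '{{ .Id }}:SecurityOpt={{ .HostConfig.SecurityOpt }}' "$service" | grep "no-new-privileges" | sed -E 's/.+/YES/g')"
    printf '\t\t'
    chkbool "$(_fixed_addr "$service")"
  fi

  printf '\n'
}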
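#######################################
# Displays the results header
# Arguments: $1 - width of the NAME column (default 14)
# Outputs:   the header line on stdout
#######################################
audit_tabheader() {
  # An empty or missing width falls back to the default instead of being
  # handed to printf as an invalid field width.
  local max_width=${1:-14}
  printf '%-*s ' "$max_width" "NAME"
  printf 'STATUS\tPID LIMIT\tCPU SHARES\tRAM LIMIT\tREAD-ONLY\tUNPRIVILEGED\tRESTR.PRIV.\tFIXED ADDR.\n'
}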
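#######################################
# Audits every service folder found in Core (running or not) and prints
# the whole results table.
# Globals:   none
# Arguments: none
# Outputs:   the header plus one row per folder, in byte-order of name
# Returns:   non-zero if audit_name_width fails
#######################################
audit_all() {
  local max_width srv
  # Declaration and assignment are split so a failing audit_name_width
  # is not masked by `local`.
  max_width=$(audit_name_width) || return
  audit_tabheader "$max_width"
  # NUL-delimited so folder names with whitespace survive; '.', '.git' and
  # 'tools' are not services. Sorting makes the report order stable.
  while IFS= read -r -d '' srv; do
    audit_single "$srv" "" "$max_width"
  done < <(find . -maxdepth 1 -type d ! -name '.' ! -name '.git' ! -name 'tools' -printf '%P\0' | LC_ALL=C sort -z)
}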
# main #
# Entry point: audits every folder of Core, which `cd core` above made the
# current directory.
audit_all