package pkg
import (
"bufio"
"github.com/chaitin/veinmind-common-go/service/report/event"
"os"
"strings"
api "github.com/chaitin/libveinmind/go"
"github.com/chaitin/libveinmind/go/plugin/log"
)
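// ContainerDockerAPiCheck reports Docker daemon settings that expose the Docker
// Engine API over TCP. It reads the host's docker.service systemd unit and
// flags every non-comment line that hands dockerd a tcp:// listener through
// the -H / --host flag. A TCP API listener is a well-known escape path: anyone
// who can reach that port can start arbitrary (privileged) containers on the
// host, so it is reported regardless of any TLS options on the same line.
//
// Locating the unit file: when /.dockerenv is absent the host root is taken
// from LIBVEINMIND_HOST_ROOTFS (empty means the real root of this process);
// otherwise the host root is assumed to be mounted at /host.
//
// The fs parameter is not used; the unit file is read through this process's
// own filesystem view with os.Open.
//
// Returns one EscapeDetail per matching line. If the unit cannot be opened or
// read, the error is logged and returned along with the (possibly empty) slice.
func ContainerDockerAPiCheck(fs api.FileSystem) ([]*event.EscapeDetail, error) {
	res := make([]*event.EscapeDetail, 0)

	var file string
	// os.Stat does not acquire a descriptor; os.Open here would leak the
	// handle whenever /.dockerenv exists, since that path was never closed.
	if _, err := os.Stat("/.dockerenv"); os.IsNotExist(err) {
		// Not inside a container: the host root may be mounted somewhere
		// else, as told by LIBVEINMIND_HOST_ROOTFS (empty = real root).
		hostRoot := os.Getenv("LIBVEINMIND_HOST_ROOTFS")
		file = hostRoot + "/lib/systemd/system/docker.service"
	} else {
		// Inside the scanner container the host root is mounted at /host.
		file = "/host/lib/systemd/system/docker.service"
	}

	content, err := os.Open(file)
	if err != nil {
		log.Error(err)
		return res, err
	}
	defer content.Close()

	scanner := bufio.NewScanner(content)
	for scanner.Scan() {
		line := scanner.Text()
		// systemd strips surrounding whitespace and ignores lines that then
		// start with '#' or ';'; a commented-out listener must not be reported.
		trimmed := strings.TrimSpace(line)
		if strings.HasPrefix(trimmed, "#") || strings.HasPrefix(trimmed, ";") {
			continue
		}
		if exposesDockerAPIOverTCP(trimmed) {
			res = append(res, &event.EscapeDetail{
				Target: file,
				Reason: DOCKERAPIREASON,
				Detail: "Unsafe setting for Docker API :" + line,
			})
		}
	}
	// Without this check a mid-file read error (or a line exceeding the
	// scanner's default 64 KiB buffer) would silently look like end-of-file
	// and the remaining lines would never be inspected.
	if err := scanner.Err(); err != nil {
		log.Error(err)
		return res, err
	}
	return res, nil
}

// dockerHostFlags are the spellings dockerd accepts for a TCP API listener.
// The original check only matched "-H tcp://" and missed the other three.
var dockerHostFlags = []string{"-H tcp://", "-H=tcp://", "--host tcp://", "--host=tcp://"}

// exposesDockerAPIOverTCP reports whether a dockerd command line passes a
// tcp:// listener via any form of the host flag. Only the scheme is inspected:
// a listener guarded by --tlsverify is still reported, because this check
// cannot tell whether client certificates are actually enforced.
func exposesDockerAPIOverTCP(line string) bool {
	for _, flag := range dockerHostFlags {
		if strings.Contains(line, flag) {
			return true
		}
	}
	return false
}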
// init registers ContainerDockerAPiCheck in ContainerCheckList so the plugin
// runner executes it alongside the other container escape checks.
func init() {
	check := ContainerDockerAPiCheck
	ContainerCheckList = append(ContainerCheckList, check)
}