add: dedicated podman rules

deoktr · deoktr · commit d1c1f28898b9 · 2026-01-24T22:35:22.000+01:00
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "raudit"
-version = "0.22.0"
+version = "0.23.0"
 edition = "2024"
 authors = ["deoktr"]
 license = "GPLv3"
diff --git a/Containerfile b/Containerfile
@@ -1,13 +1,12 @@
 FROM docker.io/library/rust:1.89
 
-RUN rustup target add x86_64-unknown-linux-gnu && \
-	rustup toolchain install stable-x86_64-unknown-linux-gnu
+RUN rustup target add x86_64-unknown-linux-gnu \
+	&& rustup toolchain install stable-x86_64-unknown-linux-gnu
 
 WORKDIR /src
 
-COPY Cargo.toml .
-COPY Cargo.lock .
+COPY Cargo.toml Cargo.lock ./
 COPY src src
 RUN cargo fetch
 
-CMD [ "cargo", "build", "--release", "--target=x86_64-unknown-linux-gnu", "--offline" ]
+CMD ["cargo", "build", "--release", "--target=x86_64-unknown-linux-gnu", "--offline"]
diff --git a/LICENSE b/LICENSE
@@ -632,7 +632,7 @@ state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
 
     rAudit, a Linux security audit tool
-    Copyright (C) 2024 - 2025  deoktr
+    Copyright (C) 2024 - 2026  deoktr
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -652,7 +652,7 @@ Also add information on how to contact you by electronic and paper mail.
   If the program does terminal interaction, make it output a short
 notice like this when it starts in an interactive mode:
 
-    rAudit  Copyright (C) 2024 - 2025  deoktr
+    rAudit  Copyright (C) 2024 - 2026  deoktr
     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.
diff --git a/README.md b/README.md
@@ -4,14 +4,9 @@ rAudit is a security audit tool to help you create your own security audit check
 
 Goals:
 
-- Fast and reliable audits
-- Easy to extend and create your own checks
-- JSON output
-
-What it is NOT:
-
-- A configuration tool, no change is ever applied, just checks
-- A vulnerability checker, no attempts to find vulnerable versions of applications are made
+- Fast and reliable audits.
+- Easy to extend and create your own checks.
+- JSON output.
 
 ## Usage
 
@@ -108,7 +103,7 @@ What is supported:
 - Kenel params.
 - Kernel compilation params.
 - Sysctl params.
-- Docker/Podman containers.
+- Docker and Podman.
 - Login.defs configuration.
 - Modprobe including blacklisted and disabled modules.
 - PAM rules.
@@ -220,6 +215,7 @@ Benchmark 1: ./target/release/raudit
 - Add documentation, both user and dev
 - Add option to only have `id`, `message` and `state` in JSON output of checks
 - Add check timeout, if they take too long just stop them, maybe even with ctrl+c?
+- Build in CI on release
 
 ## License
 
diff --git a/src/check.rs b/src/check.rs
@@ -36,10 +36,8 @@ static REPORT: Lazy<Mutex<Report>> = Lazy::new(|| Mutex::new(Report::default()))
 pub struct Report {
     /// List of checks
     checks: Vec<Check>,
-
     /// Check stats
     stats: ReportStats,
-
     /// Raudit version
     version: String,
 }
@@ -48,13 +46,10 @@ pub struct Report {
 pub enum CheckState {
     /// Check passed
     Passed,
-
     /// Check failed
     Failed,
-
     /// Check function execution error
     Error,
-
     /// Check is yet to execute
     Waiting,
 }
diff --git a/src/cli.rs b/src/cli.rs
@@ -152,6 +152,7 @@ fn add_all_checks() {
     rules::modprobe::add_checks();
     rules::mount::add_checks();
     rules::pam::add_checks();
+    rules::podman::add_checks();
     rules::shell::add_checks();
     rules::sshd::add_checks();
     rules::sudo::add_checks();
diff --git a/src/docker.rs b/src/docker.rs
@@ -17,10 +17,8 @@
  */
 
 // TODO: cache containers JSON config instead of query for all checks
-// TODO: check if Docker or Podman is used, to know which command we should use
 // TODO: check: <https://github.com/docker/docker-bench-security>
-// TODO: ensure all docker/podman apps inside containers are running as user
-// podman container inspect -l --format '{{.Id}}={{.Config.User}}'
+// docker container inspect -l --format '{{.Id}}={{.Config.User}}'
 // each line are id=user
 // the user should also define the group, ex: `999:999`
 // with uid and gid > 0 and < 1000
@@ -37,15 +35,14 @@
 use std::process;
 use std::process::Stdio;
 
-use crate::{check, log_debug};
+use crate::{check, log_debug, log_trace};
 
 /// Ensure containers are not started with `--privileged` flag.
 ///
 /// Don't start containers with `--privileged`.
 /// Check manually with:
 /// docker container inspect -l --format '{{.Id}}={{.Config.CreateCommand}}'
 pub fn docker_not_privileged() -> check::CheckReturn {
-    // can be docker or podman
     let mut cmd = process::Command::new("docker");
     cmd.stdin(Stdio::null());
     cmd.args(vec![
@@ -69,8 +66,7 @@ pub fn docker_not_privileged() -> check::CheckReturn {
                 // remove []
                 let cmd: Vec<&str> = create_cmd[1..create_cmd.len() - 1].split(" ").collect();
 
-                // debug
-                log_debug!("{} {:?}", id, cmd);
+                log_trace!("docker privileged {} {:?}", id, cmd);
 
                 if cmd.contains(&"--privileged") {
                     Some(id.to_string())
@@ -98,7 +94,6 @@ pub fn docker_not_privileged() -> check::CheckReturn {
 /// check manually with:
 /// docker container inspect -l --format '{{.Id}}={{.Config.CreateCommand}}'
 pub fn docker_cap_drop() -> check::CheckReturn {
-    // can be docker or podman
     let mut cmd = process::Command::new("docker");
     cmd.stdin(Stdio::null());
     cmd.args(vec![
@@ -122,8 +117,7 @@ pub fn docker_cap_drop() -> check::CheckReturn {
                 // remove []
                 let cap_list: Vec<&str> = cap_drop[1..cap_drop.len() - 1].split(" ").collect();
 
-                // debug
-                log_debug!("{} {:?}", id, cap_list);
+                log_trace!("docker cap {} {:?}", id, cap_list);
 
                 if cap_list.len() < 11 {
                     Some(id.to_string())
diff --git a/src/group.rs b/src/group.rs
@@ -23,7 +23,6 @@ use crate::base::empty_or_missing_file;
 use crate::{check, log_debug, log_error};
 
 const GROUP_PATH: &str = "/etc/group";
-
 const SHADOW_PATH: &str = "/etc/gshadow";
 
 static GROUPS: OnceLock<Groups> = OnceLock::new();
diff --git a/src/main.rs b/src/main.rs
@@ -38,6 +38,7 @@ mod malloc;
 mod modprobe;
 mod mount;
 mod pam;
+mod podman;
 mod ps;
 mod shell;
 mod sshd;
@@ -65,6 +66,7 @@ mod rules {
     pub mod modprobe;
     pub mod mount;
     pub mod pam;
+    pub mod podman;
     pub mod shell;
     pub mod sshd;
     pub mod sudo;
diff --git a/src/podman.rs b/src/podman.rs
@@ -0,0 +1,185 @@
+/*
+ * rAudit, a Linux security auditing toolkit
+ * Copyright (C) 2024 - 2025  deoktr
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ */
+
+// TODO: cache containers JSON config instead of query for all checks
+// TODO: check: <https://github.com/docker/docker-bench-security>
+// TODO: ensure that ports are only exposed on loopback/localhost (if they are
+// not 80/443)
+// TODO: ensure docker is running rootless
+// https://docs.docker.com/engine/security/rootless/
+// TODO: ensure no containers has the docker socket mounted to it (`/var/run/docker.sock`), capabilities or is unconfined
+// https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/index.html#automatic-enumeration-and-escape
+// TODO: ensure an apparmor profile is enabled for containers
+// TODO: ensure containers are isolated with user namespaces <https://docs.docker.com/engine/security/userns-remap/>
+// TODO: ensure resources are limited to avoid container DOS the host
+
+use std::process;
+use std::process::Stdio;
+
+use crate::{check, log_debug, log_trace};
+
+/// Ensure containers are not started with `--privileged` flag.
+///
+/// Don't start containers with `--privileged`.
+/// Check manually with:
+/// podman container inspect -l --format '{{.Id}}\t{{.Config.CreateCommand}}'
+pub fn podman_not_privileged() -> check::CheckReturn {
+    let mut cmd = process::Command::new("podman");
+    cmd.stdin(Stdio::null());
+    cmd.args(vec![
+        "container",
+        "inspect",
+        "-l",
+        "--format",
+        "{{.Id}}\t{{.Config.CreateCommand}}",
+    ]);
+
+    let output = match cmd.output() {
+        Ok(output) => output,
+        Err(err) => return (check::CheckState::Failed, Some(err.to_string())),
+    };
+
+    let ids: Vec<String> = String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .map(|x| x.to_string())
+        .filter_map(|line| match line.split_once("\t") {
+            Some((id, create_cmd)) => {
+                // remove []
+                let cmd: Vec<&str> = create_cmd[1..create_cmd.len() - 1].split(" ").collect();
+
+                log_trace!("podman privileged {} {:?}", id, cmd);
+
+                if cmd.contains(&"--privileged") {
+                    Some(id.to_string())
+                } else {
+                    None
+                }
+            }
+            // should never happen, don't even log it
+            None => None,
+        })
+        .collect();
+
+    log_debug!("containers running with `--privileged`: {:?}", ids);
+
+    if ids.len() == 0 {
+        (check::CheckState::Passed, None)
+    } else {
+        (check::CheckState::Failed, Some(ids.join(", ")))
+    }
+}
+
+/// Ensure containers capabilities are dopped.
+///
+/// Start containers with `--cap-drop=all` to remove all capabilities.
+/// check manually with:
+/// podman container inspect -l --format '{{.Id}}={{.Config.CreateCommand}}'
+pub fn podman_cap_drop() -> check::CheckReturn {
+    let mut cmd = process::Command::new("podman");
+    cmd.stdin(Stdio::null());
+    cmd.args(vec![
+        "container",
+        "inspect",
+        "-l",
+        "--format",
+        "{{.Id}}\t{{.HostConfig.CapDrop}}",
+    ]);
+
+    let output = match cmd.output() {
+        Ok(output) => output,
+        Err(err) => return (check::CheckState::Failed, Some(err.to_string())),
+    };
+
+    let ids: Vec<String> = String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .map(|x| x.to_string())
+        .filter_map(|line| match line.split_once("\t") {
+            Some((id, cap_drop)) => {
+                // remove []
+                let cap_list: Vec<&str> = cap_drop[1..cap_drop.len() - 1].split(" ").collect();
+
+                log_trace!("cap list for podman container {} {:?}", id, cap_list);
+
+                if cap_list.len() < 11 {
+                    Some(id.to_string())
+                } else {
+                    None
+                }
+            }
+            // should never happen, don't even log it
+            None => None,
+        })
+        .collect();
+
+    log_debug!("Missing cap drop on containers: {:?}", ids);
+
+    if ids.len() == 0 {
+        (check::CheckState::Passed, None)
+    } else {
+        (check::CheckState::Failed, Some(ids.join(", ")))
+    }
+}
+
+/// Ensure containers services are running as user.
+///
+/// Start containers and run process as a user inside it.
+/// check manually with:
+/// podman container inspect -l --format '{{.Id}}\t{{.Config.User}}'
+pub fn podman_user() -> check::CheckReturn {
+    let mut cmd = process::Command::new("podman");
+    cmd.stdin(Stdio::null());
+    cmd.args(vec![
+        "container",
+        "inspect",
+        "-l",
+        "--format",
+        "{{.Id}}\t{{.Config.User}}",
+    ]);
+
+    let output = match cmd.output() {
+        Ok(output) => output,
+        Err(err) => return (check::CheckState::Failed, Some(err.to_string())),
+    };
+
+    let ids: Vec<String> = String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .map(|x| x.to_string())
+        .filter_map(|line| match line.split_once("\t") {
+            Some((id, uid)) => {
+                // debug
+                log_trace!("podman container user {} {:?}", id, uid);
+
+                if uid == "0" {
+                    Some(id.to_string())
+                } else {
+                    None
+                }
+            }
+            // should never happen, don't even log it
+            None => None,
+        })
+        .collect();
+
+    log_debug!("Running as root on containers: {:?}", ids);
+
+    if ids.len() == 0 {
+        (check::CheckState::Passed, None)
+    } else {
+        (check::CheckState::Failed, Some(ids.join(", ")))
+    }
+}
diff --git a/src/rules/podman.rs b/src/rules/podman.rs
diff --git a/src/rules/user.rs b/src/rules/user.rs
diff --git a/src/users.rs b/src/users.rs
diff --git a/src/utils.rs b/src/utils.rs
