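#!/bin/bash
# Lab 05 - Database & RDS
# Test 04: Security Compliance (INF-01, INF-02, INF-03)
# Checks security conformance: non-root, no host ports, resource limits.
#
# Static checks read docker-compose.yml from the current directory; dynamic
# checks additionally need the `lab05-db` container to be running (otherwise
# they are reported as SKIP and the script exits 0). Exit status is 1 only
# when at least one check FAILs.
set -euo pipefail

# Output colours
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Result counters
pass_count=0
fail_count=0
skip_count=0

# Helpers. `|| true` because `(( x++ ))` returns 1 when x was 0, which would
# otherwise abort the script under `set -e`.
inc_pass() { ((pass_count++)) || true; }
inc_fail() { ((fail_count++)) || true; }
inc_skip() { ((skip_count++)) || true; }

# Print the `database:` service section of docker-compose.yml: the key line
# plus the $1 lines following it. Shared by every static check below.
db_section() { grep -A "$1" "database:" docker-compose.yml; }

# Final tally line, printed on every exit path.
print_summary() {
  echo "Risultato: $pass_count PASS, $fail_count FAIL, $skip_count SKIP"
}

echo "=========================================="
echo "Lab 05 - Test 04: Security Compliance"
echo "=========================================="
echo ""

# Without a compose file none of the static checks can run: SKIP and exit 0.
echo -n "[TEST] Verifica docker-compose.yml esista... "
if [[ -f "docker-compose.yml" ]]; then
  echo -e "${GREEN}PASS${NC}"
  inc_pass
else
  echo -e "${YELLOW}SKIP${NC} (docker-compose.yml non trovato)"
  inc_skip
  echo ""
  print_summary
  exit 0
fi

echo ""
echo "=== INF-01: Nessun container gira come root ==="

# The official PostgreSQL image drops to the `postgres` user on its own, but a
# `user: root` / `user: 0` (optionally quoted, optionally `0:0`) override in
# the service definition would undo that, so it is checked as well.
root_user_re="^[[:space:]]*user:[[:space:]]*[\"']?(root|0)([[:space:]:\"']|\$)"
echo -n "[TEST] Verifica immagine PostgreSQL (ufficiale gira come postgres)... "
if ! grep -q "image: postgres" docker-compose.yml; then
  echo -e "${YELLOW}WARN${NC} (immagine diversa da PostgreSQL ufficiale)"
  inc_skip
elif db_section 30 | grep -Eq "$root_user_re"; then
  echo -e "${RED}FAIL${NC} (override 'user: root' nel servizio database)"
  inc_fail
  echo "INF-01 VIOLATION: nessun container deve girare come root"
else
  echo -e "${GREEN}PASS${NC} (PostgreSQL ufficiale non gira come root)"
  inc_pass
fi

echo ""
echo "=== INF-02: Reti private non espongono porte sull'host ==="

# A private-network database must not publish ports at all. A 127.0.0.1
# binding is tolerated with a warning (a real RDS instance exposes nothing
# to the host); any other published port is a violation.
echo -n "[TEST] Verifica database NON espone porte (INF-02)... "
if db_section 30 | grep -q "ports:"; then
  if db_section 30 | grep -A 5 "ports:" | grep -Fq "127.0.0.1"; then
    echo -e "${YELLOW}WARN${NC} (porta su 127.0.0.1 - RDS reale non espone porte)"
    inc_skip
  else
    echo -e "${RED}FAIL${NC} (porta esposta su host)"
    inc_fail
    echo "INF-02 VIOLATION: database in rete privata non deve esporre porte"
  fi
else
  echo -e "${GREEN}PASS${NC} (nessuna porta esposta)"
  inc_pass
fi

# The database service must be attached to the private network.
echo -n "[TEST] Verifica database in rete privata... "
if db_section 20 | grep -q "vpc-private"; then
  echo -e "${GREEN}PASS${NC}"
  inc_pass
else
  echo -e "${RED}FAIL${NC} (database non in rete privata)"
  inc_fail
fi

echo ""
echo "=== INF-03: Tutti i container hanno limiti risorse ==="

# CPU limit declared in the service section
echo -n "[TEST] Verifica limiti CPU configurati... "
if db_section 30 | grep -q "cpus:"; then
  echo -e "${GREEN}PASS${NC}"
  inc_pass
else
  echo -e "${RED}FAIL${NC} (nessun limite CPU)"
  inc_fail
  echo "INF-03 VIOLATION: database deve avere limiti risorse"
fi

# Memory limit declared in the service section
echo -n "[TEST] Verifica limiti memoria configurati... "
if db_section 30 | grep -q "memory:"; then
  echo -e "${GREEN}PASS${NC}"
  inc_pass
else
  echo -e "${RED}FAIL${NC} (nessun limite memoria)"
  inc_fail
  echo "INF-03 VIOLATION: database deve avere limiti memoria"
fi

echo ""
echo "=== Validazione limiti risorse ==="

# Dynamic checks need the container. `{{.Names}}` is the Go-template field
# for the container name; `-Fxq` matches the whole line literally.
echo -n "[TEST] Verifica container database in esecuzione... "
if ! docker ps --format '{{.Names}}' 2>/dev/null | grep -Fxq "lab05-db"; then
  echo -e "${YELLOW}SKIP${NC} (container non in esecuzione)"
  inc_skip
  echo -e "${YELLOW}Avviare i container con: docker-compose up -d${NC}"
  echo ""
  print_summary
  exit 0
fi
echo -e "${GREEN}PASS${NC}"
inc_pass

# One `docker stats` call; the "cpu,mem" pair is split with parameter
# expansion instead of querying the daemon twice more.
echo -n "[TEST] Verifica limiti con docker stats... "
if stats=$(docker stats lab05-db --no-stream --format "{{.CPUPerc}},{{.MemUsage}}" 2>/dev/null); then
  echo -e "${GREEN}PASS${NC}"
  inc_pass
  cpu_usage=${stats%%,*}
  mem_usage=${stats#*,}
  echo " CPU: $cpu_usage, Memoria: $mem_usage"
else
  echo -e "${YELLOW}WARN${NC} (impossibile ottenere statistiche)"
  inc_skip
fi

echo ""
echo "=== Verifica utente container ==="

# A failed `docker exec` (container gone, tool missing) must not count as
# PASS: the user is simply unknown, so it is reported as SKIP.
echo -n "[TEST] Verifica container NON gira come root... "
container_user=$(docker exec lab05-db whoami 2>/dev/null || echo "unknown")
if [[ "$container_user" == "unknown" ]]; then
  echo -e "${YELLOW}SKIP${NC} (impossibile determinare l'utente del container)"
  inc_skip
elif [[ "$container_user" != "root" ]]; then
  echo -e "${GREEN}PASS${NC} (utente: $container_user)"
  inc_pass
else
  echo -e "${RED}FAIL${NC} (container gira come root)"
  inc_fail
  echo "INF-01 VIOLATION: nessun container deve girare come root"
fi

# Same policy for the numeric UID: unknown is SKIP, 0 is FAIL.
echo -n "[TEST] Verifica container UID != 0... "
container_uid=$(docker exec lab05-db id -u 2>/dev/null || echo "unknown")
if [[ "$container_uid" == "unknown" ]]; then
  echo -e "${YELLOW}SKIP${NC} (impossibile determinare l'UID del container)"
  inc_skip
elif [[ "$container_uid" != "0" ]]; then
  echo -e "${GREEN}PASS${NC} (UID: $container_uid)"
  inc_pass
else
  echo -e "${RED}FAIL${NC} (UID: 0 = root)"
  inc_fail
fi

echo ""
echo "=========================================="
print_summary
echo "=========================================="

if (( fail_count > 0 )); then
  exit 1
fi
exit 0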