
feat: all mixes of include and excludes are now supported

Signed-off-by: wilmardo <info@wilmardenouden.nl>
wilmardo committed Dec 9, 2019
1 parent f1c4dc4 commit 155c739fc9afbf96abfa8c0841f7d7a534cc273f
Showing with 43 additions and 21 deletions.
  1. +7 −0 README.md
  2. +36 −21 docker-bench-security.sh
@@ -71,6 +71,13 @@ will only run check `2.2 Ensure the logging level is set to 'info'`.
`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e check_2_2`
will run all available checks except `2.2 Ensure the logging level is set to 'info'`.

`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration`
will run all available checks except the docker_enterprise_configuration group

`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration,check_2_2`
will run all available checks except the docker_enterprise_configuration group
and `2.2 Ensure the logging level is set to 'info'`

`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c container_images -e check_4_5`
will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled`

@@ -21,7 +21,7 @@ readonly version
readonly this_path
readonly myname

export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
# export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"

# Check for required program(s)
req_progs='awk docker grep ss stat'
@@ -102,7 +102,7 @@ main () {
fi
done

# get the image id of the docker_bench_security_image, memorize it:
# Get the image id of the docker_bench_security_image, memorize it:
benchimagecont="nil"
for c in $(docker images | sed '1d' | awk '{print $3}'); do
if docker inspect --format '{{ .Config.Labels }}' "$c" | \
@@ -135,29 +135,44 @@ main () {
done

if [ -z "$check" ] && [ ! "$checkexclude" ]; then
# No options just run
cis
elif [ -z "$check" ] && [ "$checkexclude" ]; then
checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')"
for c in $(grep -E 'check_[0-9]|check_[a-z]' functions_lib.sh | grep -vE "$checkexcluded"); do
elif [ -z "$check" ]; then
# No check defined but excludes defined set to calls in cis() function
check=$(sed -ne "/cis() {/,/}/{/{/d; /}/d; p}" functions_lib.sh)
fi

for c in $(echo "$check" | sed "s/,/ /g"); do
if ! command -v "$c" 2>/dev/null 1>&2; then
echo "Check \"$c\" doesn't seem to exist."
continue
fi
if [ -z "$checkexclude" ]; then
# No excludes just run the checks specified
"$c"
done
else
for i in $(echo "$check" | sed "s/,/ /g"); do
if command -v "$i" 2>/dev/null 1>&2; then
if [ "$checkexclude" ]; then
checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')"
for check in $(sed -ne "/$i() {/,/}/{/{/d; /}/d; p}" functions_lib.sh | grep -vE "$checkexcluded"); do
"$check"
done
else
"$i"
fi
else
echo "Check \"$i\" doesn't seem to exist."
else
# Exludes specified and check exists
checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')"

if echo "$c" | grep -E "$checkexcluded" 2>/dev/null 1>&2; then
# Excluded
continue
elif echo "$c" | grep -vE 'check_[0-9]|check_[a-z]' 2>/dev/null 1>&2; then
# Function not a check, fill loop_checks with all check from function
loop_checks="$(sed -ne "/$c() {/,/}/{/{/d; /}/d; p}" functions_lib.sh)"
else
# Just one check
loop_checks="$c"
fi
done
fi

for lc in $loop_checks; do
if echo "$lc" | grep -vE "$checkexcluded" 2>/dev/null 1>&2; then
# Not excluded
"$lc"
fi
done
fi
done

printf "\n"
info "Checks: $totalChecks"
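Review bot: The exclude pattern built at `checkexcluded="$(echo ",$checkexclude" | sed …)"` under `# Exludes specified and check exists` (typo: `Excludes`) is start-anchored only for the empty leading alternative — `,check_2_2` becomes `^$|check_2_2$` — so every exclude is a suffix match rather than an exact name match, and that same pattern drives both the `grep -E` skip and the `grep -vE` filter over `$loop_checks`. Building it as `checkexcluded="^($(printf '%s' "$checkexclude" | sed 's/,/|/g'))\$"` anchors each name on both sides and drops the stray `^$` alternative. Separately, `command -v "$c"` accepts any executable on PATH, not only a bench function, so a non-function name combined with `-e` reaches the `sed -ne "/$c() {/,/}/…"` address unvalidated; checking that `$c` is a shell function first (e.g. `type "$c" 2>/dev/null | grep -q function`) would make that lookup fail early and clearly instead of silently running nothing. If the rendering's old-then-new order holds, the first hunk also comments out `export PATH=…`, which looks unrelated to the include/exclude feature and is worth confirming as intentional, since the required-program check just below it (`req_progs='awk docker grep ss stat'`) relies on those sbin paths being searched. The enclosing `main ()` starts before this hunk.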
