From 1b37a1e6bcdc20018a5dcc7820eac2ce1e94c3ac Mon Sep 17 00:00:00 2001 From: wilmardo Date: Wed, 4 Dec 2019 15:21:37 +0100 Subject: [PATCH 1/6] fix: allow combining include and exclude Signed-off-by: wilmardo --- docker-bench-security.sh | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 8d9a602..2d52a82 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -144,7 +144,15 @@ main () { else for i in $(echo "$check" | sed "s/,/ /g"); do if command -v "$i" 2>/dev/null 1>&2; then - "$i" + if [ "$checkexclude" ]; then + checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')" + included_checks=$(sed -ne "/$i() {/,/}/{/check/p}" functions_lib.sh | grep -vE "$checkexcluded") + for check in $included_checks; do + "$check" + done + else + "$i" + fi else echo "Check \"$i\" doesn't seem to exist." continue From cf9baa76ae4eefa9583adb4639b9cedd11c0265b Mon Sep 17 00:00:00 2001 From: wilmardo Date: Thu, 5 Dec 2019 15:51:14 +0100 Subject: [PATCH 2/6] feat: improve sed match Signed-off-by: wilmardo --- docker-bench-security.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 2d52a82..ac50a89 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -146,7 +146,7 @@ main () { if command -v "$i" 2>/dev/null 1>&2; then if [ "$checkexclude" ]; then checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')" - included_checks=$(sed -ne "/$i() {/,/}/{/check/p}" functions_lib.sh | grep -vE "$checkexcluded") + included_checks=$(sed -ne "/$i() {/,/}/{/{/d; /}/d; p}" functions_lib.sh | grep -vE "$checkexcluded") for check in $included_checks; do "$check" done From 91d36b62f9081f5f812aa1d939a72cbc43091dd2 Mon Sep 17 00:00:00 2001 
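Review bot: When `-c` names an individual check rather than a group and `-e` is also given, the new `else` branch never calls `"$i"`; it runs `sed -ne "/$i() {/,/}/{/check/p}" functions_lib.sh`, which for a single check either finds no matching `() {` definition in functions_lib.sh (the check is then silently skipped) or, if one exists there, prints whichever lines of that function mention `check` and executes them word by word. The branch should first test whether `$i` is itself a check (`echo "$i" | grep -qE 'check_[0-9]|check_[a-z]'`) and in that case set `included_checks="$i"` instead of expanding it, so the exclude filter still applies to it; the PATCH 5/6 rework later introduces exactly this distinction. The inner loop also reuses `check` as its variable name, shadowing the outer `$check` list that the enclosing `for` has already consumed, which reads confusingly; a name such as `included` would be clearer. The same expansion is carried unchanged by the PATCH 2/6 hunk on this line and the PATCH 3/6 hunk on the next line. The enclosing `for i` loop and `main` start and end outside the hunk.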
From: wilmardo Date: Thu, 5 Dec 2019 16:20:47 +0100 Subject: [PATCH 3/6] refact: removes variable, use result directly in loop Signed-off-by: wilmardo --- docker-bench-security.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index ac50a89..03dd144 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -146,8 +146,7 @@ main () { if command -v "$i" 2>/dev/null 1>&2; then if [ "$checkexclude" ]; then checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')" - included_checks=$(sed -ne "/$i() {/,/}/{/{/d; /}/d; p}" functions_lib.sh | grep -vE "$checkexcluded") - for check in $included_checks; do + for check in $(sed -ne "/$i() {/,/}/{/{/d; /}/d; p}" functions_lib.sh | grep -vE "$checkexcluded"); do "$check" done else From f1c4dc4cd6168c28ab9ae08e18964000bae72038 Mon Sep 17 00:00:00 2001 From: wilmardo Date: Thu, 5 Dec 2019 16:21:46 +0100 Subject: [PATCH 4/6] docs: Adds example of combining include and exclude Signed-off-by: wilmardo --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 3568088..9e4973e 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,9 @@ will only run check `2.2 Ensure the logging level is set to 'info'`. `sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`. +`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c container_images -e check_4_5` +will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled` + Note that when submitting checks, provide information why it is a reasonable test to add and please include some kind of official documentation verifying that information. From 155c739fc9afbf96abfa8c0841f7d7a534cc273f Mon Sep 17 00:00:00 2001 
From: wilmardo Date: Mon, 9 Dec 2019 15:19:17 +0100 Subject: [PATCH 5/6] feat: all mixes of include and excludes are now supported Signed-off-by: wilmardo --- README.md | 7 +++++ docker-bench-security.sh | 61 +++++++++++++++++++++++++--------------- 2 files changed, 45 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 9e4973e..0c4f6f8 100644 --- a/README.md +++ b/README.md @@ -71,6 +71,13 @@ will only run check `2.2 Ensure the logging level is set to 'info'`. `sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e check_2_2` will run all available checks except `2.2 Ensure the logging level is set to 'info'`. +`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration` +will run all available checks except the docker_enterprise_configuration group + +`sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration,check_2_2` +will run all available checks except the docker_enterprise_configuration group +and `2.2 Ensure the logging level is set to 'info'` + `sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c container_images -e check_4_5` will run just the container_images checks except `4.5 Ensure Content trust for Docker is Enabled` diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 03dd144..8cbbb7a 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -21,7 +21,7 @@ readonly version readonly this_path readonly myname -export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/" +# export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/" # Check for required program(s) req_progs='awk docker grep ss stat' 
@@ -102,7 +102,7 @@ main () { fi done - # get the image id of the docker_bench_security_image, memorize it: + # Get the image id of the docker_bench_security_image, memorize it: benchimagecont="nil" for c in $(docker images | sed '1d' | awk '{print $3}'); do if docker inspect --format '{{ .Config.Labels }}' "$c" | \ 
@@ -135,30 +135,45 @@ main () { done if [ -z "$check" ] && [ ! "$checkexclude" ]; then + # No options just run cis - elif [ -z "$check" ] && [ "$checkexclude" ]; then - checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')" - for c in $(grep -E 'check_[0-9]|check_[a-z]' functions_lib.sh | grep -vE "$checkexcluded"); do - "$c" - done - else - for i in $(echo "$check" | sed "s/,/ /g"); do - if command -v "$i" 2>/dev/null 1>&2; then - if [ "$checkexclude" ]; then - checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')" - for check in $(sed -ne "/$i() {/,/}/{/{/d; /}/d; p}" functions_lib.sh | grep -vE "$checkexcluded"); do - "$check" - done - else - "$i" - fi - else - echo "Check \"$i\" doesn't seem to exist." - continue - fi - done + elif [ -z "$check" ]; then + # No check defined but excludes defined set to calls in cis() function + check=$(sed -ne "/cis() {/,/}/{/{/d; /}/d; p}" functions_lib.sh) fi + for c in $(echo "$check" | sed "s/,/ /g"); do + if ! command -v "$c" 2>/dev/null 1>&2; then + echo "Check \"$c\" doesn't seem to exist." + continue + fi + if [ -z "$checkexclude" ]; then + # No excludes just run the checks specified + "$c" + else + # Exludes specified and check exists + checkexcluded="$(echo ",$checkexclude" | sed -e 's/^/\^/g' -e 's/,/\$|/g' -e 's/$/\$/g')" + + if echo "$c" | grep -E "$checkexcluded" 2>/dev/null 1>&2; then + # Excluded + continue + elif echo "$c" | grep -vE 'check_[0-9]|check_[a-z]' 2>/dev/null 1>&2; then + # Function not a check, fill loop_checks with all check from function + loop_checks="$(sed -ne "/$c() {/,/}/{/{/d; /}/d; p}" functions_lib.sh)" + else + # Just one check + loop_checks="$c" + fi + + for lc in $loop_checks; do + if echo "$lc" | grep -vE "$checkexcluded" 2>/dev/null 1>&2; then + # Not excluded + "$lc" + fi + done + fi + done + printf "\n" info "Checks: $totalChecks" info "Score: $currentScore" 
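Review bot: The exclusion test in the new loop builds a regex from the `-e` value with `sed`, so a stray trailing comma (`-e check_2_2,`) produces `^$|check_2_2$|$`, whose bare `$` alternative matches every name on GNU grep and silently excludes every check, while an unbalanced metacharacter in the value makes both `grep` calls fail with their diagnostics discarded by `2>/dev/null 1>&2`, so the checks are skipped without any message. A fixed-string membership test avoids both problems: `if echo ",$checkexclude," | grep -qF -- ",$c,"; then` for the outer test and `if ! echo ",$checkexclude," | grep -qF -- ",$lc,"; then "$lc"; fi` in the inner loop, which also removes the `checkexcluded` assignment that is otherwise recomputed on every iteration. Separately, the group expansion is only one level deep: a group whose body lists other groups (the `cis` body that the `elif [ -z "$check" ]` branch reads appears to be such a case) is run via `"$lc"` without the excludes being applied to its members, so `-c cis -e check_2_2` would presumably still run check_2_2. The added comment `# Exludes specified and check exists` should read `# Excludes specified and check exists`. `main` starts and ends outside the hunk.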
From 4054055546f077d83188126526e894bcc7693572 Mon Sep 17 00:00:00 2001 From: wilmardo Date: Wed, 29 Jan 2020 10:31:15 +0100 Subject: [PATCH 6/6] fix: uncomment PATH variable Signed-off-by: wilmardo --- docker-bench-security.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-bench-security.sh b/docker-bench-security.sh index 8cbbb7a..ba2a9c8 100755 --- a/docker-bench-security.sh +++ b/docker-bench-security.sh @@ -21,7 +21,7 @@ readonly version readonly this_path readonly myname -# export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/" +export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/" # Check for required program(s) req_progs='awk docker grep ss stat'