Merge pull request #436 from konstruktoid/macnetstat

more flexible binary usage, better support for mac os

docker-bench-security.sh

@@ -24,11 +24,20 @@ readonly myname
 export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
 
 # Check for required program(s)
-req_progs='awk docker grep ss stat'
+req_progs='awk docker grep stat'
 for p in $req_progs; do
   command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
 done
 
+if command -v ss >/dev/null 2>&1; then
+  netbin=ss
+elif command -v netstat >/dev/null 2>&1; then
+  netbin=netstat
+else
+  echo "ss or netstat command not found."
+  exit 1
+fi
+
 # Ensure we can connect to docker daemon
 if ! docker ps -q >/dev/null 2>&1; then
   printf "Error connecting to docker daemon (does docker ps work?)\n"

tests/1_host_configuration.sh

@@ -93,7 +93,11 @@ check_1_2_2() {
   starttestjson "$id_1_2_2" "$desc_1_2_2"
 
   totalChecks=$((totalChecks + 1))
-  docker_users=$(getent group docker)
+  if command -v getent >/dev/null 2>&1; then
+    docker_users=$(getent group docker)
+  else
+    docker_users=$(grep 'docker' /etc/group)
+  fi
   info "$check_1_2_2"
   for u in $docker_users; do
     info "       * $u"

tests/7_docker_swarm_configuration.sh

@@ -63,7 +63,7 @@ check_7_3() {
 
   totalChecks=$((totalChecks + 1))
   if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
-    ss -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
+    $netbin -lnt | grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 ' >/dev/null 2>&1
     if [ $? -eq 1 ]; then
       pass "$check_7_3"
       resulttestjson "PASS"