From 8a0852e17f99041d73b34801c88889a3bd455f48 Mon Sep 17 00:00:00 2001
From: rezroo <rroodsari@mirantis.com>
Date: Sun, 4 Aug 2019 01:17:04 +0000
Subject: [PATCH 1/2] exclude benchmark image when excluding benchmark
 container

---
 docker-bench-security.sh    | 5 +++++
 tests/4_container_images.sh | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 2e7d0e6..71ff261 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -97,10 +97,15 @@ beginjson "$version" "$(date +%s)"
 main () {
   # If there is a container with label docker_bench_security, memorize it:
   benchcont="nil"
+  # Also exclude the bench container image from analysis, because it's a privileged
   for c in $(docker ps | sed '1d' | awk '{print $NF}'); do
     if docker inspect --format '{{ .Config.Labels }}' "$c" | \
      grep -e 'docker.bench.security' >/dev/null 2>&1; then
       benchcont="$c"
+      benchcontimg="nil"
+      temp=$(docker inspect --format '{{.Config.Image}}' $benchcont)
+      benchcontimg=$(docker image ls -q $temp)
+      info "Excluding container $benchcont and image $temp : $benchcontimg"
     fi
   done
 
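Review bot: `benchcontimg` is assigned only inside the label-match branch, so when no running container carries the `docker.bench.security` label it stays unset, and the `grep -v $benchcontimg` added in tests/4_container_images.sh then runs without a pattern. Initialise it once beside `benchcont="nil"`, before the loop, and quote the expansions: `temp=$(docker inspect --format '{{.Config.Image}}' "$benchcont")` and `benchcontimg=$(docker image ls -q "$temp")`. `docker image ls -q` may also print nothing or several IDs, so the value should be checked before it is used as a filter. The comment added above the `for` stops mid-sentence ("because it's a privileged") and should be completed; main() continues past this hunk.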
diff --git a/tests/4_container_images.sh b/tests/4_container_images.sh
index 0df2676..1562843 100644
--- a/tests/4_container_images.sh
+++ b/tests/4_container_images.sh
@@ -12,7 +12,7 @@ if [ -n "$imgList" ]; then
       images="$images $sha256 "
     done 
 else
-  images=$(docker images -q)  
+  images=$(docker images -q | grep -v $benchcontimg)
 fi
 
 check_4() {
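Review bot: The filter `grep -v $benchcontimg` is unquoted and matches the ID as a regular expression anywhere in the line, so an unset or empty value leaves `images` empty and the section 4 image checks silently run against nothing. A fixed-string, whole-line match with a fallback keeps the audit intact: `images=$(docker images -q | grep -vFx -- "${benchcontimg:-nil}")`. As far as the visible lines show, the `imgList` branch above is not filtered, so the bench image would still be analysed when an explicit image list is passed; the enclosing `if` starts outside the hunk.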

From bd5d2e82bada90286c5578feffca242d6113ec29 Mon Sep 17 00:00:00 2001
From: rezroo <rroodsari@mirantis.com>
Date: Sun, 4 Aug 2019 01:27:38 +0000
Subject: [PATCH 2/2] fixes systemctl issue in get_systemd_service_file for
 containerized scan which cannot run systemctl show -p FragmentPath. Includes
 improvement when reporting Files not found.

---
 helper_lib.sh                                |  2 +
 tests/1_host_configuration.sh                | 32 +++++------
 tests/3_docker_daemon_configuration_files.sh | 56 ++++++++++----------
 3 files changed, 46 insertions(+), 44 deletions(-)

diff --git a/helper_lib.sh b/helper_lib.sh
index 3756861..7d73ada 100644
--- a/helper_lib.sh
+++ b/helper_lib.sh
@@ -105,6 +105,8 @@ get_systemd_service_file() {
     echo "/etc/systemd/system/$SERVICE"
   elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
     systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
+  elif [ -f "/lib/systemd/system/$SERVICE" ]; then
+    echo "/lib/systemd/system/$SERVICE"
   else
     echo "/usr/lib/systemd/system/$SERVICE"
   fi
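Review bot: The new `/lib/systemd/system/$SERVICE` branch has no comment saying why it exists, and it only describes the host when that directory is visible to the process running the benchmark. I would add `# systemctl is unusable in a containerized scan; fall back to the unit file on disk` above the `elif`. In a containerized run the `-f` test looks at the container's own filesystem unless the host path is bind-mounted, so it is worth confirming that the documented run command mounts `/lib/systemd/system` read-only. The function starts outside this hunk.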
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 3ecb844..e2b8604 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -147,8 +147,8 @@ check_1_6() {
     fi
   else
     info "$check_1_6"
-    info "     * Directory not found"
-    resulttestjson "INFO" "Directory not found"
+    info "     * Directory $directory not found"
+    resulttestjson "INFO" "Directory $directory not found"
     currentScore=$((currentScore + 0))
   fi
 }
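Review bot: The path is now interpolated into the string handed to `resulttestjson`, and nothing visible here shows that helper escaping its argument before writing JSON. If it does not, a path containing a double quote or backslash would corrupt the report; the same applies to every `File $file not found` and `Directory $directory not found` hunk in this file and in tests/3_docker_daemon_configuration_files.sh. The assignments of `$file` and `$directory` are outside the hunks, so it should also be confirmed that each check sets the variable its message names, otherwise the line reads "File  not found".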
@@ -184,8 +184,8 @@ check_1_7() {
     fi
   else
     info "$check_1_7"
-    info "     * Directory not found"
-    resulttestjson "INFO" "Directory not found"
+    info "     * Directory $directory not found"
+    resulttestjson "INFO" "Directory $directory not found"
     currentScore=$((currentScore + 0))
 fi
 }
@@ -221,8 +221,8 @@ check_1_8() {
     fi
   else
     info "$check_1_8"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -258,8 +258,8 @@ check_1_9() {
     fi
   else
     info "$check_1_9"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -295,8 +295,8 @@ check_1_10() {
     fi
   else
     info "$check_1_10"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -332,8 +332,8 @@ check_1_11() {
     fi
   else
     info "$check_1_11"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -369,8 +369,8 @@ check_1_12() {
     fi
   else
     info "$check_1_12"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -406,8 +406,8 @@ check_1_13() {
     fi
   else
     info "$check_1_13"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh
index 74831a6..9b4c848 100644
--- a/tests/3_docker_daemon_configuration_files.sh
+++ b/tests/3_docker_daemon_configuration_files.sh
@@ -31,8 +31,8 @@ check_3_1() {
     fi
   else
     info "$check_3_1"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -59,8 +59,8 @@ check_3_2() {
     fi
   else
     info "$check_3_2"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -87,8 +87,8 @@ check_3_3() {
     fi
   else
     info "$check_3_3"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -115,8 +115,8 @@ check_3_4() {
     fi
   else
     info "$check_3_4"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -143,8 +143,8 @@ check_3_5() {
     fi
   else
     info "$check_3_5"
-    info "     * Directory not found"
-    resulttestjson "INFO" "Directory not found"
+    info "     * Directory $directory not found"
+    resulttestjson "INFO" "Directory $directory not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -171,8 +171,8 @@ check_3_6() {
     fi
   else
     info "$check_3_6"
-    info "     * Directory not found"
-    resulttestjson "INFO" "Directory not found"
+    info "     * Directory $directory not found"
+    resulttestjson "INFO" "Directory $directory not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -206,8 +206,8 @@ check_3_7() {
     fi
   else
     info "$check_3_7"
-    info "     * Directory not found"
-    resulttestjson "INFO" "Directory not found"
+    info "     * Directory $directory not found"
+    resulttestjson "INFO" "Directory $directory not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -241,8 +241,8 @@ check_3_8() {
     fi
   else
     info "$check_3_8"
-    info "     * Directory not found"
-    resulttestjson "INFO" "Directory not found"
+    info "     * Directory $directory not found"
+    resulttestjson "INFO" "Directory $directory not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -461,8 +461,8 @@ check_3_15() {
     fi
   else
     info "$check_3_15"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -489,8 +489,8 @@ check_3_16() {
     fi
   else
     info "$check_3_16"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -517,8 +517,8 @@ check_3_17() {
     fi
   else
     info "$check_3_17"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -545,8 +545,8 @@ check_3_18() {
     fi
   else
     info "$check_3_18"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -573,8 +573,8 @@ check_3_19() {
     fi
   else
     info "$check_3_19"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }
@@ -601,8 +601,8 @@ check_3_20() {
     fi
   else
     info "$check_3_20"
-    info "     * File not found"
-    resulttestjson "INFO" "File not found"
+    info "     * File $file not found"
+    resulttestjson "INFO" "File $file not found"
     currentScore=$((currentScore + 0))
   fi
 }