From d42fedc37009f56ecc384c063077c7077d71ff64 Mon Sep 17 00:00:00 2001
From: Ilya Dus
Date: Fri, 10 Apr 2020 16:26:25 +0300
Subject: [PATCH 1/2] fix(sh): check default ubuntu locations of docker.service and docker.socket files

Signed-off-by: Ilya Dus
---
 helper_lib.sh                                | 4 +++-
 tests/1_host_configuration.sh                | 4 ++--
 tests/3_docker_daemon_configuration_files.sh | 8 ++++----
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/helper_lib.sh b/helper_lib.sh
index 9a84f8f..bb89aee 100644
--- a/helper_lib.sh
+++ b/helper_lib.sh
@@ -103,11 +103,13 @@ get_docker_configuration_file_args() {
   grep "$OPTION" "$CONFIG_FILE" | sed 's/.*://g' | tr -d '" ',
 }
 
-get_systemd_service_file() {
+get_service_file() {
   SERVICE="$1"
   if [ -f "/etc/systemd/system/$SERVICE" ]; then
     echo "/etc/systemd/system/$SERVICE"
+  elif [ -f "/lib/systemd/system/$SERVICE" ]; then
+    echo "/lib/systemd/system/$SERVICE"
   elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
     systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
   else
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 045b968..fb8260b 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -214,7 +214,7 @@ check_1_2_6() {
   starttestjson "$id_1_2_6" "$desc_1_2_6"
   totalChecks=$((totalChecks + 1))
 
-  file="$(get_systemd_service_file docker.service)"
+  file="$(get_service_file docker.service)"
   if [ -f "$file" ]; then
     if command -v auditctl >/dev/null 2>&1; then
       if auditctl -l | grep "$file" >/dev/null 2>&1; then
@@ -251,7 +251,7 @@ check_1_2_7() {
   starttestjson "$id_1_2_7" "$desc_1_2_7"
   totalChecks=$((totalChecks + 1))
 
-  file="$(get_systemd_service_file docker.socket)"
+  file="$(get_service_file docker.socket)"
   if [ -e "$file" ]; then
     if command -v auditctl >/dev/null 2>&1; then
       if auditctl -l | grep "$file" >/dev/null 2>&1; then
diff --git a/tests/3_docker_daemon_configuration_files.sh b/tests/3_docker_daemon_configuration_files.sh
index ed9d418..9a91f93 100644
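Review bot: The new `elif [ -f "/lib/systemd/system/$SERVICE" ]` branch in get_service_file is consulted before the `systemctl show -p FragmentPath` query, so on a host where systemctl is available and the loaded unit comes from somewhere else (for example an override under `/run/systemd/system`, which systemd's unit search order ranks above `/lib`), the function returns a file systemd is not actually using, and the ownership, permission and auditd-rule checks in tests/1 and tests/3 that consume this path are then evaluated against the wrong file. The static paths are only needed where systemctl cannot answer (the benchmark container, per the README, only bind-mounts the host directories read-only), so I would ask FragmentPath first and keep `/etc` and `/lib` as fallbacks, as sketched below; this also avoids running `systemctl show` twice. Unrelated to this commit but closed by the same rewrite: `systemctl show` exits 0 with an empty `FragmentPath=` for an unknown unit, so the existing elif can echo an empty string, which `[ -n "$FRAGMENT" ]` guards against. The else branch and the end of the function lie outside the hunk.
```sh
get_service_file() {
  SERVICE="$1"
  # Prefer the unit file systemd actually loaded; the static paths are only a
  # fallback for environments where systemctl is unavailable or cannot answer.
  FRAGMENT=""
  if command -v systemctl >/dev/null 2>&1; then
    FRAGMENT="$(systemctl show -p FragmentPath "$SERVICE" 2>/dev/null | sed 's/.*=//')"
  fi
  if [ -n "$FRAGMENT" ]; then
    echo "$FRAGMENT"
  elif [ -f "/etc/systemd/system/$SERVICE" ]; then
    echo "/etc/systemd/system/$SERVICE"
  elif [ -f "/lib/systemd/system/$SERVICE" ]; then
    echo "/lib/systemd/system/$SERVICE"
  else
    # … unchanged: default path, outside the hunk …
```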
--- a/tests/3_docker_daemon_configuration_files.sh
+++ b/tests/3_docker_daemon_configuration_files.sh
@@ -17,7 +17,7 @@ check_3_1() {
   starttestjson "$id_3_1" "$desc_3_1"
   totalChecks=$((totalChecks + 1))
 
-  file="$(get_systemd_service_file docker.service)"
+  file="$(get_service_file docker.service)"
   if [ -f "$file" ]; then
     if [ "$(stat -c %u%g $file)" -eq 00 ]; then
       pass "$check_3_1"
@@ -45,7 +45,7 @@ check_3_2() {
   starttestjson "$id_3_2" "$desc_3_2"
   totalChecks=$((totalChecks + 1))
 
-  file="$(get_systemd_service_file docker.service)"
+  file="$(get_service_file docker.service)"
   if [ -f "$file" ]; then
     if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
       pass "$check_3_2"
@@ -73,7 +73,7 @@ check_3_3() {
   starttestjson "$id_3_3" "$desc_3_3"
   totalChecks=$((totalChecks + 1))
 
-  file="$(get_systemd_service_file docker.socket)"
+  file="$(get_service_file docker.socket)"
   if [ -f "$file" ]; then
     if [ "$(stat -c %u%g $file)" -eq 00 ]; then
       pass "$check_3_3"
@@ -101,7 +101,7 @@ check_3_4() {
   starttestjson "$id_3_4" "$desc_3_4"
   totalChecks=$((totalChecks + 1))
 
-  file="$(get_systemd_service_file docker.socket)"
+  file="$(get_service_file docker.socket)"
   if [ -f "$file" ]; then
     if [ "$(stat -c %a $file)" -eq 644 ] || [ "$(stat -c %a $file)" -eq 600 ]; then
       pass "$check_3_4"

From 51bc75eb55b2df0d94a9f607ad6a2d32eb87d83d Mon Sep 17 00:00:00 2001
From: Ilya Dus
Date: Fri, 10 Apr 2020 16:27:32 +0300
Subject: [PATCH 2/2] fix(docs): explain the need of mounting `/lib/systemd/system` folder for Ubuntu

Signed-off-by: Ilya Dus
---
 README.md | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 68835a0..4d74645 100644
--- a/README.md
+++ b/README.md
@@ -33,9 +33,8 @@ docker run -it --net host --pid host --userns host --cap-add audit_control \
     docker/docker-bench-security
 ```
 
-Don't forget to adjust the shared volumes according to your operating system,
-for example `Docker Desktop` on macOS don't have `/usr/lib/systemd` or the above
-Docker binaries.
+Don't forget to adjust the shared volumes according to your operating system. Some examples are:
+1. `Docker Desktop` on macOS don't have `/usr/lib/systemd` or the above Docker binaries.
 
 ```sh
 docker run -it --net host --pid host --userns host --cap-add audit_control \
@@ -48,6 +47,22 @@ docker run -it --net host --pid host --userns host --cap-add audit_control \
     docker/docker-bench-security
 ```
 
+2. On Ubuntu the `docker.service` and `docker.secret` files are located in `/lib/systemd/system` folder by default.
+
+```sh
+docker run -it --net host --pid host --userns host --cap-add audit_control \
+    -e DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST \
+    -v /etc:/etc:ro \
+    -v /lib/systemd/system:/lib/systemd/system:ro \
+    -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
+    -v /usr/bin/docker-runc:/usr/bin/docker-runc:ro \
+    -v /usr/lib/systemd:/usr/lib/systemd:ro \
+    -v /var/lib:/var/lib:ro \
+    -v /var/run/docker.sock:/var/run/docker.sock:ro \
+    --label docker_bench_security \
+    docker/docker-bench-security
+```
+
 Docker bench requires Docker 1.13.0 or later in order to run.
 
 Note that when distributions doesn't contain `auditctl`, the audit tests will