GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-19 08:42:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

New Features

Browse source 
Signed-off-by: MikeRitter <mike.ritter@target.com>
Signed-off-by: Mike Ritter <mike.ritter@target.com>
This commit is contained in:
MikeRitter 2018-02-22 14:01:32 -06:00 committed by Mike Ritter
parent 44b82d53e2
commit 41a9e0d1f9
2 changed files with 27 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -50,7 +50,8 @@ version 1.13.0 or later.
```sh ```sh
-h optional Print this help message -h optional Print this help message
-l FILE optional Log output in FILE -l FILE optional Log output in FILE
-c CHECK optional Run specific check or group of checks -c CHECK optional Comma delimited list of specific check(s)
-x EXCLUDE optional Comma delimited list of patterns within a container to exclude from check
``` ```
By default the Docker Bench for Security script will run all available CIS tests By default the Docker Bench for Security script will run all available CIS tests

35
docker-bench-security.sh
View file

@ -37,19 +37,21 @@ usage () {
-h optional Print this help message -h optional Print this help message
-l FILE optional Log output in FILE -l FILE optional Log output in FILE
-c CHECK optional Run specific check -c CHECK optional Comma delimited list of specific check(s)
-x EXCLUDE optional Comma delimited list of patterns within a container to exclude from check
EOF EOF
} }
# Get the flags # Get the flags
# If you add an option here, please # If you add an option here, please
# remember to update usage() above. # remember to update usage() above.
while getopts hl:c: args while getopts hl:c:x: args
do do
case $args in case $args in
h) usage; exit 0 ;; h) usage; exit 0 ;;
l) logger="$OPTARG" ;; l) logger="$OPTARG" ;;
c) check="$OPTARG" ;; c) check="$OPTARG" ;;
x) exclude="$OPTARG" ;;
*) usage; exit 1 ;; *) usage; exit 1 ;;
esac esac
done done
@ -86,7 +88,12 @@ beginjson "1.3.4" "$(date +%s)"
# Load all the tests from tests/ and run them # Load all the tests from tests/ and run them
main () { main () {
# List all running containers # List all running containers
containers=$(docker ps | sed '1d' | awk '{print $NF}') if [ -z $exclude ]; then
containers=$(docker ps | sed '1d' | awk '{print $NF}')
else
pattern=$(echo $exclude | sed 's/,/|/g')
containers=$(docker ps | sed '1d' | grep -Ev '$pattern' | awk '{print $NF}')
fi
# If there is a container with label docker_bench_security, memorize it: # If there is a container with label docker_bench_security, memorize it:
benchcont="nil" benchcont="nil"
for c in $containers; do for c in $containers; do
@ -96,7 +103,12 @@ main () {
fi fi
done done
# List all running containers except docker-bench (use names to improve readability in logs) # List all running containers except docker-bench (use names to improve readability in logs)
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont") if [ -z $exclude ]; then
containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
else
pattern=$(echo $exclude | sed 's/,/|/g')
containers=$(docker ps | sed '1d' | grep -Ev "$pattern" | awk '{print $NF}' | grep -v "$benchcont")
fi
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
running_containers=0 running_containers=0
@ -112,12 +124,15 @@ main () {
if [ -z "$check" ]; then if [ -z "$check" ]; then
cis cis
else else
if command -v "$check" 2>/dev/null 1>&2; then for i in $(echo $check | sed "s/,/ /g")
"$check" do
else if command -v "$i" 2>/dev/null 1>&2; then
echo "Check \"$check\" doesn't seem to exist." "$i"
exit 1 else
fi echo "Check \"$i\" doesn't seem to exist."
continue
fi
done
fi fi
printf "\n" printf "\n"