From 6c0dce7b198c0c7f49f4fdcd227e9ce4c5aff26c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 10 May 2018 15:19:10 +0200
Subject: [PATCH 1/2] yell function and version varible
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
docker-bench-security.sh | 16 +++++-----------
helper_lib.sh | 11 +++++++++++
2 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 89e53a5..0a8b0dc 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -1,13 +1,14 @@ #!/bin/sh # ------------------------------------------------------------------------------ -# Docker Bench for Security v1.3.4 +# Docker Bench for Security # # Docker, Inc. (c) 2015- # # Checks for dozens of common best-practices around deploying Docker containers in production. -# Inspired by the CIS Docker Community Edition Benchmark v1.1.0. # ------------------------------------------------------------------------------ +version='1.3.4' + # Load dependencies . ./functions_lib.sh . ./helper_lib.sh
@@ -62,14 +63,7 @@ if [ -z "$logger" ]; then logger="${myname}.log" fi -yell "# ------------------------------------------------------------------------------ -# Docker Bench for Security v1.3.4 -# -# Docker, Inc. (c) 2015- -# -# Checks for dozens of common best-practices around deploying Docker containers in production. -# Inspired by the CIS Docker Community Edition Benchmark v1.1.0. -# ------------------------------------------------------------------------------" +yell_info # Warn if not root ID=$(id -u)
@@ -85,7 +79,7 @@ totalChecks=0 currentScore=0 logit "Initializing $(date)\n" -beginjson "1.3.4" "$(date +%s)" +beginjson "$version" "$(date +%s)" # Load all the tests from tests/ and run them main () {
diff --git a/helper_lib.sh b/helper_lib.sh
index 6e675b4..6333d6a 100644
--- a/helper_lib.sh
+++ b/helper_lib.sh
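Review bot: Nothing at the new `version='1.3.4'` assignment records that it is read outside this file — by `yell_info` in helper_lib.sh — and by `beginjson "$version"` in the third hunk, so a later edit could move or rename it without seeing the dependency. A one-line comment above the assignment would make that visible: `# Single source of the release version; read by beginjson and by yell_info (helper_lib.sh).` The header comment also drops the "Inspired by the CIS Docker Community Edition Benchmark v1.1.0." line while the banner that yell_info prints keeps it, so the two descriptions of the script now differ; either keep both in step or drop the line from both.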
@@ -110,3 +110,14 @@ get_systemd_service_file(){ echo "/usr/lib/systemd/system/$SERVICE" fi } + +yell_info() { + yell "# ------------------------------------------------------------------------------ + # Docker Bench for Security v$version + # + # Docker, Inc. (c) 2015- + # + # Checks for dozens of common best-practices around deploying Docker containers in production. + # Inspired by the CIS Docker Community Edition Benchmark v1.1.0. + # ------------------------------------------------------------------------------" +}
From 11230d052efe55334afaeef998abea023b75a95c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Thu, 10 May 2018 15:41:27 +0200
Subject: [PATCH 2/2] formatting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
docker-bench-security.sh | 19 ++++---
helper_lib.sh | 119 +++++++++++++++++++--------------------
2 files changed, 70 insertions(+), 68 deletions(-)
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 0a8b0dc..5fe57a8 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -15,9 +15,13 @@ version='1.3.4' . ./output_lib.sh # Setup the paths -this_path=$(abspath "$0") ## Path of this file including filenamel +this_path=$(abspath "$0") ## Path of this file including filename myname=$(basename "${this_path}") ## file name of this script. +readonly version +readonly this_path +readonly myname + export PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/ # Check for required program(s)
@@ -68,8 +72,8 @@ yell_info # Warn if not root ID=$(id -u) if [ "x$ID" != "x0" ]; then - warn "Some tests might require root to run" - sleep 3 + warn "Some tests might require root to run" + sleep 3 fi # Total Score
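Review bot: The new `yell_info` prints `v$version`, but `version` is neither a parameter nor set anywhere in helper_lib.sh; it is assigned in docker-bench-security.sh, so the banner silently prints just `v` whenever the library is sourced by anything that has not set it first. A parameter-expansion guard both documents and enforces that contract on the banner line: `# Docker Bench for Security v${version:?version is set by docker-bench-security.sh}`. The continuation lines of the quoted banner also appear to be indented under the `yell` call (`+ # Docker ...`) whereas the inline string this replaces started every line at column 0, so the printed banner would gain leading whitespace on every line after the first; keep the lines inside the quotes at column 0, or emit each line with a separate printf.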
@@ -112,15 +116,14 @@ main () { running_containers=1 fi - for test in tests/*.sh - do - . ./"$test" + for test in tests/*.sh; do + . ./"$test" done - if [ -z "$check" ] && [ ! "$checkexclude" ] ; then + if [ -z "$check" ] && [ ! "$checkexclude" ]; then cis elif [ -z "$check" ] && [ "$checkexclude" ]; then - checkexcluded="$(echo $checkexclude | sed 's/,/|/g')" + checkexcluded="$(echo "$checkexclude" | sed 's/,/|/g')" for c in $(grep 'check_[0-9]_' functions_lib.sh | grep -vE "$checkexcluded"); do "$c" done
diff --git a/helper_lib.sh b/helper_lib.sh
index 6333d6a..939baca 100644
--- a/helper_lib.sh
+++ b/helper_lib.sh
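Review bot: The now-quoted `checkexcluded` is still consumed as an unanchored ERE by the `grep -vE "$checkexcluded"` filter on the following line, so excluding `check_1_1` also drops any `check_1_1x` id that exists, and a regex metacharacter in the comma list is interpreted rather than matched literally. A word-bounded match keeps the `|` alternation but stops prefix matches: `for c in $(grep 'check_[0-9]_' functions_lib.sh | grep -vwE "$checkexcluded"); do`. Whether the first grep yields bare function names or whole source lines is not visible here, so full-line anchoring (`^(...)$`) is only safe if it yields bare names. The `main ()` body continues past the end of the hunk.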
@@ -8,34 +8,33 @@ auditrules="/etc/audit/audit.rules" # Compares versions of software of the format X.Y.Z do_version_check() { - [ "$1" = "$2" ] && return 10 + [ "$1" = "$2" ] && return 10 - ver1front=$(printf "%s" "$1" | cut -d "." -f -1) - ver1back=$(printf "%s" "$1" | cut -d "." -f 2-) - ver2front=$(printf "%s" "$2" | cut -d "." -f -1) - ver2back=$(printf "%s" "$2" | cut -d "." -f 2-) + ver1front=$(printf "%s" "$1" | cut -d "." -f -1) + ver1back=$(printf "%s" "$1" | cut -d "." -f 2-) + ver2front=$(printf "%s" "$2" | cut -d "." -f -1) + ver2back=$(printf "%s" "$2" | cut -d "." -f 2-) - if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then - [ "$ver1front" -gt "$ver2front" ] && return 11 - [ "$ver1front" -lt "$ver2front" ] && return 9 + if [ "$ver1front" != "$1" ] || [ "$ver2front" != "$2" ]; then + [ "$ver1front" -gt "$ver2front" ] && return 11 + [ "$ver1front" -lt "$ver2front" ] && return 9 - [ "$ver1front" = "$1" ] || [ -z "$ver1back" ] && ver1back=0 - [ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0 - do_version_check "$ver1back" "$ver2back" - return $? - else - [ "$1" -gt "$2" ] && return 11 || return 9 - fi + [ "$ver1front" = "$1" ] || [ -z "$ver1back" ] && ver1back=0 + [ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0 + do_version_check "$ver1back" "$ver2back" + return $? + else + [ "$1" -gt "$2" ] && return 11 || return 9 + fi } # Extracts commandline args from the newest running processes named like the first parameter get_command_line_args() { - PROC="$1" + PROC="$1" - for PID in $(pgrep -f -n "$PROC") - do - tr "\0" " " < /proc/"$PID"/cmdline - done + for PID in $(pgrep -f -n "$PROC"); do + tr "\0" " " < /proc/"$PID"/cmdline + done } # Extract the cumulative command line arguments for the docker daemon 
@@ -44,33 +43,33 @@ get_command_line_args() { # Accounts for long and short variants, call with short option. # Does not account for option defaults or implicit options. get_docker_cumulative_command_line_args() { - OPTION="$1" + OPTION="$1" - if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then - line_arg="docker daemon" - else - line_arg="dockerd" - fi + if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then + line_arg="docker daemon" + else + line_arg="dockerd" + fi - get_command_line_args "$line_arg" | - # normalize known long options to their short versions - sed \ - -e 's/\-\-debug/-D/g' \ - -e 's/\-\-host/-H/g' \ - -e 's/\-\-log-level/-l/g' \ - -e 's/\-\-version/-v/g' \ - | + get_command_line_args "$line_arg" | + # normalize known long options to their short versions + sed \ + -e 's/\-\-debug/-D/g' \ + -e 's/\-\-host/-H/g' \ + -e 's/\-\-log-level/-l/g' \ + -e 's/\-\-version/-v/g' \ + | # normalize parameters separated by space(s) to -O=VALUE sed \ - -e 's/\-\([DHlv]\)[= ]\([^- ][^ ]\)/-\1=\2/g' \ - | + -e 's/\-\([DHlv]\)[= ]\([^- ][^ ]\)/-\1=\2/g' \ + | # get the last interesting option tr ' ' "\n" | grep "^${OPTION}" | # normalize quoting of values sed \ - -e 's/"//g' \ - -e "s/'//g" + -e 's/"//g' \ + -e "s/'//g" } # Extract the effective command line arguments for the docker daemon 
@@ -79,36 +78,36 @@ get_docker_cumulative_command_line_args() { # Accounts for long and short variants, call with short option # Does not account for option default or implicit options. get_docker_effective_command_line_args() { - OPTION="$1" - get_docker_cumulative_command_line_args "$OPTION" | tail -n1 + OPTION="$1" + get_docker_cumulative_command_line_args "$OPTION" | tail -n1 } get_docker_configuration_file_args() { - OPTION="$1" - FILE="$(get_docker_effective_command_line_args '--config-file' | \ - sed 's/.*=//g')" + OPTION="$1" + FILE="$(get_docker_effective_command_line_args '--config-file' | \ + sed 's/.*=//g')" - if [ -f "$FILE" ]; then - CONFIG_FILE="$FILE" - elif [ -f '/etc/docker/daemon.json' ]; then - CONFIG_FILE='/etc/docker/daemon.json' - else - CONFIG_FILE='/dev/null' - fi + if [ -f "$FILE" ]; then + CONFIG_FILE="$FILE" + elif [ -f '/etc/docker/daemon.json' ]; then + CONFIG_FILE='/etc/docker/daemon.json' + else + CONFIG_FILE='/dev/null' + fi - grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \", + grep "$OPTION" "$CONFIG_FILE" | sed 's/.*: //g' | tr -d \", } -get_systemd_service_file(){ - SERVICE="$1" +get_systemd_service_file() { + SERVICE="$1" - if [ -f "/etc/systemd/system/$SERVICE" ]; then - echo "/etc/systemd/system/$SERVICE" - elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then - systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//' - else - echo "/usr/lib/systemd/system/$SERVICE" - fi + if [ -f "/etc/systemd/system/$SERVICE" ]; then + echo "/etc/systemd/system/$SERVICE" + elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then + systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//' + else + echo "/usr/lib/systemd/system/$SERVICE" + fi } yell_info() {