New Features

Signed-off-by: Mike Ritter <mike.ritter@target.com>
2025-01-18 16:22:33 +01:00 · 2018-02-27 08:43:51 -06:00 · 2018-02-27 08:43:51 -06:00 · a3094ac5c6
commit a3094ac5c6
parent 44b82d53e2
3 changed files with 47 additions and 24 deletions
--- a/README.md
+++ b/README.md
@ -50,7 +50,8 @@ version 1.13.0 or later.
 ```sh
  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE
-  -c CHECK     optional  Run specific check or group of checks
+  -c CHECK     optional  Comma delimited list of specific check(s)
+  -x EXCLUDE   optional  Comma delimited list of patterns within a container to exclude from check
 ```

 By default the Docker Bench for Security script will run all available CIS tests
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@ -37,19 +37,21 @@ usage () {

  -h           optional  Print this help message
  -l FILE      optional  Log output in FILE
-  -c CHECK     optional  Run specific check
+  -c CHECK     optional  Comma delimited list of specific check(s)
+  -x EXCLUDE   optional  Comma delimited list of patterns within a container name to exclude from check
 EOF
 }

 # Get the flags
 # If you add an option here, please
 # remember to update usage() above.
-while getopts hl:c: args
+while getopts hl:c:x: args
 do
  case $args in
  h) usage; exit 0 ;;
  l) logger="$OPTARG" ;;
  c) check="$OPTARG" ;;
+  x) exclude="$OPTARG" ;;
  *) usage; exit 1 ;;
  esac
 done
@ -86,7 +88,12 @@ beginjson "1.3.4" "$(date +%s)"
 # Load all the tests from tests/ and run them
 main () {
  # List all running containers
-  containers=$(docker ps | sed '1d' | awk '{print $NF}')
+  if [ -z "$exclude" ]; then
+    containers=$(docker ps | sed '1d' | awk '{print $NF}')
+  else
+    pattern=$(echo "$exclude" | sed 's/,/|/g')
+    containers=$(docker ps | sed '1d' | grep -Ev "$pattern" | awk '{print $NF}')
+  fi
  # If there is a container with label docker_bench_security, memorize it:
  benchcont="nil"
  for c in $containers; do
@ -96,7 +103,12 @@ main () {
    fi
  done
  # List all running containers except docker-bench (use names to improve readability in logs)
-  containers=$(docker ps | sed '1d' |  awk '{print $NF}' | grep -v "$benchcont")
+  if [ -z "$exclude" ]; then
+    containers=$(docker ps | sed '1d' |  awk '{print $NF}' | grep -v "$benchcont")
+  else
+    pattern=$(echo "$exclude" | sed 's/,/|/g')
+    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -Ev "$pattern" | grep -v "$benchcont")
+  fi

  if [ -z "$containers" ]; then
    running_containers=0
@ -112,12 +124,15 @@ main () {
  if [ -z "$check" ]; then
    cis
  else
-    if command -v "$check" 2>/dev/null 1>&2; then
-      "$check"
-    else
-      echo "Check \"$check\" doesn't seem to exist."
-      exit 1
-    fi
+    for i in $(echo "$check" | sed "s/,/ /g")
+    do
+      if command -v "$i" 2>/dev/null 1>&2; then
+        "$i"
+      else
+        echo "Check \"$i\" doesn't seem to exist."
+        continue
+      fi
+    done
  fi

  printf "\n"
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
@ -988,19 +988,27 @@ check_5_29() {
  for net in $networks; do
    if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then
      docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
-       sed -e 's/^ //' -e 's/  /\n/g' 2>/dev/null)
-      if [ -n "$docker0Containers" ]; then
-        if [ $fail -eq 0 ]; then
-          info "$check_5_29"
-          logjson "5.29" "INFO"
-          fail=1
+        sed -e 's/^ //' -e 's/  /\n/g' 2>/dev/null)
+
+        if [ -n "$docker0Containers" ]; then
+          if [ $fail -eq 0 ]; then
+            info "$check_5_29"
+            logjson "5.29" "INFO"
+            fail=1
+          fi
+          for c in $docker0Containers; do
+            if [ -z "$exclude" ]; then
+              cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
+            else
+              pattern=$(echo "$exclude" | sed 's/,/|/g')
+              cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
+            fi
+            if ! [ -z "$cName" ]; then
+              info "     * Container in docker0 network: $cName"
+              logjson "5.29" "INFO: $c"
+            fi
+          done
        fi
-        for c in $docker0Containers; do
-	  cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
-          info "     * Container in docker0 network: $cName"
-          logjson "5.29" "INFO: $c"
-        done
-      fi
      currentScore=$((currentScore + 0))
    fi
  done
@ -1081,4 +1089,3 @@ check_5_31() {
      currentScore=$((currentScore - 1))
  fi
 }
-