convert second CIS section to bats

test/1_host_configuration.bats

@@ -1,11 +1,8 @@
 #!/usr/bin/env bats
 
-load 'test_helper/bats-support/load'
-load 'test_helper/bats-assert/load'
-
-setup() {
-  . "$BATS_TEST_DIRNAME/../helper_lib.sh"
-}
+load "test_helper/bats-support/load"
+load "test_helper/bats-assert/load"
+load "$BATS_TEST_DIRNAME/../helper_lib.sh"
 
 # 1.1
 @test "1.1  - Create a separate partition for containers" {
@@ -63,74 +60,87 @@ setup() {
 @test "1.7  - Audit docker daemon - /usr/bin/docker" {
   file="/usr/bin/docker"
   run command -v auditctl
-  if [ $status -eq 0 ]; then
-    auditctl -l | grep "$file" >/dev/null 2>&1
-  else
-    fail "Failed to inspect: auditctl command not found."
-  fi
-  [ $status -eq 0 ]
+  assert_success
+  run auditctl -l | grep "$file"
+  assert_success
 }
 
 # 1.8
 @test "1.8  - Audit Docker files and directories - /var/lib/docker" {
   directory="/var/lib/docker"
-  if [ -d "$directory" ]; then
-    run command -v auditctl >/dev/null
-    if [ $status -eq 0 ]; then
-      auditctl -l | grep $directory >/dev/null 2>&1
-    else
-      fail "1.8  - Failed to inspect: auditctl command not found."
-    fi
-    [ $status -eq 0 ]
-  else
-    fail "     * '$directory' Directory not found"
-    [ -d "$directory" ]
-  fi
+  refute [ -d "$directory" ] "'$directory' Directory not found"
+  run command -v auditctl >/dev/null
+  assert_success
+  run auditctl -l | grep $directory
+  assert_success
 }
 
 # 1.9
 @test "1.9  - Audit Docker files and directories - /etc/docker" {
   directory="/etc/docker"
-  if [ -d "$directory" ]; then
-    run command -v auditctl >/dev/null
-    if [ $status -eq 0 ]; then
-      auditctl -l | grep $directory >/dev/null 2>&1
-    else
-      fail "1.9  - Failed to inspect: auditctl command not found."
-    fi
-    [ $status -eq 0 ]
-  else
-    fail "'$directory' Directory not found"
-    [ -d "$directory" ]
-  fi
+  refute [ -d "$directory" ] "'$directory' Directory not found"
+  run command -v auditctl
+  assert_success
+  run auditctl -l | grep $directory
+  assert_success
 }
 
 # 1.10
 @test "1.10 - Audit Docker files and directories - docker.service" {
-  skip "TODO: need to implement"
+  file="$(get_systemd_service_file docker.service)"
+  refute [ -f "$file" ] "'docker.service' file not found"
+  run command -v auditctl
+  assert_success
+  run auditctl -l | grep "$file"
+  assert_success
 }
 
 # 1.11
 @test "1.11 - Audit Docker files and directories - docker.socket" {
-  skip "TODO: need to implement"
+  file="$(get_systemd_service_file docker.socket)"
+  refute [ -e "$file" ] "'docker.socket' file not found"
+  run command -v auditctl
+  assert_success
+  run auditctl -l | grep "$file"
+  assert_success
 }
 
 # 1.12
 @test "1.12 - Audit Docker files and directories - /etc/default/docker" {
-  skip "TODO: need to implement"
+  file="/etc/default/docker"
+  refute [ -f "$file" ] "'$file' file not found"
+  run command -v auditctl
+  assert_success
+  run auditctl -l | grep $file
+  assert_success
 }
 
 # 1.13
 @test "1.13 - Audit Docker files and directories - /etc/docker/daemon.json" {
-  skip "TODO: need to implement"
+  file="/etc/docker/daemon.json"
+  refute [ -f "$file" ] "'$file' file not found"
+  run command -v auditctl
+  assert_success
+  run auditctl -l | grep $file
+  assert_success
 }
 
 # 1.14
 @test "1.14 - Audit Docker files and directories - /usr/bin/docker-containerd" {
-  skip "TODO: need to implement"
+  file="/usr/bin/docker-containerd"
+  refute [ -f "$file" ] "'$file' file not found"
+  run command -v auditctl
+  assert_success
+  run auditctl -l | grep $file
+  assert_success
 }
 
 # 1.15
 @test "1.15 - Audit Docker files and directories - /usr/bin/docker-runc" {
-  skip "TODO: need to implement"
+  file="/usr/bin/docker-runc"
+  refute [ -f "$file" ] "'$file' file not found"
+  run command -v auditctl
+  assert_success
+  run auditctl -l | grep $file
+  assert_success
 }

test/2_docker_daemon_configuration.bats

@@ -0,0 +1,102 @@
+#!/usr/bin/env bats
+
+load "test_helper/bats-support/load"
+load "test_helper/bats-assert/load"
+load "$BATS_TEST_DIRNAME/../helper_lib.sh"
+
+# 2.1
+@test "2.1  - Restrict network traffic between containers" {
+  result=$(get_docker_effective_command_line_args '--icc')
+  run grep "false" <<< "$result"
+  assert_success
+}
+
+# 2.2
+@test "2.2  - Set the logging level" {
+  result=$(get_docker_effective_command_line_args '-l')
+  run grep 'debug' <<< "$result"
+  assert_failure
+}
+
+# 2.3
+@test "2.3  - Allow Docker to make changes to iptables" {
+  result=$(get_docker_effective_command_line_args '--iptables')
+  run grep "false" <<< "$result"
+  assert_failure
+}
+
+# 2.4
+@test "2.4  - Do not use insecure registries" {
+  result=$(get_docker_effective_command_line_args '--insecure-registry')
+  run grep "insecure-registry" <<< "$result"
+  assert_failure
+}
+
+# 2.5
+@test "2.5  - Do not use the aufs storage driver" {
+  result=$(docker info 2>/dev/null)
+  run grep -e "^Storage Driver:\s*aufs\s*$" <<< "$result"
+  assert_failure
+}
+
+# 2.6
+@test "2.6  - Configure TLS authentication for Docker daemon" {
+  result=$(get_docker_cumulative_command_line_args '-H')
+  run grep -vE '(unix|fd)://' <<< "$result"
+  if [ $status -eq 0 ]; then
+    result=$(get_command_line_args docker)
+    run $(grep "tlsverify" <<< "$result" | grep "tlskey")
+    assert_success
+  fi
+}
+
+# 2.7
+@test "2.7 - Set default ulimit as appropriate" {
+  result=$(get_docker_effective_command_line_args '--default-ulimit')
+  run grep "default-ulimit" <<< "$result"
+  assert_success
+}
+
+# 2.8
+@test "2.8  - Enable user namespace support" {
+  result=$(get_docker_effective_command_line_args '--userns-remap')
+  run grep "userns-remap" <<< "$result"
+  assert_success
+}
+
+# 2.9
+@test "2.9  - Confirm default cgroup usage" {
+  result=$(get_docker_effective_command_line_args '--cgroup-parent')
+  run grep "cgroup-parent" <<< "$result"
+  if [ $status -eq 0 ]; then
+    refute_output_contains "docker"
+  fi
+}
+
+# 2.10
+@test "2.10 - Do not change base device size until needed" {
+  result=$(get_docker_effective_command_line_args '--storage-opt')
+  run grep "dm.basesize" <<< "$result"
+  assert_failure
+}
+
+# 2.11
+@test "2.11 - Use authorization plugin" {
+  result=$(get_docker_effective_command_line_args '--authorization-plugin')
+  run grep "authorization-plugin" <<< "$result"
+  assert_success
+}
+
+# 2.12
+@test "2.12 - Configure centralized and remote logging" {
+  result=$(get_docker_effective_command_line_args '--log-driver')
+  run grep "log-driver" <<< "$result"
+  assert_success
+}
+
+# 2.13
+@test "2.13 - Disable operations on legacy registry (v1)" {
+  result=$(get_docker_effective_command_line_args '--disable-legacy-registry')
+  run grep "disable-legacy-registry" <<< "$result"
+  assert_success
+}