Bug fixing and improving source code readability

This commit is contained in:
Razvan Stoica 2021-03-29 15:22:14 +03:00
parent 86985f854f
commit d0443cc817
12 changed files with 1028 additions and 783 deletions


@ -24,19 +24,7 @@ readonly myname
export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/" export PATH="$PATH:/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin/"
# Check for required program(s) # Check for required program(s)
req_progs='awk docker grep stat tee tail wc xargs truncate sed' req_programs 'awk docker grep stat tee tail wc xargs truncate sed'
for p in $req_progs; do
command -v "$p" >/dev/null 2>&1 || { printf "%s command not found.\n" "$p"; exit 1; }
done
if command -v ss >/dev/null 2>&1; then
netbin=ss
elif command -v netstat >/dev/null 2>&1; then
netbin=netstat
else
echo "ss or netstat command not found."
exit 1
fi
# Ensure we can connect to docker daemon # Ensure we can connect to docker daemon
if ! docker ps -q >/dev/null 2>&1; then if ! docker ps -q >/dev/null 2>&1; then
@ -85,6 +73,7 @@ fi
logger="log/${myname}.log" logger="log/${myname}.log"
limit=0 limit=0
printremediation="1" printremediation="1"
globalRemediation=""
# Get the flags # Get the flags
# If you add an option here, please # If you add an option here, please
@ -130,7 +119,6 @@ beginjson "$version" "$(date +%s)"
# Load all the tests from tests/ and run them # Load all the tests from tests/ and run them
main () { main () {
logit "\n${bldylw}Section A - Check results${txtrsr}" logit "\n${bldylw}Section A - Check results${txtrsr}"
globalRemediation=""
# Get configuration location # Get configuration location
get_docker_configuration_file get_docker_configuration_file
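Review bot: The new call `req_programs 'awk docker grep stat tee tail wc xargs truncate sed'` depends on the helper library that defines `req_programs` having been sourced before this point in the script; the hunk does not show where sourcing happens, so confirm the order, otherwise the run stops with "command not found" before any check executes. The list is now one positional string that the helper splits on whitespace and the helper also assigns `netbin` as a side effect, neither of which is visible at the call site; a comment such as `# Space-separated list; req_programs also selects ss or netstat into $netbin` would make that explicit. Moving `globalRemediation=""` from `main` to the initialisation block looks safe because the variable is only appended to later in the run.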


@ -6,6 +6,23 @@ abspath () { case "$1" in /*)printf "%s\n" "$1";; *)printf "%s\n" "$PWD/$1";; es
# Audit rules default path # Audit rules default path
auditrules="/etc/audit/audit.rules" auditrules="/etc/audit/audit.rules"
# Check for required program(s)
req_programs() {
for p in $1; do
command -v "$p" >/dev/null 2>&1 || { printf "Required program not found: %s\n" "$p"; exit 1; }
done
if command -v ss >/dev/null 2>&1; then
netbin=ss
return
fi
if command -v netstat >/dev/null 2>&1; then
netbin=netstat
return
fi
echo "ss or netstat command not found."
exit 1
}
# Compares versions of software of the format X.Y.Z # Compares versions of software of the format X.Y.Z
do_version_check() { do_version_check() {
[ "$1" = "$2" ] && return 10 [ "$1" = "$2" ] && return 10
@ -23,9 +40,8 @@ do_version_check() {
[ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0 [ "$ver2front" = "$2" ] || [ -z "$ver2back" ] && ver2back=0
do_version_check "$ver1back" "$ver2back" do_version_check "$ver1back" "$ver2back"
return $? return $?
else
[ "$1" -gt "$2" ] && return 11 || return 9
fi fi
[ "$1" -gt "$2" ] && return 11 || return 9
} }
# Extracts commandline args from the newest running processes named like the first parameter # Extracts commandline args from the newest running processes named like the first parameter
@ -45,10 +61,9 @@ get_command_line_args() {
get_docker_cumulative_command_line_args() { get_docker_cumulative_command_line_args() {
OPTION="$1" OPTION="$1"
line_arg="dockerd"
if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then if ! get_command_line_args "docker daemon" >/dev/null 2>&1 ; then
line_arg="docker daemon" line_arg="docker daemon"
else
line_arg="dockerd"
fi fi
get_command_line_args "$line_arg" | get_command_line_args "$line_arg" |
@ -88,11 +103,13 @@ get_docker_configuration_file() {
if [ -f "$FILE" ]; then if [ -f "$FILE" ]; then
CONFIG_FILE="$FILE" CONFIG_FILE="$FILE"
elif [ -f '/etc/docker/daemon.json' ]; then return
CONFIG_FILE='/etc/docker/daemon.json'
else
CONFIG_FILE='/dev/null'
fi fi
if [ -f '/etc/docker/daemon.json' ]; then
CONFIG_FILE='/etc/docker/daemon.json'
return
fi
CONFIG_FILE='/dev/null'
} }
get_docker_configuration_file_args() { get_docker_configuration_file_args() {
@ -108,13 +125,17 @@ get_service_file() {
if [ -f "/etc/systemd/system/$SERVICE" ]; then if [ -f "/etc/systemd/system/$SERVICE" ]; then
echo "/etc/systemd/system/$SERVICE" echo "/etc/systemd/system/$SERVICE"
elif [ -f "/lib/systemd/system/$SERVICE" ]; then return
echo "/lib/systemd/system/$SERVICE"
elif systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
else
echo "/usr/lib/systemd/system/$SERVICE"
fi fi
if [ -f "/lib/systemd/system/$SERVICE" ]; then
echo "/lib/systemd/system/$SERVICE"
return
fi
if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
return
fi
echo "/usr/lib/systemd/system/$SERVICE"
} }
yell_info() { yell_info() {
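Review bot: In the new `req_programs` the failure diagnostics `printf "Required program not found: %s\n" "$p"` and `echo "ss or netstat command not found."` are written to stdout, where they interleave with report output and disappear when stdout is redirected; append `>&2` to both so they reach stderr like other error paths should. The function intentionally relies on unquoted `$1` to split the program list and assigns the global `netbin`, but nothing documents either contract; a header such as `# $1: whitespace-separated program names. Sets: netbin (ss or netstat). Exits 1 on any missing program.` would help callers. The early-return rewrites of `do_version_check`, `get_docker_configuration_file` and `get_service_file` preserve the previous branch results as far as the hunks show.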


@ -125,20 +125,19 @@ starttestjson() {
SEP="," SEP=","
} }
logcheckresult() { log_to_json() {
# Log to JSON
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2 printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details # Result also contains details
printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2 printf "\"result\": \"%s\",\n \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi fi
if [ $# -ne 2 ] && [ $# -ne 1 ]; then
# Result also includes details and a list of items. Add that directly to details and to an array property "items" # Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero # Also limit the number of items to $limit, if $limit is non-zero
truncItems=$3
if [ $limit != 0 ]; then if [ $limit != 0 ]; then
truncItems="" truncItems=""
ITEM_COUNT=0 ITEM_COUNT=0
@ -150,12 +149,14 @@ logcheckresult() {
break; break;
fi fi
done done
else
truncItems=$3
fi fi
itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]") itemsJson=$(printf "[\n "; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "\n ]")
printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2 printf "\"result\": \"%s\",\n \"details\": \"%s: %s\",\n \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi }
logcheckresult() {
# Log to JSON
log_to_json "$@"
# Log remediation measure to JSON # Log remediation measure to JSON
if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then
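Review bot: In `log_to_json` the second guard `if [ $# -eq 2 ] && [ $# -ne 1 ]; then` is now redundant because the one-argument case has already returned; `if [ $# -eq 2 ]; then` is clearer, and since the final branch is reached for every other count including zero arguments, a leading `[ $# -ge 1 ] || return` would stop a call without a result from emitting a half-formed JSON object. Now that JSON emission lives in one function it is also the natural place to escape `"` and `\` in `$1`, `$2` and the item list before they are interpolated, because a details value containing a double quote currently corrupts the report file for anything that parses it. Both issues are inherited from the old `logcheckresult` rather than introduced by the extraction; the remainder of `logcheckresult` continues outside the hunk.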


@ -0,0 +1,194 @@
#!/bin/sh
bldred='\033[1;31m' # Bold Red
bldgrn='\033[1;32m' # Bold Green
bldblu='\033[1;34m' # Bold Blue
bldylw='\033[1;33m' # Bold Yellow
txtrst='\033[0m'
if [ -n "$nocolor"
] && [ "$nocolor" = "nocolor" ]; then
bldred=''
bldgrn=''
bldblu=''
bldylw=''
txtrst=''
fi
logit () {
printf "%b\n" "$1" | tee -a "$logger"
}
info () {
local infoCountCheck
while getopts c args
do
case $args in
c) infoCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$infoCountCheck" = "true" ]; then
printf "%b\n" "${bldblu}[INFO]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldblu}[INFO]${txtrst} $1" | tee -a "$logger"
}
pass () {
local passScored
while getopts sc args
do
case $args in
s) passScored="true" ;;
c) passCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$passScored" = "true" ] || [ "$passCountCheck" = "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
fi
if [ "$passScored" = "true" ]; then
currentScore=$((currentScore + 1))
fi
if [ "$passScored" != "true" ] && [ "$passCountCheck" != "true" ]; then
printf "%b\n" "${bldgrn}[PASS]${txtrst} $1" | tee -a "$logger"
fi
}
warn () {
local warnScored
while getopts s args
do
case $args in
s) warnScored="true" ;;
*) exit 1 ;;
esac
done
if [ "$warnScored" = "true" ]; then
printf "%b\n" "${bldred}[WARN]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
currentScore=$((currentScore - 1))
return
fi
printf "%b\n" "${bldred}[WARN]${txtrst} $1" | tee -a "$logger"
}
note () {
local noteCountCheck
while getopts c args
do
case $args in
c) noteCountCheck="true" ;;
*) exit 1 ;;
esac
done
if [ "$noteCountCheck" = "true" ]; then
printf "%b\n" "${bldylw}[NOTE]${txtrst} $2" | tee -a "$logger"
totalChecks=$((totalChecks + 1))
return
fi
printf "%b\n" "${bldylw}[NOTE]${txtrst} $1" | tee -a "$logger"
}
yell () {
printf "%b\n" "${bldylw}$1${txtrst}\n"
}
appendjson () {
if [ -s "$logger.json" ]; then
tail -n 1 "$logger.json" | wc -c | xargs -I {} truncate "$logger.json" -s -{}
printf "},\n" | tee -a "$logger.json" 2>/dev/null 1>&2
return
fi
printf "[" | tee -a "$logger.json" 2>/dev/null 1>&2
}
beginjson () {
printf "{\n \"dockerbenchsecurity\": \"%s\",\n \"start\": %s,\n \"tests\": [" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
endjson (){
printf "\n ], \"checks\": %s, \"score\": %s, \"end\": %s\n}]" "$1" "$2" "$3" | tee -a "$logger.json" 2>/dev/null 1>&2
}
logjson (){
printf "\n \"%s\": \"%s\"," "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
}
SSEP=
SEP=
startsectionjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", \"results\": [" "$SSEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=
SSEP=","
}
endsectionjson() {
printf "\n ]}" | tee -a "$logger.json" 2>/dev/null 1>&2
}
starttestjson() {
printf "%s\n {\"id\": \"%s\", \"desc\": \"%s\", " "$SEP" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
SEP=","
}
logcheckresult() {
# Log to JSON
if [ $# -eq 1 ]; then
printf "\"result\": \"%s\"" "$1" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -eq 2 ] && [ $# -ne 1 ]; then
# Result also contains details
printf "\"result\": \"%s\", \"details\": \"%s\"" "$1" "$2" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
if [ $# -ne 2 ] && [ $# -ne 1 ]; then
# Result also includes details and a list of items. Add that directly to details and to an array property "items"
# Also limit the number of items to $limit, if $limit is non-zero
if [ $limit != 0 ]; then
truncItems=""
ITEM_COUNT=0
for item in $3; do
truncItems="$truncItems $item"
ITEM_COUNT=$((ITEM_COUNT + 1));
if [ "$ITEM_COUNT" == "$limit" ]; then
truncItems="$truncItems (truncated)"
break;
fi
done
else
truncItems=$3
fi
itemsJson=$(printf "["; ISEP=""; ITEMCOUNT=0; for item in $truncItems; do printf "%s\"%s\"" "$ISEP" "$item"; ISEP=","; done; printf "]")
printf "\"result\": \"%s\", \"details\": \"%s: %s\", \"items\": %s" "$1" "$2" "$truncItems" "$itemsJson" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
# Log remediation measure to JSON
if [ -n "$remediation" ] && [ "$1" != "PASS" ] && [ "$printremediation" = "1" ]; then
printf ", \"remediation\": \"%s\"" "$remediation" | tee -a "$logger.json" 2>/dev/null 1>&2
if [ -n "$remediationImpact" ]; then
printf ", \"remediation-impact\": \"%s\"" "$remediationImpact" | tee -a "$logger.json" 2>/dev/null 1>&2
fi
fi
printf "}" | tee -a "$logger.json" 2>/dev/null 1>&2
# Save remediation measure for print log to stdout
if [ -n "$remediation" ] && [ "$1" != "PASS" ]; then
if [ -n "${checkHeader}" ]; then
if [ -n "${addSpaceHeader}" ]; then
globalRemediation="${globalRemediation}\n"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${checkHeader}"
checkHeader=""
addSpaceHeader="1"
fi
globalRemediation="${globalRemediation}\n${bldblu}[INFO]${txtrst} ${id} - ${remediation}"
if [ -n "${remediationImpact}" ]; then
globalRemediation="${globalRemediation} Impact: ${remediationImpact}"
fi
fi
}
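Review bot: The option loops in `info`, `pass`, `warn` and `note` call `getopts` without resetting `OPTIND`, and `OPTIND` is a shell global that persists across function calls, so once one call has consumed its flag the next function's `while getopts` starts past its own arguments and the flag is silently dropped (for example `pass -s "$check"` would then print `-s` as the message and skip the score update); unless the callers reset it somewhere this page does not show, add `OPTIND=1` before each `while getopts` line. The file is `#!/bin/sh` yet uses `local` and, in `logcheckresult`, `[ "$ITEM_COUNT" == "$limit" ]`, which are not POSIX `sh`/`test` features and the `==` form fails under dash; `=` is the portable comparison. `ITEMCOUNT=0` inside the `itemsJson` subshell is assigned and never read and can be removed.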


@ -41,16 +41,15 @@ check_1_1_2() {
docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))" docker_current_version="$(date +%y.%m.0 -d @$(( $(date +%s) - 2592000)))"
do_version_check "$docker_current_version" "$docker_version" do_version_check "$docker_current_version" "$docker_version"
if [ $? -eq 11 ]; then if [ $? -eq 11 ]; then
info -c "$check" pass -c "$check"
info " * Using $docker_version, verify is it up to date as deemed necessary" info " * Using $docker_version, verify is it up to date as deemed necessary"
info " * Your operating system vendor may provide support and security maintenance for Docker"
logcheckresult "INFO" "Using $docker_version" logcheckresult "INFO" "Using $docker_version"
else return
fi
pass -c "$check" pass -c "$check"
info " * Using $docker_version which is current" info " * Using $docker_version which is current"
info " * Check with your operating system vendor for support and security maintenance for Docker" info " * Check with your operating system vendor for support and security maintenance for Docker"
logcheckresult "PASS" "Using $docker_version" logcheckresult "PASS" "Using $docker_version"
fi
} }
check_1_2() { check_1_2() {
@ -76,10 +75,10 @@ check_1_2_1() {
if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then if mountpoint -q -- "$docker_root_dir" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_1_2_2() { check_1_2_2() {
@ -90,10 +89,9 @@ check_1_2_2() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
docker_users=$(grep 'docker' /etc/group)
if command -v getent >/dev/null 2>&1; then if command -v getent >/dev/null 2>&1; then
docker_users=$(getent group docker) docker_users=$(getent group docker)
else
docker_users=$(grep 'docker' /etc/group)
fi fi
docker_users=$(printf "%s" "$docker_users" | awk -F: '{print $4}') docker_users=$(printf "%s" "$docker_users" | awk -F: '{print $4}')
@ -101,10 +99,9 @@ check_1_2_2() {
if [ -n "$dockertrustusers" ]; then if [ -n "$dockertrustusers" ]; then
for u in $(printf "%s" "$docker_users" | sed "s/,/ /g"); do for u in $(printf "%s" "$docker_users" | sed "s/,/ /g"); do
if ! printf "%s" "$dockertrustusers" | grep -q "$u" ; then if ! printf "%s" "$dockertrustusers" | grep -q "$u" ; then
doubtfulusers="$u"
if [ -n "${doubtfulusers}" ]; then if [ -n "${doubtfulusers}" ]; then
doubtfulusers="${doubtfulusers},$u" doubtfulusers="${doubtfulusers},$u"
else
doubtfulusers="$u"
fi fi
fi fi
done done
@ -139,17 +136,19 @@ check_1_2_3() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_1_2_4() { check_1_2_4() {
@ -166,22 +165,24 @@ check_1_2_4() {
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * Directory not found" info " * Directory not found"
logcheckresult "INFO" "Directory not found" logcheckresult "INFO" "Directory not found"
fi
} }
check_1_2_5() { check_1_2_5() {
@ -198,22 +199,24 @@ check_1_2_5() {
if auditctl -l | grep $directory >/dev/null 2>&1; then if auditctl -l | grep $directory >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$directory" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * Directory not found" info " * Directory not found"
logcheckresult "INFO" "Directory not found" logcheckresult "INFO" "Directory not found"
fi
} }
check_1_2_6() { check_1_2_6() {
@ -231,22 +234,24 @@ check_1_2_6() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_1_2_7() { check_1_2_7() {
@ -264,22 +269,24 @@ check_1_2_7() {
if auditctl -l | grep "$file" >/dev/null 2>&1; then if auditctl -l | grep "$file" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_1_2_8() { check_1_2_8() {
@ -296,22 +303,24 @@ check_1_2_8() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_1_2_9() { check_1_2_9() {
@ -328,22 +337,24 @@ check_1_2_9() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_1_2_10() { check_1_2_10() {
@ -360,22 +371,24 @@ check_1_2_10() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_1_2_11() { check_1_2_11() {
@ -392,22 +405,24 @@ check_1_2_11() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_1_2_12() { check_1_2_12() {
@ -424,22 +439,24 @@ check_1_2_12() {
if auditctl -l | grep $file >/dev/null 2>&1; then if auditctl -l | grep $file >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then if grep -s "$file" "$auditrules" | grep "^[^#;]" 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_1_end() { check_1_end() {
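Review bot: The rewrite in `check_1_2_2` breaks the accumulation of untrusted docker-group members: the new lines assign `doubtfulusers="$u"` unconditionally and then, because the variable is never empty afterwards, the following `if [ -n "${doubtfulusers}" ]` appends `,$u` again, so each iteration produces `u,u` and discards every user found in earlier iterations, which makes the reported list of users outside `dockertrustusers` wrong. Replace those lines with the single POSIX expansion `doubtfulusers="${doubtfulusers:+${doubtfulusers},}$u"`, which handles the empty first case and appends thereafter. In `check_1_1_2` the outdated-version branch now calls `pass -c "$check"` while still writing `logcheckresult "INFO" "Using $docker_version"` and the "verify is it up to date" message, so the console label and the JSON result disagree for the same check; keep `info -c` there or change the logged result to match. The enclosing functions of both hunks start outside the shown lines.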


@ -20,13 +20,15 @@ check_2_1() {
if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then if get_docker_effective_command_line_args '--icc' | grep false >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then return
fi
if get_docker_configuration_file_args 'icc' | grep "false" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_2_2() { check_2_2() {
@ -41,25 +43,29 @@ check_2_2() {
if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then if get_docker_configuration_file_args 'log-level' | grep info >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then return
fi
if [ -z "$(get_docker_configuration_file_args 'log-level')" ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
elif get_docker_effective_command_line_args '-l'; then if get_docker_effective_command_line_args '-l'; then
if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then if get_docker_effective_command_line_args '-l' | grep "info" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_2_3() { check_2_3() {
@ -73,13 +79,15 @@ check_2_3() {
if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
elif get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then return
fi
if get_docker_configuration_file_args 'iptables' | grep "false" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
fi
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_2_4() { check_2_4() {
@ -93,18 +101,20 @@ check_2_4() {
if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--insecure-registry' | grep "insecure-registry" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
elif ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then return
fi
if ! [ -z "$(get_docker_configuration_file_args 'insecure-registries')" ]; then
if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then if get_docker_configuration_file_args 'insecure-registries' | grep '\[]' >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_2_5() { check_2_5() {
@ -118,10 +128,10 @@ check_2_5() {
if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "^\sStorage Driver:\s*aufs\s*$" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
fi
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_2_6() { check_2_6() {
@ -138,21 +148,23 @@ check_2_6() {
[ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then [ $(get_docker_cumulative_command_line_args '--tlsverify' | grep 'tlsverify') >/dev/null 2>&1 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \ return
fi
if [ $(get_docker_configuration_file_args '"tls":' | grep 'true') ] || \
[ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then [ $(get_docker_cumulative_command_line_args '--tls' | grep 'tls$') >/dev/null 2>&1 ]; then
warn -s "$check" warn -s "$check"
warn " * Docker daemon currently listening on TCP with TLS, but no verification" warn " * Docker daemon currently listening on TCP with TLS, but no verification"
logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification" logcheckresult "WARN" "Docker daemon currently listening on TCP with TLS, but no verification"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Docker daemon currently listening on TCP without TLS" warn " * Docker daemon currently listening on TCP without TLS"
logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS" logcheckresult "WARN" "Docker daemon currently listening on TCP without TLS"
return
fi fi
else
info -c "$check" info -c "$check"
info " * Docker daemon not listening on TCP" info " * Docker daemon not listening on TCP"
logcheckresult "INFO" "Docker daemon not listening on TCP" logcheckresult "INFO" "Docker daemon not listening on TCP"
fi
} }
check_2_7() { check_2_7() {
@ -166,14 +178,16 @@ check_2_7() {
if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then if get_docker_configuration_file_args 'default-ulimit' | grep -v '{}' >/dev/null 2>&1; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--default-ulimit' | grep "default-ulimit" >/dev/null 2>&1; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
info -c "$check" info -c "$check"
info " * Default ulimit doesn't appear to be set" info " * Default ulimit doesn't appear to be set"
logcheckresult "INFO" "Default ulimit doesn't appear to be set" logcheckresult "INFO" "Default ulimit doesn't appear to be set"
fi
} }
check_2_8() { check_2_8() {
@ -187,13 +201,15 @@ check_2_8() {
if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then if get_docker_configuration_file_args 'userns-remap' | grep -v '""'; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--userns-remap' | grep "userns-remap" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_2_9() { check_2_9() {
@ -208,14 +224,16 @@ check_2_9() {
warn -s "$check" warn -s "$check"
info " * Confirm cgroup usage" info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage" logcheckresult "WARN" "Confirm cgroup usage"
elif get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--cgroup-parent' | grep "cgroup-parent" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
info " * Confirm cgroup usage" info " * Confirm cgroup usage"
logcheckresult "WARN" "Confirm cgroup usage" logcheckresult "WARN" "Confirm cgroup usage"
else return
fi
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_2_10() { check_2_10() {
@ -229,13 +247,15 @@ check_2_10() {
if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then if get_docker_configuration_file_args 'storage-opts' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
elif get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--storage-opt' | grep "dm.basesize" >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
fi
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_2_11() { check_2_11() {
@ -249,13 +269,15 @@ check_2_11() {
if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then if get_docker_configuration_file_args 'authorization-plugins' | grep -v '\[]'; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--authorization-plugin' | grep "authorization-plugin" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_2_12() { check_2_12() {
@ -269,10 +291,10 @@ check_2_12() {
if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then if docker info --format '{{ .LoggingDriver }}' | grep 'json-file' >/dev/null 2>&1; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
fi
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_2_13() { check_2_13() {
@ -286,18 +308,20 @@ check_2_13() {
if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Live Restore Enabled:\s*true\s*" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*" >/dev/null 2>&1; then
pass -s "$check (Incompatible with swarm mode)" pass -s "$check (Incompatible with swarm mode)"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--live-restore' | grep "live-restore" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
fi
} }
check_2_14() { check_2_14() {
@ -311,13 +335,15 @@ check_2_14() {
if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then if get_docker_configuration_file_args 'userland-proxy' | grep false >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--userland-proxy=false' 2>/dev/null | grep "userland-proxy=false" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_2_15() { check_2_15() {
@ -331,10 +357,10 @@ check_2_15() {
if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then if docker info --format '{{ .SecurityOptions }}' | grep 'name=seccomp,profile=default' 2>/dev/null 1>&2; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
fi
} }
check_2_16() { check_2_16() {
@ -352,16 +378,16 @@ check_2_16() {
if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then if docker version -f '{{.Server.Experimental}}' | grep false 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
local desc="$desc (Deprecated)" local desc="$desc (Deprecated)"
local check="$id - $desc" local check="$id - $desc"
info -c "$desc" info -c "$desc"
logcheckresult "INFO" logcheckresult "INFO"
fi
} }
check_2_17() { check_2_17() {
@ -375,13 +401,15 @@ check_2_17() {
if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then if get_docker_effective_command_line_args '--no-new-privileges' | grep "no-new-privileges" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then return
fi
if get_docker_configuration_file_args 'no-new-privileges' | grep true >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_2_end() { check_2_end() {


@ -22,16 +22,16 @@ check_3_1() {
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file" logcheckresult "WARN" "Wrong ownership for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_2() { check_3_2() {
@ -47,16 +47,16 @@ check_3_2() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file" logcheckresult "WARN" "Wrong permissions for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_3() { check_3_3() {
@ -72,16 +72,16 @@ check_3_3() {
if [ "$(stat -c %u%g $file)" -eq 00 ]; then if [ "$(stat -c %u%g $file)" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file" logcheckresult "WARN" "Wrong ownership for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_4() { check_3_4() {
@ -97,16 +97,16 @@ check_3_4() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file" logcheckresult "WARN" "Wrong permissions for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_5() { check_3_5() {
@ -122,16 +122,16 @@ check_3_5() {
if [ "$(stat -c %u%g $directory)" -eq 00 ]; then if [ "$(stat -c %u%g $directory)" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $directory" warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory" logcheckresult "WARN" "Wrong ownership for $directory"
return
fi fi
else
info -c "$check" info -c "$check"
info " * Directory not found" info " * Directory not found"
logcheckresult "INFO" "Directory not found" logcheckresult "INFO" "Directory not found"
fi
} }
check_3_6() { check_3_6() {
@ -147,16 +147,16 @@ check_3_6() {
if [ "$(stat -c %a $directory)" -le 755 ]; then if [ "$(stat -c %a $directory)" -le 755 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $directory" warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory" logcheckresult "WARN" "Wrong permissions for $directory"
return
fi fi
else
info -c "$check" info -c "$check"
info " * Directory not found" info " * Directory not found"
logcheckresult "INFO" "Directory not found" logcheckresult "INFO" "Directory not found"
fi
} }
check_3_7() { check_3_7() {
@ -180,15 +180,15 @@ check_3_7() {
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $directory" warn " * Wrong ownership for $directory"
logcheckresult "WARN" "Wrong ownership for $directory" logcheckresult "WARN" "Wrong ownership for $directory"
else return
fi
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
return
fi fi
else
info -c "$check" info -c "$check"
info " * Directory not found" info " * Directory not found"
logcheckresult "INFO" "Directory not found" logcheckresult "INFO" "Directory not found"
fi
} }
check_3_8() { check_3_8() {
@ -212,15 +212,15 @@ check_3_8() {
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $directory" warn " * Wrong permissions for $directory"
logcheckresult "WARN" "Wrong permissions for $directory" logcheckresult "WARN" "Wrong permissions for $directory"
else return
fi
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
return
fi fi
else
info -c "$check" info -c "$check"
info " * Directory not found" info " * Directory not found"
logcheckresult "INFO" "Directory not found" logcheckresult "INFO" "Directory not found"
fi
} }
check_3_9() { check_3_9() {
@ -231,25 +231,24 @@ check_3_9() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert') tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscacert")" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $tlscacert" warn " * Wrong ownership for $tlscacert"
logcheckresult "WARN" "Wrong ownership for $tlscacert" logcheckresult "WARN" "Wrong ownership for $tlscacert"
return
fi fi
else
info -c "$check" info -c "$check"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found" logcheckresult "INFO" "No TLS CA certificate found"
fi
} }
check_3_10() { check_3_10() {
@ -260,25 +259,24 @@ check_3_10() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlscacert')" ]; then
tlscacert=$(get_docker_configuration_file_args 'tlscacert') tlscacert=$(get_docker_configuration_file_args 'tlscacert')
else
tlscacert=$(get_docker_effective_command_line_args '--tlscacert' | sed -n 's/.*tlscacert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscacert" ]; then if [ -f "$tlscacert" ]; then
if [ "$(stat -c %a $tlscacert)" -le 444 ]; then if [ "$(stat -c %a $tlscacert)" -le 444 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $tlscacert" warn " * Wrong permissions for $tlscacert"
logcheckresult "WARN" "Wrong permissions for $tlscacert" logcheckresult "WARN" "Wrong permissions for $tlscacert"
return
fi fi
else
info -c "$check" info -c "$check"
info " * No TLS CA certificate found" info " * No TLS CA certificate found"
logcheckresult "INFO" "No TLS CA certificate found" logcheckresult "INFO" "No TLS CA certificate found"
fi
} }
check_3_11() { check_3_11() {
@ -289,25 +287,24 @@ check_3_11() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert') tlscert=$(get_docker_configuration_file_args 'tlscert')
else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlscert")" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $tlscert" warn " * Wrong ownership for $tlscert"
logcheckresult "WARN" "Wrong ownership for $tlscert" logcheckresult "WARN" "Wrong ownership for $tlscert"
return
fi fi
else
info -c "$check" info -c "$check"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found" logcheckresult "INFO" "No TLS Server certificate found"
fi
} }
check_3_12() { check_3_12() {
@ -318,25 +315,24 @@ check_3_12() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlscert')" ]; then
tlscert=$(get_docker_configuration_file_args 'tlscert') tlscert=$(get_docker_configuration_file_args 'tlscert')
else
tlscert=$(get_docker_effective_command_line_args '--tlscert' | sed -n 's/.*tlscert=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlscert" ]; then if [ -f "$tlscert" ]; then
if [ "$(stat -c %a $tlscert)" -le 444 ]; then if [ "$(stat -c %a $tlscert)" -le 444 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $tlscert" warn " * Wrong permissions for $tlscert"
logcheckresult "WARN" "Wrong permissions for $tlscert" logcheckresult "WARN" "Wrong permissions for $tlscert"
return
fi fi
else
info -c "$check" info -c "$check"
info " * No TLS Server certificate found" info " * No TLS Server certificate found"
logcheckresult "INFO" "No TLS Server certificate found" logcheckresult "INFO" "No TLS Server certificate found"
fi
} }
check_3_13() { check_3_13() {
@ -347,25 +343,24 @@ check_3_13() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey') tlskey=$(get_docker_configuration_file_args 'tlskey')
else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then if [ "$(stat -c %u%g "$tlskey")" -eq 00 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $tlskey" warn " * Wrong ownership for $tlskey"
logcheckresult "WARN" "Wrong ownership for $tlskey" logcheckresult "WARN" "Wrong ownership for $tlskey"
return
fi fi
else
info -c "$check" info -c "$check"
info " * No TLS Key found" info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found" logcheckresult "INFO" "No TLS Key found"
fi
} }
check_3_14() { check_3_14() {
@ -376,25 +371,24 @@ check_3_14() {
local check="$id - $desc" local check="$id - $desc"
starttestjson "$id" "$desc" starttestjson "$id" "$desc"
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then if [ -n "$(get_docker_configuration_file_args 'tlskey')" ]; then
tlskey=$(get_docker_configuration_file_args 'tlskey') tlskey=$(get_docker_configuration_file_args 'tlskey')
else
tlskey=$(get_docker_effective_command_line_args '--tlskey' | sed -n 's/.*tlskey=\([^s]\)/\1/p' | sed 's/--/ --/g' | cut -d " " -f 1)
fi fi
if [ -f "$tlskey" ]; then if [ -f "$tlskey" ]; then
if [ "$(stat -c %a $tlskey)" -eq 400 ]; then if [ "$(stat -c %a $tlskey)" -eq 400 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $tlskey" warn " * Wrong permissions for $tlskey"
logcheckresult "WARN" "Wrong permissions for $tlskey" logcheckresult "WARN" "Wrong permissions for $tlskey"
return
fi fi
else
info -c "$check" info -c "$check"
info " * No TLS Key found" info " * No TLS Key found"
logcheckresult "INFO" "No TLS Key found" logcheckresult "INFO" "No TLS Key found"
fi
} }
check_3_15() { check_3_15() {
@ -410,16 +404,16 @@ check_3_15() {
if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then if [ "$(stat -c %U:%G $file)" = 'root:docker' ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file" logcheckresult "WARN" "Wrong ownership for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_16() { check_3_16() {
@ -435,16 +429,16 @@ check_3_16() {
if [ "$(stat -c %a $file)" -le 660 ]; then if [ "$(stat -c %a $file)" -le 660 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file" logcheckresult "WARN" "Wrong permissions for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_17() { check_3_17() {
@ -460,16 +454,16 @@ check_3_17() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file" logcheckresult "WARN" "Wrong ownership for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_18() { check_3_18() {
@ -485,16 +479,16 @@ check_3_18() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file" logcheckresult "WARN" "Wrong permissions for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_19() { check_3_19() {
@ -510,16 +504,16 @@ check_3_19() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file" logcheckresult "WARN" "Wrong ownership for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_20() { check_3_20() {
@ -535,16 +529,16 @@ check_3_20() {
if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then if [ "$(stat -c %U:%G $file)" = 'root:root' ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong ownership for $file" warn " * Wrong ownership for $file"
logcheckresult "WARN" "Wrong ownership for $file" logcheckresult "WARN" "Wrong ownership for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_21() { check_3_21() {
@ -560,16 +554,16 @@ check_3_21() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file" logcheckresult "WARN" "Wrong permissions for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_22() { check_3_22() {
@ -585,16 +579,16 @@ check_3_22() {
if [ "$(stat -c %a $file)" -le 644 ]; then if [ "$(stat -c %a $file)" -le 644 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
warn " * Wrong permissions for $file" warn " * Wrong permissions for $file"
logcheckresult "WARN" "Wrong permissions for $file" logcheckresult "WARN" "Wrong permissions for $file"
return
fi fi
else
info -c "$check" info -c "$check"
info " * File not found" info " * File not found"
logcheckresult "INFO" "File not found" logcheckresult "INFO" "File not found"
fi
} }
check_3_end() { check_3_end() {
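Review bot: The command-line fallback now placed in the `else` branch of check_3_9, `sed -n 's/.*tlscacert=\([^s]\)/\1/p'`, silently loses any value whose path begins with the letter `s`, because `[^s]` matches one non-`s` character rather than a non-space one; with an argument such as `--tlscacert=ssl/ca.pem` the substitution never fires, `$tlscacert` ends up empty, and the check reports "No TLS CA certificate found" instead of inspecting the file. The same class is used on the equivalent lines in check_3_10 through check_3_14 for `tlscacert`, `tlscert` and `tlskey`. It reads like a mangled whitespace class; `\([^ ]\)` accepts any first character and leaves the rest of the pipeline (`sed 's/--/ --/g' | cut -d " " -f 1`) unchanged, assuming the args are reported in the `--flag=value` form these lines expect. Separately, the permission checks still pass `$tlscacert`/`$tlscert`/`$tlskey` unquoted to `stat -c %a` while the ownership checks quote them; quoting both halves keeps paths with spaces from breaking the test.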


@ -22,7 +22,8 @@ check_4_1() {
info -c "$check" info -c "$check"
info " * No containers running" info " * No containers running"
logcheckresult "INFO" "No containers running" logcheckresult "INFO" "No containers running"
else return
fi
# We have some containers running, set failure flag to 0. Check for Users. # We have some containers running, set failure flag to 0. Check for Users.
fail=0 fail=0
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
@ -39,20 +40,19 @@ check_4_1() {
warn " * Running as root: $c" warn " * Running as root: $c"
root_containers="$root_containers $c" root_containers="$root_containers $c"
fail=1 fail=1
else continue
fi
warn " * Running as root: $c" warn " * Running as root: $c"
root_containers="$root_containers $c" root_containers="$root_containers $c"
fi fi
fi
done done
# We went through all the containers and found none running as root # We went through all the containers and found none running as root
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
logcheckresult "WARN" "running as root" "$root_containers" logcheckresult "WARN" "running as root" "$root_containers"
fi
fi
# Make the loop separator go back to space # Make the loop separator go back to space
set +f; unset IFS set +f; unset IFS
} }
@ -104,10 +104,10 @@ check_4_5() {
if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then if [ "x$DOCKER_CONTENT_TRUST" = "x1" ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_4_6() { check_4_6() {
@ -139,9 +139,9 @@ check_4_6() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
fi fi
logcheckresult "WARN" "Images w/o HEALTHCHECK" "$no_health_images"
} }
check_4_7() { check_4_7() {
@ -170,9 +170,9 @@ check_4_7() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Update instructions found" "$update_images"
fi fi
logcheckresult "INFO" "Update instructions found" "$update_images"
} }
check_4_8() { check_4_8() {
@ -214,9 +214,9 @@ check_4_9() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Images using ADD" "$add_images"
fi fi
logcheckresult "INFO" "Images using ADD" "$add_images"
} }
check_4_10() { check_4_10() {
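Review bot: In check_4_1 the `return` added after `logcheckresult "PASS"` exits before `set +f; unset IFS`, so on a passing run the remainder of the audit continues with pathname expansion disabled and IFS set to a newline; before this commit the restore at the end of the function was reached on every path. The `return` in the "No containers running" branch is harmless because it happens before `set -f` is applied. Moving the restore up so it directly follows the loop, `done` then `set +f; unset IFS`, keeps the early-return style and runs the cleanup on both result paths. check_4_6, check_4_7 and check_4_9 use the same early return but nothing follows their result block, so they are unaffected provided their bodies, which start outside these hunks, do not set IFS themselves.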


@ -13,11 +13,11 @@ check_running_containers() {
# If containers is empty, there are no running containers # If containers is empty, there are no running containers
if [ -z "$containers" ]; then if [ -z "$containers" ]; then
info " * No containers running, skipping Section 5" info " * No containers running, skipping Section 5"
else return
fi
# Make the loop separator be a new-line in POSIX compliant fashion # Make the loop separator be a new-line in POSIX compliant fashion
set -f; IFS=$' set -f; IFS=$'
' '
fi
} }
check_5_1() { check_5_1() {
@ -44,19 +44,19 @@ check_5_1() {
warn " * No AppArmorProfile Found: $c" warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c" no_apparmor_containers="$no_apparmor_containers $c"
fail=1 fail=1
else continue
fi
warn " * No AppArmorProfile Found: $c" warn " * No AppArmorProfile Found: $c"
no_apparmor_containers="$no_apparmor_containers $c" no_apparmor_containers="$no_apparmor_containers $c"
fi fi
fi
done done
# We went through all the containers and found none without AppArmor # We went through all the containers and found none without AppArmor
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
fi fi
logcheckresult "WARN" "Containers with no AppArmorProfile" "$no_apparmor_containers"
} }
check_5_2() { check_5_2() {
@ -83,19 +83,19 @@ check_5_2() {
warn " * No SecurityOptions Found: $c" warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c" no_securityoptions_containers="$no_securityoptions_containers $c"
fail=1 fail=1
else continue
fi
warn " * No SecurityOptions Found: $c" warn " * No SecurityOptions Found: $c"
no_securityoptions_containers="$no_securityoptions_containers $c" no_securityoptions_containers="$no_securityoptions_containers $c"
fi fi
fi
done done
# We went through all the containers and found none without SELinux # We went through all the containers and found none without SELinux
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
fi fi
logcheckresult "WARN" "Containers with no SecurityOptions" "$no_securityoptions_containers"
} }
check_5_3() { check_5_3() {
@ -125,19 +125,19 @@ check_5_3() {
warn " * Capabilities added: $caps to $c" warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c" caps_containers="$caps_containers $c"
fail=1 fail=1
else continue
fi
warn " * Capabilities added: $caps to $c" warn " * Capabilities added: $caps to $c"
caps_containers="$caps_containers $c" caps_containers="$caps_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with extra capabilities # We went through all the containers and found none with extra capabilities
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
fi fi
logcheckresult "WARN" "Capabilities added for containers" "$caps_containers"
} }
check_5_4() { check_5_4() {
@ -164,19 +164,19 @@ check_5_4() {
warn " * Container running in Privileged mode: $c" warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c" privileged_containers="$privileged_containers $c"
fail=1 fail=1
else continue
fi
warn " * Container running in Privileged mode: $c" warn " * Container running in Privileged mode: $c"
privileged_containers="$privileged_containers $c" privileged_containers="$privileged_containers $c"
fi fi
fi
done done
# We went through all the containers and found no privileged containers # We went through all the containers and found no privileged containers
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
fi fi
logcheckresult "WARN" "Containers running in privileged mode" "$privileged_containers"
} }
check_5_5() { check_5_5() {
@ -204,10 +204,9 @@ check_5_5() {
fail=0 fail=0
sensitive_mount_containers="" sensitive_mount_containers=""
for c in $containers; do for c in $containers; do
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then if docker inspect --format '{{ .VolumesRW }}' "$c" 2>/dev/null 1>&2; then
volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c") volumes=$(docker inspect --format '{{ .VolumesRW }}' "$c")
else
volumes=$(docker inspect --format '{{ .Mounts }}' "$c")
fi fi
# Go over each directory in sensitive dir and see if they exist in the volumes # Go over each directory in sensitive dir and see if they exist in the volumes
for v in $sensitive_dirs; do for v in $sensitive_dirs; do
@ -222,20 +221,20 @@ check_5_5() {
warn " * Sensitive directory $v mounted in: $c" warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v" sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fail=1 fail=1
else continue
fi
warn " * Sensitive directory $v mounted in: $c" warn " * Sensitive directory $v mounted in: $c"
sensitive_mount_containers="$sensitive_mount_containers $c:$v" sensitive_mount_containers="$sensitive_mount_containers $c:$v"
fi fi
fi
done done
done done
# We went through all the containers and found none with sensitive mounts # We went through all the containers and found none with sensitive mounts
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
fi fi
logcheckresult "WARN" "Containers with sensitive directories mounted" "$sensitive_mount_containers"
} }
check_5_6() { check_5_6() {
@ -286,9 +285,9 @@ check_5_6() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
fi fi
logcheckresult "WARN" "Containers with sshd/docker exec failures" "$ssh_exec_containers"
} }
check_5_7() { check_5_7() {
@ -318,20 +317,20 @@ check_5_7() {
warn " * Privileged Port in use: $port in $c" warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port" privileged_port_containers="$privileged_port_containers $c:$port"
fail=1 fail=1
else continue
fi
warn " * Privileged Port in use: $port in $c" warn " * Privileged Port in use: $port in $c"
privileged_port_containers="$privileged_port_containers $c:$port" privileged_port_containers="$privileged_port_containers $c:$port"
fi fi
fi
done done
done done
# We went through all the containers and found no privileged ports # We went through all the containers and found no privileged ports
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
fi fi
logcheckresult "WARN" "Containers using privileged ports" "$privileged_port_containers"
} }
check_5_8() { check_5_8() {
@ -374,19 +373,19 @@ check_5_9() {
warn " * Container running with networking mode 'host': $c" warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c" net_host_containers="$net_host_containers $c"
fail=1 fail=1
else continue
fi
warn " * Container running with networking mode 'host': $c" warn " * Container running with networking mode 'host': $c"
net_host_containers="$net_host_containers $c" net_host_containers="$net_host_containers $c"
fi fi
fi
done done
# We went through all the containers and found no Network Mode host # We went through all the containers and found no Network Mode host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
fi fi
logcheckresult "WARN" "Containers running with networking mode 'host'" "$net_host_containers"
} }
check_5_10() { check_5_10() {
@ -404,10 +403,9 @@ check_5_10() {
fail=0 fail=0
mem_unlimited_containers="" mem_unlimited_containers=""
for c in $containers; do for c in $containers; do
memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")
if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then if docker inspect --format '{{ .Config.Memory }}' "$c" 2> /dev/null 1>&2; then
memory=$(docker inspect --format '{{ .Config.Memory }}' "$c") memory=$(docker inspect --format '{{ .Config.Memory }}' "$c")
else
memory=$(docker inspect --format '{{ .HostConfig.Memory }}' "$c")
fi fi
if [ "$memory" = "0" ]; then if [ "$memory" = "0" ]; then
@ -417,19 +415,19 @@ check_5_10() {
warn " * Container running without memory restrictions: $c" warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c" mem_unlimited_containers="$mem_unlimited_containers $c"
fail=1 fail=1
else continue
fi
warn " * Container running without memory restrictions: $c" warn " * Container running without memory restrictions: $c"
mem_unlimited_containers="$mem_unlimited_containers $c" mem_unlimited_containers="$mem_unlimited_containers $c"
fi fi
fi
done done
# We went through all the containers and found no lack of Memory restrictions # We went through all the containers and found no lack of Memory restrictions
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
fi fi
logcheckresult "WARN" "Container running without memory restrictions" "$mem_unlimited_containers"
} }
check_5_11() { check_5_11() {
@ -447,10 +445,9 @@ check_5_11() {
fail=0 fail=0
cpu_unlimited_containers="" cpu_unlimited_containers=""
for c in $containers; do for c in $containers; do
shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then if docker inspect --format '{{ .Config.CpuShares }}' "$c" 2> /dev/null 1>&2; then
shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c") shares=$(docker inspect --format '{{ .Config.CpuShares }}' "$c")
else
shares=$(docker inspect --format '{{ .HostConfig.CpuShares }}' "$c")
fi fi
if [ "$shares" = "0" ]; then if [ "$shares" = "0" ]; then
@ -460,19 +457,19 @@ check_5_11() {
warn " * Container running without CPU restrictions: $c" warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c" cpu_unlimited_containers="$cpu_unlimited_containers $c"
fail=1 fail=1
else continue
fi
warn " * Container running without CPU restrictions: $c" warn " * Container running without CPU restrictions: $c"
cpu_unlimited_containers="$cpu_unlimited_containers $c" cpu_unlimited_containers="$cpu_unlimited_containers $c"
fi fi
fi
done done
# We went through all the containers and found no lack of CPUShare restrictions # We went through all the containers and found no lack of CPUShare restrictions
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
fi fi
logcheckresult "WARN" "Containers running without CPU restrictions" "$cpu_unlimited_containers"
} }
check_5_12() { check_5_12() {
@ -499,19 +496,19 @@ check_5_12() {
warn " * Container running with root FS mounted R/W: $c" warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c" fsroot_mount_containers="$fsroot_mount_containers $c"
fail=1 fail=1
else continue
fi
warn " * Container running with root FS mounted R/W: $c" warn " * Container running with root FS mounted R/W: $c"
fsroot_mount_containers="$fsroot_mount_containers $c" fsroot_mount_containers="$fsroot_mount_containers $c"
fi fi
fi
done done
# We went through all the containers and found no R/W FS mounts # We went through all the containers and found no R/W FS mounts
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
fi fi
logcheckresult "WARN" "Containers running with root FS mounted R/W" "$fsroot_mount_containers"
} }
check_5_13() { check_5_13() {
@ -537,20 +534,20 @@ check_5_13() {
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip" incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fail=1 fail=1
else continue
fi
warn " * Port being bound to wildcard IP: $ip in $c" warn " * Port being bound to wildcard IP: $ip in $c"
incoming_unbound_containers="$incoming_unbound_containers $c:$ip" incoming_unbound_containers="$incoming_unbound_containers $c:$ip"
fi fi
fi
done done
done done
# We went through all the containers and found no ports bound to 0.0.0.0 # We went through all the containers and found no ports bound to 0.0.0.0
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
fi fi
logcheckresult "WARN" "Containers with port bound to wildcard IP" "$incoming_unbound_containers"
} }
check_5_14() { check_5_14() {
@ -577,19 +574,19 @@ check_5_14() {
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c" maxretry_unset_containers="$maxretry_unset_containers $c"
fail=1 fail=1
else continue
fi
warn " * MaximumRetryCount is not set to 5: $c" warn " * MaximumRetryCount is not set to 5: $c"
maxretry_unset_containers="$maxretry_unset_containers $c" maxretry_unset_containers="$maxretry_unset_containers $c"
fi fi
fi
done done
# We went through all the containers and they all had MaximumRetryCount=5 # We went through all the containers and they all had MaximumRetryCount=5
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
fi fi
logcheckresult "WARN" "Containers with MaximumRetryCount not set to 5" "$maxretry_unset_containers"
} }
check_5_15() { check_5_15() {
@ -616,19 +613,19 @@ check_5_15() {
warn " * Host PID namespace being shared with: $c" warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c" pidns_shared_containers="$pidns_shared_containers $c"
fail=1 fail=1
else continue
fi
warn " * Host PID namespace being shared with: $c" warn " * Host PID namespace being shared with: $c"
pidns_shared_containers="$pidns_shared_containers $c" pidns_shared_containers="$pidns_shared_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with PidMode as host # We went through all the containers and found none with PidMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
fi fi
logcheckresult "WARN" "Containers sharing host PID namespace" "$pidns_shared_containers"
} }
check_5_16() { check_5_16() {
@ -655,19 +652,19 @@ check_5_16() {
warn " * Host IPC namespace being shared with: $c" warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c" ipcns_shared_containers="$ipcns_shared_containers $c"
fail=1 fail=1
else continue
fi
warn " * Host IPC namespace being shared with: $c" warn " * Host IPC namespace being shared with: $c"
ipcns_shared_containers="$ipcns_shared_containers $c" ipcns_shared_containers="$ipcns_shared_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with IPCMode as host # We went through all the containers and found none with IPCMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
fi fi
logcheckresult "WARN" "Containers sharing host IPC namespace" "$ipcns_shared_containers"
} }
check_5_17() { check_5_17() {
@ -694,19 +691,19 @@ check_5_17() {
info " * Container has devices exposed directly: $c" info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c" hostdev_exposed_containers="$hostdev_exposed_containers $c"
fail=1 fail=1
else continue
fi
info " * Container has devices exposed directly: $c" info " * Container has devices exposed directly: $c"
hostdev_exposed_containers="$hostdev_exposed_containers $c" hostdev_exposed_containers="$hostdev_exposed_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with devices # We went through all the containers and found none with devices
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
fi fi
logcheckresult "INFO" "Containers with host devices exposed directly" "$hostdev_exposed_containers"
} }
check_5_18() { check_5_18() {
@ -733,19 +730,19 @@ check_5_18() {
info " * Container no default ulimit override: $c" info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c" no_ulimit_containers="$no_ulimit_containers $c"
fail=1 fail=1
else continue
fi
info " * Container no default ulimit override: $c" info " * Container no default ulimit override: $c"
no_ulimit_containers="$no_ulimit_containers $c" no_ulimit_containers="$no_ulimit_containers $c"
fi fi
fi
done done
# We went through all the containers and found none without Ulimits # We went through all the containers and found none without Ulimits
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
fi fi
logcheckresult "INFO" "Containers with no default ulimit override" "$no_ulimit_containers"
} }
check_5_19() { check_5_19() {
@ -771,19 +768,19 @@ check_5_19() {
warn " * Mount propagation mode is shared: $c" warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c" mountprop_shared_containers="$mountprop_shared_containers $c"
fail=1 fail=1
else continue
fi
warn " * Mount propagation mode is shared: $c" warn " * Mount propagation mode is shared: $c"
mountprop_shared_containers="$mountprop_shared_containers $c" mountprop_shared_containers="$mountprop_shared_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with shared propagation mode # We went through all the containers and found none with shared propagation mode
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
fi fi
logcheckresult "WARN" "Containers with shared mount propagation" "$mountprop_shared_containers"
} }
check_5_20() { check_5_20() {
@ -810,19 +807,19 @@ check_5_20() {
warn " * Host UTS namespace being shared with: $c" warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c" utcns_shared_containers="$utcns_shared_containers $c"
fail=1 fail=1
else continue
fi
warn " * Host UTS namespace being shared with: $c" warn " * Host UTS namespace being shared with: $c"
utcns_shared_containers="$utcns_shared_containers $c" utcns_shared_containers="$utcns_shared_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with UTSMode as host # We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
fi fi
logcheckresult "WARN" "Containers sharing host UTS namespace" "$utcns_shared_containers"
} }
check_5_21() { check_5_21() {
@ -858,9 +855,9 @@ check_5_21() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
fi fi
logcheckresult "WARN" "Containers with default seccomp profile disabled" "$seccomp_disabled_containers"
} }
check_5_22() { check_5_22() {
@ -919,19 +916,19 @@ check_5_24() {
warn " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c" unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fail=1 fail=1
else continue
fi
warn " * Confirm cgroup usage: $c" warn " * Confirm cgroup usage: $c"
unexpected_cgroup_containers="$unexpected_cgroup_containers $c" unexpected_cgroup_containers="$unexpected_cgroup_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with UTSMode as host # We went through all the containers and found none with UTSMode as host
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
fi fi
logcheckresult "WARN" "Containers using unexpected cgroup" "$unexpected_cgroup_containers"
} }
check_5_25() { check_5_25() {
@ -955,19 +952,19 @@ check_5_25() {
warn " * Privileges not restricted: $c" warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c" addprivs_containers="$addprivs_containers $c"
fail=1 fail=1
else continue
fi
warn " * Privileges not restricted: $c" warn " * Privileges not restricted: $c"
addprivs_containers="$addprivs_containers $c" addprivs_containers="$addprivs_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with capability to acquire additional privileges # We went through all the containers and found none with capability to acquire additional privileges
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
fi fi
logcheckresult "WARN" "Containers without restricted privileges" "$addprivs_containers"
} }
check_5_26() { check_5_26() {
@ -991,18 +988,18 @@ check_5_26() {
warn " * Health check not set: $c" warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c" nohealthcheck_containers="$nohealthcheck_containers $c"
fail=1 fail=1
else continue
fi
warn " * Health check not set: $c" warn " * Health check not set: $c"
nohealthcheck_containers="$nohealthcheck_containers $c" nohealthcheck_containers="$nohealthcheck_containers $c"
fi fi
fi
done done
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
fi fi
logcheckresult "WARN" "Containers without health check" "$nohealthcheck_containers"
} }
check_5_27() { check_5_27() {
@ -1045,19 +1042,19 @@ check_5_28() {
warn " * PIDs limit not set: $c" warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c" nopids_limit_containers="$nopids_limit_containers $c"
fail=1 fail=1
else continue
fi
warn " * PIDs limit not set: $c" warn " * PIDs limit not set: $c"
nopids_limit_containers="$nopids_limit_containers $c" nopids_limit_containers="$nopids_limit_containers $c"
fi fi
fi
done done
# We went through all the containers and found all with PIDs limit # We went through all the containers and found all with PIDs limit
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
fi fi
logcheckresult "WARN" "Containers without PIDs cgroup limit" "$nopids_limit_containers"
} }
check_5_29() { check_5_29() {
@ -1104,9 +1101,9 @@ check_5_29() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
fi fi
logcheckresult "INFO" "Containers using docker0 network" "$docker_network_containers"
} }
check_5_30() { check_5_30() {
@ -1131,19 +1128,19 @@ check_5_30() {
warn " * Namespace shared: $c" warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c" hostns_shared_containers="$hostns_shared_containers $c"
fail=1 fail=1
else continue
fi
warn " * Namespace shared: $c" warn " * Namespace shared: $c"
hostns_shared_containers="$hostns_shared_containers $c" hostns_shared_containers="$hostns_shared_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with host's user namespace shared # We went through all the containers and found none with host's user namespace shared
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
fi fi
logcheckresult "WARN" "Containers sharing host user namespace" "$hostns_shared_containers"
} }
check_5_31() { check_5_31() {
@ -1168,19 +1165,19 @@ check_5_31() {
warn " * Docker socket shared: $c" warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c" docker_sock_containers="$docker_sock_containers $c"
fail=1 fail=1
else continue
fi
warn " * Docker socket shared: $c" warn " * Docker socket shared: $c"
docker_sock_containers="$docker_sock_containers $c" docker_sock_containers="$docker_sock_containers $c"
fi fi
fi
done done
# We went through all the containers and found none with docker.sock shared # We went through all the containers and found none with docker.sock shared
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers"
fi fi
logcheckresult "WARN" "Containers sharing docker socket" "$docker_sock_containers"
} }
check_5_end() { check_5_end() {


@ -20,10 +20,10 @@ check_7_1() {
if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:*\sinactive\s*" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_7_2() { check_7_2() {
@ -39,14 +39,14 @@ check_7_2() {
if [ "$managernodes" -eq 1 ]; then if [ "$managernodes" -eq 1 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
pass -s "$check (Swarm mode not enabled)" pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_7_3() { check_7_3() {
@ -62,14 +62,14 @@ check_7_3() {
if [ $? -eq 1 ]; then if [ $? -eq 1 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
pass -s "$check (Swarm mode not enabled)" pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_7_4() { check_7_4() {
@ -98,9 +98,9 @@ check_7_4() {
if [ $fail -eq 0 ]; then if [ $fail -eq 0 ]; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
fi fi
logcheckresult "WARN" "Unencrypted overlay networks:" "$unencrypted_networks"
} }
check_7_5() { check_7_5() {
@ -115,14 +115,14 @@ check_7_5() {
if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then if [ "$(docker secret ls -q | wc -l)" -ge 1 ]; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
return
fi fi
else
pass -c "$check (Swarm mode not enabled)" pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_7_6() { check_7_6() {
@ -137,14 +137,14 @@ check_7_6() {
if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then if ! docker swarm unlock-key 2>/dev/null | grep 'SWMKEY' 2>/dev/null 1>&2; then
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
else return
fi
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
return
fi fi
else
pass -s "$check (Swarm mode not enabled)" pass -s "$check (Swarm mode not enabled)"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_7_7() { check_7_7() {
@ -158,10 +158,10 @@ check_7_7() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
note -c "$check" note -c "$check"
logcheckresult "NOTE" logcheckresult "NOTE"
else return
fi
pass -c "$check (Swarm mode not enabled)" pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_7_8() { check_7_8() {
@ -176,14 +176,14 @@ check_7_8() {
if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then if docker info 2>/dev/null | grep "Expiry Duration: 2 days"; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
return
fi fi
else
pass -c "$check (Swarm mode not enabled)" pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_7_9() { check_7_9() {
@ -197,10 +197,10 @@ check_7_9() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
else return
fi
pass -c "$check (Swarm mode not enabled)" pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_7_10() { check_7_10() {
@ -214,10 +214,10 @@ check_7_10() {
if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then if docker info 2>/dev/null | grep -e "Swarm:\s*active\s*" >/dev/null 2>&1; then
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
else return
fi
pass -c "$check (Swarm mode not enabled)" pass -c "$check (Swarm mode not enabled)"
logcheckresult "PASS" logcheckresult "PASS"
fi
} }
check_7_end() { check_7_end() {
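Review bot: `check_7_8` still tests `docker info 2>/dev/null | grep "Expiry Duration: 2 days"` without `-q` or an output redirect, so whenever the pattern matches the raw `docker info` line is printed into the audit output between the check banner and its PASS line, unlike the other Swarm probes in this section which all use `grep ... >/dev/null 2>&1`. Change it to `if docker info 2>/dev/null | grep -q "Expiry Duration: 2 days"; then`. The early-return restructuring itself reads correctly: every Swarm-active branch now returns before the `(Swarm mode not enabled)` pass, which is only reached when the outer `docker info | grep Swarm: active` test fails. `check_7_3` branches on a bare `$?` whose producing command sits outside the hunk, so I cannot confirm from here that it still refers to the intended command after the refactor.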


@ -10,11 +10,10 @@ check_8() {
} }
check_product_license() { check_product_license() {
enterprise_license=1
if docker version | grep -Eqi '^Server.*Community$|Version.*-ce$'; then if docker version | grep -Eqi '^Server.*Community$|Version.*-ce$'; then
info " * Community Engine license, skipping section 8" info " * Community Engine license, skipping section 8"
enterprise_license=0 enterprise_license=0
else
enterprise_license=1
fi fi
} }
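Review bot: `check_product_license` now starts from `enterprise_license=1` and only flips it to 0 when `docker version | grep -Eqi '^Server.*Community$|Version.*-ce$'` matches, so any failure of `docker version` (daemon unreachable, permission denied) silently leaves the host classified as Enterprise and Section 8 runs against it, with the command's stderr printed into the audit output. If that fallback is intended, state it: `# Default to Enterprise; Section 8 is skipped only when the CE signature is seen in 'docker version'`. Otherwise redirect stderr (`docker version 2>/dev/null`) and handle a non-zero exit from `docker version` as its own case rather than folding it into the Enterprise path.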


@ -19,13 +19,15 @@ check_c_1() {
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then return
fi
if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_c_1_1() { check_c_1_1() {
@ -39,13 +41,15 @@ check_c_1_1() {
if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
pass -c "$check" pass -c "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then return
fi
if docker info --format='{{ .Architecture }}' | grep 'aarch64' 2>/dev/null 1>&2; then
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
else return
fi
warn -c "$check" warn -c "$check"
logcheckresult "WARN" logcheckresult "WARN"
fi
} }
check_c_2() { check_c_2() {
@ -63,19 +67,21 @@ check_c_2() {
if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then if get_docker_configuration_file_args 'disable-legacy-registry' | grep 'true' >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
elif get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then return
fi
if get_docker_effective_command_line_args '--disable-legacy-registry' | grep "disable-legacy-registry" >/dev/null 2>&1; then
pass -s "$check" pass -s "$check"
logcheckresult "PASS" logcheckresult "PASS"
else return
fi
warn -s "$check" warn -s "$check"
logcheckresult "WARN" logcheckresult "WARN"
return
fi fi
else
local desc="$desc (Deprecated)" local desc="$desc (Deprecated)"
local check="$id - $desc" local check="$id - $desc"
info -c "$check" info -c "$check"
logcheckresult "INFO" logcheckresult "INFO"
fi
} }
check_c_end() { check_c_end() {
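Review bot: After the flattening, `check_c_1` and `check_c_1_1` each spawn `docker info --format='{{ .Architecture }}'` a second time to probe for `aarch64` whenever the host is not `x86_64`, and `docker info`'s own stderr is not redirected (only grep's is), so a daemon error is printed twice before the WARN is reported. Capture the architecture once and branch on the value; the same rewrite applies to `check_c_1_1` with `pass -c`/`warn -c`. `grep 'x86_64'` is a substring match, which is fine for these two values but worth noting in a comment if more architectures are added. `check_c_1` begins outside the hunk; only its body is shown below.
```shell
check_c_1() {
  # … unchanged: id/desc/check setup …
  local arch
  # Probe once; docker info's own stderr is silenced so a daemon error does not
  # leak into the report (an empty value falls through to WARN).
  arch=$(docker info --format='{{ .Architecture }}' 2>/dev/null)
  case "$arch" in
    *x86_64*)
      pass -s "$check"
      logcheckresult "PASS"
      ;;
    *aarch64*)
      info -c "$check"
      logcheckresult "INFO"
      ;;
    *)
      warn -s "$check"
      logcheckresult "WARN"
      ;;
  esac
}
```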