From a3094ac5c6dd8e7f5e7b939aef14b6e112664159 Mon Sep 17 00:00:00 2001
From: Mike Ritter
Date: Tue, 27 Feb 2018 08:43:51 -0600
Subject: [PATCH] New Features

Signed-off-by: Mike Ritter
---
 README.md                    |  3 ++-
 docker-bench-security.sh     | 35 +++++++++++++++++++++++++----------
 tests/5_container_runtime.sh | 33 ++++++++++++++++++++-------------
 3 files changed, 47 insertions(+), 24 deletions(-)

diff --git a/README.md b/README.md
index 004b3c8..28f1572 100644
--- a/README.md
+++ b/README.md
@@ -50,7 +50,8 @@ version 1.13.0 or later.
 ```sh
   -h optional Print this help message
   -l FILE optional Log output in FILE
-  -c CHECK optional Run specific check or group of checks
+  -c CHECK optional Comma delimited list of specific check(s)
+  -x EXCLUDE optional Comma delimited list of patterns within a container to exclude from check
 ```
 
 By default the Docker Bench for Security script will run all available CIS tests
diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index 5700c55..ab32924 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -37,19 +37,21 @@ usage () {
 
   -h optional Print this help message
   -l FILE optional Log output in FILE
-  -c CHECK optional Run specific check
+  -c CHECK optional Comma delimited list of specific check(s)
+  -x EXCLUDE optional Comma delimited list of patterns within a container name to exclude from check
 EOF
 }
 
 # Get the flags
 # If you add an option here, please
 # remember to update usage() above.
-while getopts hl:c: args
+while getopts hl:c:x: args
 do
   case $args in
   h) usage; exit 0 ;;
   l) logger="$OPTARG" ;;
   c) check="$OPTARG" ;;
+  x) exclude="$OPTARG" ;;
   *) usage; exit 1 ;;
   esac
 done
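Review bot: `x) exclude="$OPTARG" ;;` stores the new option without any validation, yet the value is later spliced into `grep -Ev "$pattern"` as an extended regex, so a malformed pattern (an unbalanced `(` or a trailing `\`) makes grep exit 2 and produce no output, which leaves the container list empty and lets the runtime checks be skipped silently instead of failing the run. Validating the pattern once, right after option parsing, turns that into a hard error and also gives the later call sites a single precomputed `exclude_pattern` instead of re-running `echo | sed` at each of them. The `-x` usage text should also say the value is a grep -E alternation (commas become `|`), since `.` or `+` in a container name will not behave like a plain substring match. The `usage ()` function begins before this hunk.
```shell
# … unchanged: getopts loop …
done

# -x is an ERE fed to grep -Ev; reject it up front so a typo cannot
# silently empty the container list and skip every runtime check.
if [ -n "$exclude" ]; then
  exclude_pattern=$(printf '%s' "$exclude" | sed 's/,/|/g')
  grep -E -- "$exclude_pattern" /dev/null 2>/dev/null
  if [ $? -eq 2 ]; then
    printf 'Invalid -x pattern: %s\n' "$exclude" >&2
    exit 1
  fi
fi
```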
@@ -86,7 +88,12 @@ beginjson "1.3.4" "$(date +%s)"
 # Load all the tests from tests/ and run them
 main () {
   # List all running containers
-  containers=$(docker ps | sed '1d' | awk '{print $NF}')
+  if [ -z "$exclude" ]; then
+    containers=$(docker ps | sed '1d' | awk '{print $NF}')
+  else
+    pattern=$(echo "$exclude" | sed 's/,/|/g')
+    containers=$(docker ps | sed '1d' | grep -Ev "$pattern" | awk '{print $NF}')
+  fi
   # If there is a container with label docker_bench_security, memorize it:
   benchcont="nil"
   for c in $containers; do
@@ -96,7 +103,12 @@ main () {
     fi
   done
   # List all running containers except docker-bench (use names to improve readability in logs)
-  containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
+  if [ -z "$exclude" ]; then
+    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -v "$benchcont")
+  else
+    pattern=$(echo "$exclude" | sed 's/,/|/g')
+    containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -Ev "$pattern" | grep -v "$benchcont")
+  fi
 
   if [ -z "$containers" ]; then
     running_containers=0
@@ -112,12 +124,15 @@ main () {
   if [ -z "$check" ]; then
     cis
   else
-    if command -v "$check" 2>/dev/null 1>&2; then
-      "$check"
-    else
-      echo "Check \"$check\" doesn't seem to exist."
-      exit 1
-    fi
+    for i in $(echo "$check" | sed "s/,/ /g")
+    do
+      if command -v "$i" 2>/dev/null 1>&2; then
+        "$i"
+      else
+        echo "Check \"$i\" doesn't seem to exist."
+        continue
+      fi
+    done
   fi
 
   printf "\n"
diff --git a/tests/5_container_runtime.sh b/tests/5_container_runtime.sh
index 1aca0fe..2551796 100644
--- a/tests/5_container_runtime.sh
+++ b/tests/5_container_runtime.sh
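Review bot: The first filter, `containers=$(docker ps | sed '1d' | grep -Ev "$pattern" | awk '{print $NF}')`, applies the exclusion to the whole `docker ps` row (image, command, status, ports and name), while the second filter in this same hunk applies it after `awk '{print $NF}'` to the name alone; the usage text promises patterns matched against the container name. As written, `-x nginx` drops every container running an nginx image from the bench-container detection loop but not from the later list, so the two lists can disagree. Move the grep after the awk in the first block, `containers=$(docker ps | sed '1d' | awk '{print $NF}' | grep -Ev "$pattern")`, and compute `pattern` once above both `if` blocks instead of twice. `main ()` ends outside this hunk.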
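Review bot: Replacing `exit 1` with `continue` means a check name that does not exist is now only echoed and the script goes on to finish with status 0, so a mistyped `-c` value in a CI job reports a clean run with no checks executed, where the old code at least failed the run. Record the miss and exit non-zero once the loop has finished, so the valid names in the same list still run but the invocation is reported as a failure. `command -v "$i"` also accepts any executable on PATH, not only functions defined by the sourced test files, so the comma list is effectively a list of commands to run; that predates this change, but this loop is where a restriction to the bench's check functions would belong. `main ()` begins before this hunk and ends after it.
```shell
  else
    missing=0
    for i in $(echo "$check" | sed "s/,/ /g")
    do
      if command -v "$i" 2>/dev/null 1>&2; then
        "$i"
      else
        echo "Check \"$i\" doesn't seem to exist." >&2
        missing=1
      fi
    done
    # Try every listed check, then fail the run if any was unknown,
    # preserving the previous contract that a bad -c value is an error.
    [ "$missing" -eq 0 ] || exit 1
  fi
```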
@@ -988,19 +988,27 @@ check_5_29() {
   for net in $networks; do
     if docker network inspect --format '{{ .Options }}' "$net" 2>/dev/null | grep "com.docker.network.bridge.name:docker0" >/dev/null 2>&1; then
       docker0Containers=$(docker network inspect --format='{{ range $k, $v := .Containers }} {{ $k }} {{ end }}' "$net" | \
-      sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
-      if [ -n "$docker0Containers" ]; then
-        if [ $fail -eq 0 ]; then
-          info "$check_5_29"
-          logjson "5.29" "INFO"
-          fail=1
+        sed -e 's/^ //' -e 's/ /\n/g' 2>/dev/null)
+
+      if [ -n "$docker0Containers" ]; then
+        if [ $fail -eq 0 ]; then
+          info "$check_5_29"
+          logjson "5.29" "INFO"
+          fail=1
+        fi
+        for c in $docker0Containers; do
+          if [ -z "$exclude" ]; then
+            cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
+          else
+            pattern=$(echo "$exclude" | sed 's/,/|/g')
+            cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g' | grep -Ev "$pattern" )
+          fi
+          if ! [ -z "$cName" ]; then
+            info " * Container in docker0 network: $cName"
+            logjson "5.29" "INFO: $c"
+          fi
+        done
         fi
-        for c in $docker0Containers; do
-          cName=$(docker inspect --format '{{.Name}}' "$c" 2>/dev/null | sed 's/\///g')
-          info " * Container in docker0 network: $cName"
-          logjson "5.29" "INFO: $c"
-        done
-      fi
       currentScore=$((currentScore + 0))
     fi
   done
@@ -1081,4 +1089,3 @@ check_5_31() {
     currentScore=$((currentScore - 1))
   fi
 }
-
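Review bot: `pattern=$(echo "$exclude" | sed 's/,/|/g')` is recomputed inside the `for c in $docker0Containers` loop for every container, two extra processes per iteration for a value that never changes; hoist it above the loop (or compute it once where `exclude` is parsed) and reuse it. The `info "$check_5_29"` / `logjson "5.29" "INFO"` heading and `fail=1` are still emitted before the exclusion filter runs, so when every docker0 container matches `-x` (or `docker inspect` fails for all of them) the check prints an INFO heading with no container lines under it; consider filtering first and emitting the heading only when at least one name survives. `if ! [ -z "$cName" ]` reads more directly as `if [ -n "$cName" ]; then`. `check_5_29` begins and ends outside this hunk.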