From 83ed8122ef6c4ca0161b73183bb0ac056bf396e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Thu, 18 Jan 2018 11:28:36 +0100
Subject: [PATCH 1/4] update the README about community checks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 README.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index a212808..004b3c8 100644
--- a/README.md
+++ b/README.md
@@ -50,11 +50,11 @@ version 1.13.0 or later.
 ```sh
   -h           optional  Print this help message
   -l FILE      optional  Log output in FILE
-  -c CHECK     optional  Run specific check
+  -c CHECK     optional  Run specific check or group of checks
 ```
 
-By default the Docker Bench for Security script will run all available tests and
-produce logs in the current directory named `docker-bench-security.sh.log.json`
+By default the Docker Bench for Security script will run all available CIS tests
+and produce logs in the current directory named `docker-bench-security.sh.log.json`
 and `docker-bench-security.sh.log`.
 The CIS based checks are named `check_<section>_<number>`, e.g. `check_2_6`
 and community contributed checks are named `check_c_<number>`.
@@ -62,6 +62,10 @@ A complete list of checks are present in [functions_lib.sh](functions_lib.sh).
 
 `sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c check_2_2`
 
+Note that when submitting checks, provide information why it is a
+reasonable test to add and please include some kind of official documentation
+verifying that information.
+
 ## Building Docker Bench for Security
 
 If you wish to build and run this container yourself, you can follow the

From 57365ba1e46ebc325d383b999ca0678482deddec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Thu, 18 Jan 2018 11:29:02 +0100
Subject: [PATCH 2/4] fail if check doesnt exist
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 docker-bench-security.sh | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/docker-bench-security.sh b/docker-bench-security.sh
index e84cec5..5700c55 100755
--- a/docker-bench-security.sh
+++ b/docker-bench-security.sh
@@ -112,7 +112,12 @@ main () {
   if [ -z "$check" ]; then
     cis
   else
-    "$check"
+    if command -v "$check" 2>/dev/null 1>&2; then
+      "$check"
+    else
+      echo "Check \"$check\" doesn't seem to exist."
+      exit 1
+    fi
   fi
 
   printf "\n"

From 2aa9719dd653d6575644ae3bcdace77536f73875 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Thu, 18 Jan 2018 11:29:20 +0100
Subject: [PATCH 3/4] silence example check output
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 Vagrantfile                  | 77 ++++++++++++++++++++++++++++++++++++
 tests/99_community_checks.sh |  2 +-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 Vagrantfile

diff --git a/Vagrantfile b/Vagrantfile
new file mode 100644
index 0000000..b358387
--- /dev/null
+++ b/Vagrantfile
@@ -0,0 +1,77 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+# All Vagrant configuration is done below. The "2" in Vagrant.configure
+# configures the configuration version (we support older styles for
+# backwards compatibility). Please don't change it unless you know what
+# you're doing.
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://atlas.hashicorp.com/search.
+  config.vm.box = "centos/7"
+
+  # Disable automatic box update checking. If you disable this, then
+  # boxes will only be checked for updates when the user runs
+  # `vagrant box outdated`. This is not recommended.
+  # config.vm.box_check_update = false
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine. In the example below,
+  # accessing "localhost:8080" will access port 80 on the guest machine.
+  # NOTE: This will enable public access to the opened port
+  # config.vm.network "forwarded_port", guest: 80, host: 8080
+
+  # Create a forwarded port mapping which allows access to a specific port
+  # within the machine from a port on the host machine and only allow access
+  # via 127.0.0.1 to disable public access
+  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
+
+  # Create a private network, which allows host-only access to the machine
+  # using a specific IP.
+  # config.vm.network "private_network", ip: "192.168.33.10"
+
+  # Create a public network, which generally matched to bridged network.
+  # Bridged networks make the machine appear as another physical device on
+  # your network.
+  # config.vm.network "public_network"
+
+  # Share an additional folder to the guest VM. The first argument is
+  # the path on the host to the actual folder. The second argument is
+  # the path on the guest to mount the folder. And the optional third
+  # argument is a set of non-required options.
+  # config.vm.synced_folder "../data", "/vagrant_data"
+
+  # Provider-specific configuration so you can fine-tune various
+  # backing providers for Vagrant. These expose provider-specific options.
+  # Example for VirtualBox:
+  #
+  # config.vm.provider "virtualbox" do |vb|
+  #   # Display the VirtualBox GUI when booting the machine
+  #   vb.gui = true
+  #
+  #   # Customize the amount of memory on the VM:
+  #   vb.memory = "1024"
+  # end
+  #
+  # View the documentation for the provider you are using for more
+  # information on available options.
+
+  # Define a Vagrant Push strategy for pushing to Atlas. Other push strategies
+  # such as FTP and Heroku are also available. See the documentation at
+  # https://docs.vagrantup.com/v2/push/atlas.html for more information.
+  # config.push.define "atlas" do |push|
+  #   push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME"
+  # end
+
+  # Enable provisioning with a shell script. Additional provisioners such as
+  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
+  # documentation for more information about their specific syntax and use.
+  # config.vm.provision "shell", inline: <<-SHELL
+  #   apt-get update
+  #   apt-get install -y apache2
+  # SHELL
+end
diff --git a/tests/99_community_checks.sh b/tests/99_community_checks.sh
index a800b09..953ed5c 100644
--- a/tests/99_community_checks.sh
+++ b/tests/99_community_checks.sh
@@ -8,7 +8,7 @@ check_c() {
 check_c_1() {
   check_c_1="C.1  - This is a example check"
   totalChecks=$((totalChecks + 1))
-  if docker info --format='{{ .Architecture }}' | grep 'x86_64'; then
+  if docker info --format='{{ .Architecture }}' | grep 'x86_64' 2>/dev/null 1>&2; then
     pass "$check_c_1"
     logjson "c.1" "PASS"
   else

From 2494261ddf9ff5a21b5a5ad05f1c292d11497749 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
 <konstruktoid@users.noreply.github.com>
Date: Thu, 18 Jan 2018 11:30:31 +0100
Subject: [PATCH 4/4] remove Vagrantfile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
---
 Vagrantfile | 77 -----------------------------------------------------
 1 file changed, 77 deletions(-)
 delete mode 100644 Vagrantfile

diff --git a/Vagrantfile b/Vagrantfile
deleted file mode 100644
index b358387..0000000
--- a/Vagrantfile
+++ /dev/null
@@ -1,77 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-# All Vagrant configuration is done below. The "2" in Vagrant.configure
-# configures the configuration version (we support older styles for
-# backwards compatibility). Please don't change it unless you know what
-# you're doing.
-Vagrant.configure("2") do |config|
-  # The most common configuration options are documented and commented below.
-  # For a complete reference, please see the online documentation at
-  # https://docs.vagrantup.com.
-
-  # Every Vagrant development environment requires a box. You can search for
-  # boxes at https://atlas.hashicorp.com/search.
-  config.vm.box = "centos/7"
-
-  # Disable automatic box update checking. If you disable this, then
-  # boxes will only be checked for updates when the user runs
-  # `vagrant box outdated`. This is not recommended.
-  # config.vm.box_check_update = false
-
-  # Create a forwarded port mapping which allows access to a specific port
-  # within the machine from a port on the host machine. In the example below,
-  # accessing "localhost:8080" will access port 80 on the guest machine.
-  # NOTE: This will enable public access to the opened port
-  # config.vm.network "forwarded_port", guest: 80, host: 8080
-
-  # Create a forwarded port mapping which allows access to a specific port
-  # within the machine from a port on the host machine and only allow access
-  # via 127.0.0.1 to disable public access
-  # config.vm.network "forwarded_port", guest: 80, host: 8080, host_ip: "127.0.0.1"
-
-  # Create a private network, which allows host-only access to the machine
-  # using a specific IP.
-  # config.vm.network "private_network", ip: "192.168.33.10"
-
-  # Create a public network, which generally matched to bridged network.
-  # Bridged networks make the machine appear as another physical device on
-  # your network.
-  # config.vm.network "public_network"
-
-  # Share an additional folder to the guest VM. The first argument is
-  # the path on the host to the actual folder. The second argument is
-  # the path on the guest to mount the folder. And the optional third
-  # argument is a set of non-required options.
-  # config.vm.synced_folder "../data", "/vagrant_data"
-
-  # Provider-specific configuration so you can fine-tune various
-  # backing providers for Vagrant. These expose provider-specific options.
-  # Example for VirtualBox:
-  #
-  # config.vm.provider "virtualbox" do |vb|
-  #   # Display the VirtualBox GUI when booting the machine
-  #   vb.gui = true
-  #
-  #   # Customize the amount of memory on the VM:
-  #   vb.memory = "1024"
-  # end
-  #
-  # View the documentation for the provider you are using for more
-  # information on available options.
-
-  # Define a Vagrant Push strategy for pushing to Atlas. Other push strategies
-  # such as FTP and Heroku are also available. See the documentation at
-  # https://docs.vagrantup.com/v2/push/atlas.html for more information.
-  # config.push.define "atlas" do |push|
-  #   push.app = "YOUR_ATLAS_USERNAME/YOUR_APPLICATION_NAME"
-  # end
-
-  # Enable provisioning with a shell script. Additional provisioners such as
-  # Puppet, Chef, Ansible, Salt, and Docker are also available. Please see the
-  # documentation for more information about their specific syntax and use.
-  # config.vm.provision "shell", inline: <<-SHELL
-  #   apt-get update
-  #   apt-get install -y apache2
-  # SHELL
-end