fix: allow combining include and exclude

[wilmardo]

Reason for change

For a CI pipeline I was trying to scan just container images but without the healtcheck and docker trust check:
./docker-bench-security.sh -i test -c container_images -e check_4_5,check_4_6

This wasn't yet implemented so I took a stab at it.

Technical explaining

The magic is in the sed:

sed -ne "/$i()/,/}/{ /{/d; /}/d; p}" functions_lib.sh

$i is the checkname, for example container_images so it matches on container_images() { until }
This results in:

# sed -ne "/container_images() {/,/}/p" functions_lib.sh
container_images() {
  check_4
  check_4_1
  check_4_2
  check_4_3
  check_4_4
  check_4_5
  check_4_6
  check_4_7
  check_4_8
  check_4_9
  check_4_10
  check_4_11
  check_4_end
}

But I am just interested in the checks so just print the checks:

# sed -ne "/container_images() {/,/}/{/check/p}" functions_lib.sh
  check_4
  check_4_1
  check_4_2
  check_4_3
  check_4_4
  check_4_5
  check_4_6
  check_4_7
  check_4_8
  check_4_9
  check_4_10
  check_4_11
  check_4_end

And then I just did the same grep trick as checkexclude to exlude test.

[konstruktoid]

Thanks @wilmardo for the PR, looks interesting and I'll have look asap.

[konstruktoid]

Looks good! Could you update the README with a couple examples as well?

[wilmardo]

I made a little improvement to make it a bit more versatile . The sed is now:
sed -ne "/$i() {/,/}/{/{/d; /}/d; p}" functions_lib.sh

The change is that it does not match on check anymore but removes the lines containing { and } so it now also works for functions without checks.

# sed -ne "/cis() {/,/}/{/{/d; /}/d; p}" functions_lib.sh
  host_configuration
  docker_daemon_configuration
  docker_daemon_files
  container_images
  container_runtime
  docker_security_operations
  docker_swarm_configuration
  docker_enterprise_configuration

So a command like this works now:
./docker-bench-security.sh -i test -c cis -e host_configuration,docker_enterprise_configuration

I will add a commit for some documentation :)

[konstruktoid]

Awesome!
<picture of happy cute animal>

[wilmardo]

Added the examples in the readme but while writing I found another case which isn't working yet.

sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration

I will refactor the logic a bit more, decided against it while starting this change. But now I will make the deepdive since it will simplify the logic.

Set the title to WIP until I implented this :)

[konstruktoid]

Great! Thanks for doing this :)

[wilmardo]

Reworked the include exclude logic so now all combinations should be possible:

• sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration
• sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -e docker_enterprise_configuration,check_2_2
• sh docker-bench-security.sh -l /tmp/docker-bench-security.sh.log -c container_images -e check_4_5

Added them to the readme.

I tried my best to test this thoroughly but I could have easily missed something due the fact that is it my own code ;)

/ready_for_review 🎉

[wilmardo]

@konstruktoid PTAL, no need to rush just bringing this to your attention again :)

Best of wishes for 2020! 🎆

[konstruktoid]

@wilmardo no worries, I just wondered, see comment above, why the export was removed. I believe it might be necessary on some distributions.

[wilmardo]

@konstruktoid Good catch, had an issue while testing and accidentally committed the change. Can't remember what the issue was and it seems to work fine with the PATH as it was.

[konstruktoid]

Thanks alot @wilmardo!