
2.7 false positive when log_opt set #498

Open
dhrapson opened this issue Apr 29, 2022 · 5 comments
@dhrapson

I'm using this excellent utility to assess compliance. We set the following in our /etc/docker/daemon.json:

```json
{
  "log-opts": {
    "syslog-address": "tcp://<some_ip>"
  }
}
```

Doing this causes check_2_7 to trigger incorrectly because of the logic in this line:

```sh
if [ $(get_docker_configuration_file_args 'tcp://') ] || \
```

The output is `[WARN] * Docker daemon currently listening on TCP without TLS` when it is not listening on TCP at all.

@konstruktoid konstruktoid self-assigned this Apr 29, 2022
@konstruktoid
Collaborator

Thanks for creating this issue @dhrapson, I'll have a look as soon as possible.

@konstruktoid
Collaborator

So sorry for the long delay @dhrapson, could you please test #501?

@aretandic

aretandic commented May 27, 2022

Hello @konstruktoid. I wanted to notify you that this fix is not working as expected, unfortunately. It now works incorrectly with the 2.7 check and is not providing positive results at all with some configurations of daemon.json.

```json
"hosts": [
  "tcp://127.0.0.1:2376",
  "unix:///var/run/docker.sock"
],
```

I have such a configuration of daemon.json, and then `grep -E "host.*tcp://" /etc/docker/daemon.json` will not show anything.
If I set the configuration to:

```json
"hosts": ["tcp://127.0.0.1:2376","unix:///var/run/docker.sock"],
```

the code will return the error `docker-bench-security.sh: 157: [: "hosts":: unexpected operator`, I assume because grep will return `[` in the output.
I think that it could be fixed by `grep -Ez`, but it will still return the `docker-bench-security.sh: 157: [: "hosts":: unexpected operator` error.
Please take a look.

@aretandic

For me, I solved the issue like this:

```sh
$(grep -Ez 'host.*tcp://([0-9].)+' "$CONFIG_FILE" | grep -Ea 'tcp://([0-9].)+')
```

But it will not help if there are other TCP addresses in the config; unfortunately I didn't have enough time to take a deeper look into it.

@konstruktoid
Collaborator

Yeah, the drawbacks of parsing JSON using shell.
I guess the best way would be to add jq to the dependencies and use that to parse the config, and use the current semi-working code as a fallback.
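A small check along the lines discussed above, added here as an example and not code from docker-bench-security: it inspects only the `hosts` key, so a `tcp://` address under `log-opts` does not trigger it, uses jq when available and otherwise falls back to grep over a whitespace-stripped copy so the multi-line `hosts` array from the second report is still matched. It reports by exit status rather than by interpolating grep output into a `[ ... ]` test, leaves out the TLS side of check 2.7 (`tlsverify`), and the sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not docker-bench-security code): decide whether daemon.json
# configures a tcp:// *host*, ignoring tcp:// strings elsewhere such as
# log-opts/syslog-address. The result is the exit status (0 = tcp host found),
# so no grep output is ever interpolated into a "[ ... ]" test.
docker_hosts_use_tcp() {
  config_file="$1"
  [ -f "$config_file" ] || return 1
  if command -v jq >/dev/null 2>&1; then
    # Preferred path: real JSON parsing. "hosts" may be absent, a string or
    # an array, so normalise it to one value per line before matching.
    jq -r '(.hosts // empty) | if type == "array" then .[] else . end' \
      "$config_file" 2>/dev/null | grep -q '^tcp://'
  else
    # Fallback without jq: strip all whitespace so a multi-line "hosts"
    # array becomes one token, then match tcp:// only inside that key.
    tr -d '[:space:]' < "$config_file" \
      | grep -Eq '"hosts":(\[[^]]*)?"tcp://'
  fi
}

# Run the check on a configuration given as a string (written to a temp file).
check_config_string() {
  tmp=$(mktemp) || return 2
  printf '%s\n' "$1" > "$tmp"
  if docker_hosts_use_tcp "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return "$rc"
}

# Constructed sample configurations, modelled on the two reports in this issue.
SAMPLE_LOG_OPTS='{ "log-opts": { "syslog-address": "tcp://192.0.2.10:514" } }'
SAMPLE_HOSTS_MULTILINE='{
  "hosts": [
    "tcp://127.0.0.1:2376",
    "unix:///var/run/docker.sock"
  ]
}'
SAMPLE_UNIX_ONLY='{ "hosts": ["unix:///var/run/docker.sock"] }'

for sample in "$SAMPLE_LOG_OPTS" "$SAMPLE_HOSTS_MULTILINE" "$SAMPLE_UNIX_ONLY"; do
  if check_config_string "$sample"; then
    echo "tcp host configured"
  else
    echo "no tcp host"
  fi
done
```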
