Merge pull request #6 from dev-sec/chris-rock/inspec-check

atomic111 · web-flow · commit 8d49cee90d93 · 2016-06-14T09:39:44.000+02:00
handle nil results for docker.path
diff --git a/controls/docker_host_os_level1.rb b/controls/docker_host_os_level1.rb
@@ -150,9 +150,15 @@
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator. It holds various parameters for Docker daemon. It must be audited, if applicable.'
   ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
-  rule = '-w ' << docker.path << ' -p rwxa -k docker'
-  describe auditd_rules do
-    its(:lines) { should include(rule) }
+  unless docker.path.nil?
+    rule = '-w ' << docker.path << ' -p rwxa -k docker'
+    describe auditd_rules do
+      its(:lines) { should include(rule) }
+    end
+  else
+    describe 'audit docker service' do
+      skip "Cannot determine docker path"
+    end
   end
 end
 
@@ -162,9 +168,15 @@
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. docker.service is one such file. The docker.service file might be present if the daemon parameters have been changed by an administrator. It holds various parameters for Docker daemon. It must be audited, if applicable.'
   ref 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
 
-  rule = '-w ' << docker.socket << ' -p rwxa -k docker'
-  describe auditd_rules do
-    its(:lines) { should include(rule) }
+  unless docker.path.nil?
+    rule = '-w ' << docker.socket << ' -p rwxa -k docker'
+    describe auditd_rules do
+      its(:lines) { should include(rule) }
+    end
+  else
+    describe 'audit docker service' do
+      skip "Cannot determine docker socket"
+    end
   end
 end
 
