Control: 1.1.1 Ensure a separate partition for containers has been created
Description
All Docker containers and their data and metadata are stored under the /var/lib/docker
directory. By default, /var/lib/docker is mounted under either the / or the /var
partition, depending on how the Linux operating system in use is configured.
Remediation
For new installations, you should create a separate partition for the /var/lib/docker
mount point. For systems that are already installed, you should use the Logical
Volume Manager (LVM) within Linux to create a new partition.
Default Value
By default, /var/lib/docker is mounted under the / or /var partitions dependent on
how the OS is configured.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_1_1_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run docker_compliance.control.cis_v160_1_1_1 --share
SQL
This control uses a named query:
with os_output as (
  -- operating system of each connection, used to pick the right shell command
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
),
hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
linux_output as (
  -- Linux: mountpoint prints "<dir> is not a mountpoint" when the check fails
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and os_output.os = 'Linux'
    and command = E'mountpoint -- "$(docker info -f \'{{ .DockerRootDir }}\')"'
),
darwin_output as (
  -- Darwin: df lists mount points, so an empty grep result means not mounted separately
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and os_output.os = 'Darwin'
    and command = E'df | grep "$(docker info -f \'{{ .DockerRootDir }}\')"'
),
command_output as (
  select * from darwin_output
  union all
  select * from linux_output
)
select
  host as resource,
  case
    when o.stdout_output = '' or o.stdout_output like '%not a mountpoint%' then 'alarm'
    else 'ok'
  end as status,
  case
    when o.stdout_output = '' or o.stdout_output like '%not a mountpoint%' then host || ' configured Docker root directory is not a mount point.'
    else host || ' configured Docker root directory is a mount point.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  -- join the union of both platforms; joining linux_output alone would drop the Darwin rows
  command_output as o
where
  o.conn = h.host_conn;
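As an added example (not code from the docker_compliance mod), the same check as a stand-alone shell script: classify_mount_output mirrors the query's CASE logic, and is_separate_fs adds a device-number comparison that the query does not make, so that a bind mount of a directory still living on the root filesystem is not mistaken for a separate partition. It assumes docker, uname, mountpoint (Linux) and a GNU or BSD stat are on PATH.

```shell
#!/bin/sh
# Added example, not part of the docker_compliance mod.

# Classify the stdout of `mountpoint -- <dir>` (Linux) or
# `df | grep <dir>` (Darwin) exactly as the named query's CASE does.
classify_mount_output() {
  case "$1" in
    ''|*"not a mountpoint"*) echo alarm ;;
    *)                       echo ok ;;
  esac
}

# Device number of a path: GNU stat first, BSD/macOS stat as fallback.
dev_of() {
  stat -c %d "$1" 2>/dev/null || stat -f %d "$1"
}

# A mount point may be a bind mount whose source still lives on the
# parent filesystem; that passes the mountpoint test but not the
# control's intent. A real separate filesystem has a different device
# number from the directory it is mounted on.
is_separate_fs() {
  dir=$(readlink -f -- "$1") || return 2
  [ "$(dev_of "$dir")" != "$(dev_of "$dir/..")" ]
}

# Audit the running daemon; prints alarm/ok like the control does.
audit_docker_root() {
  root=$(docker info -f '{{ .DockerRootDir }}' 2>/dev/null) || { echo alarm; return; }
  case "$(uname -s)" in
    Linux)  out=$(mountpoint -- "$root" 2>/dev/null) ;;  # stdout only, as the query
    Darwin) out=$(df | grep -F -- "$root") ;;
    *)      out='' ;;
  esac
  status=$(classify_mount_output "$out")
  if [ "$status" = ok ] && ! is_separate_fs "$root"; then
    echo "alarm (mount point is a bind mount on the parent filesystem)"
    return
  fi
  echo "$status"
}
```

Run audit_docker_root on a host with the daemon up; the two helper functions can also be exercised on their own.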