Benchmark: 3 Docker daemon configuration files
Overview
This section covers the ownership and permissions of Docker-related files and directories. These files (systemd unit files, daemon.json, the daemon's TLS certificates and keys, and the Docker and containerd sockets) may contain sensitive parameters or grant control of the daemon, so keeping them owned by root and readable only as widely as necessary is important for the correct and secure functioning of the Docker daemon.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-docker-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select "3 Docker daemon configuration files".
Run this benchmark in your terminal:
powerpipe benchmark run docker_compliance.benchmark.cis_v160_3
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run docker_compliance.benchmark.cis_v160_3 --share
Controls
- 3.1 Ensure that the docker.service file ownership is set to root:root
- 3.2 Ensure that docker.service file permissions are appropriately set
- 3.3 Ensure that docker.socket file ownership is set to root:root
- 3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive
- 3.5 Ensure that the /etc/docker directory ownership is set to root:root
- 3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively
- 3.7 Ensure that registry certificate file ownership is set to root:root
- 3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively
- 3.9 Ensure that TLS CA certificate file ownership is set to root:root
- 3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively
- 3.11 Ensure that Docker server certificate file ownership is set to root:root
- 3.12 Ensure that the Docker server certificate file permissions are set to 444 or more restrictively
- 3.13 Ensure that the Docker server certificate key file ownership is set to root:root
- 3.14 Ensure that the Docker server certificate key file permissions are set to 400
- 3.15 Ensure that the Docker socket file ownership is set to root:docker
- 3.16 Ensure that the Docker sock file permissions are set to 660 or more restrictively
- 3.17 Ensure that the daemon.json file ownership is set to root:root
- 3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive
- 3.19 Ensure that the /etc/default/docker file ownership is set to root:root
- 3.20 Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively
- 3.21 Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively
- 3.22 Ensure that the /etc/sysconfig/docker file ownership is set to root:root
- 3.23 Ensure that the Containerd socket file ownership is set to root:root
- 3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively
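The controls above all reduce to the same two tests: the file is owned by the expected uid:gid, and its mode sets no permission bit that the benchmark's maximum mode does not set (that is what "644 or more restrictive" means). The following POSIX sh script is an added example, not part of the steampipe-mod-docker-compliance mod or of the CIS benchmark text; it re-implements that logic so the evaluation can be seen end to end. It assumes GNU coreutils `stat` (Linux); the function names `mode_within`, `cis_check`, `unit_path`, `audit_host` and `demo` are chosen here, and `demo` runs against a constructed temporary tree rather than a real host.

```shell
#!/bin/sh
# Added example (not part of the steampipe-mod-docker-compliance mod): a
# minimal POSIX-sh reimplementation of the CIS Docker 3.x ownership and
# permission checks. Assumes GNU coreutils `stat`; all function names are
# chosen here for illustration.

# Return 0 when every permission bit set in ACTUAL is also set in ALLOWED,
# i.e. ACTUAL is ALLOWED "or more restrictive". Both are octal strings.
mode_within() {
    actual=$(( 0$1 ))        # the leading 0 makes the shell parse octal
    allowed=$(( 0$2 ))
    [ $(( actual & ~allowed )) -eq 0 ]
}

# cis_check ID PATH UID:GID MAXMODE
# Ownership is compared numerically (root:root is 0:0; the docker group's
# gid comes from `getent group docker`). Prints one PASS/FAIL/SKIP line and
# returns 1 for FAIL, 0 for PASS or SKIP (an absent file is not a failure).
cis_check() {
    ctl=$1 path=$2 want_owner=$3 maxmode=$4
    if [ ! -e "$path" ]; then
        echo "$ctl SKIP $path: not present"
        return 0
    fi
    got_owner=$(stat -c '%u:%g' "$path")
    got_mode=$(stat -c '%a' "$path")
    if [ "$got_owner" != "$want_owner" ]; then
        echo "$ctl FAIL $path: owner $got_owner, expected $want_owner"
        return 1
    fi
    if ! mode_within "$got_mode" "$maxmode"; then
        echo "$ctl FAIL $path: mode $got_mode, expected $maxmode or more restrictive"
        return 1
    fi
    echo "$ctl PASS $path"
}

# Resolve a systemd unit name to its unit file (systemctl show -p FragmentPath).
# Prints nothing when systemd is absent, so the check above reports SKIP.
unit_path() {
    command -v systemctl >/dev/null 2>&1 || return 0
    systemctl show -p FragmentPath "$1" 2>/dev/null | cut -d= -f2
}

# Run a representative subset of the controls against the live host.
# Run as root; paths follow the benchmark's defaults.
audit_host() {
    dgid=$(getent group docker 2>/dev/null | cut -d: -f3)
    cis_check 3.1/3.2   "$(unit_path docker.service)"   0:0 644
    cis_check 3.3/3.4   "$(unit_path docker.socket)"    0:0 644
    cis_check 3.5/3.6   /etc/docker                     0:0 755
    cis_check 3.15/3.16 /var/run/docker.sock            "0:${dgid:-?}" 660
    cis_check 3.17/3.18 /etc/docker/daemon.json         0:0 644
    cis_check 3.23/3.24 /run/containerd/containerd.sock 0:0 660
}

# Constructed sample tree so the checks can be exercised offline. Ownership
# expectations use the current uid:gid because we create the files ourselves.
demo() {
    me=$(id -u):$(id -g)
    d=$(mktemp -d)
    fails=0
    printf '{}\n' > "$d/daemon.json";  chmod 644 "$d/daemon.json"
    : > "$d/server-cert.pem";          chmod 444 "$d/server-cert.pem"
    : > "$d/server-key.pem";           chmod 640 "$d/server-key.pem"  # too open for 3.14
    cis_check 3.18 "$d/daemon.json"     "$me" 644 || fails=$((fails + 1))
    cis_check 3.12 "$d/server-cert.pem" "$me" 444 || fails=$((fails + 1))
    cis_check 3.14 "$d/server-key.pem"  "$me" 400 || fails=$((fails + 1))
    cis_check 3.16 "$d/docker.sock"     "$me" 660 || fails=$((fails + 1))  # absent: SKIP
    rm -rf "$d"
    echo "controls failing: $fails"
}

case "${1:-}" in
    --demo)  demo ;;
    --audit) audit_host ;;
esac
```

Run `sh check.sh --demo` to see the constructed tree evaluated (one failure, for the key file at 640), or `sudo sh check.sh --audit` on a Docker host. Note that `mode_within` accepts any mode that is a subset of the maximum, so for 3.14 it treats 000 as acceptable where the control title says exactly 400; the mod's own checks are the authority on that detail.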