turbot/steampipe-mod-docker-compliance

Control: 7.2 Ensure that swarm services are bound to a specific host interface

Description

You should not keep a large number of containers on the same host.

The flexibility of containers makes it easy to run multiple instances of applications and therefore indirectly leads to Docker images that can exist at varying security patch levels. It also means that you are consuming host resources that otherwise could have been used for running 'useful' containers. Having more than just an essential number of containers on a particular host makes the system vulnerable to mishandling, misconfiguration and fragmentation. You should therefore keep the number of containers on a given host to the minimum number commensurate with serving production applications.

Remediation

You should periodically check your container inventory on each host and clean up containers which are not in active use with the command below:

docker container prune

Default Value

By default, Docker does not restrict the number of containers you may have on a host.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_7_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_7_2 --share

SQL

This control uses a named query:

-- Hostname of each host reached through the exec plugin, keyed by connection name.
with hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
-- Non-empty output here means Swarm mode is active on the host.
command_output as (
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command
  where
    command = 'docker info 2>/dev/null | grep -e "Swarm:*\sactive\s*"'
),
-- Only on hosts where Swarm is active: list TCP listeners on port 2377 whose
-- local address is a wildcard ([::], :::, * or 0.0.0.0). Any output here means
-- the swarm port is bound to all interfaces rather than a specific one.
json_output as (
  select
    e.stdout_output,
    e._ctx ->> 'connection_name' as conn
  from
    exec_command as e,
    command_output as c
  where
    c.conn = e._ctx ->> 'connection_name'
    and c.stdout_output <> ''
    and e.command = 'netstat -lnt | grep -e ''\\[::]:2377 '' -e '':::2377'' -e ''*:2377 '' -e '' 0\.0\.0\.0:2377 '''
)
select
  h.host as resource,
  case
    when o.stdout_output = '' then 'ok'
    -- empty grep output: no wildcard listener on 2377, so the binding is specific
    when j.stdout_output = '' then 'ok'
    else 'alarm'
  end as status,
  case
    when o.stdout_output = '' then h.host || ' Swarm mode not enabled.'
    when j.stdout_output = '' then h.host || ' swarm services are bound to a specific host interface.'
    else h.host || ' swarm services are not bound to a specific host interface.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h
  left join command_output as o on h.host_conn = o.conn
  left join json_output as j on o.conn = j.conn;
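The same audit logic the query carries out through exec_command, as an added shell example that is not part of the steampipe-mod-docker-compliance project. It reuses the control's grep patterns for wildcard listeners on port 2377 and runs them over constructed netstat output instead of a live host; the function names, the `active` argument and both samples are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not project code): evaluate whether the Swarm manager port
# is bound to a specific interface, using the control's own grep patterns.

# Same patterns as the control's netstat command. Each one only matches a
# listener on port 2377 whose local address is a wildcard, i.e. bound to
# every interface: [::]:2377, :::2377, *:2377 or 0.0.0.0:2377.
wildcard_2377_listeners() {
  grep -e '\[::]:2377 ' -e ':::2377' -e '*:2377 ' -e ' 0\.0\.0\.0:2377 '
}

# Mirrors the control's three outcomes.
#   $1    = swarm state for the host ("active" or anything else)
#   stdin = output of `netstat -lnt` on that host
# Prints one line with status and reason; always returns 0 so it can be used
# in command substitution.
classify_swarm_binding() {
  swarm_state=$1
  if [ "$swarm_state" != "active" ]; then
    echo "ok: Swarm mode not enabled."
    return 0
  fi
  if wildcard_2377_listeners >/dev/null; then
    echo "alarm: swarm services are not bound to a specific host interface."
    return 0
  fi
  echo "ok: swarm services are bound to a specific host interface."
  return 0
}

# Constructed sample: manager listening on the IPv6 any-address (:::2377).
SAMPLE_WILDCARD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::2377                 :::*                    LISTEN'

# Constructed sample: manager bound to a single host address.
SAMPLE_SPECIFIC='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:2377           0.0.0.0:*               LISTEN'

# Demonstration run on the constructed samples.
printf '%s\n' "$SAMPLE_WILDCARD" | classify_swarm_binding active
printf '%s\n' "$SAMPLE_SPECIFIC" | classify_swarm_binding active
printf '%s\n' "$SAMPLE_WILDCARD" | classify_swarm_binding inactive
```

On a real manager node, `netstat -lnt | classify_swarm_binding active` gives the same verdict the control reports for that host; the pattern list is the part worth keeping in sync with the query if either is changed.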

Tags