turbot/docker_compliance

Query: exec_auditing_configured_usr_bin_containerd_shim

Usage

powerpipe query docker_compliance.query.exec_auditing_configured_usr_bin_containerd_shim

Steampipe Tables

SQL

with os_output as (
select
btrim(stdout_output, E ' \n\r\t') as os,
_ctx ->> 'connection_name' as os_conn
from
exec_command
where
command = 'uname -s'
),
hostname as (
select
btrim(stdout_output, E ' \n\r\t') as host,
_ctx ->> 'connection_name' as host_conn,
_ctx
from
exec_command
where
command = 'hostname'
),
linux_output as (
select
stdout_output,
_ctx ->> 'connection_name' as conn
from
exec_command,
os_output
where
os_conn = _ctx ->> 'connection_name'
and command = 'sudo -n auditctl -l | grep /usr/bin/containerd-shim'
)
select
host as resource,
case
when os.os ilike '%Darwin%' then 'skip'
when o.stdout_output = '' then 'alarm'
else 'ok'
end as status,
case
when os.os ilike '%Darwin%' then host || ' /usr/bin/containerd-shim does not exist on ' || os.os || ' OS.'
when o.stdout_output = '' then host || ' /usr/bin/containerd-shim auditing is not configured.'
else host || ' /usr/bin/containerd-shim auditing is configured.'
end as reason,
h._ctx ->> 'connection_name' as connection_name
from
hostname as h,
os_output as os,
linux_output as o
where
os.os_conn = h.host_conn
and h.host_conn = o.conn;

Controls

The query is being used by the following controls: