turbot/steampipe-mod-docker-compliance

Control: 1.1.1 Ensure a separate partition for containers has been created

Description

All Docker containers, together with their data and metadata, are stored under the /var/lib/docker directory. By default, /var/lib/docker sits on either the / or the /var partition, depending on how the Linux operating system in use is configured. Giving it a partition of its own means a runaway container or image pull can fill that partition without exhausting the filesystem the rest of the host depends on.

Remediation

For new installations, create a separate partition for the /var/lib/docker mount point. For systems that are already installed, use the Logical Volume Manager (LVM) to create a new logical volume and mount it at that path. If the daemon's data-root has been changed from the default, the same applies to that directory; the control checks the directory dockerd actually reports rather than assuming /var/lib/docker.
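The migration the remediation describes, written out as an added example that is not part of the steampipe-mod-docker-compliance mod or of the CIS benchmark text. It assumes a Linux host with LVM2, a systemd-managed dockerd, and a volume group with free space; the volume group name vg0, the logical volume name docker, the size 40G and the DRY_RUN switch are all illustrative. Every privileged command goes through a run wrapper that only prints the command unless DRY_RUN=0, so the plan can be reviewed before anything is touched.

```shell
#!/bin/sh
# Added example (not the mod's own code): move an existing Docker root
# directory onto its own LVM logical volume, as CIS 1.1.1 remediation asks.
# Assumed: Linux, LVM2, systemd-managed dockerd, XFS for the new volume.
# Dry-run by default: set DRY_RUN=0 (as root) to actually execute.

DRY_RUN=${DRY_RUN:-1}

# run CMD... -> prints the command, executes it only when DRY_RUN=0.
# A failing command propagates its status so set -e can stop the migration.
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# docker_fstab_line DEV ROOT -> the /etc/fstab entry that makes the mount
# persistent. No noexec/nosuid: image layers must be executable from here.
docker_fstab_line() {
  printf '%s %s xfs defaults 0 0\n' "$1" "$2"
}

# migrate_docker_root VG LV SIZE [ROOT] -> create the volume, copy the
# existing root onto it, mount it persistently and verify the result.
migrate_docker_root() {
  vg=$1 lv=$2 size=$3 root=${4:-/var/lib/docker}
  dev=/dev/$vg/$lv
  tmp=/mnt/docker-new

  # 1. Nothing may write to the root directory while it is being copied.
  run systemctl stop docker.socket docker.service

  # 2. Logical volume plus filesystem. overlay2 needs d_type support, which
  #    on XFS is ftype=1 (default on current xfsprogs, stated explicitly).
  run lvcreate -L "$size" -n "$lv" "$vg"
  run mkfs.xfs -n ftype=1 "$dev"

  # 3. Copy preserving hard links, ACLs and xattrs: image layers rely on
  #    all three. Then move the old tree aside and recreate the mount point.
  run mkdir -p "$tmp"
  run mount "$dev" "$tmp"
  run rsync -aHAX --numeric-ids "$root/" "$tmp/"
  run umount "$tmp"
  run mv "$root" "$root.old"
  run mkdir -p "$root"

  # 4. Persist the mount and activate it through fstab, so what is mounted
  #    now is exactly what comes back after a reboot.
  line=$(docker_fstab_line "$dev" "$root")
  run sh -c "echo '$line' >> /etc/fstab"
  run mount "$root"

  # 5. Verify with the same test the compliance query runs, then restart.
  #    Remove "$root.old" only after containers and images are confirmed.
  run mountpoint -- "$root"
  run systemctl start docker.socket docker.service
}

# Usage: DRY_RUN=1 sh migrate-docker-root.sh vg0 docker 40G   (review plan)
#        DRY_RUN=0 sh migrate-docker-root.sh vg0 docker 40G   (execute)
if [ $# -ge 3 ]; then migrate_docker_root "$@"; fi
```

Review the printed plan first: the lvcreate size, the volume group and the data-root path are the three values that differ between hosts.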

Default Value

By default, /var/lib/docker is mounted under the / or /var partition, depending on how the OS is configured.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_1_1_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_1_1_1 --share

SQL

This control uses a named query:

with os_output as (
  -- operating system of each connection, so the matching mount check is used
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
), hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
), linux_output as (
  -- mountpoint(1) prints "<dir> is a mountpoint" or "<dir> is not a mountpoint";
  -- the directory is taken from dockerd, so a non-default data-root is honoured
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and os_output.os = 'Linux'
    and command = E'mountpoint -- "$(docker info -f \'{{ .DockerRootDir }}\')"'
), darwin_output as (
  -- macOS has no mountpoint(1); an empty df match means no separate mount
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and os_output.os = 'Darwin'
    and command = E'df | grep "$(docker info -f \'{{ .DockerRootDir }}\')"'
), command_output as (
  select * from darwin_output
  union all
  select * from linux_output
)
select
  host as resource,
  case
    when o.stdout_output = '' or o.stdout_output like '%not a mountpoint%' then 'alarm'
    else 'ok'
  end as status,
  case
    when o.stdout_output = '' or o.stdout_output like '%not a mountpoint%' then host || ' configured Docker root directory is not a mount point.'
    else host || ' configured Docker root directory is a mount point.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  -- joined on the union so Darwin connections are reported as well as Linux ones
  command_output as o
where
  o.conn = h.host_conn;
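The same check the query runs, as an added example that is not part of the mod, for a host where Steampipe's exec plugin is not available. It assumes a Linux host; the Docker CLI is optional, because the directory can be passed explicitly, and the script fails closed when the root directory cannot be determined instead of guessing /var/lib/docker. The fallback to /proc/self/mounts is an addition for hosts without util-linux's mountpoint(1).

```shell
#!/bin/sh
# Added example (not the mod's own code): local check for CIS Docker 1.1.1,
# mirroring the query's "mountpoint -- $(docker info -f '{{ .DockerRootDir }}')".
# Assumed: Linux host; docker CLI optional when DIR is passed explicitly.

# is_mountpoint DIR -> exit 0 if DIR is a mount point, 1 otherwise.
# Uses mountpoint(1) when present; otherwise compares the resolved path with
# the kernel's mount table in /proc/self/mounts (what findmnt/mount read).
is_mountpoint() {
  dir=$1
  if command -v mountpoint >/dev/null 2>&1; then
    mountpoint -q -- "$dir"
    return $?
  fi
  [ -d "$dir" ] || return 1
  # Resolve symlinks: /var/lib/docker -> /data/docker must be compared as /data/docker.
  dir=$(cd -- "$dir" && pwd -P) || return 1
  awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }' /proc/self/mounts
}

# docker_root_dir -> prints the directory dockerd is actually using, which
# honours a data-root set in daemon.json; empty when dockerd is unreachable.
docker_root_dir() {
  docker info -f '{{ .DockerRootDir }}' 2>/dev/null
}

# cis_1_1_1 [DIR] -> prints ok/alarm like the query's status column.
# Exit status: 0 ok, 1 alarm, 2 if the directory cannot be determined
# (fail closed rather than silently evaluating the default path).
cis_1_1_1() {
  dir=$1
  if [ -z "$dir" ]; then
    dir=$(docker_root_dir)
    if [ -z "$dir" ]; then
      echo "error: cannot determine Docker root directory (is dockerd running?)" >&2
      return 2
    fi
  fi
  if is_mountpoint "$dir"; then
    printf 'ok: %s is a mount point\n' "$dir"
    return 0
  fi
  printf 'alarm: %s is not a mount point\n' "$dir"
  return 1
}

# Usage: sh cis_1_1_1.sh check            (ask dockerd for the root directory)
#        sh cis_1_1_1.sh check /data/docker  (check an explicit directory)
case "${1:-}" in
  check) cis_1_1_1 "${2:-}" ;;
esac
```

A bind mount of the same filesystem also satisfies mountpoint(1), so a passing result shows the directory is a mount point, not that it has its own capacity budget; confirm the device with findmnt or df when that distinction matters.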

Tags