Control: 1.1.3 Ensure auditing is configured for the Docker daemon
Description
Audit all Docker daemon activities. As well as auditing the normal Linux file system and system calls, you should also audit the Docker daemon. Because this daemon runs with root privileges. It is very important to audit its activities and usage.
Remediation
You should add rules for the Docker daemon. For example:
Add the line below to the /etc/audit/rules.d/audit.rules file:
-w /usr/bin/dockerd -k docker
Then, restart the audit daemon using the following command
systemctl restart auditd
Default Value
By default, the Docker daemon is not audited.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_1_1_3Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_1_1_3 --shareSQL
This control uses a named query:
with os_output as ( select btrim(stdout_output, E' \n\r\t') as os, _ctx ->> 'connection_name' as os_conn from exec_command where command = 'uname -s'), hostname as ( select btrim(stdout_output, E' \n\r\t') as host, _ctx ->> 'connection_name' as host_conn, _ctx from exec_command where command = 'hostname'),
linux_output as ( select stdout_output, _ctx ->> 'connection_name' as conn from exec_command, os_output where os_conn = _ctx ->> 'connection_name' and command = 'sudo -n auditctl -l | grep /usr/bin/dockerd')select host as resource, case when os.os ilike '%Darwin%' then 'skip' when o.stdout_output = '' then 'alarm' else 'ok' end as status, case when os.os ilike '%Darwin%' then host || ' /usr/bin/dockerd does not exist on ' || os.os || ' OS.' when o.stdout_output = '' then host || ' Docker daemon auditing is not configured.' else host || ' Docker daemon auditing is configured.' end as reason , h._ctx ->> 'connection_name' as connection_namefrom hostname as h, os_output as os, linux_output as owhere os.os_conn = h.host_conn and os.os_conn = o.conn;