turbot/steampipe-mod-docker-compliance

Control: 2.11 Ensure base device size is not changed until needed

Description

Under certain circumstances you might need containers larger than 10G; where this applies, choose the base device size carefully. The base device size is an option of the devicemapper storage driver (dm.basesize) and only has an effect when that driver is in use.

The base device size can be increased on daemon restart. Increasing it makes all future images and containers use the new base device size. The option can only expand the base device size; shrinking is not permitted. The value affects the system-wide “base” empty filesystem that may already be initialized and is therefore inherited by pulled images.

Although the file system does not allocate the increased size while it is empty, more space is consumed as images and containers grow into the larger base device. This may cause a denial of service condition if the backing partition becomes full.

Remediation

Do not set --storage-opt dm.basesize (on the dockerd command line or via storage-opts in /etc/docker/daemon.json) until needed.

Default Value

The default base device size is 10G.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_11

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_11 --share

SQL

This control uses a named query:

with os_output as (
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
), hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
), command_output as (
  -- dockerd command line as seen in the process table
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and command = 'ps -ef | grep dockerd'
), linux_output as (
  -- storage-opts from daemon.json; an empty stdout (file absent) becomes NULL
  -- instead of failing the jsonb cast, and a missing key becomes ''
  select
    coalesce(nullif(btrim(stdout_output, E' \n\r\t'), '')::jsonb ->> 'storage-opts', '') as storage_opts,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and command = 'cat /etc/docker/daemon.json'
)
select
  host as resource,
  case
    when os.os ilike '%Darwin%' then 'skip'
    -- the default is only in effect when neither the command line
    -- (--storage-opt dm.basesize=... or --storage-opt=dm.basesize=...)
    -- nor daemon.json sets dm.basesize
    when o.stdout_output not like '%dm.basesize=%'
      and j.storage_opts not like '%dm.basesize=%' then 'ok'
    else 'alarm'
  end as status,
  case
    when os.os ilike '%Darwin%' then host || ' /etc/docker/daemon.json does not exist on ' || os.os || ' OS.'
    when o.stdout_output not like '%dm.basesize=%'
      and j.storage_opts not like '%dm.basesize=%' then host || ' Default base device size is set.'
    else host || ' Base device size is changed.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  os_output as os,
  command_output as o,
  linux_output as j
where
  os.os_conn = h.host_conn
  and h.host_conn = o.conn
  and h.host_conn = j.conn;
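The same check as a host-local shell script, added here as an example and not part of the mod. It inspects the two places the query reads, the dockerd command line from the process table and storage-opts in /etc/docker/daemon.json, accepts both spellings of the command-line flag, and treats a missing daemon.json as "not set" rather than as an error. The function names, the sample ps -ef lines and the sample daemon.json files are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of steampipe-mod-docker-compliance): a host-local
# version of CIS Docker 2.11. Function names and sample inputs are constructed.

# basesize_in_cmdline CMDLINE
# Returns 0 if the dockerd command line carries a dm.basesize storage option,
# in either "--storage-opt dm.basesize=..." or "--storage-opt=dm.basesize=..." form.
basesize_in_cmdline() {
    printf '%s\n' "$1" | grep -Eq -- '--storage-opt(=| +)dm\.basesize='
}

# basesize_in_daemon_json FILE
# Returns 0 if FILE exists and its "storage-opts" array mentions dm.basesize.
# A missing or empty file means the option is not set, i.e. the default applies.
basesize_in_daemon_json() {
    [ -s "$1" ] || return 1
    # strip all whitespace so a multi-line storage-opts array still matches
    tr -d ' \n\r\t' < "$1" | grep -q '"storage-opts":\[[^]]*dm\.basesize='
}

# check_basesize CMDLINE FILE
# Prints the control status and returns 0 for ok, 1 for alarm.
check_basesize() {
    if basesize_in_cmdline "$1" || basesize_in_daemon_json "$2"; then
        echo "alarm: base device size is changed"
        return 1
    fi
    echo "ok: default base device size is set"
    return 0
}

# --- constructed sample inputs ---------------------------------------------
SAMPLE_DIR=$(mktemp -d)

# daemon.json that changes the base device size (the setting this control flags)
cat > "$SAMPLE_DIR/daemon-changed.json" <<'EOF'
{
  "storage-driver": "devicemapper",
  "storage-opts": [
    "dm.basesize=50G"
  ]
}
EOF

# daemon.json that leaves the base device size at its default
cat > "$SAMPLE_DIR/daemon-default.json" <<'EOF'
{ "log-driver": "json-file" }
EOF

# ps -ef lines as they would appear for a running dockerd (constructed)
PS_DEFAULT='root  1234  1  0 10:00 ?  00:00:05 /usr/bin/dockerd -H fd://'
PS_CHANGED='root  1234  1  0 10:00 ?  00:00:05 /usr/bin/dockerd -H fd:// --storage-opt=dm.basesize=20G'

# Demonstration over the samples; "|| true" keeps the alarm cases from aborting
# the script when it runs under "set -e".
check_basesize "$PS_DEFAULT" "$SAMPLE_DIR/daemon-default.json"
check_basesize "$PS_CHANGED" "$SAMPLE_DIR/daemon-default.json" || true
check_basesize "$PS_DEFAULT" "$SAMPLE_DIR/daemon-changed.json" || true
check_basesize "$PS_DEFAULT" "$SAMPLE_DIR/does-not-exist.json"

# On a real host run it as:
#   check_basesize "$(ps -ef | grep '[d]ockerd')" /etc/docker/daemon.json
# The "[d]ockerd" pattern keeps the grep process itself out of the output.
```

The ps -ef line is matched with the pattern that requires the full `--storage-opt` flag followed by `dm.basesize=`, so a stray mention of the string elsewhere in the process table does not raise an alarm; the daemon.json match is scoped to the `storage-opts` array for the same reason.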

Tags