turbot/steampipe-mod-docker-compliance

Control: 2.16 Ensure Userland Proxy is Disabled

Description

The Docker daemon starts a userland proxy process (docker-proxy) for port forwarding whenever a container port is published with -p. Where hairpin NAT is available, this process is generally superfluous and can be disabled, either with the --userland-proxy=false flag on the dockerd command line or with "userland-proxy": false in /etc/docker/daemon.json.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_16

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_16 --share

SQL

This control uses a named query:

-- Host name of each connection, used as the resource name.
with hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
-- The dockerd process line. Only the command-line flags are inspected here,
-- so a daemon.json setting of "userland-proxy": false is not visible to this
-- control and will be reported as an alarm.
command_output as (
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command
  where
    command = 'ps -ef | grep dockerd'
)
select
  host as resource,
  case
    when o.stdout_output like '%--userland-proxy=false%' then 'ok'
    else 'alarm'
  end as status,
  case
    when o.stdout_output like '%--userland-proxy=false%' then host || ' userland proxy is disabled.'
    else host || ' userland proxy is enabled.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  command_output as o
where
  h.host_conn = o.conn;
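The query above only inspects the dockerd command line, so a daemon that disables the proxy through daemon.json, or spells the flag as --userland-proxy=0, is reported as an alarm. The following host-side check is an added example, not code from the steampipe mod: it evaluates the same condition over both sources. The function names, the sample ps output and the sample daemon.json contents are constructed for illustration; the accepted flag spellings are those Go's strconv.ParseBool allows for a boolean flag, which is what dockerd's flag parser uses.

```shell
#!/bin/sh
# Added example (not part of turbot/steampipe-mod-docker-compliance): checks
# CIS Docker 2.16 from the dockerd command line and from daemon.json.

# Constructed stand-ins for `ps -ef | grep dockerd` output and for the
# contents of /etc/docker/daemon.json.
PS_FLAG_OFF='root  812  1  0 09:01 ?  00:00:04 /usr/bin/dockerd -H fd:// --userland-proxy=false'
PS_FLAG_ZERO='root  812  1  0 09:01 ?  00:00:04 /usr/bin/dockerd -H fd:// --userland-proxy=0'
PS_DEFAULT='root  812  1  0 09:01 ?  00:00:04 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
JSON_OFF='{ "log-driver": "json-file", "userland-proxy": false }'
JSON_ON='{ "userland-proxy": true }'
JSON_NONE='{ "log-driver": "json-file" }'

# flag_disables_proxy PS_OUTPUT
# Succeeds when the dockerd command line carries --userland-proxy with a
# false value in any spelling ParseBool accepts (false, False, FALSE, f, F, 0).
# The grep process that ran the search is dropped first.
flag_disables_proxy() {
    printf '%s\n' "$1" \
        | grep -v 'grep dockerd' \
        | grep -Eq -- '--userland-proxy=(false|False|FALSE|f|F|0)([[:space:]]|$)'
}

# json_disables_proxy DAEMON_JSON
# Succeeds when daemon.json sets "userland-proxy": false. This is a pattern
# match rather than a JSON parse; prefer jq on hosts where it is installed.
json_disables_proxy() {
    printf '%s\n' "$1" \
        | grep -Eq '"userland-proxy"[[:space:]]*:[[:space:]]*false'
}

# userland_proxy_status PS_OUTPUT DAEMON_JSON
# Prints "ok" or "alarm", mirroring the control's status column. Either
# source is sufficient on its own: dockerd refuses to start when the same
# option is given both as a flag and in daemon.json, so a running daemon
# never has conflicting values.
userland_proxy_status() {
    if flag_disables_proxy "$1" || json_disables_proxy "$2"; then
        echo ok
    else
        echo alarm
    fi
}

# Stand-alone run over the constructed inputs.
printf '%s  flag=false, no daemon.json setting\n' "$(userland_proxy_status "$PS_FLAG_OFF" "$JSON_NONE")"
printf '%s  flag=0, no daemon.json setting\n'     "$(userland_proxy_status "$PS_FLAG_ZERO" "$JSON_NONE")"
printf '%s  no flag, daemon.json false\n'         "$(userland_proxy_status "$PS_DEFAULT" "$JSON_OFF")"
printf '%s  no flag, daemon.json true\n'          "$(userland_proxy_status "$PS_DEFAULT" "$JSON_ON")"
printf '%s  no flag, no daemon.json setting\n'    "$(userland_proxy_status "$PS_DEFAULT" "$JSON_NONE")"
```

On a real host, pass the live values instead of the constructed ones: userland_proxy_status "$(ps -ef | grep dockerd)" "$(cat /etc/docker/daemon.json 2>/dev/null)". A missing daemon.json yields an empty second argument, which the JSON check treats as "not disabled".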

Tags