turbot/steampipe-mod-docker-compliance

Control: 2.4 Ensure Docker is allowed to make changes to iptables

Description

Set Docker daemon log level to info.

Setting an appropriate log level configures the Docker daemon to log the events you would want to review later. A base log level of info and above captures all logs except debug logs. Unless it is required, you should not run the Docker daemon at the debug log level.

Remediation

Ensure that the Docker daemon configuration file has the following configuration included:

"log-level": "info"

Alternatively, run the Docker daemon as below:

dockerd --log-level="info"

Default Value

By default, Docker daemon is set to log level of info.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_4 --share

SQL

This control uses a named query:

with hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
command_output as (
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command
  where
    command = 'ps -ef | grep dockerd'
)
select
  host as resource,
  case
    when o.stdout_output like '%--iptables=false%' then 'ok'
    when o.stdout_output not like '%--iptables%' then 'ok'
    else 'alarm'
  end as status,
  case
    when o.stdout_output like '%--iptables=false%' then host || ' iptables is set to false.'
    when o.stdout_output not like '%--iptables%' then host || ' iptables not set.'
    else host || ' iptables are set to true.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  command_output as o
where
  o.conn = h.host_conn;
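The named query above keys only on the text of `ps -ef | grep dockerd`, so it sees a flag such as `--iptables=false` but not the same option set in `/etc/docker/daemon.json`, and the output it matches against always includes the `grep dockerd` line itself. The following Python is an added example, not code from the mod or from Turbot: it resolves a daemon option from both the command line and `daemon.json` (dockerd refuses to start when the same option appears in both, so that case is reported instead of guessed), then applies two checks on the same machinery: the iptables check for this control, where the finding is taken to be iptables management effectively disabled as the control title describes, and the log-level check from the Remediation section above. The `ps` output, the `daemon.json` content, and the function names are constructed for the example.

```python
import json
import shlex

# Constructed sample of what `ps -ef | grep dockerd` returns on a host; the last
# line is the grep process itself, which that pipeline always includes.
SAMPLE_PS_OUTPUT = """\
root      1234     1  0 09:12 ?        00:00:03 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --iptables=false
root      5678  5600  0 09:40 pts/0    00:00:00 grep dockerd
"""

# Constructed sample of /etc/docker/daemon.json (hypothetical content).
SAMPLE_DAEMON_JSON = '{"log-level": "debug"}'

# Spellings Go-style boolean flags accept.
BOOL_WORDS = {"1": True, "t": True, "true": True, "0": False, "f": False, "false": False}


def dockerd_argv(ps_output):
    """Return argv of the first real dockerd process in `ps -ef` output, or None.
    The grep line is skipped by checking the executable name, not by substring match."""
    for line in ps_output.splitlines():
        fields = line.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8:
            continue
        argv = shlex.split(fields[7])
        if argv and argv[0].rsplit("/", 1)[-1] == "dockerd":
            return argv
    return None


def flag_value(argv, name, boolean=False):
    """Raw value of --name on a dockerd command line, or None when absent.
    Boolean flags are --name or --name=value; string flags also allow --name value."""
    for i, tok in enumerate(argv):
        if tok.startswith(f"--{name}="):
            return tok.split("=", 1)[1]
        if tok == f"--{name}":
            if boolean:
                return "true"  # bare boolean flag means true
            if i + 1 < len(argv):
                return argv[i + 1]  # e.g. --log-level info
    return None


def effective_setting(argv, config, flag, key, default, boolean=False):
    """Resolve one daemon option -> (value, source).
    dockerd refuses to start when an option is given both as a flag and in
    daemon.json, so that case raises instead of silently picking one."""
    cli = flag_value(argv, flag, boolean)
    file_val = config.get(key)
    if cli is not None and file_val is not None:
        raise ValueError(f"{flag} set both as a flag and in daemon.json")
    if cli is not None:
        return (BOOL_WORDS[cli.lower()] if boolean else cli), "flag"
    if file_val is not None:
        return file_val, "daemon.json"
    return default, "default"


def _load_config(daemon_json_text):
    return json.loads(daemon_json_text) if daemon_json_text.strip() else {}


def check_iptables(ps_output, daemon_json_text, host="host"):
    """Control 2.4 for one host -> (status, reason). Assumption (mine, not the
    mod's): the finding is iptables management effectively disabled."""
    argv = dockerd_argv(ps_output)
    if argv is None:
        return "skip", f"{host} dockerd is not running."
    try:
        enabled, source = effective_setting(argv, _load_config(daemon_json_text),
                                            "iptables", "iptables", True, boolean=True)
    except ValueError as exc:
        return "error", f"{host} {exc}."
    if enabled:
        return "ok", f"{host} iptables is enabled ({source})."
    return "alarm", f"{host} iptables is set to false ({source})."


def check_log_level(ps_output, daemon_json_text, host="host"):
    """Remediation check from the Description: alarm only on the debug level."""
    argv = dockerd_argv(ps_output)
    if argv is None:
        return "skip", f"{host} dockerd is not running."
    try:
        level, source = effective_setting(argv, _load_config(daemon_json_text),
                                          "log-level", "log-level", "info")
    except ValueError as exc:
        return "error", f"{host} {exc}."
    if str(level).lower() == "debug":
        return "alarm", f"{host} log level is debug ({source})."
    return "ok", f"{host} log level is {level} ({source})."


if __name__ == "__main__":
    print(check_iptables(SAMPLE_PS_OUTPUT, SAMPLE_DAEMON_JSON, "node-1"))
    print(check_log_level(SAMPLE_PS_OUTPUT, SAMPLE_DAEMON_JSON, "node-1"))
```

On the constructed sample the iptables check raises an alarm from the command-line flag while the log-level check raises one from `daemon.json`; the SQL control above would have seen only the first, since it never reads the file.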

Tags