turbot/steampipe-mod-docker-compliance

Control: 2.7 Ensure TLS authentication for Docker daemon is configured

Description

It is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.

By default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket.

If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.

Remediation

Follow the steps mentioned in the Docker documentation or other references.

Default Value

By default, TLS authentication is not configured.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_7 --share

SQL

This control uses a named query:

with os_output as (
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
), hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
linux_output as (
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and command = 'cat /etc/docker/daemon.json'
)
select
  host as resource,
  case
    when os.os ilike '%Darwin%' then 'skip'
    when o.stdout_output::jsonb->>'hosts' not like '%tcp%' then 'info'
    when o.stdout_output::jsonb->>'tlsverify' = 'true'
      and o.stdout_output::jsonb->>'tlscacert' <> ''
      and o.stdout_output::jsonb->>'tlscert' <> ''
      and o.stdout_output::jsonb->>'tlskey' <> '' then 'ok'
    else 'alarm'
  end as status,
  case
    when os.os ilike '%Darwin%' then host || ' /etc/docker/daemon.json does not exist on ' || os.os || ' OS.'
    when o.stdout_output::jsonb->>'hosts' not like '%tcp%' then host || ' Docker daemon not listening on TCP.'
    when o.stdout_output::jsonb->>'tlsverify' = 'true'
      and o.stdout_output::jsonb->>'tlscacert' <> ''
      and o.stdout_output::jsonb->>'tlscert' <> ''
      and o.stdout_output::jsonb->>'tlskey' <> '' then host || ' TLS authentication for Docker daemon is configured.'
    else host || ' TLS authentication for Docker daemon is not configured.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  os_output as os,
  linux_output as o
where
  os.os_conn = h.host_conn
  and h.host_conn = o.conn
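The Remediation section only points at the Docker documentation, and the query above reads the result of its checks out of `/etc/docker/daemon.json`. The added example below (not part of the mod) shows what a daemon.json that passes those checks looks like next to one that fails them, and re-implements the control's status logic in Python so it can be run locally against a captured daemon.json. The file contents, certificate paths and port numbers are constructed; an absent `hosts` key is treated as the default Unix-socket-only binding.

```python
import json

# Constructed daemon.json samples (not taken from the page or from any real host).
# Docker daemon reachable over TCP with no TLS client authentication at all.
INSECURE_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
# The four keys the control inspects: tlsverify plus CA, server cert and key paths.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/certs/ca.pem",
    "tlscert": "/etc/docker/certs/server-cert.pem",
    "tlskey": "/etc/docker/certs/server-key.pem",
})
# No "hosts" key: the daemon keeps its default, non-networked Unix socket.
LOCAL_ONLY_DAEMON_JSON = json.dumps({"log-driver": "json-file"})


def evaluate_daemon_json(raw):
    """Return (status, reason) following the control's case expression.

    status is one of 'info' (no TCP listener), 'ok' (TCP with TLS client
    authentication) or 'alarm' (TCP without it, or unreadable config).
    """
    if not raw.strip():
        # `cat /etc/docker/daemon.json` produced nothing: file missing or empty.
        return "alarm", "/etc/docker/daemon.json is missing or empty."
    cfg = json.loads(raw)
    hosts = cfg.get("hosts", [])
    if not any(h.startswith("tcp://") for h in hosts):
        return "info", "Docker daemon not listening on TCP."
    # The query compares the text form, so accept a JSON boolean or the string "true".
    tls_verify = str(cfg.get("tlsverify", "")).lower() == "true"
    certs_set = all(cfg.get(key) for key in ("tlscacert", "tlscert", "tlskey"))
    if tls_verify and certs_set:
        return "ok", "TLS authentication for Docker daemon is configured."
    return "alarm", "TLS authentication for Docker daemon is not configured."


if __name__ == "__main__":
    for label, sample in (("insecure", INSECURE_DAEMON_JSON),
                          ("hardened", HARDENED_DAEMON_JSON),
                          ("local-only", LOCAL_ONLY_DAEMON_JSON)):
        status, reason = evaluate_daemon_json(sample)
        print(f"{label:<10} {status:<6} {reason}")
```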