turbot/steampipe-mod-docker-compliance

Control: 2.8 Ensure the default ulimit is configured appropriately

Description

Set the default ulimit options as appropriate in your environment.

ulimit provides control over the resources available to the shell and to the processes it starts. Setting system resource limits judiciously can save you from disasters such as a fork bomb. On occasion, even friendly users and legitimate processes can overuse system resources and make the system unusable. Setting the default ulimit for the Docker daemon enforces that ulimit for all container instances, so you do not need to set up ulimit for each container individually. The default ulimit can still be overridden at container runtime if needed. Therefore, to keep proper control over system resources, define a default ulimit suited to your environment.

Remediation

Run Docker in daemon mode and pass --default-ulimit as an argument, with the respective ulimits set as appropriate for your environment and in line with your security policy. For example:

dockerd --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200

Default Value

By default, no ulimit is set.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_8

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_8 --share

SQL

This control uses a named query:

-- Operating system reported by each connection (used to skip Darwin hosts).
with os_output as (
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
),
-- Hostname of each connection; also used as the resource name in the result.
hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
-- Running dockerd command line, to detect --default-ulimit passed as a flag.
command_output as (
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and command = 'ps -ef | grep dockerd'
),
-- Contents of /etc/docker/daemon.json, to detect the setting in the config file.
linux_output as (
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and command = 'cat /etc/docker/daemon.json'
)
select
  host as resource,
  case
    when os.os ilike '%Darwin%' then 'skip'
    when o.stdout_output like '%--default-ulimit%'
      or j.stdout_output::jsonb ->> 'default-ulimit' <> '' then 'ok'
    else 'alarm'
  end as status,
  case
    when os.os ilike '%Darwin%' then host || ' /etc/docker/daemon.json does not exist on ' || os.os || ' OS.'
    when o.stdout_output like '%--default-ulimit%'
      or j.stdout_output::jsonb ->> 'default-ulimit' <> '' then host || ' Default ulimit is set.'
    else host || ' Default ulimit is not set.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  os_output as os,
  command_output as o,
  linux_output as j
where
  os.os_conn = h.host_conn
  and h.host_conn = o.conn
  and h.host_conn = j.conn;
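The same verdict logic, applied locally to the output of the two commands the query runs, as an added example that is not part of the mod. The ps and daemon.json samples are constructed; it accepts both the "default-ulimits" key documented for daemon.json and the "default-ulimit" spelling the query tests, and treats an absent file (empty cat output) or invalid JSON as "not set" rather than failing.

```python
import json
import shlex

# Constructed sample command output (not captured from a real host); the
# second ps line is the `grep dockerd` process that `ps -ef | grep` also matches.
PS_WITH_FLAG = ("root 1234 1 0 10:00 ? 00:00:01 /usr/bin/dockerd "
                "--default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200\n"
                "root 5678 5600 0 10:01 pts/0 00:00:00 grep dockerd\n")
PS_WITHOUT_FLAG = ("root 1234 1 0 10:00 ? 00:00:01 /usr/bin/dockerd -H fd://\n"
                   "root 5678 5600 0 10:01 pts/0 00:00:00 grep dockerd\n")
DAEMON_JSON_SET = '{"default-ulimits": {"nofile": {"Name": "nofile", "Hard": 200, "Soft": 100}}}'
DAEMON_JSON_MISSING = ""  # `cat` of an absent file writes nothing to stdout

def ulimits_from_cmdline(ps_output):
    """Return {name: 'soft:hard'} for each --default-ulimit on the dockerd command line."""
    found = {}
    for line in ps_output.splitlines():
        argv = shlex.split(line)
        # ps -ef columns are UID PID PPID C STIME TTY TIME CMD, so CMD starts at index 7
        if len(argv) < 8 or not argv[7].endswith("dockerd"):
            continue  # drops the grep process and any unrelated line
        args = argv[8:]
        for i, arg in enumerate(args):
            if arg == "--default-ulimit" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                found[name] = value
    return found

def ulimits_from_daemon_json(text):
    """Parse daemon.json; empty output (file absent) or invalid JSON means no limits."""
    if not text.strip():
        return {}
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError:
        return {}
    # "default-ulimits" is the documented key; "default-ulimit" is what the query above tests
    limits = cfg.get("default-ulimits", cfg.get("default-ulimit")) if isinstance(cfg, dict) else None
    return dict(limits) if isinstance(limits, dict) else {}

def evaluate(os_name, ps_output, daemon_json_text):
    """Mirror the control's verdict: skip on Darwin, ok if either source sets a limit."""
    if "darwin" in os_name.lower():
        return "skip", "/etc/docker/daemon.json does not exist on " + os_name
    limits = {**ulimits_from_daemon_json(daemon_json_text), **ulimits_from_cmdline(ps_output)}
    if limits:
        return "ok", "Default ulimit is set: " + ", ".join(sorted(limits))
    return "alarm", "Default ulimit is not set."
```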

Tags