Control: 3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively
Description
You should verify that the /etc/docker directory permissions are set to 755 or more restrictively.
The /etc/docker directory contains certificates and keys in addition to various other sensitive
files. It should therefore be writable only by root, so that it cannot be modified
by a less privileged user.
Remediation
You should run the following command:
chmod 755 /etc/docker
This sets the permissions for the directory to 755.
Default Value
By default, the permissions for this directory are set to 755.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_3_6
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run docker_compliance.control.cis_v160_3_6 --share
SQL
This control uses a named query:
with os_output as (
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
), hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
linux_output as (
  select
    stdout_output,
    stderr_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and command = 'stat -c %a /etc/docker'
)
select
  host as resource,
  case
    when os.os ilike '%Darwin%' then 'skip'
    when o.stderr_output like '%No such file or directory%' then 'skip'
    when o.stdout_output like '%755%' then 'ok'
    else 'alarm'
  end as status,
  case
    when os.os ilike '%Darwin%' then host || ' /etc/docker does not exist on ' || os.os || ' OS.'
    when o.stderr_output like '%No such file or directory%' then host || ' recommendation is not applicable as the file is unavailable.'
    else host || ' /etc/docker directory permission set to ' || (btrim(o.stdout_output, E' \n\r\t')) || '.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  os_output as os,
  linux_output as o
where
  os.os_conn = h.host_conn
  and h.host_conn = o.conn;
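The named query above reports ok only when the stat output contains 755, so a directory hardened to 700 would alarm. The Python below, added here and not part of the docker_compliance mod, applies the benchmark's "755 or more restrictive" rule bitwise (700 passes; 775 or 1755 alarms) while keeping the query's skip logic for Darwin hosts and a missing directory. The evaluate and check_directory names are this example's own.

```python
import os
import platform
import socket
import stat
import tempfile

# Added example, not the docker_compliance mod's own code.
BASELINE = 0o755  # rwxr-xr-x, the CIS 3.6 reference mode for /etc/docker


def parse_stat_mode(stat_output: str) -> int:
    """Parse `stat -c %a` output (e.g. '755', or '1755' with sticky bit) as octal."""
    return int(stat_output.strip(), 8)


def at_most_as_permissive(mode: int, baseline: int = BASELINE) -> bool:
    """True when `mode` grants no permission bit that `baseline` lacks.
    All 12 bits are compared (setuid/setgid/sticky plus rwx), so 1755 fails."""
    return (mode & ~baseline & 0o7777) == 0


def evaluate(host: str, os_name: str, stdout: str, stderr: str) -> tuple:
    """Same status/reason shape as the named query, with the bitwise comparison."""
    if "darwin" in os_name.lower():
        return "skip", f"{host} /etc/docker does not exist on {os_name} OS."
    if "No such file or directory" in stderr:
        return "skip", f"{host} recommendation is not applicable as the file is unavailable."
    mode = stdout.strip()
    status = "ok" if at_most_as_permissive(parse_stat_mode(mode)) else "alarm"
    return status, f"{host} /etc/docker directory permission set to {mode}."


def check_directory(path: str) -> tuple:
    """Evaluate a real directory with os.stat instead of the exec_command plugin."""
    host, os_name = socket.gethostname(), platform.system()
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return evaluate(host, os_name, "", "No such file or directory")
    return evaluate(host, os_name, format(mode, "o"), "")


if __name__ == "__main__":
    # Constructed sample: a temp dir at the default 755, hardened to 700, then loosened to 775.
    with tempfile.TemporaryDirectory() as d:
        for m in (0o755, 0o700, 0o775):
            os.chmod(d, m)
            print(format(m, "o"), check_directory(d))
```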