turbot/steampipe-mod-docker-compliance

Control: 4.1 Ensure that a user for the container has been created

Description

Containers should run as a non-root user.

It is good practice to run the container as a non-root user, where possible. This can be done either via the USER directive in the Dockerfile or through gosu or similar where used as part of the CMD or ENTRYPOINT directives.

Remediation

You should ensure that the Dockerfile for each container image contains the information below:

USER <username or ID>

In this case, the user name or ID refers to the user that was found in the container base image. If there is no specific user created in the container base image, then make use of the useradd command to add a specific user before the USER instruction in the Dockerfile. For example, add the below lines in the Dockerfile to create a user in the container:

RUN useradd -d /home/username -m -s /bin/bash username
USER username

Note: If there are users in the image that are not needed, you should consider deleting them. After deleting those users, commit the image and then generate new instances of the containers.

Alternatively, if it is not possible to set the USER directive in the Dockerfile, a script running as part of the CMD or ENTRYPOINT sections of the Dockerfile should be used to ensure that the container process switches to a non-root user.
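The entrypoint-script alternative described above, as an added example that is not part of the mod or of the CIS benchmark text. It assumes the image installs gosu (named on this page) and that a service account is passed in the hypothetical APP_USER variable; the decision logic lives in functions so it can be checked outside a container.

```shell
#!/bin/sh
# Hypothetical entrypoint.sh (added example): if the container was started as root,
# switch to a dedicated non-root account before exec'ing the real workload.
set -eu

# Prints the privilege-dropping prefix ("gosu <user>") when the caller is root,
# nothing when the container already runs as a non-root UID.
launch_prefix() {
  current_uid="$1"   # numeric UID the entrypoint is running as
  target_user="$2"   # non-root account the workload should run as
  if [ "$current_uid" -eq 0 ]; then
    printf '%s %s' gosu "$target_user"
  else
    :
  fi
}

# True when the account exists in the image's /etc/passwd. Without this check a
# missing user would make gosu fail, or worse, leave the workload running as root.
target_user_exists() {
  grep -q "^$1:" /etc/passwd
}

main() {
  APP_USER="${APP_USER:-appuser}"   # assumed variable name, set in the Dockerfile
  if [ "$(id -u)" -eq 0 ] && ! target_user_exists "$APP_USER"; then
    echo "entrypoint: user $APP_USER does not exist; refusing to start as root" >&2
    exit 1
  fi
  prefix=$(launch_prefix "$(id -u)" "$APP_USER")
  # Word splitting of $prefix is intended: it is either empty or "gosu <user>".
  # shellcheck disable=SC2086
  exec $prefix "$@"
}

# Only run main when installed and invoked as entrypoint.sh, so the functions
# above can be sourced and exercised on their own.
case "${0##*/}" in entrypoint.sh) main "$@" ;; esac
```

In the Dockerfile the script is wired in with ENTRYPOINT ["/entrypoint.sh"] and the workload as CMD; once exec'd through gosu, PID 1 of the container carries the non-root effective UID that the control below reads from /proc/1/status.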

Default Value

By default, containers are run with root privileges and also run as the root user inside the container.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_4_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_4_1 --share

SQL

This control uses a named query:

with hostname as (
  -- one row per Steampipe exec connection: the host name it reports
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
command_output as (
  -- effective UID (third field of the Uid: line in /proc/1/status) of PID 1
  -- in every running container on that host, one UID per line
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command
  where
    command = 'docker ps --quiet | xargs -I{} docker exec {} cat /proc/1/status | grep ''^Uid:'' | awk ''{print $3}'''
)
select
  host as resource,
  case
    -- match a whole line equal to 0; a substring test such as like '%0%'
    -- would also flag non-root UIDs that merely contain a zero, e.g. 1000
    when o.stdout_output ~ '(^|\n)0(\n|$)' then 'alarm'
    else 'ok'
  end as status,
  case
    when o.stdout_output ~ '(^|\n)0(\n|$)' then host || ' container process is running as root user.'
    else host || ' container process is not running as root user.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  command_output as o
where
  h.host_conn = o.conn;
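The classification step of the query above, run over constructed /proc/1/status output, as an added example that is not the mod's own code. It shows why the awk field is the effective UID and why the match has to be on a whole line rather than a substring.

```shell
#!/bin/sh
# Added example: classify the Uid: lines the control collects from each container.
# Constructed sample of what `cat /proc/1/status | grep '^Uid:'` returns across
# three containers; fields are real, effective, saved and filesystem UID.
SAMPLE_STATUS='Uid:	0	0	0	0
Uid:	1000	1000	1000	1000
Uid:	100	100	100	100'

# Constructed sample of a process whose real UID is 0 but whose effective UID is
# 1000: the control reads field 3, so this does not count as running as root.
SAMPLE_SETUID='Uid:	0	1000	1000	1000'

# Extract the effective UID (third whitespace-separated field after the "Uid:"
# label), exactly as the control's awk '{print $3}' does.
effective_uids() {
  printf '%s\n' "$1" | awk '/^Uid:/ {print $3}'
}

# Return "alarm" if any container's PID 1 has effective UID 0, otherwise "ok".
# grep -x matches the whole line, so 1000 and 100 (which contain the character
# 0) do not alarm; a like '%0%' style substring test would flag them.
classify() {
  if effective_uids "$1" | grep -qx '0'; then
    echo alarm
  else
    echo ok
  fi
}

# Number of containers whose PID 1 runs as root, useful for a more specific reason text.
root_count() {
  effective_uids "$1" | grep -cx '0' || true
}

# Stand-alone run over the constructed samples.
echo "mixed sample: $(classify "$SAMPLE_STATUS") ($(root_count "$SAMPLE_STATUS") root container(s))"
echo "setuid sample: $(classify "$SAMPLE_SETUID")"
```

The same whole-line rule is what the query's regular expression encodes in SQL; when reviewing findings, a container that alarms here is one whose init process has effective UID 0, which is the condition the remediation above (USER directive or a privilege-dropping entrypoint) removes.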

Tags