aquasecurity/docker-bench

id:1.1.8(cis-1.3.1) was a False Alarm in detection.

y4ney opened this issue · 1 comment

y4ney commented

Environment

uname -a
Linux ubuntu 6.2.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 00:41:18 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
docker version
Client: Docker Engine - Community
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.6
 Git commit:        ced0996
 Built:             Fri Jul 21 20:36:04 2023
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.6
  Git commit:       a61e2b4
  Built:            Fri Jul 21 20:36:04 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Check Item

  - id: 1.1.8
    description: "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
    audit: |
      test_file=$(grep 'containerd.sock' /etc/containerd/config.toml | awk -F "=" '{print $2}')
      if test -f "$test_file"; then
        auditctl -l | grep $test_file
      fi
    tests:
      test_items:
      - flag: "containerd.sock"
        set: true
    remediation: |
      If the file exists, you should add a rule for it. 
      For example: 
      Add the line below to the /etc/audit/audit.rules file:
      -w /run/containerd/containerd.sock -k docker
      Then restart the audit daemon. 
      For example:
      systemctl restart auditd
    scored: true

Step

Add audit for containerd.sock according to the remediation

  1. Add rule for audit
vi /etc/audit/rules.d/audit.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

## docker-bench 1.1.8
-w /run/containerd/containerd.sock -k docker
  2. restart audit
systemctl restart auditd
  3. ran docker-bench again and the result was FAIL
./docker-bench --check="1.1.8"
[INFO] 20.04 CIS Docker Community Edition Benchmark
[INFO] 1.1 Linux Hosts Specific Configuration
[FAIL] 1.1.8 Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)

== Remediations ==
1.1.8 If the file exists, you should add a rule for it.
For example:
Add the line below to the /etc/audit/audit.rules file:
-w /run/containerd/containerd.sock -k docker
Then restart the audit daemon.
For example:
systemctl restart auditd


== Summary ==
0 checks PASS
1 checks FAIL
0 checks WARN
0 checks INFO

Expect

PASS
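As an added example, not code from the issue or from docker-bench, the POSIX shell script below replays the path extraction that the 1.1.8 audit performs (`grep ... | awk -F "=" '{print $2}'`) on a constructed `[grpc]` stanza in the default containerd config.toml layout, puts a corrected extraction beside it, and matches the result against a constructed `auditctl -l` listing that contains the rule from the remediation. The stanza contents, the listing and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not docker-bench code): replay the 1.1.8 path extraction and
# show why the string it produces can never satisfy "test -f".

# Constructed [grpc] stanza in the default containerd layout (assumption).
SAMPLE_CONFIG='[grpc]
  address = "/run/containerd/containerd.sock"
  tcp_address = ""'

# Constructed `auditctl -l` listing with the remediation rule loaded (assumption).
SAMPLE_AUDITCTL='-w /run/containerd/containerd.sock -p rwxa -k docker
-w /usr/bin/dockerd -p rwxa -k docker'

# Exactly the extraction the 1.1.8 audit performs: awk splits on "=", so $2
# keeps the space after "=" and the TOML quotes around the value.
extract_path_as_check() {
    printf '%s\n' "$SAMPLE_CONFIG" | grep 'containerd.sock' | awk -F "=" '{print $2}'
}

# Corrected extraction: drop whitespace and quotes so the result is a plain path.
extract_path_fixed() {
    printf '%s\n' "$SAMPLE_CONFIG" | grep 'containerd.sock' | awk -F "=" '{print $2}' | tr -d ' "'
}

# Does the auditctl listing on stdin contain a watch (-w) on exactly this path?
# Field-exact matching avoids a prefix such as .../containerd.sock.bak passing.
has_watch_rule() {
    awk -v p="$1" '$1 == "-w" && $2 == p { found = 1 } END { exit !found }'
}

# The check as a practitioner would write it: a Unix socket is never a regular
# file, so "test -f" is always false for it; "test -S" is the right predicate.
audit_check_fixed() {
    sock=$(extract_path_fixed)
    if [ -S "$sock" ]; then
        auditctl -l | has_watch_rule "$sock"
    else
        return 2    # socket absent: containerd not running or non-default path
    fi
}

# Demonstration on the constructed data.
raw=$(extract_path_as_check)
clean=$(extract_path_fixed)
printf 'as check: [%s]\nfixed:    [%s]\n' "$raw" "$clean"
if printf '%s\n' "$SAMPLE_AUDITCTL" | has_watch_rule "$clean"; then
    echo "watch rule found for $clean"
fi
if printf '%s\n' "$SAMPLE_AUDITCTL" | has_watch_rule "$raw"; then
    echo "watch rule found for the raw string"
else
    echo "no watch rule matches the raw string [$raw]"
fi
```

The raw value is ` "/run/containerd/containerd.sock"` (leading space, quotes included), which is not a path that exists, so the audit's `if test -f "$test_file"` branch is skipped and nothing containing `containerd.sock` is ever printed for the `tests` stanza to find. Even with the quotes removed, `test -f` would still reject the socket; `audit_check_fixed` uses `test -S` for that reason.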