id:1.1.8(cis-1.3.1) was a False Alarm in detection.
y4ney opened this issue · 1 comments
y4ney commented
Environment
uname -a
Linux ubuntu 6.2.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 00:41:18 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
docker version
Client: Docker Engine - Community
Version: 24.0.5
API version: 1.43
Go version: go1.20.6
Git commit: ced0996
Built: Fri Jul 21 20:36:04 2023
OS/Arch: linux/arm64
Context: default
Server: Docker Engine - Community
Engine:
Version: 24.0.5
API version: 1.43 (minimum version 1.12)
Go version: go1.20.6
Git commit: a61e2b4
Built: Fri Jul 21 20:36:04 2023
OS/Arch: linux/arm64
Experimental: false
containerd:
Version: 1.6.22
GitCommit: 8165feabfdfe38c65b599c4993d227328c231fca
runc:
Version: 1.1.8
GitCommit: v1.1.8-0-g82f18fe
docker-init:
Version: 0.19.0
GitCommit: de40ad0
Check Item
- id: 1.1.8
  description: "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
  audit: |
    test_file=$(grep 'containerd.sock' /etc/containerd/config.toml | awk -F "=" '{print $2}')
    if test -f "$test_file"; then
      auditctl -l | grep $test_file
    fi
  tests:
    test_items:
      - flag: "containerd.sock"
        set: true
  remediation: |
    If the file exists, you should add a rule for it.
    For example:
    Add the line below to the /etc/audit/audit.rules file:
    -w /run/containerd/containerd.sock -k docker
    Then restart the audit daemon.
    For example:
    systemctl restart auditd
  scored: true
Step
Add audit for containerd.sock according to the remediation
- Add rule for audit
vi /etc/audit/rules.d/audit.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
## docker-bench 1.1.8
-w /run/containerd/containerd.sock -k docker
- restart audit
systemctl restart auditd
- ran docker-bench again and the result was
FAIL
./docker-bench --check="1.1.8"
[INFO] 20.04 CIS Docker Community Edition Benchmark
[INFO] 1.1 Linux Hosts Specific Configuration
[FAIL] 1.1.8 Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
== Remediations ==
1.1.8 If the file exists, you should add a rule for it.
For example:
Add the line below to the /etc/audit/audit.rules file:
-w /run/containerd/containerd.sock -k docker
Then restart the audit daemon.
For example:
systemctl restart auditd
== Summary ==
0 checks PASS
1 checks FAIL
0 checks WARN
0 checks INFO
Expect
PASS
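The false alarm described in this issue, reproduced as an added example (this is not docker-bench's own code): the check's audit field extracts the socket path with `awk -F "="`, which keeps the leading space and the double quotes, so `test -f` can never succeed and `auditctl -l` is never consulted. The config line and the `auditctl -l` listing below are constructed samples (the config line assumes the default `address = "..."` form), so the script runs offline.

```shell
#!/bin/sh
# Added example, not docker-bench project code: reproduces why the 1.1.8 audit
# fails on a host where the remediation rule is loaded, and shows a fixed parse.

# Constructed: the line the check's grep matches in /etc/containerd/config.toml.
CONFIG_LINE='  address = "/run/containerd/containerd.sock"'
# Constructed: `auditctl -l` output after loading the remediation rule.
AUDITCTL_OUT='-w /run/containerd/containerd.sock -p rwxa -k docker'

# Exactly what the check's audit script extracts: the leading space and the
# surrounding double quotes are kept, so this is not a usable path.
extract_as_check() {
  printf '%s\n' "$CONFIG_LINE" | awk -F "=" '{print $2}'
}

# Fixed extraction: strip whitespace and quotes so only the path remains.
extract_clean() {
  printf '%s\n' "$CONFIG_LINE" | awk -F "=" '{print $2}' | tr -d ' "'
}

# Returns 0 when a watch rule for the given path is present in the listing.
rule_present() {
  printf '%s\n' "$AUDITCTL_OUT" | grep -F -q -- "-w $1 "
}

# The check as shipped: test -f on the unclean value never succeeds (no such
# path exists, and even a clean path would fail -f because containerd.sock is
# a socket, not a regular file), so auditctl is never queried and the
# "containerd.sock" flag is never seen -> FAIL.
audit_as_check() {
  test_file=$(extract_as_check)
  if test -f "$test_file"; then
    rule_present "$test_file"
  else
    return 1
  fi
}

# Fixed check: clean the path and accept any existing inode type (-e); a
# missing socket is reported as "not applicable" (2) rather than a failure.
audit_fixed() {
  sock=$(extract_clean)
  [ -e "$sock" ] || return 2
  rule_present "$sock"
}
```

Running `audit_fixed` on a real host still requires the socket to exist; on a machine without containerd it returns 2.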