aquasecurity/docker-bench

CIS Benchmarks -- Docker Hosts -- 1.1 Ensure a separate partition for containers has been created

amitaqua opened this issue · 6 comments

Configuring Docker to use a separate folder other than the default fails to be detected.

Customer set /mnt/sscp/data/docker partition instead of /var/lib/docker as the docker storage - yet the utility failed to detect this and failed the test.

We could use a substitution parameter so that it's easier to change (like we do for various parameters in kube-bench)

@yoavAqua @yoavrotems seems still not fixed when I run a test today.
Can you confirm it is fixed?

Hi, the solution we made is parameter substitution: here we just replace /var/lib/docker with the value $docker-storage. What you need to do is set the customer values in the right config; for example, if using CIS 1.2, edit the following file, https://github.com/aquasecurity/docker-bench/blob/master/cfg/cis-1.2/config.yaml, and change the value there.

Hi @yoavrotems so you are saying that the customers would need to modify the yaml as per their environments?
We do not have the option to auto-detect the correct path used?

I think we could add something to auto-detect it and automatically edit the config.yaml (if so, it has to be a flag option, so it could be manually overwritten), but it seems like a lot of work for one test where the user can just change the value in the config file according to their env.
And furthermore the user can manipulate the definitions.yaml with the config.yaml substitution in ways we didn't think about, or in ways that are unique to the user's organisation.
Idk if it's worth doing so, wdyt @lizrice?

@yoavrotems @lizrice I'm ok with having the option to manually configure the path in the yaml file.
With that said - the CSP customers do not have visibility into this when they check their CIS Docker benchmarks, and I guess we should auto-detect the correct path/partition, as we can get it from the docker info command?
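As an added illustration of the auto-detection idea raised above (example code, not docker-bench's own implementation), the following POSIX shell reads the data root from `docker info` instead of assuming /var/lib/docker and then checks whether that directory is itself a mount point, which is what CIS 1.1 asks for. The function names, the fallback to /var/lib/docker when the daemon cannot be queried, and the sample mounts table are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the docker-bench project): detect Docker's storage
# root via `docker info` and check that it sits on its own partition.

# Constructed sample of /proc/mounts lines so the check can run offline;
# the second field of each line is the mount point.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /mnt/sscp/data/docker xfs rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid 0 0'

# docker_root_dir: print the daemon's data root; fall back to the CIS default
# when docker is missing or cannot be queried (assumed fallback, see lead-in).
docker_root_dir() {
  docker info --format '{{ .DockerRootDir }}' 2>/dev/null || echo /var/lib/docker
}

# is_mount_point DIR [MOUNTS]: exit 0 when DIR is an exact mount target in the
# mounts table (default: /proc/mounts), 1 otherwise. Exact matching on field 2
# avoids a parent mount such as /mnt passing for /mnt/sscp/data/docker.
is_mount_point() {
  dir=$1
  mounts=${2:-$(cat /proc/mounts)}
  printf '%s\n' "$mounts" | awk -v d="$dir" '$2 == d { found = 1 } END { exit !found }'
}

# check_cis_1_1 [MOUNTS]: report PASS/FAIL for the resolved data root.
check_cis_1_1() {
  root=$(docker_root_dir)
  if is_mount_point "$root" "$1"; then
    echo "PASS: $root is a separate partition"
  else
    echo "FAIL: $root is not a separate partition"
  fi
}

# Run against the constructed table; on a real host call check_cis_1_1 with no
# argument so /proc/mounts is consulted.
check_cis_1_1 "$SAMPLE_MOUNTS"
```

With the constructed table the customer's path is recognised while the default is not, so a rule that only greps for /var/lib/docker would wrongly fail this host.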