1.1.9 Is checking the wrong file #554
Comments
|
Thanks for the issue, @Yaytay I think there might be other fixes needed to be done as well regarding I've mentioned this in a CIS discussion, "Various programs will now attempt to load the main configuration file from locations below /usr/lib/, /usr/local/lib/, and /run/, not just below /etc/. For example, systemd-logind will look for /etc/systemd/logind.conf, /run/systemd/logind.conf, /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf, and use the first file that is found. This means that the search logic for the main config file and for drop-ins is now the same. Similarly, kernel-install will look for the config files in /usr/lib/kernel/ and the other search locations, and now also supports drop-ins." |
The definition of 1.1.9 in the published CIS Docker Benchmarks is ambiguous.
Steps 1 & 2 locate the actual socket, then step 3 checks that the systemctl file is being audited (with the remediation being to audit the actual socket).
I think that both the systemctl file (/lib/systemd/system/docker.socket) and the actual socket (/var/run/docker.sock) should be audited.
The updated version of the CIS Benchmarks (available within CIS WorkBench) is now unampbiguously about the socket itself (/var/run/docker.sock).
The text was updated successfully, but these errors were encountered: