get_service_file unable to find containerd.sock

[spedersen-emailage]

get_service_file looks for $SERVICE in these directories:

• /etc/systemd/system/
• /lib/systemd/system/
• /usr/lib/systemd/system/

As well as looks at systemctl's FragmentPath property.

Reference:

docker-bench-security/functions/helper_lib.sh

Lines 132 to 148 in 820abe9

	get_service_file() {
	SERVICE="$1"
	if [ -f "/etc/systemd/system/$SERVICE" ]; then
	echo "/etc/systemd/system/$SERVICE"
	return
	fi
	if [ -f "/lib/systemd/system/$SERVICE" ]; then
	echo "/lib/systemd/system/$SERVICE"
	return
	fi
	if systemctl show -p FragmentPath "$SERVICE" 2> /dev/null 1>&2; then
	systemctl show -p FragmentPath "$SERVICE" | sed 's/.*=//'
	return
	fi
	echo "/usr/lib/systemd/system/$SERVICE"
	}

CIS test 1.1.8 throws INFO and remediation has a blank recommendation because containerd.sock is not found in any of those directories or via FP.

[INFO] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
[INFO]    * File not found
...
[INFO] 1.1.8 - Install auditd. Add -w  -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart. Remediation Impact: Audit can generate large log files. So you need to make sure that they are rotated and archived periodically. Create a separate partition for audit logs to avoid filling up other critical partitions.

Note the extra space between -w and -k above.

Instead, when docker runs with active containers, it's only found at /run/containerd/containerd.sock.

# find / -name "containerd.sock"
/run/containerd/containerd.sock

This has been observed with Docker v20.10.25 on Amazon Linux 2 and v25.0.3 on Amazon Linux 2023.

● docker.service - Docker Application Container Engine
   Loaded: loaded (/usr/lib/systemd/system/docker.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2024-04-11 13:06:55 UTC; 1h 31min ago
     Docs: https://docs.docker.com
 Main PID: 5089 (dockerd)
    Tasks: 62
   Memory: 644.9M
   CGroup: /system.slice/docker.service
           ├─5089 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --default-ulimit nofile=32768:65536
...

Note --containerd points to /run/containerd/containerd.sock.

I checked CIS Docker Benchmark v1.6.0 and it does not specify the location of containerd.sock, only that you find it and monitor it.

Can the tests be updated to check /run as well?

[konstruktoid]

Hi @spedersen-emailage and nice catch, could you please test #549?

[spedersen-emailage]

@konstruktoid It looks like that if statement that checks systemctl kills the function since it always returns a value, even if the value is null. Both sed and awk return a blank value, or at least a new line.

# systemctl show -p FragmentPath "containerd.sock" | sed 's/.*=//'

# systemctl show -p FragmentPath "containerd.sock" | awk -F'=' '{ print $2 }'

#

I deleted the systemctl check in a test script and it finds containerd.sock w/out issue.

[konstruktoid]

yeah, that's an "interesting" output. systemctl return every field even if an service doesn't exist, it says LoadError=org.freedesktop.systemd1.NoSuchUnit "Unit dontexist.service not found." but still return an exit code 0.

~$ systemctl show --no-pager "dontexist" && echo $?
[...]
LoadError=org.freedesktop.systemd1.NoSuchUnit "Unit dontexist.service not found."
Transient=no
Perpetual=no
StartLimitIntervalUSec=10s
StartLimitBurst=5
StartLimitAction=none
FailureAction=none
SuccessAction=none
CollectMode=inactive
0
~$ systemctl show -p FragmentPath "dontexist" && echo $?
FragmentPath=
0

[konstruktoid]

updated 287fd87

[spedersen-emailage]

@konstruktoid The updated get_service_file function works, but check_1_1_8 searches for containerd.socket instead of containerd.sock, so the check itself also fails. The actual CIS benchmark also calls for containerd.sock:

1.1.8 Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)
Profile Applicability:
• Level 2 - Docker - Linux
Description:
Audit containerd.sock, if applicable.
Rationale:
As well as auditing the normal Linux file system and system calls, you should also audit
the Docker daemon. Because this daemon runs with root privileges, it is very important
to audit its activities and usage. Its behavior depends on some key files and directories
with containerd.sock being one such file, and as this holds various parameters for the
Docker daemon, it should be audited.

After I modified the function, it works:

# ./docker-bench-security.sh -c check_1_1_8 -p
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.6.0
#
# Docker, Inc. (c) 2015-2024
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.6.0.
# --------------------------------------------------------------------------------------------

Initializing 2024-04-15T19:40:12+00:00


Section A - Check results
[PASS] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)


Section C - Score

[INFO] Checks: 1
[INFO] Score: 1

diff:

# git diff
diff --git a/tests/1_host_configuration.sh b/tests/1_host_configuration.sh
index 86247a8..dd8d2c0 100644
--- a/tests/1_host_configuration.sh
+++ b/tests/1_host_configuration.sh
@@ -248,7 +248,7 @@ check_1_1_8() {
   local check="$id - $desc"
   starttestjson "$id" "$desc"
 
-  file="$(get_service_file containerd.socket)"
+  file="$(get_service_file containerd.sock)"
   if [ -e "$file" ]; then
     if command -v auditctl >/dev/null 2>&1; then
       if auditctl -l | grep "$file" >/dev/null 2>&1; then

[konstruktoid]

yeah, there's a bit of inconsistencies there.

$ git grep containerd.sock
tests/1_host_configuration.sh:  local desc="Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
tests/1_host_configuration.sh:  remediation="Install auditd. Add -w $(get_service_file containerd.socket) -k docker to the /etc/audit/rules.d/audit.rules file. Then restart the audit daemon using command service auditd restart."
tests/1_host_configuration.sh:  file="$(get_service_file containerd.socket)"
tests/3_docker_daemon_configuration_files.sh:  local remediation="You should run the following command: chown root:root /run/containerd/containerd.sock. This sets the ownership and group ownership for the file to root."
tests/3_docker_daemon_configuration_files.sh:  file="/run/containerd/containerd.sock"
tests/3_docker_daemon_configuration_files.sh:  local remediation="You should run the following command: chmod 660 /run/containerd/containerd.sock. This sets the file permissions for this file to 660."
tests/3_docker_daemon_configuration_files.sh:  file="/run/containerd/containerd.sock"

[konstruktoid]

updated

[spedersen-emailage]

@konstruktoid Confirmed!

# ./docker-bench-security.sh -c check_1_1_8 -p
# --------------------------------------------------------------------------------------------
# Docker Bench for Security v1.6.0
#
# Docker, Inc. (c) 2015-2024
#
# Checks for dozens of common best-practices around deploying Docker containers in production.
# Based on the CIS Docker Benchmark 1.6.0.
# --------------------------------------------------------------------------------------------

Initializing 2024-04-16T15:52:45+00:00

Section A - Check results
[PASS] 1.1.8 - Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)

Section C - Score

[INFO] Checks: 1
[INFO] Score: 1

[konstruktoid]

Thanks @spedersen-emailage

[OdinVex]

Oddly enough it's not able to find mine for /usr/lib/systemd/system/docker.service and such.

Edit: I narrowed it down to the following being at fault (for not allowing fallthrough to the echo afterwards) in ./functions/helper_lib.sh:

  if find /run -name "$SERVICE" 2> /dev/null 1>&2; then
    ...
  fi

The first if section always is true even if docker.service does not exist under /run so it returns nothing.

Edit: systemctl is also not found so that prints an error and fusses as well. I've commented those two sections out to continue my auditing though that temporarily breaks anything under /run too.
Edit: Stock still broken for /run/containerd/containerd.sock (git clone of latest master branch).

[OdinVex]

Latest tagged release still has containerd.socket instead of containerd.sock.