Docker Compliance Mod
Run individual configuration, compliance and security controls or full compliance benchmarks for CIS across all your Docker resources.
References
CIS Docker Benchmarks provide a predefined set of compliance and security best-practice checks for Docker resources.
Steampipe is an open source CLI to instantly query cloud APIs using SQL.
Steampipe Mods are collections of named queries, and codified controls that can be used to test current configuration of your cloud resources against a desired configuration.
Documentation
Installation
Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:
brew tap turbot/tapbrew install steampipeInstall the Docker and Exec plugins with Steampipe:
steampipe plugin install docker execClone:
git clone https://github.com/turbot/steampipe-mod-docker-compliance.gitUsage
Start your dashboard server to get started:
steampipe dashboardBy default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.
Instead of running benchmarks in a dashboard, you can also run them within your
terminal with the steampipe check command:
Run all benchmarks:
steampipe check allRun a single benchmark:
steampipe check benchmark.cis_v160_5Run a specific control:
steampipe check control.cis_v160_5_1Different output formats are also available, for more information please see Output Formats.
Configuration
This mod uses the credentials configured in the Steampipe Docker plugin and the Steampipe Exec plugin. Please see below for examples on how to configure connections for these plugins.
Local connections
When connecting to Docker on your local host, the Docker and Exec plugin connections require basic configuration:
connection "docker_local" { plugin = "docker"}
connection "exec_local" { plugin = "exec"}Remote connections
Docker without TLS enabled
Note: It is not recommended to allow insecure connections. Please see Protect the Docker daemon socket for instructions on setting up TLS.
You only need to specify the host:
connection "docker_remote" { plugin = "docker" host = "tcp://12.345.67.890:2375"}To connect to the remote host, you need to provide additional details in the Exec plugin connection, including the private key:
connection "exec_remote" { plugin = "exec" host = "12.345.67.890" user = "ec2-user" protocol = "ssh" private_key = "/Users/myuser/keys/key.pem"}Docker with TLS enabled
If Docker does have TLS enabled, you will need to set tls_verify and provide a path to the directory containing your certificates and key files:
connection "docker_remote_tls" { plugin = "docker" host = "tcp://12.345.67.890:2376" tls_verify = true cert_path = "/Users/myuser/certs"}The Exec plugin connection does not require any different configuration:
connection "exec_remote" { plugin = "exec" host = "12.345.67.890" user = "ec2-user" protocol = "ssh" private_key = "/Users/myuser/keys/key.pem"}Using workspaces with multiple connections
If you have multiple local and/or remote Docker and Exec connections, you can use Steampipe workspaces to manage your Steampipe environments. Workspaces are profiles that are usually defined in ~/.steampipe/config/workspaces.spc.
For instance, if multiple Docker and Exec plugin connections were configured:
connection "docker_local" { plugin = "docker"}
connection "docker_remote_tls" { plugin = "docker" host = "tcp://12.345.67.890:2376" tls_verify = true cert_path = "/Users/myuser/certs"}connection "exec_local" { plugin = "exec"}
connection "exec_remote" { plugin = "exec" host = "12.345.67.890" user = "ec2-user" protocol = "ssh" private_key = "/Users/myuser/keys/key.pem"}You can create multiple workspaces in ~/.steampipe/config/workspaces.spc:
workspace "docker_exec_local" { search_path_prefix = "docker_local,exec_local"}
workspace "docker_exec_remote" { search_path_prefix = "docker_remote_tls,exec_remote"}To switch between workspaces, you can use the --workspace argument:
steampipe check benchmark.cis_v160 --workspace docker_exec_localsteampipe check benchmark.cis_v160 --workspace docker_exec_remoteAdditional argments can be set in each workspace, including cache TTL, mod location, and more. Please see Workspace Arguments for a full list.
Setting control types
The Docker Compliance mod queries use the Docker and Exec plugin tables in order to retrieve information about the Docker Engine and the host it runs on. If you do not have access to connect to either of those, you can set the benchmark_plugins variable to decide which controls are included in benchmarks.
By default, both Docker and Exec queries are included:
benchmark_plugins = ["docker", "exec"]To only execute queries using Docker plugin tables, create steampipe.spvars with the following value:
benchmark_plugins = ["docker"]Note that controls can always be run directly, even if benchmark_plugins does not include the plugin type. For instance:
steampipe check control.cis_v160_5This variable can be overwritten in several ways:
Copy and rename the
steampipe.spvars.examplefile tosteampipe.spvars, and then modify the variable values inside that filePass in a value on the command line:
steampipe check benchmark.cis_v160 --var 'benchmark_plugins=["docker"]'Set an environment variable:
SP_VAR_benchmark_plugins='["exec"]' steampipe check benchmark.cis_v160
Contributing
If you have an idea for additional compliance controls, or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing. (Even if you just want to help with the docs.)
- Join #steampipe on Slack → and hang out with other Mod developers.
Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.
Want to help but not sure where to start? Pick up one of the help wanted issues: