Query: 1.1.4 Ensure auditing is configured for Docker files and directories - /run/containerd
Description
Audit /run/containerd.
Query
Tables used in this query:
Controls using this query:
SQL
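-- CIS Docker 1.1.4: for each connection, report whether a loaded audit rule
-- mentions /run/containerd.
-- Output columns: resource (hostname), status ('skip' | 'alarm' | 'ok'),
-- reason (human-readable explanation), connection_name.
with os_output as (
  -- Kernel name per connection; used below to skip Darwin hosts.
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
),
hostname as (
  -- Hostname per connection; reported as the resource.
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
linux_output as (
  -- Audit rules that mention /run/containerd, one row per connection.
  -- NULL and whitespace-only output are folded to '' so that a missing result
  -- is reported as 'alarm'; a bare `stdout_output = ''` test evaluates to
  -- UNKNOWN on NULL and would fall through to 'ok'.
  -- NOTE(review): stdout is presumably also empty when `sudo -n` is refused or
  -- auditctl is not installed, so 'alarm' can mean "could not check" as well
  -- as "no rule present".
  -- NOTE(review): grep matches substrings, so any rule line containing
  -- /run/containerd (for example a rule on a path below it) counts as
  -- configured; confirm that is the intended coverage.
  select
    coalesce(btrim(e.stdout_output, E' \n\r\t'), '') as audit_rules,
    e._ctx ->> 'connection_name' as conn
  from
    exec_command as e
    inner join os_output as os
      on os.os_conn = e._ctx ->> 'connection_name'
  where
    e.command = 'sudo -n auditctl -l | grep /run/containerd'
)
select
  h.host as resource,
  case
    when os.os ilike '%Darwin%' then 'skip'
    when o.audit_rules = '' then 'alarm'
    else 'ok'
  end as status,
  case
    when os.os ilike '%Darwin%' then h.host || ' /run/containerd does not exist on ' || os.os || ' OS.'
    when o.audit_rules = '' then h.host || ' /run/containerd auditing is not configured.'
    else h.host || ' /run/containerd auditing is configured.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h
  inner join os_output as os
    on os.os_conn = h.host_conn
  inner join linux_output as o
    on o.conn = h.host_conn;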