docker / docker-bench-security

The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
Apache License 2.0

1.1.9 Is checking the wrong file #554

Open Yaytay opened 5 months ago

Yaytay commented 5 months ago

The definition of 1.1.9 in the published CIS Docker Benchmarks is ambiguous. Steps 1 & 2 locate the actual socket, then step 3 checks that the systemctl file is being audited (with the remediation being to audit the actual socket).

I think that both the systemctl file (/lib/systemd/system/docker.socket) and the actual socket (/var/run/docker.sock) should be audited.

The updated version of the CIS Benchmarks (available within CIS WorkBench) is now unambiguously about the socket itself (/var/run/docker.sock).
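As an added example (not code from docker-bench-security or from the commenters), the shell function below checks whether an auditd watch rule exists for both paths named above, the socket (/var/run/docker.sock) and the unit file (/lib/systemd/system/docker.socket). It takes the rule listing as text so it can run offline against constructed input; on a real host you would pass the output of `auditctl -l`. The function names and the sample rule sets are assumptions for this example.

```shell
#!/bin/sh
# Added example: verify that auditd watch rules (-w PATH ...) cover the Docker
# socket and its systemd unit file. Not part of docker-bench-security.

# audit_rule_covers PATH RULES
#   Returns 0 if RULES (one rule per line, as printed by `auditctl -l`)
#   contains a watch rule for exactly PATH, 1 otherwise.
audit_rule_covers() {
    arc_path="$1"
    arc_rules="$2"
    # Escape dots so "docker.sock" does not match "dockerXsock".
    arc_escaped=$(printf '%s' "$arc_path" | sed 's/[.]/\\./g')
    printf '%s\n' "$arc_rules" \
        | grep -Eq -- "(^|[[:space:]])-w[[:space:]]+${arc_escaped}([[:space:]]|$)"
}

# check_docker_socket_audit RULES
#   Prints PASS/WARN per path and returns 0 only if every path is audited.
check_docker_socket_audit() {
    cds_rules="$1"
    cds_rc=0
    # Paths taken from the issue text; the unit file location varies by distro.
    for cds_path in /var/run/docker.sock /lib/systemd/system/docker.socket; do
        if audit_rule_covers "$cds_path" "$cds_rules"; then
            printf 'PASS %s is audited\n' "$cds_path"
        else
            printf 'WARN %s has no audit watch rule\n' "$cds_path"
            cds_rc=1
        fi
    done
    return $cds_rc
}

# Constructed sample rule listings (not from a real host).
RULES_BOTH='-w /var/run/docker.sock -p rwxa -k docker
-w /lib/systemd/system/docker.socket -p rwxa -k docker'
RULES_UNIT_ONLY='-w /lib/systemd/system/docker.socket -p rwxa -k docker'

# Stand-alone demonstration; on a real host use: check_docker_socket_audit "$(auditctl -l)"
if [ "${1:-}" = "demo" ]; then
    echo "== both rules present =="
    check_docker_socket_audit "$RULES_BOTH"
    echo "== unit file only =="
    check_docker_socket_audit "$RULES_UNIT_ONLY" || echo "result: not fully audited"
fi
```

Run it as `sh check_audit.sh demo` to see both outcomes; to use it for real, replace the constructed listings with `auditctl -l` output and, if the unit file lives elsewhere on your distro, resolve it with `systemctl show -p FragmentPath docker.socket` before checking.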

konstruktoid commented 5 months ago

Thanks for the issue, @Yaytay

I think there might be other fixes needed to be done as well regarding .service and .sock files.

I've mentioned this in a CIS discussion, systemd will have multiple configuration directories we'll need to address.

"Various programs will now attempt to load the main configuration file from locations below /usr/lib/, /usr/local/lib/, and /run/, not just below /etc/. For example, systemd-logind will look for /etc/systemd/logind.conf, /run/systemd/logind.conf, /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf, and use the first file that is found. This means that the search logic for the main config file and for drop-ins is now the same. Similarly, kernel-install will look for the config files in /usr/lib/kernel/ and the other search locations, and now also supports drop-ins."

https://github.com/systemd/systemd/releases