1.1.9 Is checking the wrong file

[Yaytay]

The definition of 1.1.9 in the published CIS Docker Benchmarks is ambiguous.
Steps 1 & 2 locate the actual socket, then step 3 checks that the systemctl file is being audited (with the remediation being to audit the actual socket).

I think that both the systemctl file (/lib/systemd/system/docker.socket) and the actual socket (/var/run/docker.sock) should be audited.

The updated version of the CIS Benchmarks (available within CIS WorkBench) is now unampbiguously about the socket itself (/var/run/docker.sock).

[konstruktoid]

Thanks for the issue, @Yaytay

I think there might be other fixes needed to be done as well regarding .service and .sock files.

I've mentioned this in a CIS discussion, systemd will have multiple configuration directories we'll need to address.

"Various programs will now attempt to load the main configuration file from locations below /usr/lib/, /usr/local/lib/, and /run/, not just below /etc/. For example, systemd-logind will look for /etc/systemd/logind.conf, /run/systemd/logind.conf, /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf, and use the first file that is found. This means that the search logic for the main config file and for drop-ins is now the same. Similarly, kernel-install will look for the config files in /usr/lib/kernel/ and the other search locations, and now also supports drop-ins."

https://github.com/systemd/systemd/releases