update control 2.8

Signed-off-by: Patrick Münch <patrick.muench1111@gmail.com>

Author: atomic111

controls/docker_host_os_level1.rb

@@ -252,7 +252,7 @@
   title 'Audit Docker files and directories - /usr/bin/docker-runc'
   desc 'Apart from auditing your regular Linux file system and system calls, audit all Docker related files and directories. Docker daemon runs with \'root\' privileges. Its behavior depends on some key files and directories. /usr/bin/docker-runc is one such file. Docker now relies on containerd and runC to spawn containers. It must be audited, if applicable.'
   tag 'host'
-  ref 'System auditing', url:'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
+  ref 'System auditing', url: 'https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html'
   ref 'Containerd integration', url: 'https://github.com/docker/docker/pull/20662'
   ref 'Containerd tools', url: 'https://containerd.tools/'
   ref 'Opencontainers runc repository', url: 'https://github.com/opencontainers/runc'

controls/docker_level2.rb

@@ -61,14 +61,23 @@
   impact 1.0
   title 'Enable user namespace support'
   desc 'Enable user namespace support in Docker daemon to utilize container user to host user re-mapping. This recommendation is beneficial where containers you are using do not have an explicit container user defined in the container image. If container images that you are using have a pre-defined non-root user, this recommendation may be skipped since this feature is still in its infancy and might give you unpredictable issues and complexities.'
-  ref 'http://man7.org/linux/man-pages/man7/user_namespaces.7.html'
-  ref 'https://docs.docker.com/engine/reference/commandline/daemon/'
-  ref 'http://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf'
-  ref 'https://github.com/docker/docker/issues/21050'
+  tag 'daemon'
+  ref 'User namespeces', url: 'http://man7.org/linux/man-pages/man7/user_namespaces.7.html'
+  ref 'Docker daemon configuration', url: 'https://docs.docker.com/engine/reference/commandline/daemon/'
+  ref 'Routing out root: user namespaces in docker', url: 'http://events.linuxfoundation.org/sites/events/files/slides/User%20Namespaces%20-%20ContainerCon%202015%20-%2016-9-final_0.pdf'
+  ref 'Docker images vanish when using user namespaces ', url: 'https://github.com/docker/docker/issues/21050'
 
   describe json('/etc/docker/daemon.json') do
     its(['userns-remap']) { should eq('default') }
   end
+  describe file('/etc/subuid') do
+    it { should exist }
+    it { should be_file }
+  end
+  describe file('/etc/subgid') do
+    it { should exist }
+    it { should be_file }
+  end
 end
 
 control 'cis-docker-benchmark-2.9' do