Containers should not mount the Docker socket docker.sock inside them

docker

Classification: compliance
Framework: cis-docker
Control: 5.31


Description

The Docker socket docker.sock should not be mounted inside a container.

Rationale

If the Docker socket is mounted inside a container, it could allow processes running within the container to execute Docker commands against the host daemon, which would effectively give them full control of the host.

Audit

Run this command:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock

This returns any instances where docker.sock has been mapped to a container as a volume.
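The audit command above works by grepping the mount listing for the string docker.sock. The following checker is an added example (not part of the Datadog rule text or the CIS benchmark) that reads the JSON emitted by docker inspect and reports each container whose bind mounts expose the daemon socket. It goes one step beyond the page's grep: it also flags a host directory that contains the socket (for example /var/run or /run) mounted as a bind, which exposes docker.sock just the same even though the string never appears in the mount listing. It assumes the standard socket locations listed in DOCKER_SOCKET_PATHS, and the inspect output embedded in it is constructed sample data, not output from a real host.

```python
from __future__ import annotations

import json
import os
import sys

# Host paths at which the Docker daemon socket normally lives.
# Assumption: a standard Linux install; adjust for rootless or custom -H setups.
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")


def _exposes_socket(source: str) -> bool:
    """True if bind-mounting this host path into a container would expose the
    Docker socket: either the socket file itself or a parent directory of it."""
    src = os.path.normpath(source)
    for sock in DOCKER_SOCKET_PATHS:
        if src == sock:
            return True
        # A parent directory such as /var/run, /run or / also exposes the socket,
        # even though "docker.sock" never appears in the container's mount list.
        if sock.startswith(src.rstrip("/") + "/"):
            return True
    return False


def find_socket_mounts(inspect_output: str) -> list[dict]:
    """Parse `docker inspect` JSON and return one finding per container that has
    the Docker socket (or a directory containing it) bind-mounted. Both the
    resolved Mounts array and the raw HostConfig.Binds entries are checked."""
    findings = []
    for container in json.loads(inspect_output):
        offending = set()
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and _exposes_socket(mount.get("Source", "")):
                offending.add(mount["Source"])
        for bind in (container.get("HostConfig") or {}).get("Binds") or []:
            host_path = bind.split(":", 1)[0]  # "host:container[:opts]"
            if _exposes_socket(host_path):
                offending.add(host_path)
        if offending:
            findings.append({
                "id": container["Id"][:12],
                "name": container.get("Name", "").lstrip("/"),
                "sources": sorted(offending),
            })
    return findings


# Constructed sample of `docker inspect` output (three containers): one mounts the
# socket directly, one mounts its parent directory read-only, one is clean.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0a1b2c3d4e5f6a7b" * 4,
        "Name": "/ci-agent",
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
    },
    {
        "Id": "1b2c3d4e5f6a7b8c" * 4,
        "Name": "/monitor",
        "Mounts": [{"Type": "bind", "Source": "/var/run",
                    "Destination": "/host/run", "RW": False}],
        "HostConfig": {"Binds": ["/var/run:/host/run:ro"]},
    },
    {
        "Id": "2c3d4e5f6a7b8c9d" * 4,
        "Name": "/web",
        "Mounts": [{"Type": "volume", "Name": "webdata",
                    "Source": "/var/lib/docker/volumes/webdata/_data", "Destination": "/data"},
                   {"Type": "bind", "Source": "/srv/config", "Destination": "/etc/app", "RW": False}],
        "HostConfig": {"Binds": ["/srv/config:/etc/app:ro"]},
    },
])


if __name__ == "__main__":
    # Pipe real data in with: docker inspect $(docker ps -aq) | python3 check_sock.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for f in find_socket_mounts(data):
        print(f"{f['id']} {f['name']}: Docker socket exposed via {', '.join(f['sources'])}")
```

Run with no input to see the sample findings (ci-agent and monitor are flagged, web is not), or feed it the output of docker inspect over all containers as shown in the comment. Checking HostConfig.Binds as well as Mounts catches a container whose bind was declared but whose mount list is missing or truncated in the inspect output.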

Remediation

You should ensure that no containers mount docker.sock as a volume.

Impact

None

Default value

By default, docker.sock is not mounted inside containers.

References

  1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/
  2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2
  3. https://github.com/docker/docker/issues/21109

CIS controls

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services