Sensitive host system directories should not be mounted on containers

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.5

Set up the docker integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Description

You should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. / /boot /dev /etc /lib /proc /sys /usr

Rationale

If sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.

Audit

Run this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.

Remediation

Do not mount directories which are security sensitive on the host within containers, especially in read-write mode.

Impact

None

Default value

Docker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.

References

  1. https://docs.docker.com/engine/tutorials/dockervolumes/

CIS controls

Version 6

14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know