Containers should not mount the Docker socket docker.sock inside them

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.31

Set up the docker integration.


Description

The Docker socket docker.sock should not be mounted inside a container.

Rationale

If the Docker socket is mounted inside a container, processes running within the container can issue Docker commands to the host daemon, which effectively gives them full control of the host.

Audit

Run this command:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock

This returns any instances where docker.sock has been mapped to a container as a volume.
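The audit above can be wrapped in a small script so the check is repeatable and its output is easy to assert on in a CI job or a host-hardening scan. The example below is added here and is not part of the CIS benchmark or of the Docker integration; it reuses the benchmark's inspect template, and the container IDs and mount paths in the embedded sample are constructed so the parsing step runs without a Docker daemon.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the docker integration):
# audit helper that flags containers whose mount list references the
# Docker socket. Input lines have the shape produced by the benchmark's
# docker inspect template:
#   "<id>: Volumes=[{bind  /var/run/docker.sock /var/run/docker.sock  ...}]"

# Print the ID of every container whose Mounts section mentions docker.sock.
# Reads audit lines on stdin; prints one ID per line (nothing if clean).
find_docker_sock_mounts() {
    # Keep the text before the first ": " (the container ID) for any line that
    # contains docker.sock anywhere in its mount list, whatever the source path.
    awk -F': ' '/docker\.sock/ { print $1 }'
}

# Live audit (requires a Docker daemon): same template as the benchmark command.
audit_live() {
    docker ps --quiet --all \
      | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' \
      | find_docker_sock_mounts
}

# Constructed sample output for offline use; IDs and paths are made up.
# Line 1: socket bind-mounted from the usual path.
# Line 2: an ordinary named volume (contains "docker" but not "docker.sock").
# Line 3: socket bind-mounted from /run instead of /var/run.
SAMPLE='0a1b2c3d: Volumes=[{bind  /var/run/docker.sock /var/run/docker.sock   true rprivate}]
4e5f6a7b: Volumes=[{volume appdata /var/lib/docker/volumes/appdata/_data /data local  true }]
8c9d0e1f: Volumes=[{bind  /run/docker.sock /var/run/docker.sock   true rprivate}]'

# Number of offending containers in the sample; any non-zero count is a finding.
count_sample_findings() {
    printf '%s\n' "$SAMPLE" | find_docker_sock_mounts | wc -l | tr -d ' '
}

# First offending container ID in the sample (used as a smoke check).
first_sample_finding() {
    printf '%s\n' "$SAMPLE" | find_docker_sock_mounts | head -n 1
}
```

Because the match is a plain substring search over the rendered mount list, a socket mounted from an alternative source path such as /run/docker.sock is still caught; a bind mount of a whole parent directory such as /var/run would not be, so treat a clean result from this check as necessary rather than sufficient.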

Remediation

You should ensure that no containers mount docker.sock as a volume.

Impact

None

Default value

By default, docker.sock is not mounted inside containers.

References

  1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/
  2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2
  3. https://github.com/docker/docker/issues/21109

CIS controls

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services