Sensitive host system directories should not be mounted on containers

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.5

Set up the docker integration.


Description

You should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode.

  - /
  - /boot
  - /dev
  - /etc
  - /lib
  - /proc
  - /sys
  - /usr

Rationale

If sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.

Audit

Run this command:

  docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'

This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.
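An added shell check, not part of the CIS benchmark or this rule's text, that parses the per-container mount list the audit command produces and flags mounts of the directories above, marking each as read-write or read-only. The Go template in collect_mounts and the sample container data are assumptions (the sample is constructed), and paths below a listed directory are flagged too, which is a stricter reading than the control.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the Datadog rule text.
# Flags containers that mount a CIS Docker 5.5 sensitive host directory
# (or a path below one, a stricter reading than the control) and reports
# whether each such mount is read-write.

# Host paths listed by the control.
SENSITIVE="/ /boot /dev /etc /lib /proc /sys /usr"

# Reads stdin lines "<container-id> <source>:<rw> ..." as produced by
# collect_mounts below and prints "<id> <source> rw|ro" per sensitive mount.
# Returns 1 if any sensitive mount was found, 0 otherwise.
check_mounts() {
  found=0
  while read -r id mounts; do
    [ -n "$id" ] || continue
    for m in $mounts; do
      src=${m%:*}      # host path of the mount
      rwflag=${m##*:}  # "true" for read-write, "false" for read-only
      for s in $SENSITIVE; do
        # exact match, or a path underneath a listed directory other than /
        if [ "$src" = "$s" ] || { [ "$s" != "/" ] && [ "${src#"$s"/}" != "$src" ]; }; then
          mode=ro
          [ "$rwflag" = "true" ] && mode=rw
          echo "$id $src $mode"
          found=1
          break
        fi
      done
    done
  done
  return $found
}

# Live collection against a Docker host (template format is an assumption).
collect_mounts() {
  docker ps --quiet --all | xargs docker inspect \
    --format '{{ .Id }} {{ range .Mounts }}{{ .Source }}:{{ .RW }} {{ end }}'
}

# Constructed sample standing in for collect_mounts output.
SAMPLE='c1 /etc:true /var/lib/app:true
c2 /dev/snd:false
c3 /home/user/data:true'

# Usage on a real host: collect_mounts | check_mounts
# The sample run prints "c1 /etc rw" and "c2 /dev/snd ro", then the warning.
printf '%s\n' "$SAMPLE" | check_mounts || echo "sensitive host directories mounted"
```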

Remediation

Do not mount directories which are security sensitive on the host within containers, especially in read-write mode.

Impact

None

Default value

Docker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.

References

  1. https://docs.docker.com/engine/tutorials/dockervolumes/

CIS controls

Version 6

14 Controlled Access Based on the Need to Know