The container's health should be constantly monitored
Description
If the container image does not have a HEALTHCHECK instruction defined, you should use the --health-cmd parameter at container runtime to check container health.
Rationale
If the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the --health-cmd parameter to check container health at runtime. Based on the reported health status, remedial actions can be taken if necessary.
Audit
Run this command and ensure that all containers are reporting their health status:
docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'
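The audit above, extended into a pass/fail check (an added example, not part of the benchmark text). A container started without HEALTHCHECK or --health-cmd has no .State.Health object, so the template guards for that case and reports it as "none"; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Emit "<id> <status>" for every running container. The template prints
# "none" when .State.Health is absent (no health check configured).
collect_health() {
    ids=$(docker ps --quiet)
    [ -n "$ids" ] || return 0
    # $ids is intentionally unquoted: one argument per container ID.
    docker inspect --format \
        '{{ .Id }} {{ if .State.Health }}{{ .State.Health.Status }}{{ else }}none{{ end }}' \
        $ids
}

# Read "<id> <status>" lines on stdin and print one finding per container
# that is not reporting "healthy". Returns 1 if any FAIL was printed.
audit_health() {
    awk '
        NF == 0           { next }
        $2 == "healthy"   { next }
        $2 == "none"      { print "FAIL " $1 ": no health check configured"; bad++; next }
        $2 == "unhealthy" { print "FAIL " $1 ": health check is failing"; bad++; next }
        $2 == "starting"  { print "WARN " $1 ": health check has not completed yet"; next }
                          { print "FAIL " $1 ": unexpected status " $2; bad++ }
        END               { exit (bad > 0) }
    '
}

# Constructed sample of collect_health output, for trying audit_health offline.
sample_inspect_output() {
    cat <<'EOF'
aaaa1111 healthy
bbbb2222 none
cccc3333 unhealthy
dddd4444 starting
EOF
}

# Run against the local Docker daemon only when asked to.
if [ "${1:-}" = "--live" ]; then
    collect_health | audit_health
fi
```

Run the script with --live on a Docker host; a non-zero exit status means at least one container is unmonitored or unhealthy.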
You should run the container using the --health-cmd parameter. For example:
docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx
Impact
None
Default value
By default, health checks are not carried out at container runtime.
References
- https://docs.docker.com/engine/reference/run/#healthcheck
CIS controls
Version 6
18 Application Software Security