Base device size set to default value (10 GB)

docker

Classification:

compliance

Framework:

cis-docker

Control:

2.10


Description

Under certain circumstances, you might need containers larger than 10G. Where this applies you should carefully choose the base device size.

Rationale

The base device size can be increased on daemon restart. Increasing the base device size allows all future images and containers to be of the new base device size. A user can use this option to expand the base device size, however shrinking is not permitted. This value affects the system wide base empty filesystem that may already be initialized and therefore inherited by pulled images. Although the file system does not allocate the increased size as long as it is empty, more space will be allocated for extra images. This may cause a denial of service condition if the allocated partition becomes full.

Audit

Confirm the base device size setting both in the dockerd startup options and in the /etc/docker/daemon.json file. To review the dockerd startup options, run:

ps -ef | grep dockerd

There should be no --storage-opt dm.basesize parameter. Also review the /etc/docker/daemon.json file for the presence of a dm.basesize setting.
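An added audit helper, not part of the CIS benchmark or of Docker itself, that applies the two checks above to a dockerd command line and a daemon.json body; the sample inputs are constructed stand-ins for the live ps output and file contents.

```sh
# audit_basesize CMDLINE DAEMON_JSON
# Returns 0 when neither source sets dm.basesize, 1 when either does.
# On a real host feed it:  ps -ef | grep '[d]ockerd'  and  cat /etc/docker/daemon.json
audit_basesize() {
  cmdline=$1
  daemon_json=$2
  rc=0
  # Matches both "--storage-opt dm.basesize=20G" and "--storage-opt=dm.basesize=20G".
  if printf '%s\n' "$cmdline" | grep -Eq -e '--storage-opt[= ]+dm\.basesize='; then
    echo "FAIL: dockerd started with --storage-opt dm.basesize"
    rc=1
  fi
  # daemon.json carries the same setting as a "dm.basesize=..." entry.
  if printf '%s\n' "$daemon_json" | grep -q 'dm\.basesize'; then
    echo "FAIL: /etc/docker/daemon.json sets dm.basesize"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "PASS: base device size left at the 10G default"
  fi
  return "$rc"
}

# Constructed samples standing in for real ps output and daemon.json contents.
SAMPLE_CMD_DEFAULT='root 812 1 0 09:00 ? 00:00:03 /usr/bin/dockerd -H fd:// --storage-driver=devicemapper'
SAMPLE_CMD_RESIZED='root 812 1 0 09:00 ? 00:00:03 /usr/bin/dockerd -H fd:// --storage-driver=devicemapper --storage-opt dm.basesize=20G'
SAMPLE_JSON_DEFAULT='{ "storage-driver": "devicemapper" }'
SAMPLE_JSON_RESIZED='{ "storage-driver": "devicemapper", "storage-opts": [ "dm.basesize=20G" ] }'

audit_basesize "$SAMPLE_CMD_DEFAULT" "$SAMPLE_JSON_DEFAULT"
audit_basesize "$SAMPLE_CMD_RESIZED" "$SAMPLE_JSON_RESIZED" || echo "exit status $? (non-compliant)"
```

The script flags the setting wherever it appears, so a host that moved the option from the command line into daemon.json still fails the check.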

Remediation

Do not set --storage-opt dm.basesize until needed.

Impact

None.

Default value

The default base device size is 10G.

References

  1. https://docs.docker.com/engine/reference/commandline/dockerd/#storage-driver-options

CIS controls

Version 6

18 Application Software Security