Only verified packages are installed
Description
Verify the authenticity of packages before installing them into images.
Rationale
Verifying the authenticity of software packages is essential for building a secure container image. Packages of unknown provenance may be malicious or may carry vulnerabilities that could be exploited.
Audit
- Run this command to get the list of images:
docker images
- Run this command for each image in the list above and check how the authenticity of the installed packages is determined, for example through GPG keys or another secure package distribution mechanism:
docker history <Image_ID>
Alternatively, if you have access to the Dockerfile for the image, verify that the authenticity of the packages is checked.
Remediation
Use a secure package distribution mechanism of your choice to ensure the authenticity of software packages.
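As an added example (not part of this benchmark page or the referenced Dockerfiles), the following shell functions apply the audit above to a constructed Dockerfile: they flag RUN steps that disable the package manager's signature check or that fetch an artifact with curl/wget without a GPG or checksum step in the same instruction. The `audit_image` helper feeds `docker history` output through the same check; the `/bin/sh -c` prefix it matches is an assumption about how history lines are rendered.

```shell
# Constructed sample Dockerfile (not one of the referenced images). The apt and apk
# lines install with signature checks disabled, the curl line downloads a tarball
# with no verification, and the wget line verifies a detached GPG signature.
SAMPLE_DOCKERFILE='FROM debian:bookworm-slim
RUN apt-get update && apt-get install -y --allow-unauthenticated curl gnupg
RUN curl -fsSL https://example.invalid/app.tar.gz -o app.tar.gz \
    && tar -xzf app.tar.gz
RUN wget -O tool.tgz https://example.invalid/tool.tgz \
    && wget -O tool.tgz.asc https://example.invalid/tool.tgz.asc \
    && gpg --batch --verify tool.tgz.asc tool.tgz
RUN apk add --no-cache --allow-untrusted somepkg'

# audit_steps: read build steps (Dockerfile text or docker history lines) from $1,
# join backslash-continued lines, and print one finding per RUN step that either
# disables package signature verification or downloads without a verification step.
audit_steps() {
    printf '%s\n' "$1" | awk '
    {
        line = $0
        while (line ~ /\\[[:space:]]*$/) {          # join continuation lines
            sub(/\\[[:space:]]*$/, "", line)
            if ((getline nxt) <= 0) break
            line = line " " nxt
        }
        # Dockerfile RUN lines, or "/bin/sh -c" lines as rendered by docker history
        if (line !~ /^[[:space:]]*(RUN[[:space:]]|\/bin\/sh -c )/) next
        # apt, apk and dnf/yum flags that skip the distribution signature check
        if (line ~ /--allow-unauthenticated|--allow-untrusted|--nogpgcheck/) {
            print "UNVERIFIED-INSTALL: " line; next
        }
        # a fetched URL with no gpg/checksum verification in the same instruction
        if (line ~ /(curl|wget)[^&|;]*https?:\/\// && line !~ /gpg|gpgv|sha256sum|sha512sum|--verify/) {
            print "UNVERIFIED-DOWNLOAD: " line
        }
    }'
}

# count_findings: number of findings for the given build steps.
count_findings() { audit_steps "$1" | wc -l | tr -d ' '; }

# audit_image: run the same check against a built image via docker history,
# as the Audit section suggests (requires the docker CLI; not exercised here).
audit_image() {
    audit_steps "$(docker history --no-trunc --format '{{.CreatedBy}}' "$1")"
}
```

A clean result is an empty report; any finding points at the exact build step whose package source still needs an authenticity check.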
Impact
None
Default value
Not Applicable
References
- https://github.com/docker-library/httpd/blob/12bf8c8883340c98b3988a7bade8ef2d0d6dcf8a/2.4/Dockerfile
- https://github.com/docker-library/php/blob/d8a4ccf4d620ec866d5b42335b699742df08c5f0/7.0/alpine/Dockerfile
- https://access.redhat.com/security/team/key
CIS controls
Version 6
18.1 Use Only Vendor-supported Software - For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.
Version 7
18.3 Verify That Acquired Software is Still Supported - Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.