Containers use only trusted base images
Set up the docker integration.
Description
You should ensure that every container image you run is either built from scratch or is based on an established, trusted base image that was pulled over a secure (TLS) channel from a registry you control or explicitly trust.
Rationale
Official repositories contain Docker images curated and optimized by the Docker community or by the image's vendor, but there is no guarantee that these images are free of security vulnerabilities or malicious code. Caution should therefore be exercised when obtaining container images from Docker Hub and from third parties: the decision to run a given image should be reviewed in line with organizational security policy, and an image pulled over an insecure channel or from an unknown publisher should not be treated as trusted simply because it is popular.
Audit
You should review which Docker images are present on the host by executing this command:
docker images
This command lists all of the container images that are currently available for use on the Docker host. You should then review the origin of each image (the registry and repository it was pulled from) and review its contents in line with your organization's security policy. You can use this command to review the layer history of an image, including the instructions that produced each layer:
docker history <imageName>
The following procedures are useful for establishing trust in a specific image:
- Configure and use Docker Content Trust, so that only signed tags can be pulled (for example by setting DOCKER_CONTENT_TRUST=1 in the environment of the Docker client).
- View the history of each Docker image to evaluate its risk, in proportion to the sensitivity of the application you wish to deploy using it.
- Scan Docker images for vulnerabilities at regular intervals, not only at the time they are first pulled.
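As an added example that is not part of the original page or of Docker's own tooling, the following POSIX shell script turns the audit above into a repeatable check: it normalises each local image reference to its fully qualified form, compares it against an allowlist of trusted registries, reports dangling (untagged) images that have no traceable origin, and shows how a live run would combine `docker images`, `docker history` and a pull with Docker Content Trust enforced. The registry names in TRUSTED_PREFIXES and the sample image list are constructed for illustration and are not taken from the page.

```shell
#!/bin/sh
# Added example (not from the page): audit the images on a Docker host
# against an allowlist of trusted sources, then pull with content trust on.
# The registry names in TRUSTED_PREFIXES are hypothetical; edit them to
# match your organisation's policy.

TRUSTED_PREFIXES="docker.io/library/ registry.example.internal/"

# Expand a short image reference to its fully qualified form, the way the
# daemon does: "nginx:1.25" -> docker.io/library/nginx:1.25,
# "myorg/app:1" -> docker.io/myorg/app:1; a reference whose first path
# component looks like a host (contains '.' or ':' or is "localhost")
# is kept as-is.
normalize_ref() {
  ref=$1
  case $ref in
    */*)
      first=${ref%%/*}
      case $first in
        *.*|*:*|localhost) printf '%s\n' "$ref" ;;
        *)                 printf 'docker.io/%s\n' "$ref" ;;
      esac ;;
    *) printf 'docker.io/library/%s\n' "$ref" ;;
  esac
}

# Return 0 when the normalised reference starts with a trusted prefix.
is_trusted() {
  norm=$(normalize_ref "$1")
  for p in $TRUSTED_PREFIXES; do
    case $norm in
      "$p"*) return 0 ;;
    esac
  done
  return 1
}

# Read "repository:tag" lines on stdin (the shape produced by
# `docker images --format '{{.Repository}}:{{.Tag}}'`), print every image
# that is not trusted, and return 1 if any were found. Untagged ("<none>")
# images have no traceable origin and are always reported.
audit_images() {
  bad=0
  while IFS= read -r ref; do
    [ -n "$ref" ] || continue
    case $ref in
      "<none>"*)
        printf 'untrusted: %s (dangling, no origin)\n' "$ref"
        bad=$((bad+1))
        continue ;;
    esac
    if ! is_trusted "$ref"; then
      printf 'untrusted: %s\n' "$ref"
      bad=$((bad+1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Live audit on a real host: list images, report untrusted ones, and show
# the layer history of each so its provenance can be reviewed by hand.
live_audit() {
  docker images --format '{{.Repository}}:{{.Tag}}' | audit_images |
  while IFS= read -r line; do
    echo "$line"
    img=${line#untrusted: }
    img=${img%% *}
    [ "$img" = "<none>:<none>" ] || docker history --no-trunc "$img"
  done
}

# Pull with Docker Content Trust enforced: the client refuses tags that are
# not signed in the registry's trust metadata, then shows who signed it.
trusted_pull() {
  DOCKER_CONTENT_TRUST=1 docker pull "$1" && docker trust inspect --pretty "$1"
}

# Constructed sample standing in for `docker images` output on a host.
SAMPLE_IMAGES='nginx:1.25
docker.io/library/alpine:3.19
myorg/app:1.0
registry.example.internal/payments/api:2.3
quay.io/someone/tool:latest
<none>:<none>'

# Run against the constructed sample: ./audit.sh --demo
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_IMAGES" | audit_images
fi
```

On the constructed sample the check reports myorg/app:1.0, quay.io/someone/tool:latest and the dangling <none>:<none> image, because neither docker.io/myorg nor quay.io is in the allowlist and an untagged image cannot be traced to a publisher at all. The normalisation step matters: a bare name such as nginx silently resolves to docker.io/library/nginx, so an allowlist that only matched literal strings would either miss official images or, worse, accept any repository whose name merely begins with a trusted word.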
Impact
None
Default value
Not Applicable
References
- https://titanous.com/posts/docker-insecurity
- https://registry.hub.docker.com/
- http://blog.docker.com/2014/10/docker-1-3-signed-images-process-injection-security-options-mac-shared-directories/
- https://github.com/docker/docker/issues/8093
- https://docs.docker.com/engine/reference/commandline/pull/
- https://github.com/docker/docker/pull/11109
- https://blog.docker.com/2015/11/docker-trusted-registry-1-4/
CIS controls
Version 6
3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers