Only necessary packages are installed in the container

docker

Classification: compliance
Framework: cis-docker
Control: 4.3

Set up the docker integration.

Description

Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface.

Rationale

Unnecessary software should not be installed into containers, as doing so increases their attack surface. Only packages strictly necessary for the correct operation of the application being deployed should be installed.

Audit

  1. List all of the running instances of containers by executing this command: docker ps --quiet
  2. For each container instance, execute this command: docker exec $INSTANCE_ID rpm -qa

The command above lists the packages installed. You should review the list and ensure that everything installed is actually required.
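The two audit steps above, turned into a script (an added example, not part of the CIS benchmark or of this rule's text): it enumerates the running containers, lists each one's installed packages, and reports anything not on an allowlist of packages the workload actually needs. The docker CLI on PATH and the allowlist format (one package name per line) are assumptions of the example. It also goes a step beyond the benchmark's `rpm -qa`, which only works in RPM-based images, by falling back to dpkg for Debian/Ubuntu images and apk for Alpine images.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark or the rule text.
# Audits every running container for packages outside an allowlist.
# Assumptions: the docker CLI is on PATH and can reach the daemon; the
# allowlist is a plain file we define here, one package name per line.
set -eu

# Print the installed package names of one container, one per line.
# The benchmark's audit step uses `rpm -qa`, which covers RPM-based
# images only; this falls back to dpkg (Debian/Ubuntu) and apk (Alpine).
# An image with no shell or no package manager (e.g. a distroless base)
# falls through to the error branch and is reported rather than skipped.
list_container_packages() {
  cid="$1"
  if docker exec "$cid" sh -c 'command -v rpm >/dev/null'; then
    docker exec "$cid" rpm -qa --qf '%{NAME}\n'
  elif docker exec "$cid" sh -c 'command -v dpkg-query >/dev/null'; then
    docker exec "$cid" dpkg-query -W -f '${binary:Package}\n'
  elif docker exec "$cid" sh -c 'command -v apk >/dev/null'; then
    docker exec "$cid" apk info
  else
    echo "$cid: no supported package manager found (rpm/dpkg/apk)" >&2
    return 1
  fi
}

# Print the names in $1 (installed list) that do not appear in $2
# (allowlist). Duplicates are collapsed; an empty result means every
# installed package is on the allowlist.
unexpected_packages() {
  installed="$1"
  allow="$2"
  sort -u "$installed" | grep -v -x -F -f "$allow" || true
}

# Walk every running container (the benchmark's `docker ps --quiet`
# step) and report packages outside the allowlist. Returns 1 if any
# container fails, so the script can gate a CI job or raise an alert.
audit_running_containers() {
  allow="$1"
  rc=0
  for cid in $(docker ps --quiet); do
    pkgs=$(mktemp)
    if ! list_container_packages "$cid" > "$pkgs"; then
      rm -f "$pkgs"
      rc=1
      continue
    fi
    extra=$(unexpected_packages "$pkgs" "$allow")
    rm -f "$pkgs"
    if [ -n "$extra" ]; then
      rc=1
      echo "FAIL $cid: packages outside the allowlist:"
      echo "$extra" | sed 's/^/  /'
    else
      echo "PASS $cid"
    fi
  done
  return "$rc"
}

# Offline demonstration on a constructed package list (no daemon needed).
# The list below is made up and stands in for `rpm -qa` output.
demo_offline() {
  dir=$(mktemp -d)
  printf 'bash\ncoreutils\ncurl\ngcc\nopenssl\nvim\n' > "$dir/installed"
  printf 'bash\ncoreutils\nopenssl\n' > "$dir/allowlist"
  echo "packages not on the allowlist (constructed sample):"
  unexpected_packages "$dir/installed" "$dir/allowlist" | sed 's/^/  /'
  rm -rf "$dir"
}

if [ "${1:-}" = "--live" ]; then
  audit_running_containers "${2:?usage: $0 --live ALLOWLIST_FILE}"
else
  demo_offline
fi
```

Run it with no arguments to see the offline sample, or as `sh audit_packages.sh --live allowlist.txt` against a real daemon. The allowlist is the review step made explicit: anything the script prints is a package nobody has justified, which is exactly what the audit asks you to look for, and keeping the list under version control next to the Dockerfile makes that justification reviewable over time.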

Remediation

You should not install anything within the container that is not required. Consider using a minimal base image rather than the standard Red Hat/CentOS/Debian images if you can. Some of the options available include BusyBox and Alpine. Not only can this trim your image size considerably, but there are also fewer pieces of software which could contain vectors for attack.

Impact

None

Default value

Not Applicable

References

  1. https://docs.docker.com/userguide/dockerimages/
  2. http://www.livewyer.com/blog/2015/02/24/slimming-down-your-docker-containers-alpine-linux
  3. https://github.com/progrium/busybox

CIS controls

Version 6

18 Application Software Security