Images are scanned and rebuilt to include security patches
Description
Images should be scanned frequently for vulnerabilities. Rebuild all affected images so that they include the corresponding security patches, then instantiate new containers from the rebuilt images rather than patching running containers in place.
Rationale
Vulnerabilities are bugs or weaknesses that attackers or malicious users can exploit; security patches are the updates that fix them. Image vulnerability scanning tools find vulnerable packages in an image and report whether a fixed version is available. Applying a patch moves the affected component to a code base that no longer contains the flaw, so staying on a supported version of each component matters: vendors generally do not supply patches for versions that have gone out of support. Evaluate security patches before applying them, and patch in line with the organization's IT Security Policy. Treat the results of vulnerability assessment tools with care: some tools decide purely from software banners or package version strings, so they can report a flaw that a distribution backport has already fixed, or miss one in a component that advertises no version at all.
Audit
- List all the running containers by executing this command:
docker ps --quiet
- For each container instance, use the package manager within the container to check for the availability of security patches.
- Alternatively, run image vulnerability assessment tools to scan all the images in your environment.
- Rebuild images so that the latest versions of the base images are used and the operating system patch level is kept current. Once the images have been rebuilt, stop the running containers and recreate them from the updated images; do not patch running containers in place, as the fix is lost when the container is recreated.
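The audit steps above, carried through as one script. This is an added example and is not part of the CIS benchmark text or of Docker's own tooling: it lists the running containers, reads the distro ID from each container's /etc/os-release, and runs that distro's package manager in simulation mode to count pending security updates. It assumes the docker CLI is on PATH, that each image ships /etc/os-release, and that the package manager inside the image can reach its repositories; the helper names (os_id_from_release, pm_update_cmd, count_apt_security, audit_running_containers) and the sample apt output are this example's own constructions.

```shell
#!/bin/sh
# Added example (not CIS or Docker code): audit running containers for pending
# security updates using the package manager of each image's own distribution.
# Assumptions: docker CLI on PATH, /etc/os-release present in each image, and
# repository access from inside the container.

# Extract the distro ID ("ubuntu", "alpine", ...) from /etc/os-release text on stdin.
os_id_from_release() {
  sed -n 's/^ID=//p' | tr -d '"' | head -n 1
}

# Build the shell command to run inside a container for a given distro ID. Each
# command prints the number of pending security updates without installing them.
# Distros not listed here get "unknown" so the report still shows a row for them.
pm_update_cmd() {
  case "$1" in
    debian|ubuntu)
      # "Inst" lines of a simulated upgrade name the source suite (e.g. jammy-security).
      printf '%s\n' "apt-get update -qq >/dev/null 2>&1; apt-get -s upgrade 2>/dev/null | grep '^Inst ' | grep -c -- '-security' || true" ;;
    alpine)
      # apk has no separate security channel; count every pending upgrade.
      printf '%s\n' "apk update -q >/dev/null 2>&1; apk upgrade --simulate 2>/dev/null | grep -c 'Upgrading' || true" ;;
    fedora|rhel|centos|rocky|almalinux)
      # updateinfo marks security advisories with "/Sec." in its listing.
      printf '%s\n' "dnf -q updateinfo list --security 2>/dev/null | grep -c '/Sec\\.' || true" ;;
    *)
      printf '%s\n' "echo unknown" ;;
  esac
}

# Offline form of the Debian/Ubuntu check: count "Inst" lines from a security
# suite in `apt-get -s upgrade` output supplied on stdin. "Conf" lines and
# updates from non-security suites are ignored.
count_apt_security() {
  grep '^Inst ' | grep -c -- '-security' || true
}

# Constructed sample of `apt-get -s upgrade` output (not captured from a real host):
# two security updates, one regular update, one configure line.
sample_apt_simulation() {
  cat <<'EOF'
Reading package lists...
Building dependency tree...
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst curl [7.81.0-1ubuntu1.15] (7.81.0-1ubuntu1.16 Ubuntu:22.04/jammy-updates [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
EOF
}

# Walk every running container: detect its distro, run the matching check, and
# print one tab-separated row per container (id, image, distro, pending count).
audit_running_containers() {
  for id in $(docker ps --quiet); do
    distro=$(docker exec "$id" cat /etc/os-release 2>/dev/null | os_id_from_release)
    image=$(docker inspect --format '{{.Config.Image}}' "$id")
    pending=$(docker exec "$id" sh -c "$(pm_update_cmd "$distro")" 2>/dev/null || echo unknown)
    printf '%s\t%s\t%s\t%s\n' "$id" "$image" "${distro:-unknown}" "$pending"
  done
}

# Only talk to the Docker daemon when explicitly asked, so the helpers above can
# be sourced and exercised on a host without Docker.
if [ "${1:-}" = "--run" ]; then
  printf 'CONTAINER\tIMAGE\tDISTRO\tPENDING_SECURITY_UPDATES\n'
  audit_running_containers
fi
```

Run it as `sh audit.sh --run`. Any row with a non-zero count identifies an image to rebuild: `docker build --pull --no-cache -t <image>:<tag> .` forces a fresh base image and re-runs every layer, after which the container should be recreated from the new image. The script deliberately simulates rather than installs updates, because installing them inside a running container satisfies the scanner only until the container is recreated from the stale image.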
Impact
None
Default value
By default, containers and images are not updated automatically to address missing operating system security patches.
References
- https://docs.docker.com/userguide/dockerimages/
- https://docs.docker.com/docker-cloud/builds/image-scan/
- https://blog.docker.com/2016/05/docker-security-scanning/
- https://docs.docker.com/engine/reference/builder/#/onbuild
CIS controls
Version 6
18.1 Use Only Vendor-supported Software: For all acquired application software, check that the version you are using is still supported by the vendor. If not, update to the most current version and install all relevant patches and vendor security recommendations.
Version 7
18.3 Verify That Acquired Software is Still Supported: Verify that the version of all software acquired from outside your organization is still supported by the developer or appropriately hardened based on developer security recommendations.