Content trust for Docker is enabled

docker

Classification:

compliance

Framework:

cis-docker

Control:

4.5

Description

Content trust is disabled by default and should be enabled in line with organizational security policy.

Rationale

Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the identity and the publisher of specific image tags and ensures the provenance of container images.

Audit

Execute this command:

echo $DOCKER_CONTENT_TRUST

This should return a value of 1.

Remediation

To enable content trust in a Bash shell, enter the following command:

export DOCKER_CONTENT_TRUST=1

Alternatively, you can set this environment variable in your profile file so that content trust is enabled on every login.
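As an added audit helper (not part of the CIS benchmark text or its vendor page), the following shell script performs the Audit step above (the variable must be exactly 1) and also checks whether a profile file makes the setting persistent, as the Remediation step advises; the profile file paths and the --run flag are this example's own assumptions.

```shell
#!/bin/sh
# Added audit helper for CIS Docker control 4.5; not part of the benchmark text.
# Checks DOCKER_CONTENT_TRUST in the current shell and, optionally, whether a
# profile file exports it so that the setting survives a new login.

# Returns 0 only when the value is exactly "1". Anything else (unset, empty,
# "true", "0") leaves content trust disabled in the Docker CLI.
content_trust_value_ok() {
    [ "$1" = "1" ]
}

# Equivalent of the benchmark's: echo $DOCKER_CONTENT_TRUST  (expected: 1)
audit_current_env() {
    if content_trust_value_ok "${DOCKER_CONTENT_TRUST:-}"; then
        echo "PASS: DOCKER_CONTENT_TRUST=1 in the current shell"
        return 0
    fi
    echo "FAIL: DOCKER_CONTENT_TRUST is '${DOCKER_CONTENT_TRUST:-unset}', expected 1"
    return 1
}

# Returns 0 when the profile file contains an uncommented line of the form
#   export DOCKER_CONTENT_TRUST=1      (quotes around the 1 are tolerated)
# so that the setting is applied on every login.
profile_sets_content_trust() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*export[[:space:]]+DOCKER_CONTENT_TRUST="?1"?[[:space:]]*$' "$1"
}

# Report on every profile file given; returns 0 if at least one sets it.
audit_profiles() {
    found=1
    for f in "$@"; do
        if profile_sets_content_trust "$f"; then
            echo "PASS: $f exports DOCKER_CONTENT_TRUST=1"
            found=0
        else
            echo "INFO: $f does not export DOCKER_CONTENT_TRUST=1"
        fi
    done
    return $found
}

# Run the checks when invoked as: sh audit_content_trust.sh --run
# (the profile paths below are assumptions; adjust them for your shell)
if [ "${1:-}" = "--run" ]; then
    audit_current_env
    audit_profiles "$HOME/.bashrc" "$HOME/.profile" /etc/profile
fi
```

Run it in the same shell session you want to audit, since the variable must be set in the environment the Docker CLI is invoked from.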

Impact

In an environment where DOCKER_CONTENT_TRUST is set, you are required to follow trust procedures whilst working with the image-related commands (build, create, pull, push and run). You can use the --disable-content-trust flag to run individual operations on tagged images without content trust on an as-needed basis, but this defeats the purpose of enabling content trust and therefore should be avoided wherever possible.

Note: Content trust is currently only available for users of the public Docker Hub. It is currently not available for the Docker Trusted Registry or for private registries.

Default value

By default, content trust is disabled.

CIS controls

Version 6

18 Application Software Security