Host devices are hidden from containers

Docs > Datadog Security > OOTB Rules > Host devices are hidden from containers

Classification:

compliance

Framework:

cis-docker

Control:

5.17

Set up the docker integration.

Description

Host devices can be directly exposed to containers at runtime. Do not directly expose host devices to containers, especially to containers that are not trusted.

Rationale

The --device option exposes host devices to containers and as a result of this, containers can directly access these devices. The the container would not need to run in privileged mode to access and manipulate them, as by default, the container is granted this type of access. Additionally, it would possible for containers to remove block devices from the host. You therefore should not expose host devices to containers directly.

If you wish to expose the host device to a container you should consider which sharing permissions you wish to use on a case by case base as appropriate to your organization: r - read only, w - writable, m - mknod allowed

Audit

Use this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Devices={{ .HostConfig.Devices }}'

This command lists out each device with this information: CgroupPermissions

For example, rwm PathInContainer - Device path within the container PathOnHost - Device path on the host Verify that the host device needs to be accessed from within the container and that the permissions required are correctly set. If the above command returns [], then the container does not have access to host devices and is configured in line with good security practices.

Remediation

You should not directly expose host devices to containers. If you do need to expose host devices to containers, you should use granular permissions as appropriate to your organization.

For example, do not start a container using the command docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rwm --device=/dev/temp_sda:/dev/temp_sda:rwm centos bash

You should only share the host device using appropriate permissions: docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rw --device=/dev/temp_sda:/dev/temp_sda:r centos bash

Impact

You would not be able to use host devices directly within containers.

Default value

By default, host devices are not exposed to containers. If you do not provide sharing permissions and choose to expose a host device to a container, the host device is be exposed with read, write and mknod permissions.

References

https://docs.docker.com/engine/reference/commandline/run/#options

CIS controls

Version 6

14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know