Mount propagation mode is always set to a non-shared option
Description
Mount propagation mode allows mounting volumes in shared, slave or private mode on a container. Do not use shared mount propagation mode unless explicitly needed.
Rationale
A shared mount is replicated at all mounts and changes made at any mount point are propagated to all other mount points. Mounting a volume in shared mode does not restrict any other container from mounting and making changes to that volume. As this is likely not a desirable option from a security standpoint, this feature should not be used unless explicitly required.
Audit
Run this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'
This command returns the propagation mode for mounted volumes. The propagation mode should not be set to shared unless needed. The above command might throw errors if there are no mounts. In that case, this recommendation is not applicable.
Remediation
Do not mount volumes with shared mount propagation. For example, do not start a container as follows: docker run <Run arguments> --volume=/hostPath:/containerPath:shared <Container Image Name or ID> <Command>
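As an added example, not part of the benchmark text, the POSIX shell helper below parses the lines printed by the audit command above and flags every container that has a mount with shared or rshared propagation; the sample output and container IDs are constructed.

```shell
#!/bin/sh
# Added audit helper: reads the output of
#   docker ps --quiet --all | xargs docker inspect --format \
#     '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'
# and reports containers whose mounts use shared propagation.

# Constructed sample of audit output (IDs and values are made up, not real).
# {{json}} quotes each mode; a volume with no propagation shows as "".
SAMPLE_AUDIT_OUTPUT='abc123: Propagation= "rprivate"  ""
def456: Propagation= "shared"  "rprivate"
0a9b8c: Propagation= "slave"
1122aa: Propagation= "rshared"
ffffff: Propagation='

# check_propagation reads audit lines on stdin, prints the ID of every
# container with a "shared" or "rshared" mount, and returns 1 if any
# were found (0 otherwise), so it can gate a CI or compliance job.
check_propagation() {
    found=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id=${line%%:*}                 # text before the first colon
        rest=${line#*Propagation=}     # the quoted list of mount modes
        # Match only the exact quoted tokens; "rshared" is matched separately
        # so that "shared" does not accidentally cover it.
        case "$rest" in
            *'"shared"'*|*'"rshared"'*)
                printf '%s\n' "$id"
                found=1 ;;
        esac
    done
    return "$found"
}

# flagged_ids runs check_propagation over a multi-line string and returns
# the flagged IDs as one space-separated line (handy for tests and reports).
flagged_ids() {
    printf '%s\n' "$1" | check_propagation | tr '\n' ' ' | sed 's/ $//'
}

# Live usage against a Docker host (docker required):
#   docker ps --quiet --all | xargs docker inspect --format \
#     '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}' \
#     | check_propagation || echo "shared mount propagation found"
```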
Impact
None
Default value
By default, the container mounts are private.
References
- https://docs.docker.com/storage/bind-mounts/#configure-bind-propagation
- https://docs.docker.com/engine/reference/run/#volume-shared-filesystems
- https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt
CIS controls
Version 6
14 Controlled Access Based on the Need to Know