Docker exec commands are used with a non-root user option

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.23

Set up the docker integration.

Description

You should not run docker exec with the --user=root option (or its equivalent spellings -u root, --user root, and the numeric form --user 0).

Rationale

Passing the --user=root option to docker exec runs the given command inside the container as root, regardless of the user the container's main process was started as. This undermines containers that were deliberately run with reduced capabilities or other restrictions: for example, if a container runs as the tomcat user (or any other non-root user), docker exec --user=root still lets an operator run commands inside it as root, bypassing the protection the non-root user was meant to provide.

Audit

If you have auditing enabled as recommended in Section 1, use this command to list docker exec invocations that use the --user=root option: ausearch -k docker | grep exec | grep user. Note that the final grep matches the literal string user, so this listing will not include invocations that use the short form -u root.
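The following is an added example, not code from the CIS benchmark or from this rule page: a stricter version of the audit check above that rebuilds the argv of each auditd EXECVE record and matches every CLI spelling of the root user (--user=root, --user root, -u root, -u=root, and the numeric forms 0 and 0:0), next to the benchmark's literal grep for comparison. It assumes Section 1 auditing is in place with an audit rule keyed docker on the Docker binary, and reads raw records such as ausearch -k docker --raw emits on stdin; the audit records below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the Datadog rule page).
# Both filters read raw auditd records on stdin, e.g.:  ausearch -k docker --raw | find_root_exec
# Assumption: auditing from Section 1 is configured with a rule keyed "docker".

# The benchmark's filter: literal substring match on "exec" and "user".
cis_grep_filter() {
    grep exec | grep user
}

# Stricter filter: print EXECVE records whose argv is `docker [container] exec`
# with a user flag that resolves to root (name "root" or uid 0, with or without a group).
find_root_exec() {
    awk '
    /^type=EXECVE / {
        argv = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^a[0-9]+=/) {
                v = $i
                sub(/^a[0-9]+=/, "", v)   # strip the aN= prefix
                gsub(/"/, "", v)          # strip auditd quoting (hex-encoded args with spaces are not decoded here)
                argv = argv " " v
            }
        }
        if (argv ~ "^ (/[^ ]*/)?docker (container )?exec " &&
            argv ~ /(^| )(-u|--user)[= ](root|0)(:| |$)/)
            print $0
    }'
}

# Constructed sample records for this example, one EXECVE record per line as auditd writes them.
# :302 and :303 use the short form the literal grep misses; :304 is a non-root user the
# literal grep wrongly flags; :306 is `docker run`, not `docker exec`.
SAMPLE_RECORDS='type=EXECVE msg=audit(1700000000.101:301): argc=5 a0="docker" a1="exec" a2="--user=root" a3="web" a4="bash"
type=EXECVE msg=audit(1700000000.102:302): argc=6 a0="docker" a1="exec" a2="-u" a3="root" a4="web" a5="sh"
type=EXECVE msg=audit(1700000000.103:303): argc=6 a0="docker" a1="exec" a2="-u" a3="0:0" a4="web" a5="id"
type=EXECVE msg=audit(1700000000.104:304): argc=5 a0="docker" a1="exec" a2="--user=tomcat" a3="web" a4="ps"
type=EXECVE msg=audit(1700000000.105:305): argc=4 a0="docker" a1="exec" a2="web" a3="id"
type=EXECVE msg=audit(1700000000.106:306): argc=4 a0="docker" a1="run" a2="--user=root" a3="nginx"
type=EXECVE msg=audit(1700000000.107:307): argc=7 a0="/usr/bin/docker" a1="container" a2="exec" a3="--user" a4="root" a5="web" a6="sh"'

# Stand-alone demo on the constructed records: prints records :301, :302, :303 and :307.
printf '%s\n' "$SAMPLE_RECORDS" | find_root_exec
```

On the constructed records the literal grep returns :301, :304 and :307, so it misses both -u root invocations and flags a harmless --user=tomcat; the argv-based filter returns exactly the four root invocations. Arguments that auditd hex-encodes (those containing spaces or quotes) are left undecoded, which does not affect the user flag itself.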

Remediation

Do not use the --user=root option (or its short form -u root) in docker exec commands; let the command run as the user the container was started with.

Impact

None.

Default value

By default, the docker exec command runs without the --user option, so the command executes as the user the container was started with (the image's USER, or root if the image sets none).

References

  1. https://docs.docker.com/engine/reference/commandline/exec/

CIS controls

Version 6

5 Controlled Use of Administration Privileges