Containers should not mount the Docker socket docker.sock inside them

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.31

Set up the docker integration.

Description

The Docker socket docker.sock should not be mounted inside a container.

Rationale

If the Docker socket is mounted inside a container it could allow processes running within the container to execute Docker commands which would effectively allow for full control of the host.

Audit

Run this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock This returns any instances where docker.sock has been mapped to a container as a volume.

Remediation

You should ensure that no containers mount docker.sock as a volume.

Impact

None

Default value

By default, docker.sock is not mounted inside containers.

References

  1. https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/
  2. https://forums.docker.com/t/docker-in-docker-vs-mounting-var-run-docker-sock/9450/2
  3. https://github.com/docker/docker/issues/21109

CIS controls

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services