Classification:
compliance
Framework:
cis-docker
Control:
5.31
Description:
The Docker socket docker.sock should not be mounted inside a container.
Rationale:
If the Docker socket is mounted inside a container, processes running within the container can execute Docker commands, which effectively gives them full control of the host.
Audit:
Run this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep docker.sock
This returns any instances where docker.sock has been mapped to a container as a volume.
Remediation:
You should ensure that no containers mount docker.sock as a volume.
Impact:
None
Default Value:
By default, docker.sock is not mounted inside containers.
CIS Controls:
Version 6
9 Limitation and Control of Network Ports, Protocols, and Services
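The audit command above greps the whole inspect output for the string docker.sock, so it can miss a socket bind-mounted at a renamed destination and can match unrelated names. The following is an added example, not part of the CIS benchmark, that checks the mount Source field of `docker inspect` JSON instead; the sample inspect data and socket path list are constructed for illustration.

```python
import json
import sys

# Paths at which the Docker daemon socket normally lives on the host (assumption:
# extend this set if your daemon is configured to listen elsewhere).
DOCKER_SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def find_docker_sock_mounts(inspect_json: str) -> list:
    """Return one finding per bind mount whose host Source is the Docker socket.

    `inspect_json` is the JSON array printed by `docker inspect <ids...>`.
    Matching on the mount Source (not the whole output) avoids false positives
    such as a container named 'docker.sock-proxy' and still catches the socket
    when it is mounted at an unusual Destination inside the container.
    """
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            source = mount.get("Source", "").rstrip("/")
            if mount.get("Type") == "bind" and source in DOCKER_SOCKET_PATHS:
                findings.append({
                    "id": container["Id"][:12],
                    "name": name,
                    "source": source,
                    "destination": mount.get("Destination"),
                    "rw": mount.get("RW", True),
                })
    return findings


# Constructed sample: a clean container with a named volume, and a container
# that bind-mounts the socket read-write under a non-standard destination.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f60000", "Name": "/web",
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data", "RW": True}]},
    {"Id": "0f9e8d7c6b5a0000", "Name": "/ci-runner",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/tmp/engine.sock", "RW": True}]},
])

if __name__ == "__main__":
    # Read real inspect output from stdin when piped; otherwise use the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else ""
    for f in find_docker_sock_mounts(data or SAMPLE_INSPECT):
        print(f"{f['id']} ({f['name']}): {f['source']} -> {f['destination']} rw={f['rw']}")
```

Against a live host, feed it the same container list the audit uses: `docker ps --quiet --all | xargs docker inspect | python3 check_docker_sock.py`; any line printed is a finding for this control.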