Sensitive host system directories should not be mounted on containers

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.5

Set up the docker integration.

Description

You should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode. / /boot /dev /etc /lib /proc /sys /usr

Rationale

If sensitive directories are mounted in read-write mode, it is possible to make changes to files within them. This has obvious security implications and should be avoided.

Audit

Run this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.

Remediation

Do not mount directories which are security sensitive on the host within containers, especially in read-write mode.

Impact

None

Default value

Docker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.

References

  1. https://docs.docker.com/engine/tutorials/dockervolumes/

CIS controls

Version 6

14 Controlled Access Based on the Need to Know Controlled Access Based on the Need to Know