Classification:
compliance
Framework:
cis-docker
Control:
5.5
You should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode.
/
/boot
/dev
/etc
/lib
/proc
/sys
/usr
If sensitive directories are mounted in read-write mode, a process inside the container can modify files within them on the host. This has obvious security implications and should be avoided.
Run this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}'
This command returns a list of currently mapped directories and indicates whether they are mounted in read-write mode for each container instance.
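As an added example that is not part of the benchmark text, the following Python helper applies this audit to the JSON that docker inspect emits: it flags every mount whose host source is, or lies under, one of the listed directories and reports whether it is read-write. The inspect output embedded below is constructed sample data; the field names (Id, Mounts, Source, Destination, RW) are the ones docker inspect actually produces.

```python
import json
from pathlib import PurePosixPath

# Host directories that CIS Docker Benchmark control 5.5 lists as sensitive.
SENSITIVE_HOST_DIRS = ["/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr"]

def sensitive_parent(source):
    """Return the sensitive directory that `source` equals or lies under, else None.
    "/" is matched exactly only; treating it as a prefix would flag every bind mount."""
    src = PurePosixPath(source)
    for d in SENSITIVE_HOST_DIRS:
        if d == "/":
            if str(src) == "/":
                return d
        elif src == PurePosixPath(d) or PurePosixPath(d) in src.parents:
            return d
    return None

def audit(inspect_json):
    """Parse `docker inspect` output (a JSON list of containers) and return
    (short id, host source, container destination, rw, sensitive root) per finding."""
    findings = []
    for container in json.loads(inspect_json):
        for m in container.get("Mounts", []):
            root = sensitive_parent(m.get("Source", ""))
            if root is not None:
                findings.append((container["Id"][:12], m["Source"],
                                 m["Destination"], bool(m.get("RW")), root))
    return findings

# Constructed sample: two containers, one benign mount, two read-write
# sensitive mounts and one read-only mount under /usr.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f6a1b2c3d4", "Mounts": [
        {"Type": "bind", "Source": "/etc", "Destination": "/host-etc", "RW": True},
        {"Type": "bind", "Source": "/var/log/app", "Destination": "/logs", "RW": True}]},
    {"Id": "0f9e8d7c6b5a0f9e8d7c", "Mounts": [
        {"Type": "bind", "Source": "/usr/share/zoneinfo",
         "Destination": "/usr/share/zoneinfo", "RW": False},
        {"Type": "bind", "Source": "/proc", "Destination": "/host/proc", "RW": True}]},
])

if __name__ == "__main__":
    for cid, src, dst, rw, root in audit(SAMPLE_INSPECT):
        mode = "READ-WRITE" if rw else "read-only"
        print(f"{cid}: {src} -> {dst} ({mode}, under sensitive {root})")
```

On a real host, pipe `docker ps --quiet --all | xargs docker inspect` into audit() instead of the constructed sample.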
Do not mount security-sensitive host directories within containers, especially in read-write mode.
None
Docker mounts volumes read-write by default, but a directory can also be mounted read-only. By default, no sensitive host directories are mounted within containers.
Version 6
14 Controlled Access Based on the Need to Know