V-235783

Discussion

Sensitive host system directories such as below should not be allowed to be mounted as container volumes especially in read-write mode. Linux: / /boot /dev /etc /lib /proc /sys /usr Windows: %windir% (C:\Windows) %windir%\system32 (C:\Windows\system32) %programdata% %programData%\docker C:\Program Files C:\Program Files (x86) C:\Users If sensitive directories are mounted in read-write mode, it would be possible to make changes to files within those sensitive directories. The changes might bring down security implications or unwarranted changes that could put the Docker host in compromised state. Docker defaults to a read-write volume but the user can also mount a directory read-only. By default, no sensitive host directories are mounted on containers.

Check Content

This check only applies to the use of Docker Engine - Enterprise.

Verify that no running containers have mounted sensitive host system directories. Refer to System Security Plan for list of sensitive folders.

via CLI:

Execute the following command as a trusted user on the host operating system:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep -iv "ucp\|kubelet\|dtr"

Verify in the output that no containers are running with mounted RW access to sensitive host system directories. If there are containers mounted with RW access to sensitive host system directories, this is a finding.