4.4 Rebuild the images to include security patches

Information

Instead of patching your containers and images, rebuild the images from scratch and instantiate new containers from it.Security patches are updates to products to resolve known issues. These patchesupdate the system to the most recent code base. Being on the current code base is important because that's where vendors focus on fixing problems. Evaluate the security patches before applying and follow the patching best practices.
On conventional systems, rebuilding the system is a risky operation, because it is rarely done, and many components can diverge over time between two rebuilds. However, when using state-of-the-art configuration management or a build system like the one provided by Docker with Dockerfiles, rebuilds are easy to do, and fast. This allows (and promotes) frequent rebuilds, and ensures that at any given time, it is safe (and reliable) to do such a full rebuilds. As such, in case of security vulnerability affecting a package or library, rebuilding with the latest available software is the best practice and should be followed.

Solution

Follow the below steps to rebuild the images with security patches-Step 1- 'docker pull' all the base images (i.e., given your set of Dockerfiles, extract all images declared in 'FROM'instructions, and re-pull them to check for an updated version).
Step 2- Force a rebuild of each image with 'docker build --no-cache'.
Step 3- Restart all containers with the updated images.
Impact-
Rebuilding the images has to be done after upstream packages are available, otherwise re-pulling and rebuilding will do no good. When the affected packages are in the base image, it is necessary to pull it (and therefore rebuild). When the affected packages are in the downloaded packages, it is not necessary to pull the image; but nonetheless, in doubt, it is recommended to always follow this strict procedure and rebuild the entire image.
Note- If updated packages are not available and it is critical to install a security patch, live patching could be used.
Default Value-
By default, containers and images are not updated of their own.

See Also

https://workbench.cisecurity.org/files/516

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7

Plugin: Unix

Control ID: e32ad9849fc50f3c5c5794ea5f182bbc3955964d7663bda7c8e4714daf9424a6