4.5 Enable Content trust for Docker

Information

Content trust is disabled by default. You should enable it.

Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the integrity and publisher of specific image tags. This ensures provenance of container images.

Solution

To enable content trust in a bash shell, enter the following command:

export DOCKER_CONTENT_TRUST=1

Alternatively, set this environment variable in your profile file so that content trust is enabled on every login.

Impact

In an environment where DOCKER_CONTENT_TRUST is set, you are required to follow trust procedures while working with images - build, create, pull, push and run. You can use the --disable-content-trust flag to run individual operations on tagged images without content trust on an as-needed basis, but that defeats the purpose of enabling content trust and hence should be avoided wherever possible.

Note

Content trust is currently only available for users of the public Docker Hub. It is currently not available for the Docker Trusted Registry or for private registries.

Default Value

By default, content trust is disabled.
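The following POSIX shell helper is an added example, not part of the CIS benchmark or the Tenable audit plugin; it checks the two places the recommendation names: the current shell environment and a login profile file. The profile path and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper for "Enable Content trust for Docker" (added example).
# A conservative check: only the exact recommended value, 1, counts as compliant.

# Return 0 if the supplied value is the recommended DOCKER_CONTENT_TRUST setting.
content_trust_enabled() {
    [ "$1" = "1" ]
}

# Return 0 if the running shell (what a `docker` command would inherit right now)
# has DOCKER_CONTENT_TRUST=1 in its environment.
check_env() {
    content_trust_enabled "${DOCKER_CONTENT_TRUST:-}"
}

# Return 0 if a profile file persistently sets DOCKER_CONTENT_TRUST=1.
# Accepts "export DOCKER_CONTENT_TRUST=1" or a bare "DOCKER_CONTENT_TRUST=1"
# on its own line; comments, quotes and other values are treated as not set.
check_profile_file() {
    file="$1"
    [ -r "$file" ] || return 1
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?DOCKER_CONTENT_TRUST=1[[:space:]]*$' "$file"
}

# Report on the live environment and a list of profile files (paths are assumptions).
audit_content_trust() {
    if check_env; then
        echo "PASS: DOCKER_CONTENT_TRUST=1 is set in the current environment"
    else
        echo "FAIL: DOCKER_CONTENT_TRUST is not set to 1 in the current environment"
    fi
    for f in "$HOME/.profile" "$HOME/.bash_profile" /etc/profile; do
        if check_profile_file "$f"; then
            echo "PASS: $f exports DOCKER_CONTENT_TRUST=1"
        else
            echo "INFO: $f does not set DOCKER_CONTENT_TRUST=1"
        fi
    done
}

# Constructed sample profile, used only to demonstrate the file check.
demo_profile_check() {
    tmp=$(mktemp)
    printf 'export PATH=$PATH:/usr/local/bin\nexport DOCKER_CONTENT_TRUST=1\n' > "$tmp"
    check_profile_file "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `audit_content_trust` interactively to see which of the two configuration points is in effect; an unset variable in the environment together with a PASS on a profile file means the setting will only apply after the next login.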

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(6)

Plugin: Unix

Control ID: 6b3c6a20ff33dbc303215a11cd73078da8f0a5ac7c4b840d9d90b629bd1e7ad3