Information
Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile.
Rationale:
Placing update instructions on a line of their own in the Dockerfile causes the update layer to be cached. When you later build any image using the same instruction, the previously cached update layer is used. This could prevent fresh updates from reaching later builds.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Use update instructions together with install instructions (or any other instructions) and pin package versions when installing them. This busts the cache and forces the build to extract the required versions.
Alternatively, you could use the --no-cache flag during the docker build process to avoid using cached layers.
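One way to check a Dockerfile for this condition before it is built, as an added example that is not part of the benchmark or of Nessus. It assumes only apt-get, apt and apk index refreshes are of interest and only shell-form RUN instructions are used; the function names and both sample Dockerfiles are constructed for illustration.

```python
import re

# Assumption: only apt-get/apt/apk index refreshes are checked; extend for other package managers.
UPDATE = re.compile(r"\b(?:apt-get|apt|apk)\s+(?:-\S+\s+)*update\b")
INSTALL = re.compile(r"\b(?:apt-get|apt|apk)\s+(?:-\S+\s+)*(?:install|add|upgrade|dist-upgrade)\b")

def logical_instructions(dockerfile_text):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = [], None
    for number, raw in enumerate(dockerfile_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are dropped, even inside a continuation
        start = start or number
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)

def find_standalone_updates(dockerfile_text):
    """Return (line, instruction) for each RUN that refreshes the index but installs nothing."""
    findings = []
    for number, instruction in logical_instructions(dockerfile_text):
        parts = instruction.split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "RUN":
            # An update with no install in the same RUN becomes its own cached layer.
            if UPDATE.search(parts[1]) and not INSTALL.search(parts[1]):
                findings.append((number, instruction))
    return findings

# Constructed sample Dockerfiles (not taken from any real image).
WEAK = """FROM debian:bookworm
RUN apt-get update
RUN apt-get install -y curl
"""

# <pinned-version> is a placeholder; replace it with the exact package version you require.
FIXED = """FROM debian:bookworm
RUN apt-get update && \\
    apt-get install -y --no-install-recommends curl=<pinned-version> && \\
    rm -rf /var/lib/apt/lists/*
"""

if __name__ == "__main__":
    print(find_standalone_updates(WEAK), find_standalone_updates(FIXED))
```

A non-empty result for a Dockerfile means at least one update instruction sits in its own layer and should be merged with the install step that depends on it.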
Impact:
None
Default Value:
By default, Docker does not enforce any restrictions on using update instructions.