4.4 Scan and rebuild the images to include security patches

Information

Images should be scanned "frequently" for any vulnerabilities. Rebuild the images to include patches and then instantiate new containers from it.

Rationale:

Vulnerabilities are loopholes/bugs that can be exploited and security patches are updates to resolve these vulnerabilities. We can use image vulnerability scanning tools to find any kind of vulnerabilities within the images and then check for available patches to mitigate these vulnerabilities. Patchesupdate the system to the most recent code base. Being on the current code base is important because that's where vendors focus on fixing problems. Evaluate the security patches before applying and follow the patching best practices.

Also, it would be better if, image vulnerability scanning tools could perform binary level analysis or hash based verification instead of just version string matching.

Solution

Follow the below steps to rebuild the images with security patches:



Step 1: 'docker pull' all the base images (i.e., given your set of Dockerfiles, extract all images declared in 'FROM'instructions, and re-pull them to check for an updated/patched versions). Patch the packages within the images too.

Step 2: Force a rebuild of each image with 'docker build --no-cache'.

Step 3: Restart all containers with the updated images.

You could also use ONBUILD directive in the Dockerfile to trigger particular update instructions for images that you know are used as base images frequently.

Impact:

None

Default Value:

By default, containers and images are not updated of their own.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7

Plugin: Unix

Control ID: 5fddca60bfd2e474ae51419dc08b42419e89d70a140b84a6f2018097cbfeab36