6.6 Avoid image sprawl

Information

Do not keep a large number of container images on the same host. Use only tagged images
as appropriate.

Tagged images are useful to fall back from 'latest' to a specific version of an image in
production. Images with unused or old tags may contain vulnerabilities that could be
exploited if those images are instantiated. Additionally, if you fail to remove unused images
from the system and many such redundant images accumulate, the host filesystem may become
full, which could lead to denial of service.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Keep only the set of images that you actually need and establish a workflow to remove old or
stale images from the host. Additionally, use features such as pull-by-digest to get specific
images from the registry. You can also follow the steps below to find unused images on the
system and delete them.

Step 1: Make a list of all image IDs that are currently instantiated by executing the
command below:

docker ps -q | xargs docker inspect --format '{{ .Id }}- Image={{ .Image }}'

Step 2: List all the images present on the system by executing the command below:

docker images

Step 3: Compare the lists of image IDs produced in Step 1 and Step 2 and find the images
that are not currently instantiated.

Step 4: Decide whether you want to keep the images that are not currently in use. If not,
delete them by executing the command below:

docker rmi $IMAGE_ID
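The comparison in Step 3 is easy to get wrong by hand because the two commands print image IDs in different forms. The script below is an added example, not part of the CIS benchmark or the Nessus text; it automates Steps 1 through 3 on constructed sample output and assumes Step 2 is run as `docker images -q --no-trunc` so both lists carry full `sha256:` IDs.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or Nessus: automates Steps 1-3
# (list images in use, list all images, compute the difference) so that
# Step 4 starts from an explicit list to review rather than a manual comparison.
# Assumption: Step 2 is run as `docker images -q --no-trunc` so that it prints
# full "sha256:..." IDs, the same form `docker inspect` prints for .Image.

# Reduce Step 1 lines ("<container-id>- Image=<image-id>") to the image IDs.
extract_in_use() {
    printf '%s\n' "$1" | sed -n 's/^.*- Image=//p'
}

# Print every ID from the Step 2 list ($2) that no Step 1 line ($1) references,
# without duplicates. Both arguments are newline-separated text.
unused_images() {
    {
        extract_in_use "$1"
        printf '%s\n' '---'
        printf '%s\n' "$2"
    } | awk '
        /^---$/   { part = 2; next }
        $0 == ""  { next }
        part != 2 { used[$0] = 1; next }
        !($0 in used) && !seen[$0]++ { print }'
}

# Constructed sample output standing in for the two docker commands.
STEP1_SAMPLE='c0ffee01- Image=sha256:aaaa1111
c0ffee02- Image=sha256:bbbb2222
c0ffee03- Image=sha256:aaaa1111'
STEP2_SAMPLE='sha256:aaaa1111
sha256:bbbb2222
sha256:cccc3333
sha256:dddd4444'

# Only running containers count as "instantiated" here, as in Step 1; an image
# still referenced by a stopped container (see docker ps -a) will appear in this
# list and docker rmi will refuse to delete it until that container is removed.
unused_images "$STEP1_SAMPLE" "$STEP2_SAMPLE"

# Live wiring on a Docker host (left commented so the example runs offline):
# in_use=$(docker ps -q | xargs docker inspect --format '{{ .Id }}- Image={{ .Image }}')
# all=$(docker images -q --no-trunc)
# unused_images "$in_use" "$all"
```

Review the printed list before deleting anything: an image that no running container uses may still be the pinned fallback version the text above recommends keeping.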

Impact: None

Default Value: Images and layered filesystems remain accessible on the host until the administrator
removes all tags that refer to those images or layers.

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 88ba9f84174bea2de4b9a4efadd8b1170ba8a5d957c33749aae812d9eb2dc857