1.7 Only allow trusted users to control Docker daemon

Information

The Docker daemon currently requires 'root' privileges. A user added to the 'docker'
group gives him full 'root' access rights.

Docker allows you to share a directory between the Docker host and a guest container
without limiting the access rights of the container. This means that you can start a
container and map the / directory on your host to the container. The container will then be
able to alter your host file system without any restrictions. In simple terms, it means that
you can attain elevated privileges with just being a member of the 'docker' group and then
starting a container with mapped / directory on the host.

Solution

Remove any users from the 'docker' group that are not trusted. Additionally, do not create
a mapping of sensitive directories on host to container volumes.

Impact-Rights to build and execute containers as normal user would be restricted.

Default Value-Not Applicable

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10)

Plugin: Unix

Control ID: e3d860133267388f761a9d9812dd0029cad8b2ef7aa11a798bf20242f6c44c04