4.5 Ensure Content trust for Docker is Enabled

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Content trust is disabled by default and should be enabled in line with organizational security policy.

Rationale:

Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the identity and the publisher of specific image tags and ensures the provenance of container images.

Solution

To enable content trust in a bash shell, you should enter the following command:

export DOCKER_CONTENT_TRUST=1

Alternatively, you could set this environment variable in your profile file so that content trust in enabled on every login.

Impact:

In an environment where DOCKER_CONTENT_TRUST is set, you are required to follow trust procedures whilst working with the image related commands - build, create, pull, pushand run. You can use the --disable-content-trust flag to run individual operations on tagged images without content trust on an as needed basis, but this defeats the purpose of enabling content trust and therefore should be avoided wherever possible.

Note: Content trust is currently only available for users of the public Docker Hub. It is currently not available for the Docker Trusted Registry or for private registries.

Default Value:

By default, content trust is disabled.

See Also

https://workbench.cisecurity.org/files/2433

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(6), CSCv6|18

Plugin: Unix

Control ID: 308eed6aa0b13da2d9ea25a1b117066d5ff1618e05168c0e81fbbcd168b9af63