5.32 Ensure that the Docker socket is not mounted inside any containers

Information

The Docker socket (docker.sock, by default /var/run/docker.sock on Linux, or the \\.\pipe\docker_engine named pipe on Windows) should not be mounted inside a container.

Rationale:

If the Docker socket is mounted inside a container, any process in that container that can write to the socket can issue arbitrary Docker API calls to the daemon, which runs as root on the host. Such a process could, for example, start a new container with --privileged or with the host's root filesystem bind-mounted, and thereby obtain full root control of the host. Mounting the socket therefore negates the isolation the container itself provides and is equivalent to granting the container host root.

Impact:

None

Solution

You should ensure that no containers mount docker.sock as a volume, either directly (for example -v /var/run/docker.sock:/var/run/docker.sock) or indirectly by bind-mounting a directory that contains it, such as /var/run or /run. Remove such mounts from run commands, Compose files and orchestration manifests. Where a workload genuinely needs to talk to the daemon (a CI runner or monitoring agent, say), treat it as having root on the host and restrict and monitor it accordingly.
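An audit helper for this check, added here as an example and not part of the CIS benchmark text. It lists every container's mounts with `docker inspect` and greps them for the socket. Because a name match alone misses a container that bind-mounts a parent directory of the socket (/run, /var/run or /), the pattern also flags those sources; it assumes the daemon listens at its default path, so a socket at a custom -H path would need adding. The live function needs the Docker CLI and a reachable daemon; the offline run at the bottom uses constructed sample output (the container IDs are made up) and needs only POSIX sh, grep and cut.

```shell
#!/bin/sh
# Added audit helper for CIS 5.32; not part of the benchmark text.
# Assumes the Docker CLI is on PATH for list_container_mounts and that
# the daemon uses its default socket path.

# One line per container: "<id>: Mounts=<mounts> Binds=<binds>".
# .Mounts is what the daemon actually mounted; .HostConfig.Binds keeps
# the original -v/--mount "source:destination" strings.
list_container_mounts() {
    for id in $(docker ps --quiet --all); do
        docker inspect --format \
            '{{ .Id }}: Mounts={{ .Mounts }} Binds={{ .HostConfig.Binds }}' "$id"
    done
}

# Matches the socket itself (docker.sock on Linux, the docker_engine
# named pipe on Windows) and, as the caveat a name check misses, bind
# mounts whose host source is a parent directory of the socket
# (/run, /var/run or /) in either the Mounts or the Binds rendering.
SOCKET_PATTERN='docker\.sock|docker_engine|[[:space:]]/(var/run|run)?[[:space:]]|(\[|[[:space:]])/(var/run|run)?:'

# Reads "<id>: ..." lines on stdin and prints the offending IDs.
# Returns 1 if at least one container exposes the socket, else 0.
find_socket_mounts() {
    offenders=$(grep -E "$SOCKET_PATTERN" | cut -d: -f1)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Constructed sample output in the shape the format string above
# produces (IDs are invented): one container mounts the socket, one
# mounts /run, one only uses a named volume and is clean.
SAMPLE='aaa111: Mounts=[{bind  /var/run/docker.sock /var/run/docker.sock   true rprivate}] Binds=[/var/run/docker.sock:/var/run/docker.sock]
bbb222: Mounts=[{bind  /run /host/run   true rprivate}] Binds=[/run:/host/run]
ccc333: Mounts=[{volume data /var/lib/docker/volumes/data/_data /data local z true }] Binds=[]'

# Offline run against the sample. For a live audit replace the printf
# with:   list_container_mounts | find_socket_mounts
printf '%s\n' "$SAMPLE" | find_socket_mounts \
    && echo "PASS: no container mounts the Docker socket" \
    || echo "FAIL: the containers listed above mount the Docker socket"
```

The check is deliberately conservative: a container that mounts /run or / is reported even though it may not intend to reach the socket, because it has access to it all the same. Expect the sample run to report aaa111 and bbb222 and leave ccc333 unreported.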

Default Value:

By default, docker.sock is not mounted inside containers.

See Also

https://workbench.cisecurity.org/files/4532