5.28 Ensure that Docker commands always make use of the latest version of their image

Information

You should always ensure that you are using the latest version of the images within your repository and not cached older versions.

Rationale:

Multiple Docker commands such as docker pull, docker run etc. are known to have an issue whereby, by default, they use the local copy of the image, if present, even though an updated version of the image with the same tag exists in the upstream repository. This could lead to using older images containing known vulnerabilities.

Impact:

None

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

You should use proper version pinning mechanisms (the 'latest' tag which is assigned by default is still vulnerable to caching attacks) to avoid extracting cached older versions. Version pinning mechanisms should be used for base images, packages, and entire images. You can customize version pinning rules according to your requirements.
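One way to audit base-image pinning in a Dockerfile, as an added example that is not part of the benchmark or of Nessus: it classifies every FROM reference as digest-pinned (PASS), tag-only (WARN) or floating (FAIL) and returns non-zero when a floating reference is present. The sample Dockerfile and the all-zero sha256 value are constructed placeholders.

```shell
# Added example, not from the benchmark: audit FROM lines of a Dockerfile for
# version pinning. PASS = pinned by @sha256 digest (immutable); WARN = tag only
# (a tag can be re-pointed upstream); FAIL = no tag or ':latest' (floating, so a
# stale cached copy is likely); STAGE = reference to an earlier build stage.
classify_ref() {
    ref=$1
    case "$ref" in
        scratch)    echo PASS; return ;;   # empty base image, nothing to pull
        *@sha256:*) echo PASS; return ;;
        *:latest)   echo FAIL; return ;;
    esac
    # Strip any registry prefix (which may contain ':port') before tag detection.
    case "${ref##*/}" in
        *:*) echo WARN ;;
        *)   echo FAIL ;;
    esac
}

# Reads a Dockerfile on stdin, prints "<verdict> <reference>" per FROM line,
# and returns 1 if any reference is a FAIL (so it can gate a CI build).
audit_dockerfile() {
    rc=0; stages=""
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case "$1" in FROM|from) shift ;; *) continue ;; esac
        while [ "${1#--}" != "$1" ]; do shift; done    # skip --platform=... flags
        ref=$1
        case " $stages " in
            *" $ref "*) verdict=STAGE ;;
            *)          verdict=$(classify_ref "$ref") ;;
        esac
        [ "$#" -ge 3 ] && stages="$stages $3"           # remember 'AS <name>'
        [ "$verdict" = FAIL ] && rc=1
        echo "$verdict $ref"
    done
    return $rc
}

# Constructed sample; the sha256 value is an all-zero placeholder, not a real digest.
SAMPLE_DOCKERFILE='FROM golang:1.21 AS build
FROM --platform=linux/amd64 alpine
FROM nginx:latest
FROM build
FROM registry.example.com:5000/app/base:2.0@sha256:0000000000000000000000000000000000000000000000000000000000000000'

# Audit the sample; for a real file use: audit_dockerfile < Dockerfile
printf '%s\n' "$SAMPLE_DOCKERFILE" | audit_dockerfile || echo "unpinned base image(s) present" >&2
```

Tag-only references get WARN rather than PASS because a tag such as 2.0 can be moved to a different image upstream, which is exactly the caching problem described above; only a digest names one immutable image.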

Default Value:

By default, Docker commands extract the local copy unless version pinning mechanisms are used or the local cache is cleared.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv7|5.2

Plugin: Unix

Control ID: 31f658a348ef6eb1dec334587583f39ce9d0861472ed4834ba8ba378b215aa6d