5.6 Ensure sensitive host system directories are not mounted on containers

Information

You should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode.

/

/boot

/dev

/etc

/lib

/proc

/sys

/usr

Rationale:

If sensitive directories are mounted in read-write mode, it could be possible to make changes to files within them. This has obvious security implications and should be avoided.

Impact:

None.

Solution

You should not mount directories which are security sensitive on the host within containers, especially in read-write mode.

Default Value:

Docker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(10), CSCv7|13

Plugin: Unix

Control ID: 022647179bf7e814eac2379ddf697bc27b6b18d155c7da163dfcc8a9ef00b426