4.5 Ensure Content trust for Docker is Enabled

Information

Content trust is disabled by default and should be enabled in line with organizational security policy.

Rationale:

Content trust provides the ability to use digital signatures for data sent to and received from remote Docker registries. These signatures allow client-side verification of the identity and the publisher of specific image tags and ensures the provenance of container images.

Impact:

In an environment where DOCKER_CONTENT_TRUST is set, you are required to follow trust procedures whilst working with the image related commands - build, create, pull, push and run. You can use the --disable-content-trust flag to run individual operations on tagged images without content trust on an as needed basis, but this defeats the purpose of enabling content trust and therefore should be avoided wherever possible.

Note: Content trust is currently only available for users of the public Docker Hub. It is currently not available for the Docker Trusted Registry or for private registries.

Solution

To enable content trust in a bash shell, you should enter the following command:

export DOCKER_CONTENT_TRUST=1

Alternatively, you could set this environment variable in your profile file so that content trust in enabled on every login.

Default Value:

By default, content trust is disabled.

See Also

https://workbench.cisecurity.org/benchmarks/11818

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(10), CSCv7|13

Plugin: Unix

Control ID: 84e5c7b68fb81a173583bac61ee862233cf860923df930b049c1bb3a32a19e5e