DKER-EE-001190 - Docker Enterprise sensitive host system directories must not be mounted on containers.

Information

Sensitive host system directories such as below should not be allowed to be mounted as container volumes especially in read-write mode.

Linux:

/
/boot
/dev
/etc
/lib
/proc
/sys
/usr

Windows:

%windir% (C:Windows)
%windir%system32 (C:Windowssystem32)
%programdata%
%programData%docker
C:Program Files
C:Program Files (x86)
C:Users

If sensitive directories are mounted in read-write mode, it would be possible to make changes to files within those sensitive directories. The changes might bring down security implications or unwarranted changes that could put the Docker host in compromised state.

Docker defaults to a read-write volume but the user can also mount a directory read-only. By default, no sensitive host directories are mounted on containers.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

This fix only applies to the use of Docker Engine - Enterprise.

Do not mount host sensitive directories on containers especially in read-write mode.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-Unix_V2R2_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CAT|II, CCI|CCI-000213, Rule-ID|SV-235783r960792_rule, STIG-ID|DKER-EE-001190, STIG-Legacy|SV-104737, STIG-Legacy|V-95599, Vuln-ID|V-235783

Plugin: Unix

Control ID: c8512793c471ac96fb11cfc51cf47aafedbea8dfb50b5002b098f98ee0a1d9e6