UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Docker Enterprise sensitive host system directories must not be mounted on containers.


Overview

Finding ID Version Rule ID IA Controls Severity
V-95599 DKER-EE-001190 SV-104737r1_rule Medium
Description
Sensitive host system directories such as below should not be allowed to be mounted as container volumes especially in read-write mode. Linux: / /boot /dev /etc /lib /proc /sys /usr Windows: %windir% (C:\Windows) %windir%\system32 (C:\Windows\system32) %programdata% %programData%\docker C:\Program Files C:\Program Files (x86) C:\Users If sensitive directories are mounted in read-write mode, it would be possible to make changes to files within those sensitive directories. The changes might bring down security implications or unwarranted changes that could put the Docker host in compromised state. Docker defaults to a read-write volume but the user can also mount a directory read-only. By default, no sensitive host directories are mounted on containers.
STIG Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide 2019-09-13

Details

Check Text ( C-94427r1_chk )
This check only applies to the use of Docker Engine - Enterprise.

Verify that no running containers have mounted sensitive host system directories. Refer to System Security Plan for list of sensitive folders.

via CLI:

Execute the following command as a trusted user on the host operating system:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep -iv "ucp\|kubelet\|dtr"

Verify in the output that no containers are running with mounted RW access to sensitive host system directories. If there are containers mounted with RW access to sensitive host system directories, this is a finding.
Fix Text (F-101265r1_fix)
This fix only applies to the use of Docker Engine - Enterprise.

Do not mount host sensitive directories on containers especially in read-write mode.