4.4 Ensure images are scanned and rebuilt to include security patches


Images should be scanned frequently for vulnerabilities. Rebuild the images to include the available patches, then instantiate new containers from the rebuilt images.
Vulnerabilities are loopholes or bugs that can be exploited, and security patches are updates that resolve them. Image vulnerability scanning tools can be used to find vulnerabilities within the images; the next step is to check for available patches that mitigate them. Patches bring the system to the most recent code base, which matters because that is where vendors focus their fixes. Evaluate security patches before applying them and follow patching best practices.
Ideally, image vulnerability scanning tools should also perform binary-level analysis or hash-based verification rather than relying on version string matching alone, since a version string can be unchanged after a backported fix or misleading for a locally rebuilt package.


Follow the steps below to rebuild the images with security patches:
Step 1: Pull all the base images (i.e., given your set of Dockerfiles, extract all images declared in FROM instructions and re-pull them to pick up updated/patched versions). Patch the packages within the images too.
docker pull
Step 2: Force a rebuild of each image so that no stale cached layer is reused:
docker build --no-cache
Step 3: Restart all containers with the updated images.
You could also use the ONBUILD directive in the Dockerfile to trigger particular update instructions for images that you know are frequently used as base images.
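The three steps above as one POSIX shell script (an added example, not part of the benchmark text or of the Docker project). It assumes each service keeps its Dockerfile in its own build directory and that an orchestrator such as docker compose recreates containers once the rebuilt image exists; the Dockerfile parsing is a constructed helper, and the final check lists containers still running the pre-rebuild image ID so that a missed restart is visible.

```shell
#!/bin/sh
# Added example (not from the benchmark text). Assumes each service keeps a
# Dockerfile in its own build directory and that containers are recreated by
# an orchestrator (e.g. docker compose) once the rebuilt image is available.
set -eu

# Step 1: list the base images a Dockerfile declares, so each can be re-pulled.
# Skips multi-stage aliases (FROM builder), "scratch" and --platform options.
base_images() {
  awk '
    toupper($1) == "FROM" {
      img = $2
      if (img ~ /^--/) img = $3                       # FROM --platform=... image
      for (i = 2; i < NF; i++)
        if (toupper($i) == "AS") alias[$(i + 1)] = 1  # remember stage names
      if (img == "scratch" || (img in alias) || (img in seen)) next
      seen[img] = 1
      print img
    }' "$1"
}

# Step 3 check: containers whose image ID is not what the tag now resolves to,
# i.e. containers still running the pre-rebuild (unpatched) image.
stale_containers() {
  current=$(docker image inspect -f '{{.Id}}' "$1")
  docker ps -q | while read -r cid; do
    docker inspect -f '{{.Config.Image}} {{.Image}} {{.Id}}' "$cid"
  done | awk -v tag="$1" -v cur="$current" '$1 == tag && $2 != cur { print $3 }'
}

# Steps 1-3 for one image: re-pull bases, rebuild without cache, then report
# the containers that must be recreated from the new image.
rebuild_with_patches() {
  ctx=$1   # build context directory containing the Dockerfile
  tag=$2   # image tag to rebuild
  base_images "$ctx/Dockerfile" | while read -r img; do
    docker pull "$img"              # set -e aborts the run if a pull fails
  done
  docker build --no-cache -t "$tag" "$ctx"
  stale_containers "$tag"
}
```

Run it as `rebuild_with_patches ./services/api myorg/api:latest` (hypothetical paths) and recreate the container IDs it prints with your orchestrator, for compose `docker compose up -d --force-recreate`.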
Default Value:
By default, containers and images are not updated on their own.

Item Details


References: 800-53|CM-7, CSCv6|18.1

Plugin: Unix

Control ID: 6952564972fed8b9049b6f681d4183edde16c89748d5c2231b89bb888488803e