1.1.2 Ensure only trusted users are allowed to control Docker daemon

Information

The Docker daemon currently requires access to the Docker socket which is, by default, owned by the user root and the group docker.

Rationale:

Docker allows you to share a directory between the Docker host and a guest container without limiting the access rights of the container. This means that you can start a container and map the / directory on your host to the container. The container would then be able to modify your host file system without any restrictions. This means that you could gain elevated privileges simply by being a member of the docker group and subsequently start a container which maps the root / directory on the host.

Impact:

Provided the proceeding instructions are implemented, rights to build and execute containers as normal user would be restricted.

Solution

You should remove any untrusted users from the docker group. Additionally, you should not create a mapping of sensitive directories from the host to container volumes.

Default Value:

Not Applicable

See Also

https://workbench.cisecurity.org/files/3353

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-1, 800-53|AC-2, 800-53|IA-4, 800-53|IA-5, CSCv6|5.1, CSCv7|4

Plugin: Unix

Control ID: ebf96a37d376c85a7263a57518eee1f57eee52e8518a770fd799b1e7f8c0b9f4