🚀Launch Week 07, Jaunary 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/docker_compliance
Overview
1Dashboards
88Controls
88Queries
2Variables
GitHub

Control: 5.20 Ensure mount propagation mode is not set to shared

Description

Mount propagation mode allows mounting volumes in shared, slave or private mode on a container. Do not use shared mount propagation mode unless explicitly needed.

A shared mount is replicated at all mounts and changes made at any mount point are propagated to all other mount points.

Mounting a volume in shared mode does not restrict any other container from mounting and making changes to that volume.

As this is likely not a desirable option from a security standpoint, this feature should not be used unless explicitly required.

Remediation

Do not mount volumes in shared mode propagation. For example, do not start a container as below:

docker run <Run arguments> --volume=/hostPath:/containerPath:shared
<Container Image Name or ID> <Command>

Default Value

By default, the container mounts are private.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_20

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_20 --share

SQL

This control uses a named query:

docker_container_mount_propagation_mode_shared

Tags

category = Compliance
cis = true
cis_item_id = 5.20
cis_level = 5
cis_section_id = 5
cis_type = manual
cis_version = v1.6.0
plugin = docker
service = Docker