Control: 5.20 Ensure mount propagation mode is not set to shared
Description
Mount propagation mode allows mounting volumes in shared, slave or private mode on a container. Do not use shared mount propagation mode unless explicitly needed.
A shared mount is replicated at all mounts and changes made at any mount point are propagated to all other mount points.
Mounting a volume in shared mode does not restrict any other container from mounting and making changes to that volume.
As this is likely not a desirable option from a security standpoint, this feature should not be used unless explicitly required.
Remediation
Do not mount volumes in shared mode propagation. For example, do not start a container as below:
docker run <Run arguments> --volume=/hostPath:/containerPath:shared<Container Image Name or ID> <Command>Default Value
By default, the container mounts are private.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_20Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_5_20 --shareSQL
This control uses a named query:
docker_container_mount_propagation_mode_shared