Loading controls...
Control: 5.6 Ensure sensitive host system directories are not mounted on containers
Description
You should not allow sensitive host system directories such as those listed below to be mounted as container volumes, especially in read-write mode.
//boot/dev/etc/lib/proc/sys/usrIf sensitive directories are mounted in read-write mode, it could be possible to make changes to files within them. This has obvious security implications and should be avoided.
Remediation
You should not mount directories which are security sensitive on the host within containers, especially in read-write mode.
docker run --interactive --tty --privileged centos /bin/bashDefault Value
Docker defaults to using a read-write volume but you can also mount a directory read-only. By default, no sensitive host directories are mounted within containers.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_6Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_5_6 --shareSQL
This control uses a named query:
docker_container_host_system_directories_mounted