turbot/steampipe-mod-docker-compliance

Control: 5.32 Ensure that the Docker socket is not mounted inside any containers

Description

The Docker socket docker.sock should not be mounted inside a container.

If the Docker socket is mounted inside a container, processes running within the container can execute Docker commands against the host daemon, which effectively gives them full control of the host.

Remediation

You should ensure that no containers mount docker.sock as a volume.

Default Value

By default, docker.sock is not mounted inside containers.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_32

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_32 --share

SQL

This control uses a named query:

with hostname as (
  -- one row per connection: the name of the host that ran the command
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
command_output as (
  -- list the mounts of every container (running or stopped) and keep only
  -- the lines that mention docker.sock; empty output means no match
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command
  where
    command = 'docker ps --quiet --all | xargs docker inspect --format ''{{ .Id }}: Volumes={{ .Mounts }}'' | grep docker.sock'
)
select
  host as resource,
  case
    when o.stdout_output = '' then 'ok'
    else 'alarm'
  end as status,
  case
    when o.stdout_output = '' then host || ' Docker socket is not mounted inside any containers.'
    else host || ' Docker socket is mounted inside ' || (btrim(o.stdout_output, E' \n\r\t')) || '.'
  end as reason,
  h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  command_output as o
where
  h.host_conn = o.conn;
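
The query above relies on grep matching the string docker.sock in the mount list. As an added example (not part of the mod), the Python below reproduces the control's ok/alarm decision over the JSON that `docker inspect` returns for the same container IDs, and also flags a bind mount whose source is a parent directory of /var/run/docker.sock (such as /var/run itself), which exposes the socket but contains no "docker.sock" substring and so would not be caught by the grep. The sample inspect records, container IDs and names are constructed for the example; the function names are the example's own.

```python
import json
from pathlib import PurePosixPath

# Host-side path of the Docker daemon socket that the control is about.
DOCKER_SOCK = PurePosixPath("/var/run/docker.sock")

# Constructed sample: a trimmed `docker inspect` result for three containers.
# Not output captured from any real host.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data"}]},
    {"Id": "bbb222", "Name": "/agent",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Id": "ccc333", "Name": "/sidecar",
     "Mounts": [{"Type": "bind", "Source": "/var/run",
                 "Destination": "/host-run"}]},
])


def mount_exposes_socket(mount):
    """True if a bind mount hands the container the daemon socket, either
    directly or by mounting one of its ancestor directories."""
    src = mount.get("Source", "")
    if mount.get("Type") != "bind" or not src:
        return False
    src_path = PurePosixPath(src)
    return src_path == DOCKER_SOCK or src_path in DOCKER_SOCK.parents


def find_socket_mounts(inspect_json):
    """Return (container id, source, destination) for every exposing mount."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount_exposes_socket(mount):
                findings.append(
                    (container["Id"], mount["Source"], mount["Destination"]))
    return findings


def control_status(inspect_json, host="localhost"):
    """Mirror the control's status/reason columns for one host."""
    findings = find_socket_mounts(inspect_json)
    if not findings:
        return "ok", f"{host} Docker socket is not mounted inside any containers."
    detail = "; ".join(f"{cid}: {src} -> {dst}" for cid, src, dst in findings)
    return "alarm", f"{host} Docker socket is mounted inside {detail}."


if __name__ == "__main__":
    # On a real host the input would be: docker inspect $(docker ps -aq)
    status, reason = control_status(SAMPLE_INSPECT, host="sample-host")
    print(status, reason)
```

The `Type == "bind"` test keeps named volumes under /var/lib/docker/volumes out of the result, so only host paths are considered; the ancestor check is what distinguishes this from the substring match in the query.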

Tags