Check: CNTR-MK-000550
Mirantis Kubernetes Engine STIG:
CNTR-MK-000550
(in version v1 r1)
Title
The Docker socket must not be mounted inside any containers. (Cat II impact)
Discussion
The Docker socket docker.sock must not be mounted inside a container; the only exception is during the installation of the Universal Control Plane (UCP) component of Docker Enterprise, where it is required for install. If the Docker socket is mounted inside a container, processes running within the container can execute docker commands, which effectively gives them full control of the host. By default, docker.sock (Linux) and \\.\pipe\docker_engine (Windows) are not mounted inside containers.
Check Content
If using Kubernetes orchestration, this check is Not Applicable. When using Swarm orchestration, log in to the CLI as an MKE Admin and execute the following command using an MKE client bundle:

docker ps --all --filter "label=com.docker.ucp.version" | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep -i "docker.sock\|docker_engine"

If the Docker socket is mounted inside containers, this is a finding. If "volumes" is not present or if "docker.sock" is listed, this is a finding.
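The grep in the check above works on the Go-template rendering of .Mounts, which is hard to read when many containers are in scope. The following is an added example (not part of the STIG or of any Mirantis tooling) that applies the same test to the JSON that `docker inspect` emits, for instance from `docker inspect $(docker ps -aq) | python3 check_socket.py`. The container records embedded in SAMPLE_INSPECT are constructed for the demonstration and abridged to the fields used; the function names are this example's own. It matches both ends of each mount (host Source and container Destination) against the same two patterns the STIG uses, docker.sock and docker_engine, so the Windows named pipe is caught as well. Every match is reported; applying the UCP-install exception from the Discussion is left to the assessor.

```python
"""Flag containers whose mounts expose the Docker daemon socket or named pipe.

Input is the JSON array printed by `docker inspect <id>...`.
"""
import json
import re
import sys

# Constructed sample of `docker inspect` output (abridged). Not real MKE data.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaaa1111",
        "Name": "/ucp-agent",
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
        ],
    },
    {
        "Id": "bbbb2222",
        "Name": "/web",
        "Mounts": [
            {"Type": "volume", "Name": "webdata",
             "Source": "/var/lib/docker/volumes/webdata/_data",
             "Destination": "/data", "RW": True},
        ],
    },
    {
        "Id": "cccc3333",
        "Name": "/win-agent",
        "Mounts": [
            # Windows engine socket is a named pipe: \\.\pipe\docker_engine
            {"Type": "npipe", "Source": "\\\\.\\pipe\\docker_engine",
             "Destination": "\\\\.\\pipe\\docker_engine", "RW": True},
        ],
    },
    {"Id": "dddd4444", "Name": "/no-mounts", "Mounts": []},
])

# Same two patterns as the STIG's grep -i, case-insensitive.
SOCKET_PATTERN = re.compile(r"docker\.sock|docker_engine", re.IGNORECASE)


def find_socket_mounts(inspect_json):
    """Return (id, name, source, destination) for each mount that exposes the
    Docker socket on either the host side or the container side."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            src = mount.get("Source", "")
            dst = mount.get("Destination", "")
            if SOCKET_PATTERN.search(src) or SOCKET_PATTERN.search(dst):
                findings.append((container["Id"], container.get("Name", ""), src, dst))
    return findings


def is_finding(inspect_json):
    """True when any container in the inspect output mounts the Docker socket."""
    return bool(find_socket_mounts(inspect_json))


if __name__ == "__main__":
    # Read real inspect output from a pipe; fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for cid, name, src, dst in find_socket_mounts(data):
        print(f"FINDING {cid} ({name}): {src} -> {dst}")
    sys.exit(1 if is_finding(data) else 0)
```

The script exits non-zero when a finding exists, so it can be dropped into a periodic compliance job; an empty Mounts list is not reported, consistent with the grep producing no output for such containers.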
Fix Text
If using Kubernetes orchestration, this check is Not Applicable. When using Swarm orchestration and using the -v/--volume flags to mount volumes into containers in a docker run command, do not use docker.sock as a volume. A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/. Review nonsystem containers previously created by these users without the runAsGroup; they must be removed using: docker container rm [container]
Additional Identifiers
Rule ID: SV-260922r966123_rule
Vulnerability ID: V-260922
Group Title: SRG-APP-000141-CTR-000315
CCIs
Number | Definition
---|---
CCI-000381 | The organization configures the information system to provide only essential capabilities.
Controls
Number | Title
---|---
CM-7 | Least Functionality