turbot/docker_compliance
GitHub
Loading controls...

Control: 5.20 Ensure mount propagation mode is not set to shared

Description

Mount propagation mode allows mounting volumes in shared, slave or private mode on a container. Do not use shared mount propagation mode unless explicitly needed.

A shared mount is replicated at all mounts and changes made at any mount point are propagated to all other mount points.

Mounting a volume in shared mode does not restrict any other container from mounting and making changes to that volume.

As this is likely not a desirable option from a security standpoint, this feature should not be used unless explicitly required.

Remediation

Do not mount volumes in shared mode propagation. For example, do not start a container as below:

docker run <Run arguments> --volume=/hostPath:/containerPath:shared
<Container Image Name or ID> <Command>

Default Value

By default, the container mounts are private.

Usage

Run the control in your terminal:

steampipe check docker_compliance.control.cis_v160_5_20

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share docker_compliance.control.cis_v160_5_20

SQL

This control uses a named query:

docker_container_mount_propagation_mode_shared

Tags