Control: 5.20 Ensure mount propagation mode is not set to shared
Mount propagation mode allows mounting volumes in shared, slave or private mode on a container. Do not use shared mount propagation mode unless explicitly needed.
A shared mount is replicated at all mounts and changes made at any mount point are propagated to all other mount points.
Mounting a volume in shared mode does not restrict any other container from mounting and making changes to that volume.
As this is likely not a desirable option from a security standpoint, this feature should not be used unless explicitly required.
Do not mount volumes with shared propagation mode. For example, do not start a container as below:
docker run <Run arguments> --volume=/hostPath:/containerPath:shared <Container Image Name or ID> <Command>
By default, the container mounts are private.
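As an added illustration (not part of the Steampipe control or the CIS text), the same check can be run locally against the JSON that `docker inspect` prints, flagging any mount whose Propagation is shared. The container names, paths and JSON below are constructed sample data; treating "rshared" as well as "shared" as a finding is this example's assumption.

```python
import json

# Propagation values that replicate mount events across host and container.
# "rshared" is the recursive variant; flagging both is an assumption here.
SHARED_MODES = {"shared", "rshared"}


def find_shared_mounts(inspect_output):
    """Return (container, destination, propagation) for each shared mount.

    `inspect_output` is the parsed JSON list that `docker inspect` prints,
    e.g. from: docker inspect $(docker ps -aq)
    """
    findings = []
    for container in inspect_output:
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            # Docker's default for bind mounts is rprivate; named volumes
            # report an empty Propagation string. Neither is a finding.
            propagation = mount.get("Propagation", "rprivate")
            if propagation in SHARED_MODES:
                findings.append((name, mount.get("Destination"), propagation))
    return findings


# Constructed sample resembling `docker inspect` output; not real containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web",
   "Mounts": [
     {"Type": "bind", "Source": "/srv/www", "Destination": "/var/www",
      "Mode": "shared", "RW": true, "Propagation": "rshared"}]},
  {"Name": "/db",
   "Mounts": [
     {"Type": "volume", "Name": "dbdata", "Destination": "/var/lib/postgresql",
      "Mode": "z", "RW": true, "Propagation": ""}]},
  {"Name": "/cache",
   "Mounts": [
     {"Type": "bind", "Source": "/tmp/cache", "Destination": "/cache",
      "Mode": "rprivate", "RW": true, "Propagation": "rprivate"}]}
]
""")

if __name__ == "__main__":
    for name, dest, propagation in find_shared_mounts(SAMPLE_INSPECT):
        print(f"ALARM {name}: {dest} mounted with propagation={propagation}")
```

Only the constructed `web` container is reported; the default-private bind mount and the named volume pass.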
Run the control in your terminal:
steampipe check docker_compliance.control.cis_v160_5_20
Snapshot and share results via Steampipe Cloud:
steampipe login
steampipe check --share docker_compliance.control.cis_v160_5_20
This control uses a named query: docker_container_mount_propagation_mode_shared