Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
SRG-APP-000141
SRG-APP-000141
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-APP-000141
1 Rule
<GroupDescription></GroupDescription>
All Docker Enterprise containers root filesystem must be mounted as read only.
High Severity
<VulnDiscussion>The container's root filesystem should be treated as a 'golden image' by using Docker run's --read-only option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure. Enabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. Enabling --read-only at container runtime may break some container OS packages if a data writing strategy is not defined. Define what the container's data should and should not persist at runtime to determine which recommendation procedure to utilize. Example: - Enable use --tmpfs for temporary file writes to /tmp - Use Docker shared data volumes for persistent data writes By default, a container will have its root filesystem writable allowing all container processes to write files owned by the container's runtime user.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>