aquasecurity/docker-bench

CIS Benchmarks -- Docker Hosts -- 2.18 Ensure containers are restricted from acquiring new privileges

amitaqua opened this issue · 1 comment

It seems we do not check the value in the /etc/docker/daemon.json file.

So if we configure there:
"no-new-privileges": true

This is not checked during the compliance check and produces a fail result.
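A check of the kind this issue asks for, added here as an example and not docker-bench's own code: it looks for no-new-privileges on the dockerd command line and in daemon.json, passes if either enables it, and separately reports the case where the option is set in both places, since dockerd then refuses to start with the "specified both as a flag and in the configuration file" error. The sample daemon.json is constructed (written to a temp file) and mirrors the one in the issue; the function names, the grep/sed parsing (which assumes the usual one-key-per-line layout and boolean values), and passing the dockerd command line as a string instead of reading it from ps are assumptions.

```shell
#!/bin/sh
# Added example, not docker-bench code. Assumes a one-key-per-line daemon.json
# with boolean values; a minified file would need a real JSON parser.

# Constructed sample daemon.json mirroring the one in the issue.
DAEMON_JSON="$(mktemp)"
trap 'rm -f "$DAEMON_JSON"' EXIT
cat >"$DAEMON_JSON" <<'EOF'
{
  "data-root": "/mnt/mydocker/docker-data",
  "userland-proxy": false,
  "no-new-privileges": true
}
EOF

# Print the boolean value of $1 in daemon.json $2 (empty if absent or no file).
config_file_value() {
  key="$1"; file="$2"
  [ -f "$file" ] || return 0
  grep -E "^[[:space:]]*\"$key\"[[:space:]]*:" "$file" \
    | sed -E 's/^[^:]*:[[:space:]]*([a-z]+).*/\1/' | head -n 1
}

# True if the dockerd command line (given as one string) enables the option.
# In docker-bench the real command line would come from ps.
flag_enabled() {
  case " $1 " in
    *" --no-new-privileges "*|*" --no-new-privileges=true "*) return 0 ;;
  esac
  return 1
}

# Evaluate CIS 2.18. Returns 0 = PASS, 1 = WARN, 2 = CONFLICT.
# Setting the option both as a flag and in the file is reported as a conflict
# because dockerd refuses to start in that configuration.
check_2_18() {
  cmdline="$1"; file="$2"
  fileval="$(config_file_value no-new-privileges "$file")"
  if flag_enabled "$cmdline" && [ -n "$fileval" ]; then
    echo "CONFLICT - 2.18 no-new-privileges set both as a flag and in $file; dockerd will not start"
    return 2
  fi
  if flag_enabled "$cmdline" || [ "$fileval" = "true" ]; then
    echo "PASS - 2.18 Ensure containers are restricted from acquiring new privileges"
    return 0
  fi
  echo "WARN - 2.18 Ensure containers are restricted from acquiring new privileges"
  return 1
}

# Demo: file only (PASS), flag plus file (CONFLICT), neither (WARN).
check_2_18 "dockerd" "$DAEMON_JSON" || true
check_2_18 "dockerd --no-new-privileges" "$DAEMON_JSON" || true
check_2_18 "dockerd" /nonexistent/daemon.json || true
```

Run it as a plain sh script; the three demo calls print PASS, CONFLICT and WARN in that order. To drop it into a real check, replace the command-line string with the dockerd process arguments and point the second argument at /etc/docker/daemon.json.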

@yoavrotems it still shows as not fixed in my test:
[root@aquadocker docker-bench]# dockerd --no-new-privileges
unable to configure the Docker daemon with file /etc/docker/daemon.json: the following directives are specified both as a flag and in the configuration file: no-new-privileges: (from flag: true, from file: true)
[root@aquadocker docker-bench]# more /etc/docker/daemon.json
{
"data-root": "/mnt/mydocker/docker-data",
"userland-proxy": false,
"no-new-privileges": true
}
[root@aquadocker docker-bench]#