
Ensure update instructions are not used alone in the Dockerfile

Details

Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile.

Rationale:

Putting an update instruction on its own line in the Dockerfile causes Docker to cache that layer. When a later image is built with the same instruction, the previously cached update layer is reused instead of being re-run, so fresh package updates may never reach the later builds.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Combine update instructions with install instructions (or other commands) in the same layer, and pin package versions when installing them. This busts the cache and forces the required versions to be fetched.
Alternatively, you could use the --no-cache flag during the docker build process to avoid using cached layers.
Impact:
None
Default Value:
By default, docker does not enforce any restrictions on using update instructions.
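As an added check that is not part of the benchmark or of Nessus's audit, the following Python script scans a Dockerfile for RUN instructions that refresh the package index without installing anything in the same layer. The sample Dockerfile, including its pinned curl version, is constructed for illustration.

```python
"""Flag Dockerfile RUN instructions that run a package-index update alone."""
import re

# Constructed sample Dockerfile. Lines 2-3 are the weak form the benchmark
# describes (update in its own cached layer, install in a separate one);
# line 4 is the hardened form: update and pinned install in one layer, with
# the apt lists removed so the layer stays small. Version is illustrative.
SAMPLE_DOCKERFILE = """\
FROM debian:12-slim
RUN apt-get update
RUN apt-get install -y curl
RUN apt-get update && apt-get install -y --no-install-recommends \\
        curl=7.88.1-10+deb12u5 \\
    && rm -rf /var/lib/apt/lists/*
"""

UPDATE_RE = re.compile(r"\b(apt-get|apt|apk|yum|dnf)\s+update\b")
INSTALL_RE = re.compile(r"\b(apt-get|apt|apk|yum|dnf)\s+(install|add)\b")


def run_instructions(dockerfile: str):
    """Yield (line_no, command) for each RUN, joining backslash continuations."""
    lines = dockerfile.splitlines()
    i = 0
    while i < len(lines):
        start = i
        logical = lines[i]
        # A trailing backslash continues the instruction on the next line.
        while logical.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            logical = logical.rstrip()[:-1] + " " + lines[i].strip()
        i += 1
        m = re.match(r"\s*RUN\s+(.*)", logical, re.IGNORECASE)
        if m:
            yield start + 1, m.group(1)


def find_lone_updates(dockerfile: str):
    """Return line numbers of RUN instructions that update the package index
    without installing anything in the same layer (the pattern CIS flags)."""
    return [ln for ln, cmd in run_instructions(dockerfile)
            if UPDATE_RE.search(cmd) and not INSTALL_RE.search(cmd)]


if __name__ == "__main__":
    for ln in find_lone_updates(SAMPLE_DOCKERFILE):
        print(f"line {ln}: package-index update without install in same layer")
```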

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Updated on July 16, 2022