SPL · Apache-2.0 · from splunk/security_content
Linux Docker Root Directory Mount
This detection identifies Docker containers that mount the host's root directory into the container filesystem. Mounting the entire host root directory into a container effectively grants the container visibility and potential write access to all files on the host system. If the container is running as root or with elevated capabilities (e.g., --privileged), the risk is significantly increased.
Rule source: detections/endpoint/linux_docker_root_directory_mount.yml
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Endpoint.Processes where
Processes.process_name=docker*
Processes.process IN (
"* -v *",
"* --volume *"
)
Processes.process="* /:/*"
by Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id
Processes.process_integrity_level Processes.process_name
Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `linux_docker_root_directory_mount_filter`
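To make the search's wildcard predicates concrete, here is an added Python check (not part of splunk/security_content) run over constructed Endpoint.Processes-style events. matches_spl mirrors the rule literally, which means the SPL patterns need a space on each side of -v/--volume and before /:/, so a second, broader parser (mounts_host_root) also covers the --volume=/:/... and --mount ...,source=/ spellings that the literal patterns do not match. The event fields, the helper names and the sample command lines are assumptions for this example.

```python
import shlex

# Constructed sample Endpoint.Processes-style events (not from the rule page).
EVENTS = [
    {"dest": "host1", "process_name": "docker", "process": "docker run -v /:/host -it alpine sh"},
    {"dest": "host1", "process_name": "docker", "process": "docker run --volume /:/mnt --privileged ubuntu"},
    {"dest": "host2", "process_name": "docker", "process": "docker run -v /var/log:/logs:ro nginx"},
    {"dest": "host2", "process_name": "docker", "process": "docker run --volume=/:/host alpine"},
    {"dest": "host3", "process_name": "docker", "process": "docker run --mount type=bind,source=/,target=/host alpine"},
    {"dest": "host3", "process_name": "bash", "process": "bash -c 'echo -v /:/ >/dev/null'"},
]

def matches_spl(event):
    """Mirror the SPL predicates literally: process_name=docker*, process
    matching '* -v *' or '* --volume *', and process matching '* /:/*'.
    The wildcards imply surrounding spaces, so '--volume=/:/host' and
    '--mount ...' forms fall outside the rule as written."""
    p = event["process"]
    return (event["process_name"].startswith("docker")
            and (" -v " in p or " --volume " in p)
            and " /:/" in p)

def mounts_host_root(event):
    """Broader check: tokenize the command line and inspect the common
    bind-mount argument forms (-v X, --volume X, --volume=X, --mount ...)
    for a host source of exactly '/'."""
    if not event["process_name"].startswith("docker"):
        return False
    try:
        argv = shlex.split(event["process"])
    except ValueError:  # unbalanced quotes: not parseable, do not guess
        return False
    specs = []
    for i, tok in enumerate(argv):
        if tok in ("-v", "--volume", "--mount") and i + 1 < len(argv):
            specs.append((tok, argv[i + 1]))
        elif tok.startswith(("--volume=", "--mount=")):
            specs.append(tuple(tok.split("=", 1)))
    for flag, spec in specs:
        if flag == "--mount":
            opts = dict(kv.split("=", 1) for kv in spec.split(",") if "=" in kv)
            if opts.get("source", opts.get("src")) == "/":
                return True
        elif spec.split(":", 1)[0] == "/":  # host path is the part before ':'
            return True
    return False

def run(events, check):
    """Return the events a given predicate flags, in input order."""
    return [e for e in events if check(e)]
```

Running both predicates over EVENTS shows the literal rule flags the first two events while the parser also flags the --volume= and --mount forms; the bash event is ignored by both because process_name does not start with docker.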