Prompt #125

Back to prompts
FU5 docker.sock audit pattern
Analysis Β· claude-3.7-sonnet
5/5
Variables
{'name': 'compose_file', 'description': 'e.g. /docker-yaml/ai-stack.yml'}, {'name': 'service', 'description': 'specific container, optional'}
Tags
stack-aware,security,docker-sock,fu5,audit
Source
research-2026-05-01-stack-aware-handcrafted
Use count
0
Created
2026-05-01T18:30:35.938632+00:00
Updated
2026-05-01T18:30:35.938632+00:00

Content

Audit `{compose_file}` (or specific service `{service}`) for docker.sock exposure following FU5 methodology (rag-stack#84).

Steps:
1. `grep -nE 'docker\.sock' {compose_file}` β€” find all mounts
2. For each: classify
   - **JUSTIFIED + RO** β€” read-only mount, only reads container list (e.g., monitoring). Document reason.
   - **JUSTIFIED + RW** β€” has explicit use-case (portainer, dockge, autoheal). Document reason + risk.
   - **UNJUSTIFIED** β€” no clear reason. Recommend removal.
   - **NEEDS REVIEW** β€” uncertain. Flag for operator.
3. CRITICAL caveat: `:ro` on UNIX socket mounts is NOT enforced by Linux kernel. `tecnativa/docker-socket-proxy` is the only real boundary.
4. Verify code-level use: `grep -rE 'docker\.sock|docker\.from_env|DOCKER_HOST' /nvmetank1/AI/` for the source code path
5. For unjustified findings: propose mount removal, document rollback (backup compose first to /tank2/backups/$(date +%Y-%m-%d)/)

Output as table: container | mount-mode | classification | reason | mitigation