Benchmark: 5 Container Runtime Configuration
Overview
There are many security implications associated with the ways that containers are started. Some runtime parameters, if supplied, have security consequences that can compromise the host and the other containers running on it. It is therefore very important to verify the way in which containers are started and which parameters are associated with them. Container runtime configuration should be reviewed in line with organizational security policy.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-docker-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select 5 Container Runtime Configuration.
Run this benchmark in your terminal:
powerpipe benchmark run docker_compliance.benchmark.cis_v160_5
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run docker_compliance.benchmark.cis_v160_5 --share
Controls
- 5.1 Ensure swarm mode is not Enabled, if not needed
- 5.2 Ensure that, if applicable, an AppArmor Profile is enabled
- 5.5 Ensure that privileged containers are not used
- 5.6 Ensure sensitive host system directories are not mounted on containers
- 5.10 Ensure that the host's network namespace is not shared
- 5.11 Ensure that the memory usage for containers is limited
- 5.12 Ensure that CPU priority is set appropriately on containers
- 5.13 Ensure that the container's root filesystem is mounted as read only
- 5.15 Ensure that the 'on-failure' container restart policy is set to '5'
- 5.16 Ensure that the host's process namespace is not shared
- 5.17 Ensure that the host's IPC namespace is not shared
- 5.18 Ensure that host devices are not directly exposed to containers
- 5.19 Ensure that the default ulimit is overwritten at runtime if needed
- 5.20 Ensure mount propagation mode is not set to shared
- 5.21 Ensure that the host's UTS namespace is not shared
- 5.22 Ensure the default seccomp profile is not Disabled
- 5.23 Ensure that docker exec commands are not used with the privileged option
- 5.24 Ensure that docker exec commands are not used with the user=root option
- 5.25 Ensure that cgroup usage is confirmed
- 5.26 Ensure that the container is restricted from acquiring additional privileges
- 5.29 Ensure that the PIDs cgroup limit is used
- 5.31 Ensure that the host's user namespaces are not shared
- 5.32 Ensure that the Docker socket is not mounted inside any containers
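Each control above corresponds to a field of the container's runtime configuration, which is what the benchmark ultimately evaluates. As an added example (not code from the Steampipe mod, which queries the Docker API through SQL), the Python below reads the JSON that `docker inspect` emits and decides the controls that can be judged from a single container record. The two container documents are constructed by hand and carry only the fields the checks read; the controls that need host state or the daemon's exec history rather than the container record (5.1, 5.2, 5.19, 5.23, 5.24, 5.25) are left out, and the per-control rules (sensitive directories, CPU shares of 0 or 1024 meaning default, restart count of 5) follow the control titles listed above.

```python
"""Evaluate `docker inspect` records against CIS Docker Benchmark v1.6.0 section 5.

Added example, not part of turbot/steampipe-mod-docker-compliance. Pipe real
output in with `docker inspect <container> | python3 cis_section5.py`; with no
piped input the two constructed sample records below are evaluated instead.
"""
import json
import sys

# 5.6: host directories that must not be bind-mounted into a container.
SENSITIVE_DIRS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
# 5.32: paths at which the Docker daemon socket lives on the host.
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")


def _mount_root(source: str) -> str:
    """Top-level host directory a bind source lives under ('/etc/ssl' -> '/etc')."""
    parts = source.rstrip("/").split("/")
    return "/" + parts[1] if len(parts) > 1 and parts[1] else "/"


def evaluate_container(doc: dict) -> dict:
    """Return {control_id: passed} for the section 5 controls visible in one inspect record."""
    hc = doc.get("HostConfig") or {}
    secopts = hc.get("SecurityOpt") or []
    mounts = doc.get("Mounts") or []
    restart = hc.get("RestartPolicy") or {}
    bind_roots = {_mount_root(m.get("Source", "")) for m in mounts if m.get("Type") == "bind"}
    return {
        "5.5": not hc.get("Privileged", False),
        "5.6": not (bind_roots & set(SENSITIVE_DIRS)),
        "5.10": hc.get("NetworkMode") != "host",
        "5.11": (hc.get("Memory") or 0) > 0,                  # 0 means no memory limit
        "5.12": hc.get("CpuShares", 0) not in (0, 1024),      # 0 / 1024 are the defaults
        "5.13": bool(hc.get("ReadonlyRootfs", False)),
        "5.15": restart.get("Name") == "on-failure" and restart.get("MaximumRetryCount") == 5,
        "5.16": hc.get("PidMode") != "host",
        "5.17": hc.get("IpcMode") != "host",
        "5.18": not hc.get("Devices"),
        "5.20": not any(m.get("Propagation") in ("shared", "rshared") for m in mounts),
        "5.21": hc.get("UTSMode") != "host",
        "5.22": "seccomp=unconfined" not in secopts,
        "5.26": any(o.startswith("no-new-privileges") and not o.endswith("false") for o in secopts),
        "5.29": (hc.get("PidsLimit") or 0) > 0,               # None, 0 and -1 all mean unlimited
        "5.31": hc.get("UsernsMode") != "host",
        "5.32": not any(m.get("Source") in DOCKER_SOCKETS for m in mounts),
    }


def failing_controls(doc: dict) -> list:
    """Control ids the record fails, ordered numerically (5.5 before 5.10)."""
    failed = [cid for cid, ok in evaluate_container(doc).items() if not ok]
    return sorted(failed, key=lambda cid: int(cid.split(".")[1]))


# Constructed sample: a container started with the hardening the controls ask for.
HARDENED = {
    "Name": "/api-hardened",
    "HostConfig": {
        "Privileged": False, "NetworkMode": "bridge", "PidMode": "", "IpcMode": "private",
        "UTSMode": "", "UsernsMode": "", "ReadonlyRootfs": True, "Memory": 268435456,
        "CpuShares": 512, "PidsLimit": 100, "Devices": [], "SecurityOpt": ["no-new-privileges"],
        "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
    },
    "Mounts": [{"Type": "volume", "Name": "appdata",
                "Source": "/var/lib/docker/volumes/appdata/_data", "Destination": "/data",
                "Propagation": ""}],
}

# Constructed sample: a container that fails every control the script can judge.
LOOSE = {
    "Name": "/debug-shell",
    "HostConfig": {
        "Privileged": True, "NetworkMode": "host", "PidMode": "host", "IpcMode": "host",
        "UTSMode": "host", "UsernsMode": "host", "ReadonlyRootfs": False, "Memory": 0,
        "CpuShares": 0, "PidsLimit": None, "SecurityOpt": ["seccomp=unconfined"],
        "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda",
                     "CgroupPermissions": "rwm"}],
        "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
    },
    "Mounts": [
        {"Type": "bind", "Source": "/etc", "Destination": "/host-etc", "Propagation": "rshared"},
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Propagation": "rprivate"},
    ],
}


if __name__ == "__main__":
    docs = json.load(sys.stdin) if not sys.stdin.isatty() else [HARDENED, LOOSE]
    for record in docs:
        failed = failing_controls(record)
        print(f"{record.get('Name', '?')}: {'PASS' if not failed else 'FAIL ' + ', '.join(failed)}")
```

The script reads the same `HostConfig` and `Mounts` fields the Docker API exposes, so its verdicts line up with the benchmark's controls for a single container; it deliberately stays silent on controls it cannot decide from that record rather than guessing.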