Control: 5.17 Ensure that the host's IPC namespace is not shared
Description
The IPC (POSIX/SysV IPC) namespace isolates named shared memory segments, semaphores and message queues. The host's IPC namespace should therefore not be shared with containers; each container should keep its own.
If a container is started in the host's IPC namespace, processes inside it can see and interact with every IPC object on the host: read or write shared memory segments, manipulate semaphores, and consume or send messages on host queues. This removes the IPC-level isolation between host and containers, and an attacker who gains code execution in such a container can use it to reach host processes, with potentially severe consequences. The IPC namespace should therefore not be shared between the host and its containers.
Remediation
You should not start a container with the --ipc=host argument. For example, do not start a container as below:
docker run --interactive --tty --ipc=host centos /bin/bash
Default Value
By default, each container runs in its own IPC namespace, and the host's IPC namespace is not shared with any container.
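As an added example (not code from the docker_compliance mod or the Docker project), the check below reads the JSON that docker inspect prints and reports every container whose HostConfig.IpcMode is "host", which is exactly what --ipc=host sets. It treats the empty IpcMode (the daemon default) and a "container:<id>" mode as not sharing the host namespace, since neither exposes host IPC objects. The container names and IDs in the sample are constructed for the example.

```python
"""Flag containers that share the host's IPC namespace, from docker inspect output.

Added example; not part of the docker_compliance mod. Run it as
    docker inspect $(docker ps -q) | python3 check_ipc.py
or with no stdin to evaluate the constructed sample below.
"""
import json
import sys

# Constructed sample: the shape of `docker inspect` output, trimmed to the fields
# this check needs. IDs and names are made up for the example.
SAMPLE_INSPECT = json.dumps([
    {"Id": "1a2b3c", "Name": "/web", "HostConfig": {"IpcMode": "private"}},
    {"Id": "4d5e6f", "Name": "/debugger", "HostConfig": {"IpcMode": "host"}},
    {"Id": "7a8b9c", "Name": "/legacy", "HostConfig": {"IpcMode": ""}},
    {"Id": "0d1e2f", "Name": "/sidecar", "HostConfig": {"IpcMode": "container:1a2b3c"}},
])


def ipc_mode(container: dict) -> str:
    """Return the container's IpcMode. An empty string means the daemon default
    (a private namespace on current Docker releases), so it is not host sharing."""
    return container.get("HostConfig", {}).get("IpcMode", "") or ""


def shares_host_ipc(container: dict) -> bool:
    """True only for --ipc=host. 'container:<id>' joins another container's
    namespace, not the host's, so this control does not flag it."""
    return ipc_mode(container) == "host"


def evaluate(inspect_json: str) -> list[dict]:
    """One finding per container with status 'alarm' or 'ok', mirroring the
    outcome a Powerpipe control reports for each resource."""
    findings = []
    for c in json.loads(inspect_json):
        findings.append({
            "resource": c["Id"],
            "name": c.get("Name", "").lstrip("/"),
            "ipc_mode": ipc_mode(c),
            "status": "alarm" if shares_host_ipc(c) else "ok",
        })
    return findings


def host_ipc_containers(inspect_json: str) -> list[str]:
    """IDs of containers that share the host IPC namespace."""
    return [f["resource"] for f in evaluate(inspect_json) if f["status"] == "alarm"]


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for f in evaluate(data):
        mode = f["ipc_mode"] or "(default)"
        print(f"{f['status']:5} {f['resource']:<12} {f['name']:<12} ipc={mode}")
    # Non-zero exit when any container shares host IPC, so the script can gate a CI job.
    sys.exit(1 if host_ipc_containers(data) else 0)
```

Against the sample, only the "debugger" container is reported as alarm. The script exits non-zero when it finds any offender, so it can be dropped into a CI or host-hardening job alongside the Powerpipe control.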
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_17
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_17 --share
SQL
This control uses a named query:
docker_container_host_ipc_namespace_shared