turbot/docker_compliance

Control: 5.17 Ensure that the host's IPC namespace is not shared

Description

The IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The host's IPC namespace should therefore not be shared with containers and should remain isolated.

The IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with a container, processes within the container can see all IPC communications on the host system. This would remove the benefit of IPC-level isolation between host and containers. An attacker with access to a container could get access to the host at this level, with major consequences. The IPC namespace should therefore not be shared between the host and its containers.

Remediation

You should not start a container with the --ipc=host argument. For example, do not start a container as below:

docker run --interactive --tty --ipc=host centos /bin/bash

Default Value

By default, all containers have their own IPC namespace enabled and the host IPC namespace is not shared with any container.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_17

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_17 --share

SQL

This control uses a named query:

docker_container_host_ipc_namespace_shared
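As an added example that is not part of the docker_compliance mod, the following stand-alone script reproduces the control's per-container alarm/ok logic outside Powerpipe by reading `docker inspect` output. The `HostConfig.IpcMode` field is Docker's; the two sample containers are constructed for illustration.

```python
"""Stand-alone check mirroring CIS Docker 5.17: flag containers started with --ipc=host.

Input is the JSON array printed by `docker inspect <id>...`; an element's
HostConfig.IpcMode is "host" when the container shares the host IPC namespace.
"""
import json
import subprocess
from typing import Dict, List


def ipc_namespace_status(inspect_output: str) -> List[Dict[str, str]]:
    """Return one {resource, status, reason} row per container, like the control does."""
    rows = []
    for container in json.loads(inspect_output):
        name = container.get("Name", "").lstrip("/") or container.get("Id", "")[:12]
        ipc_mode = container.get("HostConfig", {}).get("IpcMode", "")
        if ipc_mode == "host":
            status, reason = "alarm", f"{name} shares the host IPC namespace (IpcMode=host)."
        else:
            status, reason = "ok", f"{name} does not share the host IPC namespace (IpcMode={ipc_mode!r})."
        rows.append({"resource": name, "status": status, "reason": reason})
    return rows


def check_running_containers() -> List[Dict[str, str]]:
    """Inspect every running container on this host (requires the docker CLI)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return []
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True, check=True).stdout
    return ipc_namespace_status(out)


# Constructed sample: what `docker inspect` prints for a container started with
# --ipc=host and for one left with its own IPC namespace (IDs are made up).
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1b2c3d4e5f6", "Name": "/shared-ipc", "HostConfig": {"IpcMode": "host"}},
    {"Id": "0f1e2d3c4b5a", "Name": "/isolated", "HostConfig": {"IpcMode": "private"}},
])

if __name__ == "__main__":
    for row in ipc_namespace_status(SAMPLE_INSPECT):
        print(f"{row['status']:5}  {row['reason']}")
```

Replace `SAMPLE_INSPECT` with `check_running_containers()` to audit a live host; any `alarm` row corresponds to a container the control would also flag.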

Tags