Control: 5.25 Ensure that cgroup usage is confirmed
Description
It is possible to attach to a particular cgroup when a container is instantiated. Confirming cgroup usage would ensure that containers are running in defined cgroups.
System administrators typically define cgroups in which containers are supposed to run. If cgroups are not explicitly defined by the system administrator, containers run in the docker cgroup by default.
At run time, a container can be attached to a cgroup other than the one originally defined. This usage should be monitored and confirmed: attaching to a different cgroup may grant the container excess permissions and resources, which can therefore prove to be a security risk.
Remediation
You should not use the --cgroup-parent option within the docker run command unless strictly required.
Default Value
By default, containers run under the docker cgroup.
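The check this control performs can also be run by hand from the Docker CLI. The following is an added example, not code from the Powerpipe mod or from the CIS benchmark text: it reads the JSON that `docker inspect` prints for one or more containers and reports every container whose HostConfig.CgroupParent is anything other than the default (an empty value, meaning the docker cgroup) or an entry on an administrator-supplied allowlist. The field names follow the real `docker inspect` output; the container records below are constructed sample data.

```python
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields this
# check reads. An empty CgroupParent means the container runs in the default
# docker cgroup; a non-empty value means --cgroup-parent was used at run time.
SAMPLE_INSPECT = json.dumps([
    {"Id": "0123456789ab", "Name": "/web", "HostConfig": {"CgroupParent": ""}},
    {"Id": "fedcba987654", "Name": "/batch", "HostConfig": {"CgroupParent": "/custom.slice"}},
    {"Id": "1a2b3c4d5e6f", "Name": "/db", "HostConfig": {"CgroupParent": ""}},
])


def find_nondefault_cgroups(inspect_json, allowed=()):
    """Return [(container_name, cgroup_parent), ...] for containers that were
    started with a cgroup parent that is neither the default nor allowlisted.

    inspect_json: the JSON text printed by `docker inspect <ids...>`.
    allowed:      cgroup parents the administrator has explicitly defined
                  as acceptable (e.g. "/prod.slice"); matched exactly.
    """
    allowed = set(allowed)
    findings = []
    for container in json.loads(inspect_json):
        parent = container.get("HostConfig", {}).get("CgroupParent", "")
        # Empty string is Docker's default: the container is in the docker cgroup.
        if parent == "" or parent in allowed:
            continue
        # Docker prefixes names with "/", strip it for readability.
        name = container.get("Name", container.get("Id", "?")).lstrip("/")
        findings.append((name, parent))
    return findings


def report(inspect_json, allowed=()):
    """Human-readable summary; returns the findings so callers can act on them."""
    findings = find_nondefault_cgroups(inspect_json, allowed)
    if not findings:
        print("PASS: all containers run in the default (or allowlisted) cgroup")
    for name, parent in findings:
        print(f"FAIL: container {name} uses non-default cgroup parent {parent!r}")
    return findings


if __name__ == "__main__":
    # Typical use on a host:  docker inspect $(docker ps -aq) | python3 cgroup_check.py
    # Falls back to the constructed sample when nothing is piped in.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    sys.exit(1 if report(data) else 0)
```

Including stopped containers (`docker ps -aq` rather than `docker ps -q`) matters here: a container that was started with --cgroup-parent and then stopped will keep that setting the next time it is started, so it should still appear in the audit.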
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_25
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_25 --share
SQL
This control uses a named query:
docker_container_cgroup_usage