turbot/docker_compliance

Control: 5.25 Ensure that cgroup usage is confirmed

Description

It is possible to attach to a particular cgroup when a container is instantiated. Confirming cgroup usage would ensure that containers are running in defined cgroups.

System administrators typically define cgroups in which containers are supposed to run. If cgroups are not explicitly defined by the system administrator, containers run in the docker cgroup by default.

At run time, it is possible to attach a container to a cgroup other than the one originally defined. This usage should be monitored and confirmed: attaching to a different cgroup can grant the container excess permissions and resources, and can therefore be a security risk.

Remediation

You should not use the --cgroup-parent option within the docker run command unless strictly required.

Default Value

By default, containers run in the docker cgroup.
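The following is an added example, not the mod's own docker_container_cgroup_usage query and not code from Turbot: it performs the same kind of check against the JSON that `docker inspect` emits, where the run-time cgroup attachment of a container is recorded in the HostConfig.CgroupParent field (empty when the container runs in the default docker cgroup, otherwise the value passed via --cgroup-parent). The sample records are constructed, and the optional allowed_parents allow-list is an assumption added to model the cgroups an administrator has explicitly defined, which goes slightly beyond the control's "default cgroup only" rule.

```python
import json
import sys

# Constructed sample of `docker inspect` output (a JSON array, one object per
# container). Not real data: "web" uses the default cgroup, "batch" was started
# with an explicit --cgroup-parent.
SAMPLE_INSPECT_JSON = json.dumps([
    {"Id": "a1b2c3d4e5f6", "Name": "/web",
     "HostConfig": {"CgroupParent": ""}},
    {"Id": "f6e5d4c3b2a1", "Name": "/batch",
     "HostConfig": {"CgroupParent": "/custom.slice"}},
])


def cgroup_status(container, allowed_parents=()):
    """Return (status, reason) for one `docker inspect` record.

    status is 'ok' when the container runs in the default docker cgroup
    (CgroupParent empty or absent) or in a cgroup parent that is on the
    allow-list (assumed: the cgroups the administrator has defined), and
    'alarm' for any other run-time attachment.
    """
    name = container.get("Name", "").lstrip("/")  # inspect prefixes names with '/'
    parent = (container.get("HostConfig") or {}).get("CgroupParent") or ""
    if parent == "":
        return "ok", f"{name} runs in the default docker cgroup."
    if parent in allowed_parents:
        return "ok", f"{name} runs in approved cgroup parent {parent!r}."
    return "alarm", f"{name} is attached to non-default cgroup parent {parent!r}."


def check_cgroup_usage(inspect_json, allowed_parents=()):
    """Evaluate every container in `docker inspect` JSON output.

    Returns a list of (container id, status, reason) tuples, in input order.
    """
    return [
        (c["Id"],) + cgroup_status(c, allowed_parents)
        for c in json.loads(inspect_json)
    ]


if __name__ == "__main__":
    # Feed live data with:  docker inspect $(docker ps --quiet --all) | python3 check_cgroup.py
    # With no piped input the constructed sample is evaluated instead.
    data = SAMPLE_INSPECT_JSON if sys.stdin.isatty() else sys.stdin.read()
    for cid, status, reason in check_cgroup_usage(data):
        print(f"{status:5} {cid[:12]} {reason}")
```

Any container reported as alarm is one whose cgroup attachment was changed at run time and should be confirmed against the cgroups the administrator actually intended; if it is legitimate, add that parent to the allow-list rather than widening the check.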

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_25

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_25 --share

SQL

This control uses a named query:

docker_container_cgroup_usage

Tags