turbot/docker_compliance

Control: 5.29 Ensure that the PIDs cgroup limit is used

Description

You should use the --pids-limit flag at container runtime.

Attackers could launch a fork bomb with a single command inside the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.

Remediation

Use --pids-limit flag with an appropriate value when launching the container. For example:

docker run -it --pids-limit 100 <Image ID>

In the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.

Default Value

The Default value for --pids-limit is 0 which means there is no restriction on thenumber of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_29

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_29 --share

SQL

This control uses a named query:

docker_container_pid_cgroup_limit_used

Tags