Control: 5.21 Ensure that the host's UTS namespace is not shared
UTS namespaces provide isolation between two system identifiers: the hostname and the NIS domain name. It is used to set the hostname and the domain which are visible to running processes in that namespace. Processes running within containers do not typically require to know either the hostname or the domain name. The UTS namespace should therefore not be shared with the host.
Sharing the UTS namespace with the host provides full permission for each container to change the hostname of the host. This is not in line with good security practice and should not be permitted.
You should not start a container with the --uts=host argument. For example, do not start a container using the command below:
docker run --rm --interactive --tty --uts=host rhel7.2
Default Value
By default, all containers have the UTS namespace enabled and the host UTS namespace is not shared with any containers.
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_21
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_5_21 --share
This control uses a named query:
select id as resource, case when inspect -> 'HostConfig' ->> 'UTSMode' = 'host' then 'alarm' else 'ok' end as status, case when inspect -> 'HostConfig' ->> 'UTSMode' = 'host' then (names ->> 0) || ' host UTS namespace shared.' else (names ->> 0) || ' host UTS namespace not shared.' end as reason , _ctx ->> 'connection_name' as connection_namefrom docker_container;