Control: 5.25 Ensure that cgroup usage is confirmed
It is possible to attach to a particular cgroup when a container is instantiated. Confirming cgroup usage would ensure that containers are running in defined cgroups.
System administrators typically define cgroups in which containers are supposed to run. If cgroups are not explicitly defined by the system administrator, containers run in the docker cgroup by default.
At run time, a container can be attached to a cgroup other than the one originally defined. Such usage should be monitored and confirmed: attaching to a different cgroup may grant the container excess permissions and resources, which is a security risk.
You should not use the --cgroup-parent option within the docker run command unless strictly required.
Default Value
By default, containers run under the docker cgroup.
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_25
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_25 --share
This control uses a named query:
select
  id as resource,
  case
    when inspect -> 'HostConfig' ->> 'CgroupParent' = '' then 'ok'
    else 'alarm'
  end as status,
  case
    when inspect -> 'HostConfig' ->> 'CgroupParent' = '' then (names ->> 0) || ' is running under the default Docker cgroup.'
    else (names ->> 0) || ' is not running under the default Docker cgroup.'
  end as reason,
  _ctx ->> 'connection_name' as connection_name
from
  docker_container;
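The same check can be run offline against the JSON that docker inspect emits, which is what the docker_container table's inspect column holds. The following is an added example, not part of the Powerpipe mod or the benchmark; the container IDs and names in it are constructed, and it also covers the case where HostConfig.CgroupParent is absent from the JSON, which the query above treats as an alarm because NULL = '' is not true.

```python
"""Evaluate CIS Docker 5.25 (cgroup usage confirmed) over `docker inspect` output."""
import json

# Constructed sample of `docker inspect` output for three containers.
# Real output carries many more fields; only those the check reads are kept.
SAMPLE_INSPECT = json.dumps([
    {"Id": "c0ffee01", "Name": "/web",    "HostConfig": {"CgroupParent": ""}},
    {"Id": "c0ffee02", "Name": "/batch",  "HostConfig": {"CgroupParent": "/limited.slice"}},
    {"Id": "c0ffee03", "Name": "/legacy", "HostConfig": {}},  # key missing entirely
])


def check_cgroup_parent(inspect_json: str) -> list[dict]:
    """Return one finding per container, mirroring the named query:
    ok when CgroupParent is the empty string (default docker cgroup),
    alarm when a custom parent was set with --cgroup-parent or the
    field cannot be read at all."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", container.get("Id", "<unknown>")).lstrip("/")
        host_config = container.get("HostConfig") or {}
        cgroup_parent = host_config.get("CgroupParent")
        if cgroup_parent is None:
            # Absent key: the cgroup cannot be confirmed, so do not report ok.
            status = "alarm"
            reason = f"{name}: HostConfig.CgroupParent missing, cgroup cannot be confirmed."
        elif cgroup_parent == "":
            status = "ok"
            reason = f"{name} is running under the default Docker cgroup."
        else:
            status = "alarm"
            reason = f"{name} is running under custom cgroup parent {cgroup_parent!r}."
        findings.append({"resource": container.get("Id"), "status": status, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in check_cgroup_parent(SAMPLE_INSPECT):
        print(f"{finding['status']:5}  {finding['reason']}")
```

To run it against a live host, feed it the output of docker inspect $(docker ps -q) instead of the constructed sample.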