Container images instantiated by the container platform must execute using least privileges.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-233163 | SRG-APP-000342-CTR-000775 | SV-233163r601765_rule | Medium |
| Description |
|---|
| Containers running within the container platform must execute as non-privileged. When a container can execute as a privileged container, the privileged container is also a privileged user within the hosting system, and the hosting system becomes a major security risk. It is important for the container platform runtime to validate the container user and disallow instantiation if the container is trying to execute with more privileges than required, as a privileged user, or is trying to perform a privilege escalation. When privileged access is necessary for a container, a new policy for execution should be written for the container. The default behavior must not give containers privileged execution. Examples of privileged users are root, admin, and default service accounts for the container platform. |
| STIG | Date |
|---|---|
| Container Platform Security Requirements Guide | 2021-12-14 |
Details
| Check Text ( C-36099r601764_chk ) |
|---|
| Review documentation and configuration to determine if the container platform disallows instantiation of containers trying to execute with more privileges than required or with privileged permissions. If the container platform does not block containers requesting privileged permissions, privilege escalation, or allows containers to have more privileges than required, this is a finding. |
| Fix Text (F-36067r600977_fix) |
|---|
| Configure the container platform to block instantiation with no more privileges than necessary. |