Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-260939 | CNTR-MK-001200 | SV-260939r966174_rule | Medium |
Description |
---|
To limit the attack surface of MKE, it is important that the nonessential services are not installed and access to the host system uses the concept of least privilege. User namespaces ensure that a root process inside the container will be mapped to a nonroot process outside the container. Sharing the user namespaces of the host with the container thus does not isolate users on the host with users on the containers. By default, the host user namespace is shared with the containers until user namespace support is enabled. |
STIG | Date |
---|---|
Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-04-10 |
Check Text ( C-64668r966172_chk ) |
---|
When using Kubernetes orchestration, this check is Not Applicable. When using Swarm orchestration, ensure that the PIDs cgroup limit is used. Log in to the CLI as an MKE Admin and execute the following command using a Universal Control Plane (MKE) client bundle: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}' Ensure it does not return any value for UsernsMode. If it returns a value of "host", that means the host user namespace is shared with the containers, and this is a finding. |
Fix Text (F-64576r966173_fix) |
---|
When using Kubernetes orchestration, this check is Not Applicable. When using Swarm orchestration, review and remove nonsystem containers previously created by these users without the runAsGroup using: docker container rm [container] |