5.24 Confirm cgroup usage

Information

It is possible to attach a container to a particular cgroup at run time. Confirming cgroup usage ensures that containers are running under the defined cgroups.

System administrators typically define the cgroups under which containers are supposed to run. Even if cgroups are not explicitly defined by the system administrators, containers run under the docker cgroup by default.

At run time, it is possible to attach to a different cgroup than the one that was expected to be used. This usage should be monitored and confirmed. By attaching to a different cgroup than the expected one, excess permissions and resources might be granted to the container, which can prove to be unsafe.

Solution

Do not use the --cgroup-parent option in the docker run command unless it is needed.

Impact

None.

Default Value

By default, containers run under the docker cgroup.
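The corresponding check, as an added example that is not part of the benchmark or Tenable's plugin: it reads docker inspect output and reports every container whose HostConfig.CgroupParent is not the default docker cgroup. The sample JSON, container IDs and names are constructed, and the set of parents treated as "default" is an assumption.

```python
"""Report containers attached to a cgroup parent other than the default."""
import json
import subprocess

# Constructed sample of `docker inspect` output (not captured from a real host):
# one container on the default cgroup, one attached to a custom --cgroup-parent.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a" * 64, "Name": "/web", "HostConfig": {"CgroupParent": ""}},
    {"Id": "b" * 64, "Name": "/batch", "HostConfig": {"CgroupParent": "/custom-parent"}},
])

# Assumption: an empty value or "docker" means the container uses the default cgroup.
DEFAULT_PARENTS = frozenset({"", "docker", "/docker"})


def find_custom_cgroup_parents(inspect_json, allowed=DEFAULT_PARENTS):
    """Return (id, name, cgroup_parent) for each container outside the allowed set."""
    findings = []
    for container in json.loads(inspect_json):
        parent = container.get("HostConfig", {}).get("CgroupParent", "")
        if parent not in allowed:
            name = container.get("Name", "").lstrip("/")
            findings.append((container["Id"], name, parent))
    return findings


def inspect_all_containers():
    """Collect `docker inspect` JSON for every container on this host (needs docker)."""
    ids = subprocess.run(["docker", "ps", "--quiet", "--all"],
                         capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return "[]"
    return subprocess.run(["docker", "inspect", *ids],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Each line printed here is a container to review against the defined cgroups.
    for cid, name, parent in find_custom_cgroup_parents(inspect_all_containers()):
        print(f"{cid[:12]} ({name}): CgroupParent={parent}")
```

Run against SAMPLE_INSPECT the function flags only the "batch" container; on a live host an empty result means every container is on the default cgroup.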

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-39

Plugin: Unix

Control ID: 476d78b8131b94697e769b1cc570f1809e1b0552d528a7893a0e77889f4df597