5.28 Use PIDs cgroup limit

Information

Use --pids-limit flag at container runtime.

Rationale:

Attackers could launch a fork bomb with a single command inside the container. This fork bomb can crash the entire system and requires a restart of the host to make the system functional again. PIDs cgroup --pids-limit will prevent this kind of attacks by restricting the number of forks that can happen inside a container at a given time.

Solution

Use --pids-limit flag while launching the container with an appropriate value.

For example,

docker run -it --pids-limit 100 <Image_ID>

In the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, docker would restrict any new process creation.

Impact:

Set the PIDs limit value as appropriate. Incorrect values might leave the containers unusable.

Default Value:

The Default value for --pids-limit is 0 which means there is no restriction on thenumber of forks. Also, note that PIDs cgroup limit works only for the kernel versions 4.3+.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: Unix

Control ID: e8d5e76194f7ab061b14c72aff13de26017e94f79815d7db91219a910580b1fd