1.2 Harden the container host

Information

Containers run on a Linux host. A container host can run one or more containers. It is of utmost importance to harden the host to mitigate host security misconfiguration.

Rationale:

You should follow infrastructure security best practices and harden your host OS. Keeping the host system hardened would ensure that the host vulnerabilities are mitigated. Not hardening the host system could lead to security exposures and breaches.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

You may consider various CIS Security Benchmarks for your container host. If you have other security guidelines or regulatory requirements to adhere to, please follow them as suitable in your environment.

Additionally, you can run a kernel with grsecurity and PaX. This would add many safety checks, both at compile-time and run-time. It is also designed to defeat many exploits and has powerful security features. These features do not require Docker-specific configuration, since those security features apply system-wide, independent of containers.

Impact:

None.

Default Value:

By default, host has factory settings. It is not hardened.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|5

Plugin: Unix

Control ID: 64e9a366c921fd9c03a6e0ab8be8266f1c931c96010c1bd72e15aaa0425eed05