1.4 Harden the container host

Information

Containers run on a Linux host. A container host can run one or more containers. It is of
utmost importance to harden the host to mitigate host security misconfiguration.

You should follow infrastructure security best practices and harden your host OS. Keeping
the host system hardened would ensure that the host vulnerabilities are mitigated. Not
hardening the host system could lead to security exposures and breaches.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

You may consider various CIS Security Benchmarks for your container host. If you have
other security guidelines or regulatory requirements to adhere to, please follow them as
suitable in your environment.

Additionally, you can run a kernel with grsecurity and PaX. This would add many safety
checks, both at compile-time and run-time. It is also designed to defeat many exploits and
has powerful security features. These features do not require Docker-specific
configuration, since those security features apply system-wide, independent of containers.

Impact: None.

Default Value: By default, the host has factory settings. It is not hardened.

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|5

Plugin: Unix

Control ID: 40fa61487bf979d9f5a9da1f8d301318b2a2a99b9c8a7cc06ad26d70e14ca606