4.3 Ensure unnecessary packages are not installed in the container

Information

Containers tend to be minimal and slim down versions of the Operating System. Do not install anything that does not justify the purpose of container.
Rationale:
Bloating containers with unnecessary software could possibly increase the attack surface of the container. This also voids the concept of minimal and slim down versions of container images. Hence, do not install anything else apart from what is truly needed for the purpose of the container.

Solution

At the outset, do not install anything on the container that does not justify the purpose. If the image had some packages that your container does not use, uninstall them.
Consider using a minimal base image rather than the standard Redhat/Centos/Debian images if you can. Some of the options include BusyBox and Alpine.
Not only does this trim your image size from >150Mb to ~20 Mb, there are also fewer tools and paths to escalate privileges. You can even remove the package installer as a final hardening measure for leaf/production containers.
Impact:
None.
Default Value:
Not Applicable.

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7, CSCv6|18

Plugin: Unix

Control ID: 056401e798c678f1bb30a7cf51ef9e17e01dc74fabd37ce8f35d699d3c15574c