5.26 Ensure container health is checked at runtime

Information

If the container image does not have an HEALTHCHECK instruction defined, use --health-cmd parameter at container runtime for checking container health.
Rationale:
One of the important security triads is availability. If the container image you are using does not have a pre-defined HEALTHCHECK instruction, use the --health-cmd parameter to check container health at runtime.
Based on the reported health status, you could take necessary actions.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Run the container using --health-cmd and the other parameters.
For example,
docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx
Impact:
None.
Default Value:
By default, health checks are not done at container runtime.

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CSCv6|18

Plugin: Unix

Control ID: 66e471f643a0fd907b9e9c44c7efac241d35e7f30c0a53ccd4c4d1248600ba5f