6.2 Ensure that container sprawl is avoided

Information

You should not keep a large number of containers on the same host.

Rationale:

The flexibility of containers makes it easy to run multiple instances of applications and therefore indirectly leads to Docker images that can exist at varying security patch levels. It also means that you are consuming host resources that otherwise could have been used for running 'useful' containers. Having more than just an essential number of containers on a particular host makes the system vulnerable to mishandling, misconfiguration and fragmentation. You should therefore keep the number of containers on a given host to the minimum number commensurate with serving production applications.

Impact:

You should retain containers that are actively in use, and delete ones which are no longer needed.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

You should periodically check your container inventory on each host and clean up containers which are not in active use with the command below:

docker container prune

Default Value:

By default, Docker does not restrict the number of containers you may have on a host.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-4, CSCv7|5.1

Plugin: Unix

Control ID: 435a71111361eae1f59cbd94280742eed042db154179a08ef4e741e4696ea81f