4.3 Ensure that unnecessary packages are not installed in the container

Information

Containers should have as small a footprint as possible, and should not contain unnecessary software packages which could increase their attack surface.

Rationale:

Unnecessary software should not be installed into containers, as doing so increases their attack surface. Only packages strictly necessary for the correct operation of the application being deployed should be installed.

Impact:

None.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

You should not install anything within the container that is not required.
You should consider using a minimal base image rather than the standard CentOS, Debian, or Red Hat images if you can. Some of the options available include BusyBox and Alpine.
Not only can this trim your image size considerably, but there would also be fewer pieces of software which could contain vectors for attack.
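
One way to review a running container against this recommendation, shown here as an added example that is not part of the benchmark or of the Nessus audit: list the installed packages and report any that are not on an allowlist of packages the application needs. The function names, the allowlist file format and the invocation shown in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not taken from the benchmark. The allowlist format (one
# package name per line, '#' starts a comment) is an assumption.

# list_packages CONTAINER: print one installed package name per line, using
# whichever package manager the image ships (Debian, Red Hat or Alpine family).
list_packages() {
    docker exec "$1" sh -c '
        if command -v dpkg-query >/dev/null 2>&1; then
            dpkg-query -W -f="\${Package}\n"
        elif command -v rpm >/dev/null 2>&1; then
            rpm -qa --qf "%{NAME}\n"
        elif command -v apk >/dev/null 2>&1; then
            apk info
        else
            # Images without a package manager cannot be listed this way;
            # review their contents from the image build instead.
            echo "no package manager found in container" >&2
            exit 2
        fi'
}

# unexpected_packages ALLOWLIST_FILE: read installed package names on stdin
# and print every name that is absent from the allowlist.
# Exit status is 0 when nothing unexpected is installed, 1 otherwise.
unexpected_packages() {
    awk '
        FILENAME == ARGV[1] {
            sub(/[ \t]*#.*/, "")            # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "")     # trim surrounding blanks
            if ($0 != "") allow[$0] = 1
            next
        }
        $0 != "" && !($0 in allow) { print; bad = 1 }
        END { exit bad + 0 }
    ' "$1" -
}

# Usage: sh check_packages.sh CONTAINER ALLOWLIST_FILE
# Does nothing when called without exactly two arguments.
if [ "$#" -eq 2 ]; then
    list_packages "$1" | unexpected_packages "$2"
fi
```

Every name the script prints is a candidate for removal from the image, or for a documented addition to the allowlist if the application does need it.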

Default Value:

Not Applicable.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|5.2

Plugin: Unix

Control ID: 32b7bcce99a8560d90438fcb549b75f6b5be9d0a9ab6fc0bfaf8bfb92779a004