5.29 Ensure that the PIDs cgroup limit is used

Information

You should use the --pids-limit flag at container runtime.

Rationale:

Attackers could launch a fork bomb with a single command inside the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter --pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.

Impact:

Set the PIDs limit value as appropriate. Incorrect values might leave containers unusable.

Solution

Use --pids-limit flag with an appropriate value when launching the container.
For example:

docker run -it --pids-limit 100 <Image ID>

In the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.

Default Value:

The Default value for --pids-limit is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-2, CSCv7|5.2

Plugin: Unix

Control ID: 5d5e272ffe84018af5344012bb6bc04885adc13595b0db1a6d4c790db9f17446