Container runtime should include the --pids-limit flag for cgroup limit parameter

문서 > Datadog 보안 > OOTB Rules > Container runtime should include the --pids-limit flag for cgroup limit parameter

Classification:

compliance

Framework:

cis-docker

Control:

5.28

Set up the docker integration.

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

You should use the --pids-limit flag at container runtime.

Rationale

Attackers could launch a fork bomb with a single command inside the container. This fork bomb could crash the entire system and would require a restart of the host to make the system functional again. Using the PIDs cgroup parameter –pids-limit would prevent this kind of attack by restricting the number of forks that can happen inside a container within a specified time frame.

Audit

Run this command and ensure that PidsLimit is not set to 0 or -

A PidsLimit of 0 or -1 means that any number of processes can be forked concurrently inside the container.

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'

Remediation

Use --pids-limit flag with an appropriate value when launching the container. For example, docker run -it --pids-limit 100 <Image_ID>

In the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, Docker would restrict any new process creation.

Impact

Set the PIDs limit value as appropriate. Incorrect values might leave containers unusable.

Default value

The Default value for --pids-limit is 0 which means there is no restriction on the number of forks. Note that the PIDs cgroup limit works only for kernel versions 4.3 and higher.

References

CIS controls

Version 6

18 Application Software Security Application Software Security