Default ulimit is configured appropriately

docker

Classification:

compliance

Framework:

cis-docker

Control:

2.7

Set up the docker integration.

Description

Set the default ulimit options as appropriate in your environment.

Rationale

ulimit provides control over the resources available to the shell and to the processes it starts. Setting system resource limits judiciously can save you from disasters such as a fork bomb. On occasion, even friendly users and legitimate processes can overuse system resources and make the system unusable. Setting a default ulimit on the Docker daemon enforces that limit for every container instance, so you do not need to set ulimits for each container individually. However, the daemon default can be overridden per container at run time (docker run --ulimit), so it is a baseline rather than a hard ceiling. Therefore, to have proper control over system resources, define a default ulimit that matches the needs of your environment.

Audit

To confirm the default-ulimit setting, review both the dockerd startup options and the settings in /etc/docker/daemon.json, because either location can carry the setting. To review the dockerd startup options, run:

ps -ef | grep dockerd

Ensure that the --default-ulimit parameter is set as appropriate. The flag may be repeated once per limit and takes the form name=soft:hard (a single number sets soft and hard to the same value).

Also review /etc/docker/daemon.json for this setting. There the key is default-ulimits (plural), a map from limit name to an object with Name, Soft and Hard fields; a limit is only in effect if it appears in one of the two places.

Remediation

Start dockerd with one --default-ulimit argument per limit, with values appropriate to your environment and in line with your security policy. The same limits can instead be declared under the default-ulimits key in /etc/docker/daemon.json; do not declare a limit in both places, as dockerd refuses to start when an option is given both as a flag and in the configuration file.

For example, dockerd --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200
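The audit and remediation steps above both come down to the same question: which default ulimits does the daemon actually carry, once the command-line flags and daemon.json are taken together? The script below is an added example, not part of the CIS benchmark text or of Docker itself. It parses a constructed ps -ef line and a constructed daemon.json (both embedded, so it runs offline), merges the two sources, and reports a finding when a required limit is missing, when a limit is declared in both places, or when a soft limit exceeds its hard limit. The set of required limits (nofile, nproc) is an assumed policy, not something the control mandates.

```python
"""Audit the dockerd default ulimits for CIS Docker 2.7 (added example)."""
import json
import re
import shlex

# Constructed sample of a dockerd process line as `ps -ef` would print it.
SAMPLE_PS_LINE = (
    "root 1234 1 0 10:00 ? 00:00:05 /usr/bin/dockerd -H fd:// "
    "--default-ulimit nproc=1024:2048 --default-ulimit=nofile=100:200"
)

# Constructed sample /etc/docker/daemon.json using the plural `default-ulimits` key.
SAMPLE_DAEMON_JSON = """{
  "log-level": "info",
  "default-ulimits": {
    "core": {"Name": "core", "Soft": 0, "Hard": 0}
  }
}"""

# Flag value format: name=soft:hard, or name=value meaning soft == hard.
ULIMIT_RE = re.compile(r"^([a-z]+)=(-?\d+)(?::(-?\d+))?$")


def parse_ulimit_value(spec):
    """Turn 'nofile=100:200' (or 'nofile=200') into ('nofile', soft, hard)."""
    m = ULIMIT_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised ulimit spec: {spec!r}")
    name, soft = m.group(1), int(m.group(2))
    hard = int(m.group(3)) if m.group(3) is not None else soft
    return name, soft, hard


def ulimits_from_cmdline(ps_line):
    """Collect --default-ulimit settings from a ps -ef line for dockerd."""
    args = shlex.split(ps_line)
    # Skip the ps columns (user, pid, ...) up to the dockerd binary itself.
    try:
        start = next(i for i, a in enumerate(args) if a.endswith("dockerd"))
    except StopIteration:
        return {}
    limits = {}
    it = iter(args[start + 1:])
    for arg in it:
        if arg == "--default-ulimit":           # --default-ulimit nofile=100:200
            spec = next(it, None)
        elif arg.startswith("--default-ulimit="):  # --default-ulimit=nofile=100:200
            spec = arg.split("=", 1)[1]
        else:
            continue
        if spec:
            name, soft, hard = parse_ulimit_value(spec)
            limits[name] = (soft, hard)
    return limits


def ulimits_from_daemon_json(text):
    """Collect the `default-ulimits` map from daemon.json content."""
    cfg = json.loads(text)
    limits = {}
    for name, entry in cfg.get("default-ulimits", {}).items():
        limits[entry.get("Name", name)] = (int(entry["Soft"]), int(entry["Hard"]))
    return limits


def audit_default_ulimits(ps_line, daemon_json, required=("nofile", "nproc")):
    """Return (effective_limits, findings); an empty findings list is a pass."""
    cli = ulimits_from_cmdline(ps_line)
    cfg = ulimits_from_daemon_json(daemon_json)
    findings = []
    # The daemon docs state dockerd errors out when the same option is set in
    # both places, so an overlap means the daemon is probably not running as intended.
    for name in sorted(set(cli) & set(cfg)):
        findings.append(f"{name}: set both as a flag and in daemon.json (dockerd rejects this)")
    effective = {**cfg, **cli}
    for name in required:  # assumed policy: these limits must have a daemon default
        if name not in effective:
            findings.append(f"{name}: no default ulimit configured")
    for name, (soft, hard) in sorted(effective.items()):
        if hard >= 0 and soft > hard:
            findings.append(f"{name}: soft limit {soft} exceeds hard limit {hard}")
    return effective, findings


if __name__ == "__main__":
    limits, problems = audit_default_ulimits(SAMPLE_PS_LINE, SAMPLE_DAEMON_JSON)
    for name, (soft, hard) in sorted(limits.items()):
        print(f"{name:8} soft={soft} hard={hard}")
    print("PASS" if not problems else "\n".join(problems))
```

On a real host, feed the script the output of ps -ef | grep dockerd and the contents of /etc/docker/daemon.json instead of the constructed samples. Because a container can still override these defaults with docker run --ulimit, a passing result here only establishes the daemon baseline; per-container values show up under HostConfig.Ulimits in docker inspect.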

Impact

If ulimits are set incorrectly this can cause problems with system resources in either direction: limits that are too low starve legitimate workloads (for example a nofile value below what a service needs to open its sockets and files), while limits that are too high fail to contain a runaway process. Both can result in a denial of service condition.

Default value

By default, no default ulimit is set on the daemon; containers then inherit the resource limits of the dockerd process itself.

References

  1. https://docs.docker.com/edge/engine/reference/commandline/dockerd/#default-ulimits

CIS controls

Version 6

18 Application Software Security