Containers should use the cgroup configured in Docker

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.24

Set up the docker integration.

Description

It is possible to attach to a particular cgroup when a container is instantiated. Confirming cgroup usage would ensure that containers are running in defined cgroups.

Rationale

System administrators typically define cgroups in which containers are supposed to run. If cgroups are not explicitly defined by the system administrator, containers run in the docker cgroup by default. At run time, it is possible to attach a container to a different cgroup other than the one originally defined. This usage should be monitored and confirmed, as by attaching to a different cgroup, excess permissions and resources might be granted to the container and this can therefore prove to be a security risk.

Audit

Run this command: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'

This command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.

Remediation

You should not use the --cgroup-parent option within the docker run command unless strictly required.

Impact

None.

Default value

By default, containers run under docker cgroup.

References

  1. https://docs.docker.com/engine/reference/run/#specify-custom-cgroups
  2. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Resource_Management_Guide/ch01.html

CIS controls

Version 6

18 Application Software Security Application Software Security

Audit

You should run the following command: docker ps –quiet –all | xargs docker inspect –format ‘{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}’ The above command returns the cgroup where the containers are running. If it is blank, it means that containers are running under the default docker cgroup. Any other return value indicates that the system is not configured in line with good security practice.