Title

The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. (Cat II impact)

Discussion

Controlling what users can perform privileged functions prevents unauthorized users from performing tasks that may expose data or degrade the container platform. When users are not segregated into privileged and non-privileged users, unauthorized individuals may perform tasks such as deploying containers, pulling images into the register, and modify keys in the keystore. These actions can introduce malicious containers and cause denial-of-service (DoS) attacks and undermine the container platform integrity. The enforcement may take place at the container platform and can be implemented within each container platform component (e.g. runtime, registry, and keystore).

Check Content

Review documentation to obtain the definition of the container platform functionality considered privileged in the context of the information system in question. Review the container platform security configuration and/or other means used to protect privileged functionality from unauthorized use. If the configuration does not protect all of the actions defined as privileged, this is a finding.

Fix Text

Configure the container platform to security to protect all privileged functionality. Assigning roles that limit what actions a particular user can perform are the most common means of meeting this requirement.

Additional Identifiers

Rule ID: SV-233162r879717_rule

Vulnerability ID: V-233162

Group Title: SRG-APP-000340

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.