Title

The container platform must prohibit the installation of patches and updates without explicit privileged status. (Cat II impact)

Discussion

Controlling access to those users and roles responsible for patching and updating the container platform reduces the risk of untested or potentially malicious software from being installed within the platform. This access may be separate from the access required to install container images into the registry and those access requirements required to instantiate an image into a service. Explicit privileges (escalated or administrative privileges) provide the regular user with explicit capabilities and control that exceeds the rights of a regular user.

Check Content

Review the container platform configuration to determine if patches and updates can only be installed through accounts with privileged status. Attempt to install a patch or upgrade using a nonprivileged user account. If patches or updates can be installed using a nonprivileged account or the container platform is not configured to stop the installation using a nonprivileged account, this is a finding.

Fix Text

Configure the container platform to only allow patch installation and upgrades using privileged accounts.

Additional Identifiers

Rule ID: SV-233184r981884_rule

Vulnerability ID: V-233184

Group Title: SRG-APP-000378

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.