Check: SRG-APP-000380-CTR-000340
Container Platform SRG: SRG-APP-000380-CTR-000340 (in version v2 r2)
Title
The container root filesystem must be mounted as read-only. (Cat II impact)
Discussion
Any changes to a container must be made by rebuilding the image and redeploying the new container image. Once a container is running, changes to the root filesystem should not be needed, thus preserving the immutable nature of the container. Any attempts to change the root filesystem are usually malicious in nature and can be prevented by making the root filesystem read-only.
Check Content
Review the container platform configuration to determine that the root filesystem is mounted as read-only. If the container platform does not enforce such access restrictions, this is a finding.
Fix Text
Review and remove nonsystem containers previously created with read-write permissions. Configure the container platform to force the root filesystem to be mounted as read-only.
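The check and fix above are platform-neutral. The following added example (not part of the SRG text, and not vendor code) assumes the container platform is Kubernetes, where this requirement maps to `securityContext.readOnlyRootFilesystem` on each container (including init containers). It audits a constructed sample pod manifest for containers whose root filesystem is still writable, treating a missing setting as writable because that is the platform default, and then produces a hardened copy that forces read-only root while giving the workload an `emptyDir` scratch volume for paths it legitimately writes to.

```python
"""Audit Kubernetes pod specs for writable container root filesystems.

Added example (not part of the SRG text): it assumes the container platform is
Kubernetes, where the setting that implements this requirement is
securityContext.readOnlyRootFilesystem on each container. The sample manifest
below is constructed for illustration.
"""
import copy
import json

# Constructed sample: one compliant container, one explicitly non-compliant
# container, and an init container with no securityContext at all (the
# default is a writable root filesystem).
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "web", "namespace": "prod"},
  "spec": {
    "initContainers": [
      {"name": "migrate", "image": "example/migrate:1.0"}
    ],
    "containers": [
      {"name": "app", "image": "example/app:1.0",
       "securityContext": {"readOnlyRootFilesystem": true}},
      {"name": "sidecar", "image": "example/sidecar:1.0",
       "securityContext": {"readOnlyRootFilesystem": false}}
    ]
  }
}
""")


def _all_containers(pod):
    """Yield (list name, container) for every init and regular container."""
    spec = pod.get("spec", {})
    for kind in ("initContainers", "containers"):
        for c in spec.get(kind, []):
            yield kind, c


def find_writable_root(pod):
    """Return the names of containers whose root filesystem is not read-only.

    A missing securityContext or a missing readOnlyRootFilesystem key counts
    as writable, because that is what the platform does by default.
    """
    findings = []
    for _, c in _all_containers(pod):
        ctx = c.get("securityContext") or {}
        if ctx.get("readOnlyRootFilesystem") is not True:
            findings.append(c["name"])
    return findings


def enforce_read_only_root(pod, scratch_paths=()):
    """Return a copy of the pod with every container's root filesystem read-only.

    scratch_paths lists directories the workload legitimately writes to; each
    gets an emptyDir volume mounted into every container so the application
    still runs once its root filesystem is read-only.
    """
    fixed = copy.deepcopy(pod)
    volumes = fixed["spec"].setdefault("volumes", [])
    for i, _ in enumerate(scratch_paths):
        volumes.append({"name": f"scratch-{i}", "emptyDir": {}})
    for _, c in _all_containers(fixed):
        c.setdefault("securityContext", {})["readOnlyRootFilesystem"] = True
        if scratch_paths:
            mounts = c.setdefault("volumeMounts", [])
            for i, path in enumerate(scratch_paths):
                mounts.append({"name": f"scratch-{i}", "mountPath": path})
    return fixed


def report(pod):
    """Summarise the result in the SRG's own finding / not-a-finding terms."""
    bad = find_writable_root(pod)
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    if bad:
        return f"FINDING: pod {name}: writable root filesystem in {', '.join(bad)}"
    return f"PASS: pod {name}: all containers mount root read-only"


if __name__ == "__main__":
    print(report(SAMPLE_POD))
    hardened = enforce_read_only_root(SAMPLE_POD, scratch_paths=["/tmp"])
    print(report(hardened))
```

Running the script reports the `migrate` and `sidecar` containers as findings and shows the hardened manifest passing. Note that per-manifest review only covers containers someone remembers to audit; to satisfy "configure the container platform to force" the setting, fleet-wide enforcement needs an admission policy that rejects pods lacking `readOnlyRootFilesystem: true`, since the built-in Pod Security Standards profiles do not include this field.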
Additional Identifiers
Rule ID: SV-270876r1050649_rule
Vulnerability ID: V-270876
Group Title: SRG-APP-000380
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001813 | Enforce access restrictions using organization-defined mechanisms. |
Controls
Number | Title |
---|---|
CM-5(1) | Automated Access Enforcement / Auditing |