Check: CNTR-MK-001010
Mirantis Kubernetes Engine STIG (version v1 r1)
Title
All containers must be restricted from acquiring additional privileges. (Cat II impact)
Discussion
To limit the attack surface of MKE, nonessential services must not be installed, and access to the host system must follow the principle of least privilege. Restrict containers from acquiring additional privileges via suid or sgid bits. A process can set the no_new_privs bit in the kernel; it persists across fork, clone, and execve. The no_new_privs bit ensures that the process and its child processes do not gain additional privileges via suid or sgid bits. This makes many dangerous operations much less dangerous, because privileged binaries cannot be subverted. no_new_privs also prevents LSMs such as SELinux from transitioning to process labels that have access not allowed to the current process.
Check Content
This check must be executed on all nodes in an MKE cluster to ensure all containers are restricted from acquiring additional privileges.

Via CLI: Linux: As an MKE Admin, execute the following command using a Universal Control Plane (MKE) client bundle:

docker ps --quiet --all | xargs -L 1 docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'

The above command returns the security options currently configured for the running containers. If the "SecurityOpt=" setting does not include the "no-new-privileges" flag, this is a finding.
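The check above can be scripted against the exact output format that the inspect command produces. The following is an added example, not part of the STIG text or of Mirantis documentation: it audits the "ID: SecurityOpt=[...]" lines offline. The container IDs and option lists are constructed sample data; on a live node the same function would be fed by the docker command shown in the comment. It also treats an explicit "no-new-privileges:false" (which Docker accepts) as a finding, since a plain substring match on "no-new-privileges" would wrongly pass it.

```shell
#!/bin/sh
# Added example (not from the STIG or Mirantis): offline audit of the
# "docker inspect" output produced by the Check Content. Live input comes from:
#   docker ps --quiet --all | xargs -L 1 docker inspect \
#     --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'
# The IDs and option lists below are constructed sample data.

SAMPLE_INSPECT_OUTPUT='1111aaaa: SecurityOpt=[no-new-privileges]
2222bbbb: SecurityOpt=[]
3333cccc: SecurityOpt=[seccomp=unconfined no-new-privileges:true]
4444dddd: SecurityOpt=[no-new-privileges:false]
5555eeee: SecurityOpt=[apparmor=docker-default]'

# has_no_new_privileges OPTS
# OPTS is the Go-slice rendering of HostConfig.SecurityOpt, e.g. "[a b]".
# Returns 0 only when the flag is enabled: Docker accepts "no-new-privileges",
# "no-new-privileges:true" and "no-new-privileges:false", and only the first
# two satisfy the check.
has_no_new_privileges() {
    list=${1#\[}
    list=${list%\]}
    for opt in $list; do
        case "$opt" in
            no-new-privileges|no-new-privileges:true) return 0 ;;
        esac
    done
    return 1
}

# audit_security_opts < inspect-output
# Writes one FINDING line per non-compliant container to stderr and prints
# the number of findings on stdout (0 means the node passes this check).
audit_security_opts() {
    findings=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        id=${line%%:*}
        opts=${line#*SecurityOpt=}
        if ! has_no_new_privileges "$opts"; then
            echo "FINDING: container $id lacks no-new-privileges (SecurityOpt=$opts)" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_INSPECT_OUTPUT" | audit_security_opts
```

Run on a node, replace the sample with the live pipeline and treat any non-zero count as a finding for this check.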
Fix Text
Start the containers using the following:

docker run --rm -it --security-opt=no-new-privileges <image>

A reference for the Docker run command can be found at https://docs.docker.com/engine/reference/run/. no-new-privileges command information can be found here: https://docs.mirantis.com/mke/3.7/install/plan-deployment/mcr-considerations/no-new-privileges.html.
Additional Identifiers
Rule ID: SV-260934r966159_rule
Vulnerability ID: V-260934
Group Title: SRG-APP-000243-CTR-000595
Expert Comments
CCIs
Number | Definition
---|---
CCI-001090 | The information system prevents unauthorized and unintended information transfer via shared system resources.
CCI-002233 | The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.