Title

Host IPC namespace must not be shared. (Cat II impact)

Discussion

IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores, and message queues. IPC namespace on the host must not be shared with the containers and remain isolated unless required. If the host's IPC namespace is shared with the container, it would allow processes within the container to view all of the IPC on the host system. This breaks the benefit of IPC level isolation between the host and the containers. Having access to the container can eventually manipulate the host IPC. Do not share the host's IPC namespace with the containers. Only containers with the proper label will share IPC namespace and this access must be documented.

Check Content

Check if the "IpcMode" is set to "host" for a running or stopped container. Log in to the MKE WebUI and Navigate to admin >> Admin Settings >> Privileges. If hostIPC is checked for User account privileges or Service account privileges, consult the System Security Plan (SSP). If hostIPC is not allowed per the SSP, this is a finding.

Fix Text

Modify IpcMode for a container by logging in to the MKE WebUI and navigating to admin >> Admin Settings >> Privileges. - Uncheck hostIPC. - Click "Save".

Additional Identifiers

Rule ID: SV-260935r966162_rule

Vulnerability ID: V-260935

Group Title: SRG-APP-000243-CTR-000600

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.