Container images instantiated by OpenShift must execute using least privileges.
An XCCDF Rule
Description
<VulnDiscussion>Container images running on OpenShift must support running as any arbitrary UID. OpenShift will then assign a random, nonprivileged UID to the running container instance. This avoids the risk from containers running with specific UIDs that could map to host service accounts, or an even greater risk of running as root level service. OpenShift uses the default security context constraints (SCC), restricted, to prevent containers from running as root or other privileged user IDs. Pods must be configured to use an SCC policy that allows the container to run as a specific UID, including root(0) when approved. Only a cluster administrator may grant the change of an SCC policy. https://docs.openshift.com/container-platform/4.8/openshift_images/create-images.html#images-create-guide-openshift_create-images Satisfies: SRG-APP-000342-CTR-000775, SRG-APP-000142-CTR-000330, SRG-APP-000243-CTR-000595</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-257557r921614_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
For users and groups that are defined in the SCC policy, execute the following to remove the users or groups by editing the corresponding SCC policy.
oc edit scc <SCC>
The following instructions will remove the user or group from the cluster role binding for the SCC policy.