Limit Containers Ability to use the HostDir volume plugin

An XCCDF Rule

Description

Containers should not be allowed to use the hostPath volume type unless necessary. To prevent containers from using the host filesystem, the appropriate Security Context Constraints (SCCs) should set allowHostDirVolumePlugin to false.

Rationale

hostPath volumes allow a workload to access the host filesystem. Access to the host filesystem can be used to escalate privileges and to read resources such as keys or access tokens stored on the node.
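The following is an added audit example, not part of the ComplianceAsCode rule content. It assumes the SCCs were exported with `oc get scc -o json` (a List whose items are SecurityContextConstraints objects carrying the top-level field `allowHostDirVolumePlugin` and a `volumes` list); the SCC list it parses is constructed inline, including a hypothetical `custom-logging` SCC, so it runs offline. It reports every SCC that still permits host directory volumes, optionally skipping an allow-list of SCCs the operator has deliberately accepted, and produces the merge patch that turns the setting off.

```python
"""Audit OpenShift Security Context Constraints for allowHostDirVolumePlugin.

Added example, not the rule's own check. Input is assumed to be the JSON
printed by `oc get scc -o json`; the sample below is constructed.
"""
import json
import sys

# Constructed sample in the shape of `oc get scc -o json` output.
SAMPLE_SCC_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"apiVersion": "security.openshift.io/v1",
         "kind": "SecurityContextConstraints",
         "metadata": {"name": "restricted"},
         "allowHostDirVolumePlugin": False,
         "volumes": ["configMap", "emptyDir", "persistentVolumeClaim", "secret"]},
        {"apiVersion": "security.openshift.io/v1",
         "kind": "SecurityContextConstraints",
         "metadata": {"name": "privileged"},
         "allowHostDirVolumePlugin": True,
         "volumes": ["*"]},
        {"apiVersion": "security.openshift.io/v1",
         "kind": "SecurityContextConstraints",
         "metadata": {"name": "custom-logging"},   # hypothetical custom SCC
         "allowHostDirVolumePlugin": True,
         "volumes": ["configMap", "hostPath", "secret"]},
    ],
})


def find_hostpath_sccs(scc_list_json, allowed=frozenset()):
    """Return one finding per SCC that permits host directory volumes.

    An SCC permits hostPath when allowHostDirVolumePlugin is true. The
    volumes list is inspected as well, because "hostPath" or "*" there is
    the other half of the same permission and should be cleaned up together.
    SCC names in `allowed` (ones the operator has consciously accepted,
    e.g. the built-in privileged SCC) are skipped.
    """
    doc = json.loads(scc_list_json)
    findings = []
    for scc in doc.get("items", []):
        name = scc["metadata"]["name"]
        if name in allowed:
            continue
        volumes = scc.get("volumes", [])
        if bool(scc.get("allowHostDirVolumePlugin", False)):
            findings.append({
                "name": name,
                "allowHostDirVolumePlugin": True,
                "hostPathInVolumes": "hostPath" in volumes or "*" in volumes,
            })
    return findings


def remediation_patch():
    """JSON merge patch that disables host directory volumes on an SCC.

    Intended for `oc patch scc <name> --type=merge -p '<patch>'`; the volumes
    list is left for the operator to edit, since removing entries from it
    depends on what else the SCC legitimately needs.
    """
    return json.dumps({"allowHostDirVolumePlugin": False})


def main(argv):
    # Read an exported SCC list from a file, or fall back to the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_SCC_LIST
    allowed = set(argv[2].split(",")) if len(argv) > 2 else set()
    findings = find_hostpath_sccs(text, allowed)
    for f in findings:
        print(f"FAIL {f['name']}: allowHostDirVolumePlugin=true, "
              f"hostPath in volumes={f['hostPathInVolumes']}")
        print(f"  fix: oc patch scc {f['name']} --type=merge -p '{remediation_patch()}'")
    if not findings:
        print("PASS: no SCC outside the allow-list permits hostPath volumes")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to audit the constructed sample, or pass the path of a saved `oc get scc -o json` export and an optional comma-separated allow-list; the non-zero exit status on findings lets it sit in a compliance pipeline.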

ID
xccdf_org.ssgproject.content_rule_scc_limit_host_dir_volume_plugin
Severity
Medium