
Limit Containers Ability to bind to privileged ports

An XCCDF Rule

Description

Containers should be limited to binding non-privileged ports directly on the host. To prevent containers from binding privileged host ports, the relevant Security Context Constraints (SCCs) should set allowHostPorts to false. Note that allowHostPorts: false causes the SCC to reject any pod that requests a hostPort, privileged or not; a workload that needs to be reachable should declare a containerPort and be exposed through a Service or route rather than a host port.

Rationale

Privileged ports are those below 1024; binding one in the host network namespace requires system privileges (root or the CAP_NET_BIND_SERVICE capability). If containers are able to claim these host ports, the container must run with that elevated privilege. The container platform must therefore reject containers that try to map to these ports directly. Where a well-known port is needed, the allowable method is to expose the container's privileged port through a non-privileged port on the outside, for example mapping port 8080 externally to port 80 in the container.
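The following is an added example, not ComplianceAsCode's or OpenShift's own check, that shows what this rule is looking for. It reads an SCC list in the shape returned by `oc get scc -o json`, lists every SCC that still has allowHostPorts set to true, and runs a simplified, host-port-only version of SCC admission over two constructed pod specs: one that maps host port 80 directly, and one that only declares containerPort 80. The SCC list (including the hypothetical custom SCC `app-legacy`), the pod specs, the image name and the group names are all constructed sample data.

```python
"""Check SecurityContextConstraints (SCCs) for host-port exposure.

Added example for the scc_limit_host_ports rule, not ComplianceAsCode's or
OpenShift's own check. Input mirrors the shape of `oc get scc -o json`;
every SCC and pod spec below is constructed sample data.
"""
import json

PRIVILEGED_PORT_MAX = 1023  # TCP/UDP ports 0-1023 are privileged

# Constructed sample: what a trimmed `oc get scc -o json` might return.
# "app-legacy" is a hypothetical custom SCC that still allows host ports and
# is granted to every authenticated user, the misconfiguration the rule flags.
SCC_LIST_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"kind": "SecurityContextConstraints", "metadata": {"name": "restricted"},
         "allowHostPorts": False, "users": [], "groups": ["system:authenticated"]},
        {"kind": "SecurityContextConstraints", "metadata": {"name": "hostnetwork"},
         "allowHostPorts": True, "users": [], "groups": []},
        {"kind": "SecurityContextConstraints", "metadata": {"name": "app-legacy"},
         "allowHostPorts": True, "users": [], "groups": ["system:authenticated"]},
    ],
})
SCC_LIST = json.loads(SCC_LIST_JSON)

# Constructed pod specs: one maps host port 80 directly, the other only
# declares containerPort 80 and leaves exposure to a Service or route.
POD_WITH_HOST_PORT = {"containers": [{"name": "web", "image": "example/web",
                      "ports": [{"containerPort": 80, "hostPort": 80}]}]}
POD_WITHOUT_HOST_PORT = {"containers": [{"name": "web", "image": "example/web",
                         "ports": [{"containerPort": 80}]}]}


def sccs_allowing_host_ports(scc_list):
    """Names of SCCs with allowHostPorts: true (the setting this rule flags)."""
    return sorted(item["metadata"]["name"] for item in scc_list["items"]
                  if item.get("allowHostPorts", False))


def requested_host_ports(pod_spec):
    """Every hostPort requested by a container or initContainer."""
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    return [p["hostPort"] for c in containers for p in c.get("ports", [])
            if "hostPort" in p]


def privileged_host_ports(pod_spec):
    """Subset of the requested hostPorts that fall in the privileged range."""
    return [p for p in requested_host_ports(pod_spec) if p <= PRIVILEGED_PORT_MAX]


def admission_decision(pod_spec, scc_list, groups):
    """Simplified SCC admission restricted to the host-port dimension.

    A pod is admitted if at least one SCC granted to one of the caller's
    groups accepts it; an SCC with allowHostPorts: false rejects any pod that
    requests a hostPort, privileged or not. Other SCC fields (runAsUser,
    SELinux, capabilities, hostNetwork, ...) are deliberately ignored here.
    Returns (admitted, name_of_admitting_scc_or_None).
    """
    wants_host_ports = bool(requested_host_ports(pod_spec))
    for item in scc_list["items"]:
        if not set(item.get("groups", [])) & set(groups):
            continue  # SCC not granted to this caller
        if wants_host_ports and not item.get("allowHostPorts", False):
            continue  # SCC forbids host ports, so it cannot admit this pod
        return True, item["metadata"]["name"]
    return False, None


def remediated(scc_list, names):
    """Deep copy of the SCC list with allowHostPorts set to false on the named
    SCCs, which is what the rule expects; the original list is left untouched."""
    fixed = json.loads(json.dumps(scc_list))
    for item in fixed["items"]:
        if item["metadata"]["name"] in names:
            item["allowHostPorts"] = False
    return fixed


if __name__ == "__main__":
    caller = ["system:authenticated"]
    print("SCCs allowing host ports:", sccs_allowing_host_ports(SCC_LIST))
    print("privileged host ports requested:", privileged_host_ports(POD_WITH_HOST_PORT))
    print("hostPort pod, current SCCs:",
          admission_decision(POD_WITH_HOST_PORT, SCC_LIST, caller))
    fixed = remediated(SCC_LIST, ["app-legacy"])
    print("hostPort pod, after fix:",
          admission_decision(POD_WITH_HOST_PORT, fixed, caller))
    print("containerPort-only pod, after fix:",
          admission_decision(POD_WITHOUT_HOST_PORT, fixed, caller))
```

Against the sample data, the hostPort 80 pod is admitted only because the hypothetical `app-legacy` SCC is granted to all authenticated users with allowHostPorts true; once that field is set to false, the same pod is rejected, while the pod that only declares containerPort 80 is still admitted by `restricted`. To run the same listing against a live cluster, feed the output of `oc get scc -o json` to `sccs_allowing_host_ports` in place of the constructed list.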

ID
xccdf_org.ssgproject.content_rule_scc_limit_host_ports
Severity
Medium
References
Updated