
Limit Access to the Host IPC Namespace

An XCCDF Rule

Description

Containers should not be allowed access to the host's Interprocess Communication (IPC) namespace. To prevent containers from getting access to a host's IPC namespace, the appropriate Security Context Constraints (SCCs) should set allowHostIPC to false.

Rationale

A container running in the host's IPC namespace can use IPC to interact with processes outside the container. This potentially allows an attacker to exploit a host process and, from there, to attack other services on the host.
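The check this rule describes, as an added example that is not part of the rule or the ComplianceAsCode project's own code: it reads output shaped like `oc get scc -o json` (the sample below is constructed inline) and reports every SCC whose allowHostIPC is true. The optional allow-list of SCC names that may legitimately keep host IPC access, and the treatment of an absent field as false, are assumptions of this example.

```python
import json

# Constructed sample shaped like `oc get scc -o json` output; not taken from a real cluster.
SAMPLE_SCC_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "SecurityContextConstraints", "metadata": {"name": "restricted"},
         "allowHostIPC": False, "allowHostPID": False},
        {"kind": "SecurityContextConstraints", "metadata": {"name": "privileged"},
         "allowHostIPC": True, "allowHostPID": True},
        {"kind": "SecurityContextConstraints", "metadata": {"name": "custom-app"},
         "allowHostIPC": True, "allowHostPID": False},
        # Field omitted entirely; treated as false below (assumption: matches the API default).
        {"kind": "SecurityContextConstraints", "metadata": {"name": "minimal"}},
    ],
})


def host_ipc_violations(scc_list_json, allowed=()):
    """Return the sorted names of SCCs that set allowHostIPC to true.

    `allowed` is an optional allow-list of SCC names whose host IPC access is
    accepted by local policy (an assumption of this example, not part of the rule).
    An absent allowHostIPC field is treated as false.
    """
    data = json.loads(scc_list_json)
    return sorted(
        item["metadata"]["name"]
        for item in data.get("items", [])
        if item.get("allowHostIPC", False) is True
        and item["metadata"]["name"] not in allowed
    )


if __name__ == "__main__":
    # Remediation is a merge patch that flips the field to false on each offending SCC.
    patch = json.dumps({"allowHostIPC": False})
    for name in host_ipc_violations(SAMPLE_SCC_LIST, allowed=("privileged",)):
        print(f"SCC {name} allows host IPC; remediate with: "
              f"oc patch scc {name} --type=merge -p '{patch}'")
```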

ID
xccdf_org.ssgproject.content_rule_scc_limit_ipc_namespace
Severity
Medium