Limit Access to the Host Process ID Namespace

An XCCDF Rule

Details
Profiles

Description

Containers should not be allowed access to the host's process ID namespace. To prevent containers from getting access to a host's process ID namespace, the appropriate Security Context Constraints (SCCs) should set allowHostPID to false.

Rationale

A container running in the host's PID namespace can inspect processes running outside the container which can be used to escalate privileges outside of the container.

ID: xccdf_org.ssgproject.content_rule_scc_limit_process_id_namespace
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

Req-2.2

5.2.2

CNTR-OS-000660 SRG-APP-000516-CTR-001325

APP.4.4.A4 APP.4.4.A9 SYS.1.6.A18 SYS.1.6.A21

2.2 2.2.1

SV-257557r921614_rule
Updated: over 1 year ago