
The container root filesystem must be mounted as read-only.

An XCCDF Rule

Description

Any change to a container must be made by rebuilding the image and redeploying the new container image. Once a container is running, changes to its root filesystem should not be needed, which preserves the immutable nature of the container. Attempts to modify the root filesystem of a running container are usually malicious (for example, dropping tooling or persisting a foothold) and can be prevented by mounting the root filesystem read-only. Any scratch or cache location the workload legitimately needs to write should be provided as an explicitly declared volume rather than by leaving the whole root filesystem writable.

ID
SV-270876r1050649_rule
Version
SRG-APP-000380-CTR-000340
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

Review the running containers and remove any nonsystem containers that were created with a read-write root filesystem. Configure the container platform to force the root filesystem to be mounted read-only, so that a container cannot be started without that setting.
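How the review step can be carried out, as an added example that is not part of the rule text: the script below audits constructed Kubernetes Pod manifests (the field names are the real Kubernetes API fields; the pod and image names are made up) and a constructed excerpt of `docker inspect` output. The key caveat it encodes is that Kubernetes has no pod-level default for this setting: `readOnlyRootFilesystem` exists only in the per-container `securityContext`, and a missing key means read-write, so every init, app and sidecar container has to be checked individually. The compliant manifest also shows the pattern the description calls for: the flag set to true plus an explicit `emptyDir` for the one path the process still needs to write.

```python
"""Audit container definitions for a writable root filesystem.

Added example, not part of the XCCDF rule. The manifests and inspect
output below are constructed for illustration.
"""

import json

# Constructed non-compliant pod: one container with no securityContext at
# all, one that sets the flag to false explicitly. Both are findings.
NONCOMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-rw"},
    "spec": {
        "containers": [
            {"name": "web", "image": "example.invalid/web:1.0"},
            {"name": "sidecar", "image": "example.invalid/log:1.0",
             "securityContext": {"readOnlyRootFilesystem": False}},
        ]
    },
}

# Constructed compliant pod: every container (init containers included)
# sets readOnlyRootFilesystem, and the app gets an emptyDir for /tmp so
# the rest of its root filesystem can stay immutable.
COMPLIANT_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-ro"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "example.invalid/init:1.0",
             "securityContext": {"readOnlyRootFilesystem": True}}
        ],
        "containers": [
            {
                "name": "web",
                "image": "example.invalid/web:1.0",
                "securityContext": {"readOnlyRootFilesystem": True},
                "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            }
        ],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}


def writable_containers(pod):
    """Return 'pod/container' names whose root filesystem is not read-only.

    readOnlyRootFilesystem is a per-container field with no pod-level
    default, so a missing securityContext or a missing key is treated as
    read-write (a finding), not as unknown. Init, app and ephemeral
    containers are all checked.
    """
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for section in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(section, []):
            security_context = container.get("securityContext") or {}
            if security_context.get("readOnlyRootFilesystem") is not True:
                findings.append(f"{pod_name}/{container['name']}")
    return findings


def docker_readonly_rootfs(inspect_output):
    """Same check for a plain Docker host.

    Takes the JSON printed by `docker inspect <container>` and returns True
    only if every listed container has HostConfig.ReadonlyRootfs set, which
    is what `docker run --read-only` produces.
    """
    entries = json.loads(inspect_output)
    return all(
        entry.get("HostConfig", {}).get("ReadonlyRootfs") is True
        for entry in entries
    )


# Constructed excerpt of `docker inspect` output for a container that was
# started without --read-only.
DOCKER_INSPECT_RW = json.dumps(
    [{"Id": "abc123", "HostConfig": {"ReadonlyRootfs": False}}]
)


if __name__ == "__main__":
    for pod in (NONCOMPLIANT_POD, COMPLIANT_POD):
        bad = writable_containers(pod)
        print(pod["metadata"]["name"], "FAIL" if bad else "PASS", bad)
    ok = docker_readonly_rootfs(DOCKER_INSPECT_RW)
    print("docker abc123", "PASS" if ok else "FAIL")
```

In practice the manifests come from `kubectl get pods -A -o json` and the Docker input from `docker inspect $(docker ps -q)`; the functions are written to consume those shapes directly. Note that the Docker check only tells you how a container was started; to "force" the setting as the remediation requires, the platform itself must reject containers that omit it.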