PIDs cgroup limits must be used in Docker Enterprise.

An XCCDF Rule

Description

<VulnDiscussion>Use --pids-limit flag at container runtime. Attackers could launch a fork bomb with a single command inside the container. This fork bomb can crash the entire system and requires a restart of the host to make the system functional again. PIDs cgroup --pids-limit will prevent this kind of attacks by restricting the number of forks that can happen inside a container at a given time. The Default value for --pids-limit is 0 which means there is no restriction on the number of forks. Also, note that PIDs cgroup limit works only for the kernel versions 4.3+.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-235828r627611_rule
Severity: Medium
References: CCI-001095
Updated: about 1 year ago

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Use --pids-limit flag while launching the container with an appropriate value.

Example:
docker run -it --pids-limit 100 <Image_ID>In the above example, the number of processes allowed to run at any given time is set to 100. After a limit of 100 concurrently running processes is reached, docker would restrict any new process creation.

PIDs cgroup limits must be used in Docker Enterprise.

Description

Remediation - Manual Procedure