Back to catalog

Docker CIS 5.15: Ensure that the host's process namespace is not shared

No violationsstackroxmediumdeploy

The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.

Rationale
PID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.
Remediation
You should not create a deployment with `hostPID: true`
CategoriesDocker CIS
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.2.2
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2
PCI DSS 4.0
2.2.1

Generated artifacts

3 of 5 targets supported
docker-cis-5-15-ensure-that-the-host-s-process-namespace-is-not.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: docker-cis-5-15-ensure-that-the-host-s-process-namespace-is-not
  annotations:
    policies.kyverno.io/title: "Docker CIS 5.15: Ensure that the host's process namespace is not shared"
    policies.kyverno.io/category: Docker CIS
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.
    policies.kyverno.io/remediation: "You should not create a deployment with `hostPID: true`"
    policies.kyverno.io/rationale: PID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.
    policies.io/source: stackrox
    policies.io/source-id: 436811e7-892f-4da6-a0f5-8cc459f1b954
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: docker-cis-5-15-ensure-that-the-host-s-process-nam
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: "Policy \"Docker CIS 5.15: Ensure that the host's process namespace is not shared\" violated: The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host."
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.hostPID || `false` }}"
                operator: Equals
                value: true
      exclude:
        any:
          - resources:
              namespaces:
                - kube-system
          - resources:
              namespaces:
                - openshift-kube-apiserver
          - resources:
              namespaces:
                - openshift-cluster-node-tuning-operator
          - resources:
              namespaces:
                - openshift-ovn-kubernetes
          - resources:
              namespaces:
                - openshift-machine-config-operator
          - resources:
              namespaces:
                - openshift-sdn
          - resources:
              namespaces:
                - openshift-monitoring
          - resources:
              namespaces:
                - openshift-multus
IR (canonical)
{
  "id": "436811e7-892f-4da6-a0f5-8cc459f1b954",
  "name": "Docker CIS 5.15: Ensure that the host's process namespace is not shared",
  "description": "The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.",
  "rationale": "PID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.",
  "remediation": "You should not create a deployment with `hostPID: true`",
  "severity": "medium",
  "categories": [
    "Docker CIS"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "apiserver-watcher-.*",
      "namespace": "kube-system"
    },
    {
      "name": "Don't alert on deployment in openshift-kube-apiserver namespace",
      "namespace": "openshift-kube-apiserver"
    },
    {
      "name": "tuned",
      "namespace": "openshift-cluster-node-tuning-operator"
    },
    {
      "name": "ovnkube-node",
      "namespace": "openshift-ovn-kubernetes"
    },
    {
      "name": "machine-config-daemon",
      "namespace": "openshift-machine-config-operator"
    },
    {
      "name": "Don't alert on the openshift-sdn namespace",
      "namespace": "openshift-sdn"
    },
    {
      "name": "node-exporter",
      "namespace": "openshift-monitoring"
    },
    {
      "name": "multus",
      "namespace": "openshift-multus"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "host-pid",
    "values": [
      "true"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "436811e7-892f-4da6-a0f5-8cc459f1b954",
  "name": "Docker CIS 5.15: Ensure that the host's process namespace is not shared",
  "description": "The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.",
  "rationale": "PID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.",
  "remediation": "You should not create a deployment with `hostPID: true`",
  "disabled": false,
  "categories": [
    "Docker CIS"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on deployment apiserver-watcher-* in kube-system namespace",
      "deployment": {
        "name": "apiserver-watcher-.*",
        "scope": {
          "cluster": "",
          "namespace": "kube-system",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment in openshift-kube-apiserver namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-kube-apiserver",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment tuned in openshift-cluster-node-tuning-operator namespace",
      "deployment": {
        "name": "tuned",
        "scope": {
          "cluster": "",
          "namespace": "openshift-cluster-node-tuning-operator",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment ovnkube-node in openshift-ovn-kubernetes namespace",
      "deployment": {
        "name": "ovnkube-node",
        "scope": {
          "cluster": "",
          "namespace": "openshift-ovn-kubernetes",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment machine-config-daemon in openshift-machine-config-operator namespace",
      "deployment": {
        "name": "machine-config-daemon",
        "scope": {
          "cluster": "",
          "namespace": "openshift-machine-config-operator",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on the openshift-sdn namespace",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "openshift-sdn",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment node-exporter in namespace openshift-monitoring",
      "deployment": {
        "name": "node-exporter",
        "scope": {
          "cluster": "",
          "namespace": "openshift-monitoring",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on deployment multus in namespace openshift-multus",
      "deployment": {
        "name": "multus",
        "scope": {
          "cluster": "",
          "namespace": "openshift-multus",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "Section 1",
      "policyGroups": [
        {
          "fieldName": "Host PID",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "true"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}