Docker CIS 5.15: Ensure that the host's process namespace is not shared
No violationsstackroxmediumdeployThe Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.
- Rationale
- PID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.
- Remediation
- You should not create a deployment with `hostPID: true`
CategoriesDocker CIS
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.2
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
Generated artifacts
3 of 5 targets supporteddocker-cis-5-15-ensure-that-the-host-s-process-namespace-is-not.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: docker-cis-5-15-ensure-that-the-host-s-process-namespace-is-not
annotations:
policies.kyverno.io/title: "Docker CIS 5.15: Ensure that the host's process namespace is not shared"
policies.kyverno.io/category: Docker CIS
policies.kyverno.io/severity: medium
policies.kyverno.io/description: The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.
policies.kyverno.io/remediation: "You should not create a deployment with `hostPID: true`"
policies.kyverno.io/rationale: PID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.
policies.io/source: stackrox
policies.io/source-id: 436811e7-892f-4da6-a0f5-8cc459f1b954
spec:
validationFailureAction: Audit
background: true
rules:
- name: docker-cis-5-15-ensure-that-the-host-s-process-nam
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Policy \"Docker CIS 5.15: Ensure that the host's process namespace is not shared\" violated: The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host."
deny:
conditions:
all:
- key: "{{ request.object.spec.hostPID || `false` }}"
operator: Equals
value: true
exclude:
any:
- resources:
namespaces:
- kube-system
- resources:
namespaces:
- openshift-kube-apiserver
- resources:
namespaces:
- openshift-cluster-node-tuning-operator
- resources:
namespaces:
- openshift-ovn-kubernetes
- resources:
namespaces:
- openshift-machine-config-operator
- resources:
namespaces:
- openshift-sdn
- resources:
namespaces:
- openshift-monitoring
- resources:
namespaces:
- openshift-multus
IR (canonical)
{
"id": "436811e7-892f-4da6-a0f5-8cc459f1b954",
"name": "Docker CIS 5.15: Ensure that the host's process namespace is not shared",
"description": "The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.",
"rationale": "PID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.",
"remediation": "You should not create a deployment with `hostPID: true`",
"severity": "medium",
"categories": [
"Docker CIS"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "apiserver-watcher-.*",
"namespace": "kube-system"
},
{
"name": "Don't alert on deployment in openshift-kube-apiserver namespace",
"namespace": "openshift-kube-apiserver"
},
{
"name": "tuned",
"namespace": "openshift-cluster-node-tuning-operator"
},
{
"name": "ovnkube-node",
"namespace": "openshift-ovn-kubernetes"
},
{
"name": "machine-config-daemon",
"namespace": "openshift-machine-config-operator"
},
{
"name": "Don't alert on the openshift-sdn namespace",
"namespace": "openshift-sdn"
},
{
"name": "node-exporter",
"namespace": "openshift-monitoring"
},
{
"name": "multus",
"namespace": "openshift-multus"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "host-pid",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "436811e7-892f-4da6-a0f5-8cc459f1b954",
"name": "Docker CIS 5.15: Ensure that the host's process namespace is not shared",
"description": "The Process ID (PID) namespace isolates the process ID space, meaning that processes in different PID namespaces can have the same PID. This creates process level isolation between the containers and the host.",
"rationale": "PID namespace provides separation between processes. It prevents system processes from being visible, and allows process ids to be reused including PID 1. If the host's PID namespace is shared with containers, it would basically allow these to see all of the processes on the host system. This reduces the benefit of process level isolation between the host and the containers. Under these circumstances a malicious user who has access to a container could get access to processes on the host itself, manipulate them, and even be able to kill them. This could allow for the host itself being shut down, which could be extremely serious, particularly in a multi-tenanted environment. You should not share the host's process namespace with the containers running on it.",
"remediation": "You should not create a deployment with `hostPID: true`",
"disabled": false,
"categories": [
"Docker CIS"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on deployment apiserver-watcher-* in kube-system namespace",
"deployment": {
"name": "apiserver-watcher-.*",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment in openshift-kube-apiserver namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-kube-apiserver",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment tuned in openshift-cluster-node-tuning-operator namespace",
"deployment": {
"name": "tuned",
"scope": {
"cluster": "",
"namespace": "openshift-cluster-node-tuning-operator",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment ovnkube-node in openshift-ovn-kubernetes namespace",
"deployment": {
"name": "ovnkube-node",
"scope": {
"cluster": "",
"namespace": "openshift-ovn-kubernetes",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment machine-config-daemon in openshift-machine-config-operator namespace",
"deployment": {
"name": "machine-config-daemon",
"scope": {
"cluster": "",
"namespace": "openshift-machine-config-operator",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on the openshift-sdn namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-sdn",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment node-exporter in namespace openshift-monitoring",
"deployment": {
"name": "node-exporter",
"scope": {
"cluster": "",
"namespace": "openshift-monitoring",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on deployment multus in namespace openshift-multus",
"deployment": {
"name": "multus",
"scope": {
"cluster": "",
"namespace": "openshift-multus",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "Section 1",
"policyGroups": [
{
"fieldName": "Host PID",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}