Docker CIS 5.16: Ensure that the host's IPC namespace is not shared
No violationsstackroxmediumdeployIPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.
- Rationale
- The IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. The IPC namespace should therefore not be shared between the host and its containers.
- Remediation
- You should not create a deployment with `hostIPC: true`
CategoriesDocker CIS
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.3
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2
- PCI DSS 4.0
- 2.2.1
Generated artifacts
3 of 5 targets supporteddocker-cis-5-16-ensure-that-the-host-s-ipc-namespace-is-not-sha.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: docker-cis-5-16-ensure-that-the-host-s-ipc-namespace-is-not-sha
annotations:
policies.kyverno.io/title: "Docker CIS 5.16: Ensure that the host's IPC namespace is not shared"
policies.kyverno.io/category: Docker CIS
policies.kyverno.io/severity: medium
policies.kyverno.io/description: IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.
policies.kyverno.io/remediation: "You should not create a deployment with `hostIPC: true`"
policies.kyverno.io/rationale: The IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. The IPC namespace should therefore not be shared between the host and its containers.
policies.io/source: stackrox
policies.io/source-id: 47cb9e0a-879a-417b-9a8f-de644d7c8a77
spec:
validationFailureAction: Audit
background: true
rules:
- name: docker-cis-5-16-ensure-that-the-host-s-ipc-namespa
match:
any:
- resources:
kinds:
- Pod
validate:
message: "Policy \"Docker CIS 5.16: Ensure that the host's IPC namespace is not shared\" violated: IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated."
deny:
conditions:
all:
- key: "{{ request.object.spec.hostIPC || `false` }}"
operator: Equals
value: true
exclude:
any:
- resources:
namespaces:
- openshift-cluster-node-tuning-operator
IR (canonical)
{
"id": "47cb9e0a-879a-417b-9a8f-de644d7c8a77",
"name": "Docker CIS 5.16: Ensure that the host's IPC namespace is not shared",
"description": "IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.",
"rationale": "The IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. The IPC namespace should therefore not be shared between the host and its containers.",
"remediation": "You should not create a deployment with `hostIPC: true`",
"severity": "medium",
"categories": [
"Docker CIS"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "tuned",
"namespace": "openshift-cluster-node-tuning-operator"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "host-ipc",
"values": [
"true"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "47cb9e0a-879a-417b-9a8f-de644d7c8a77",
"name": "Docker CIS 5.16: Ensure that the host's IPC namespace is not shared",
"description": "IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.",
"rationale": "The IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. The IPC namespace should therefore not be shared between the host and its containers.",
"remediation": "You should not create a deployment with `hostIPC: true`",
"disabled": false,
"categories": [
"Docker CIS"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on deployment tuned in openshift-cluster-node-tuning-operator namespace",
"deployment": {
"name": "tuned",
"scope": {
"cluster": "",
"namespace": "openshift-cluster-node-tuning-operator",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "Section 1",
"policyGroups": [
{
"fieldName": "Host IPC",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "true"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}