Back to catalog

Docker CIS 5.7: Ensure privileged ports are not mapped within containers

No violationsstackroxmediumdeploy

The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.

Rationale
By default, if the user does not specifically declare a container port to host port mapping, the containers ports will be mapped to available non-privileged host ports. Containers are, however, allow to map their ports to a privileged ports on the host if the user explicitly declares it. In Docker this is because containers are executed with NET_BIND_SERVICE Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.
Remediation
You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.
CategoriesDocker CIS
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2Art. 9.4(b)
ISO/IEC 27001 2022
A.8.20A.8.9
NIST SP 800-53 rev. 5
CM-2SC-7
PCI DSS 4.0
1.3.12.2.1
SOC 2 2017 TSC
CC6.6

Generated artifacts

3 of 5 targets supported
docker-cis-5-7-ensure-privileged-ports-are-not-mapped-within-co.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: docker-cis-5-7-ensure-privileged-ports-are-not-mapped-within-co
  annotations:
    policies.kyverno.io/title: "Docker CIS 5.7: Ensure privileged ports are not mapped within containers"
    policies.kyverno.io/category: Docker CIS
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.
    policies.kyverno.io/remediation: You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.
    policies.kyverno.io/rationale: By default, if the user does not specifically declare a container port to host port mapping, the containers ports will be mapped to available non-privileged host ports. Containers are, however, allow to map their ports to a privileged ports on the host if the user explicitly declares it. In Docker this is because containers are executed with NET_BIND_SERVICE Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.
    policies.io/source: stackrox
    policies.io/source-id: 6abcaa13-9ed6-4109-a1a7-be2e8280e49e
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: docker-cis-5-7-ensure-privileged-ports-are-not-map
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Docker CIS 5.7: Ensure privileged ports are not mapped within containers" violated: The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.ports[].nodePort || `[]` }}"
                operator: AnyIn
                value: []
      exclude:
        any:
          - resources:
              namespaces:
                - openshift-ingress
IR (canonical)
{
  "id": "6abcaa13-9ed6-4109-a1a7-be2e8280e49e",
  "name": "Docker CIS 5.7: Ensure privileged ports are not mapped within containers",
  "description": "The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.",
  "rationale": "By default, if the user does not specifically declare a container port to host port mapping, the containers ports will be mapped to available non-privileged host ports. Containers are, however, allow to map their ports to a privileged ports on the host if the user explicitly declares it. In Docker this is because containers are executed with NET_BIND_SERVICE Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.",
  "remediation": "You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.",
  "severity": "medium",
  "categories": [
    "Docker CIS"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "router-default",
      "namespace": "openshift-ingress"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "exposed-node-port",
    "values": [
      "<= 1024",
      "> 0"
    ],
    "valuesOp": "and",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "6abcaa13-9ed6-4109-a1a7-be2e8280e49e",
  "name": "Docker CIS 5.7: Ensure privileged ports are not mapped within containers",
  "description": "The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.",
  "rationale": "By default, if the user does not specifically declare a container port to host port mapping, the containers ports will be mapped to available non-privileged host ports. Containers are, however, allow to map their ports to a privileged ports on the host if the user explicitly declares it. In Docker this is because containers are executed with NET_BIND_SERVICE Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.",
  "remediation": "You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.",
  "disabled": false,
  "categories": [
    "Docker CIS"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on the router-default deployment in namespace openshift-ingress",
      "deployment": {
        "name": "router-default",
        "scope": {
          "cluster": "",
          "namespace": "openshift-ingress",
          "label": null
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Exposed Node Port",
          "booleanOperator": "AND",
          "negate": false,
          "values": [
            {
              "value": "<= 1024"
            },
            {
              "value": "> 0"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}