Docker CIS 5.7: Ensure privileged ports are not mapped within containers
No violationsstackroxmediumdeployThe TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.
- Rationale
- By default, if the user does not specifically declare a container port to host port mapping, the containers ports will be mapped to available non-privileged host ports. Containers are, however, allow to map their ports to a privileged ports on the host if the user explicitly declares it. In Docker this is because containers are executed with NET_BIND_SERVICE Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.
- Remediation
- You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.
CategoriesDocker CIS
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2Art. 9.4(b)
- ISO/IEC 27001 2022
- A.8.20A.8.9
- NIST SP 800-53 rev. 5
- CM-2SC-7
- PCI DSS 4.0
- 1.3.12.2.1
- SOC 2 2017 TSC
- CC6.6
Generated artifacts
3 of 5 targets supporteddocker-cis-5-7-ensure-privileged-ports-are-not-mapped-within-co.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: docker-cis-5-7-ensure-privileged-ports-are-not-mapped-within-co
annotations:
policies.kyverno.io/title: "Docker CIS 5.7: Ensure privileged ports are not mapped within containers"
policies.kyverno.io/category: Docker CIS
policies.kyverno.io/severity: medium
policies.kyverno.io/description: The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.
policies.kyverno.io/remediation: You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.
policies.kyverno.io/rationale: By default, if the user does not specifically declare a container port to host port mapping, the containers ports will be mapped to available non-privileged host ports. Containers are, however, allow to map their ports to a privileged ports on the host if the user explicitly declares it. In Docker this is because containers are executed with NET_BIND_SERVICE Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.
policies.io/source: stackrox
policies.io/source-id: 6abcaa13-9ed6-4109-a1a7-be2e8280e49e
spec:
validationFailureAction: Audit
background: true
rules:
- name: docker-cis-5-7-ensure-privileged-ports-are-not-map
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Docker CIS 5.7: Ensure privileged ports are not mapped within containers" violated: The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.'
deny:
conditions:
all:
- key: "{{ request.object.spec.ports[].nodePort || `[]` }}"
operator: AnyIn
value: []
exclude:
any:
- resources:
namespaces:
- openshift-ingress
IR (canonical)
{
"id": "6abcaa13-9ed6-4109-a1a7-be2e8280e49e",
"name": "Docker CIS 5.7: Ensure privileged ports are not mapped within containers",
"description": "The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.",
"rationale": "By default, if the user does not specifically declare a container port to host port mapping, the containers ports will be mapped to available non-privileged host ports. Containers are, however, allow to map their ports to a privileged ports on the host if the user explicitly declares it. In Docker this is because containers are executed with NET_BIND_SERVICE Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.",
"remediation": "You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.",
"severity": "medium",
"categories": [
"Docker CIS"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "router-default",
"namespace": "openshift-ingress"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "exposed-node-port",
"values": [
"<= 1024",
"> 0"
],
"valuesOp": "and",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "6abcaa13-9ed6-4109-a1a7-be2e8280e49e",
"name": "Docker CIS 5.7: Ensure privileged ports are not mapped within containers",
"description": "The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them for various security reasons. Containers are, however, allowed to map their ports to privileged ports.",
"rationale": "By default, if the user does not specifically declare a container port to host port mapping, the containers ports will be mapped to available non-privileged host ports. Containers are, however, allow to map their ports to a privileged ports on the host if the user explicitly declares it. In Docker this is because containers are executed with NET_BIND_SERVICE Linux kernel capability which does not restrict privileged port mapping. The privileged ports receive and transmit various pieces of data which are security sensitive and allowing containers to use them is not in line with good security practice.",
"remediation": "You should not map container ports to privileged host ports when starting a container. You should also, ensure that there is no such container to host privileged port mapping declarations in the Dockerfile.",
"disabled": false,
"categories": [
"Docker CIS"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on the router-default deployment in namespace openshift-ingress",
"deployment": {
"name": "router-default",
"scope": {
"cluster": "",
"namespace": "openshift-ingress",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Exposed Node Port",
"booleanOperator": "AND",
"negate": false,
"values": [
{
"value": "<= 1024"
},
{
"value": "> 0"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}