Container using read-write root filesystem
No violationsstackroxmediumdeployAlert on deployments with containers with read-write root filesystem
- Rationale
- Containers running with read-write root filesystem represent greater post-exploitation risk by allowing an attacker to modify important files in the container.
- Remediation
- Use a read-only root filesystem, and use volume mounts to allow writes to specific sub-directories depending on your application's needs.
CategoriesDocker CISPrivileges
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.7.2
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.2A.8.9
- NIST SP 800-53 rev. 5
- AC-6CM-2CM-6
- PCI DSS 4.0
- 2.2.12.2.67.2.1
- SOC 2 2017 TSC
- CC6.1
Generated artifacts
3 of 5 targets supportedcontainer-using-read-write-root-filesystem.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: container-using-read-write-root-filesystem
annotations:
policies.kyverno.io/title: Container using read-write root filesystem
policies.kyverno.io/category: Docker CIS, Privileges
policies.kyverno.io/severity: medium
policies.kyverno.io/description: Alert on deployments with containers with read-write root filesystem
policies.kyverno.io/remediation: Use a read-only root filesystem, and use volume mounts to allow writes to specific sub-directories depending on your application's needs.
policies.kyverno.io/rationale: Containers running with read-write root filesystem represent greater post-exploitation risk by allowing an attacker to modify important files in the container.
policies.io/source: stackrox
policies.io/source-id: 8ac93556-4ad4-4220-a275-3f518db0ceb9
spec:
validationFailureAction: Audit
background: true
rules:
- name: container-using-read-write-root-filesystem
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Container using read-write root filesystem" violated: Alert on deployments with containers with read-write root filesystem'
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].securityContext.readOnlyRootFilesystem || `[]` }}"
operator: AnyNotIn
value:
- true
exclude:
any:
- resources:
namespaces:
- kube-system
- resources:
namespaces:
- istio-system
- resources:
namespaces:
- openshift-node
- resources:
namespaces:
- openshift-sdn
IR (canonical)
{
"id": "8ac93556-4ad4-4220-a275-3f518db0ceb9",
"name": "Container using read-write root filesystem",
"description": "Alert on deployments with containers with read-write root filesystem",
"rationale": "Containers running with read-write root filesystem represent greater post-exploitation risk by allowing an attacker to modify important files in the container.",
"remediation": "Use a read-only root filesystem, and use volume mounts to allow writes to specific sub-directories depending on your application's needs.",
"severity": "medium",
"categories": [
"Docker CIS",
"Privileges"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"namespace": "kube-system"
},
{
"name": "Don't alert on istio-system namespace",
"namespace": "istio-system"
},
{
"name": "Don't alert on openshift-node namespace",
"namespace": "openshift-node"
},
{
"name": "Don't alert on openshift-sdn namespace",
"namespace": "openshift-sdn"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "read-only-root-fs",
"values": [
"false"
],
"valuesOp": "or",
"negate": false
},
"disabled": true
}Original StackRox JSON
{
"id": "8ac93556-4ad4-4220-a275-3f518db0ceb9",
"name": "Container using read-write root filesystem",
"description": "Alert on deployments with containers with read-write root filesystem",
"rationale": "Containers running with read-write root filesystem represent greater post-exploitation risk by allowing an attacker to modify important files in the container.",
"remediation": "Use a read-only root filesystem, and use volume mounts to allow writes to specific sub-directories depending on your application's needs.",
"disabled": true,
"categories": [
"Docker CIS",
"Privileges"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on kube-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "kube-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on istio-system namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "istio-system",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-node namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-node",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on openshift-sdn namespace",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "openshift-sdn",
"label": null
}
},
"image": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Read-Only Root Filesystem",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "false"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}