Mount Container Runtime Socket
No violationsstackroxmediumdeployAlert on deployments with a volume mount on the container runtime socket
- Rationale
- Mounting the container runtime socket implies container access to the runtime daemon. With direct access to the runtime daemon, a user can schedule containers and collect information about the running containers. This can be used as a method of discovery or persistence in an attack. Depending on the container runtime configuration, this may also be used as a method of privilege escalation to the host operating system. Since this can be used as an attack, deployments that mount the container runtime socket should be minimized to those absolutely necessary.
- Remediation
- Investigate if this deployment is being deployed for legitimate business purposes, and if so, that mounting the container runtime socket is required. Perform one of the following actions based on this investigation: 1. Exclude the deployment in this policy because it is being deployed for legitimate use cases. 2. Do not mount the container runtime socket in the deployment and redeploy. 3. Launch an investigation into why a deployment with this insecure configuration useful to attackers was deployed.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.9
- NIST SP 800-53 rev. 5
- CM-2CM-7
- PCI DSS 4.0
- 2.2.12.2.4
Generated artifacts
3 of 5 targets supportedmount-container-runtime-socket.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: mount-container-runtime-socket
annotations:
policies.kyverno.io/title: Mount Container Runtime Socket
policies.kyverno.io/category: Security Best Practices
policies.kyverno.io/severity: medium
policies.kyverno.io/description: Alert on deployments with a volume mount on the container runtime socket
policies.kyverno.io/remediation: "Investigate if this deployment is being deployed for legitimate business purposes, and if so, that mounting the container runtime socket is required. Perform one of the following actions based on this investigation: 1. Exclude the deployment in this policy because it is being deployed for legitimate use cases. 2. Do not mount the container runtime socket in the deployment and redeploy. 3. Launch an investigation into why a deployment with this insecure configuration useful to attackers was deployed."
policies.kyverno.io/rationale: Mounting the container runtime socket implies container access to the runtime daemon. With direct access to the runtime daemon, a user can schedule containers and collect information about the running containers. This can be used as a method of discovery or persistence in an attack. Depending on the container runtime configuration, this may also be used as a method of privilege escalation to the host operating system. Since this can be used as an attack, deployments that mount the container runtime socket should be minimized to those absolutely necessary.
policies.io/source: stackrox
policies.io/source-id: ccd66f67-0b69-4081-9d01-da692f7db3b4
spec:
validationFailureAction: Audit
background: true
rules:
- name: mount-container-runtime-socket
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "Mount Container Runtime Socket" violated: Alert on deployments with a volume mount on the container runtime socket'
deny:
conditions:
all:
- key: "{{ request.object.spec.volumes[].keys(@)[] || `[]` }}"
operator: AnyIn
value:
- /var/run/docker.sock
- /var/run/crio/crio.sock
- /run/crio/crio.sock
exclude:
any:
- resources:
namespaces:
- stackrox
- resources:
namespaces:
- stackrox
selector:
matchLabels:
app: stackrox-compliance
IR (canonical)
{
"id": "ccd66f67-0b69-4081-9d01-da692f7db3b4",
"name": "Mount Container Runtime Socket",
"description": "Alert on deployments with a volume mount on the container runtime socket",
"rationale": "Mounting the container runtime socket implies container access to the runtime daemon. With direct access to the runtime daemon, a user can schedule containers and collect information about the running containers. This can be used as a method of discovery or persistence in an attack. Depending on the container runtime configuration, this may also be used as a method of privilege escalation to the host operating system. Since this can be used as an attack, deployments that mount the container runtime socket should be minimized to those absolutely necessary.",
"remediation": "Investigate if this deployment is being deployed for legitimate business purposes, and if so, that mounting the container runtime socket is required. Perform one of the following actions based on this investigation: 1. Exclude the deployment in this policy because it is being deployed for legitimate use cases. 2. Do not mount the container runtime socket in the deployment and redeploy. 3. Launch an investigation into why a deployment with this insecure configuration useful to attackers was deployed.",
"severity": "medium",
"categories": [
"Security Best Practices"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [
{
"name": "collector",
"namespace": "stackrox"
},
{
"name": "ucp-agent"
},
{
"name": "ucp-agent-s390x"
},
{
"name": "Don't alert on StackRox compliance",
"namespace": "stackrox",
"labelKey": "app",
"labelValue": "stackrox-compliance"
}
],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "volume-source",
"values": [
"/var/run/docker.sock",
"/var/run/crio/crio.sock",
"/run/crio/crio.sock"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "ccd66f67-0b69-4081-9d01-da692f7db3b4",
"name": "Mount Container Runtime Socket",
"description": "Alert on deployments with a volume mount on the container runtime socket",
"rationale": "Mounting the container runtime socket implies container access to the runtime daemon. With direct access to the runtime daemon, a user can schedule containers and collect information about the running containers. This can be used as a method of discovery or persistence in an attack. Depending on the container runtime configuration, this may also be used as a method of privilege escalation to the host operating system. Since this can be used as an attack, deployments that mount the container runtime socket should be minimized to those absolutely necessary.",
"remediation": "Investigate if this deployment is being deployed for legitimate business purposes, and if so, that mounting the container runtime socket is required. Perform one of the following actions based on this investigation: 1. Exclude the deployment in this policy because it is being deployed for legitimate use cases. 2. Do not mount the container runtime socket in the deployment and redeploy. 3. Launch an investigation into why a deployment with this insecure configuration useful to attackers was deployed.",
"disabled": false,
"categories": [
"Security Best Practices"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [
{
"name": "Don't alert on StackRox collector",
"deployment": {
"name": "collector",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": null
}
},
"image": null
},
{
"name": "Don't alert on ucp-agent",
"deployment": {
"name": "ucp-agent",
"scope": null
},
"image": null
},
{
"name": "Don't alert on ucp-agent-s390x",
"deployment": {
"name": "ucp-agent-s390x",
"scope": null
},
"image": null
},
{
"name": "Don't alert on StackRox compliance",
"deployment": {
"name": "",
"scope": {
"cluster": "",
"namespace": "stackrox",
"label": {
"key": "app",
"value": "stackrox-compliance"
}
}
},
"image": null
}
],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Volume Source",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "/var/run/docker.sock"
},
{
"value": "/var/run/crio/crio.sock"
},
{
"value": "/run/crio/crio.sock"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}