Back to catalog

Mount Container Runtime Socket

No violationsstackroxmediumdeploy

Alert on deployments with a volume mount on the container runtime socket

Rationale
Mounting the container runtime socket implies container access to the runtime daemon. With direct access to the runtime daemon, a user can schedule containers and collect information about the running containers. This can be used as a method of discovery or persistence in an attack. Depending on the container runtime configuration, this may also be used as a method of privilege escalation to the host operating system. Since this can be used as an attack, deployments that mount the container runtime socket should be minimized to those absolutely necessary.
Remediation
Investigate if this deployment is being deployed for legitimate business purposes, and if so, that mounting the container runtime socket is required. Perform one of the following actions based on this investigation: 1. Exclude the deployment in this policy because it is being deployed for legitimate use cases. 2. Do not mount the container runtime socket in the deployment and redeploy. 3. Launch an investigation into why a deployment with this insecure configuration useful to attackers was deployed.
CategoriesSecurity Best Practices
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.9
NIST SP 800-53 rev. 5
CM-2CM-7
PCI DSS 4.0
2.2.12.2.4

Generated artifacts

3 of 5 targets supported
mount-container-runtime-socket.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: mount-container-runtime-socket
  annotations:
    policies.kyverno.io/title: Mount Container Runtime Socket
    policies.kyverno.io/category: Security Best Practices
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: Alert on deployments with a volume mount on the container runtime socket
    policies.kyverno.io/remediation: "Investigate if this deployment is being deployed for legitimate business purposes, and if so, that mounting the container runtime socket is required. Perform one of the following actions based on this investigation: 1. Exclude the deployment in this policy because it is being deployed for legitimate use cases. 2. Do not mount the container runtime socket in the deployment and redeploy. 3. Launch an investigation into why a deployment with this insecure configuration useful to attackers was deployed."
    policies.kyverno.io/rationale: Mounting the container runtime socket implies container access to the runtime daemon. With direct access to the runtime daemon, a user can schedule containers and collect information about the running containers. This can be used as a method of discovery or persistence in an attack. Depending on the container runtime configuration, this may also be used as a method of privilege escalation to the host operating system. Since this can be used as an attack, deployments that mount the container runtime socket should be minimized to those absolutely necessary.
    policies.io/source: stackrox
    policies.io/source-id: ccd66f67-0b69-4081-9d01-da692f7db3b4
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: mount-container-runtime-socket
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "Mount Container Runtime Socket" violated: Alert on deployments with a volume mount on the container runtime socket'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.volumes[].keys(@)[] || `[]` }}"
                operator: AnyIn
                value:
                  - /var/run/docker.sock
                  - /var/run/crio/crio.sock
                  - /run/crio/crio.sock
      exclude:
        any:
          - resources:
              namespaces:
                - stackrox
          - resources:
              namespaces:
                - stackrox
              selector:
                matchLabels:
                  app: stackrox-compliance
IR (canonical)
{
  "id": "ccd66f67-0b69-4081-9d01-da692f7db3b4",
  "name": "Mount Container Runtime Socket",
  "description": "Alert on deployments with a volume mount on the container runtime socket",
  "rationale": "Mounting the container runtime socket implies container access to the runtime daemon. With direct access to the runtime daemon, a user can schedule containers and collect information about the running containers. This can be used as a method of discovery or persistence in an attack. Depending on the container runtime configuration, this may also be used as a method of privilege escalation to the host operating system. Since this can be used as an attack, deployments that mount the container runtime socket should be minimized to those absolutely necessary.",
  "remediation": "Investigate if this deployment is being deployed for legitimate business purposes, and if so, that mounting the container runtime socket is required. Perform one of the following actions based on this investigation: 1. Exclude the deployment in this policy because it is being deployed for legitimate use cases. 2. Do not mount the container runtime socket in the deployment and redeploy. 3. Launch an investigation into why a deployment with this insecure configuration useful to attackers was deployed.",
  "severity": "medium",
  "categories": [
    "Security Best Practices"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [
    {
      "name": "collector",
      "namespace": "stackrox"
    },
    {
      "name": "ucp-agent"
    },
    {
      "name": "ucp-agent-s390x"
    },
    {
      "name": "Don't alert on StackRox compliance",
      "namespace": "stackrox",
      "labelKey": "app",
      "labelValue": "stackrox-compliance"
    }
  ],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "volume-source",
    "values": [
      "/var/run/docker.sock",
      "/var/run/crio/crio.sock",
      "/run/crio/crio.sock"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "ccd66f67-0b69-4081-9d01-da692f7db3b4",
  "name": "Mount Container Runtime Socket",
  "description": "Alert on deployments with a volume mount on the container runtime socket",
  "rationale": "Mounting the container runtime socket implies container access to the runtime daemon. With direct access to the runtime daemon, a user can schedule containers and collect information about the running containers. This can be used as a method of discovery or persistence in an attack. Depending on the container runtime configuration, this may also be used as a method of privilege escalation to the host operating system. Since this can be used as an attack, deployments that mount the container runtime socket should be minimized to those absolutely necessary.",
  "remediation": "Investigate if this deployment is being deployed for legitimate business purposes, and if so, that mounting the container runtime socket is required. Perform one of the following actions based on this investigation: 1. Exclude the deployment in this policy because it is being deployed for legitimate use cases. 2. Do not mount the container runtime socket in the deployment and redeploy. 3. Launch an investigation into why a deployment with this insecure configuration useful to attackers was deployed.",
  "disabled": false,
  "categories": [
    "Security Best Practices"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [
    {
      "name": "Don't alert on StackRox collector",
      "deployment": {
        "name": "collector",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": null
        }
      },
      "image": null
    },
    {
      "name": "Don't alert on ucp-agent",
      "deployment": {
        "name": "ucp-agent",
        "scope": null
      },
      "image": null
    },
    {
      "name": "Don't alert on ucp-agent-s390x",
      "deployment": {
        "name": "ucp-agent-s390x",
        "scope": null
      },
      "image": null
    },
    {
      "name": "Don't alert on StackRox compliance",
      "deployment": {
        "name": "",
        "scope": {
          "cluster": "",
          "namespace": "stackrox",
          "label": {
            "key": "app",
            "value": "stackrox-compliance"
          }
        }
      },
      "image": null
    }
  ],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Volume Source",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "/var/run/docker.sock"
            },
            {
              "value": "/var/run/crio/crio.sock"
            },
            {
              "value": "/run/crio/crio.sock"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}