Cgroup Not Default

  • Query id: 4d9f44c6-2f4a-4317-9bb5-267adbea0232
  • Query name: Cgroup Not Default
  • Platform: DockerCompose
  • Severity: Medium
  • Category: Build Process
  • CWE: 400
  • URL: Github

Description

Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
version: '2'

services:
  iperfclient:
    build:
      context: .
      dockerfile: client.Dockerfile
    container_name: ipc
    cgroup_parent: nat-docker
    volumes:
      - ./host:container.yaml
    networks:
      - netnet
    expose:
      - 1234

networks:
  netnet:

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
version: '2'

services:
  iperfclient:
    build:
      context: .
      dockerfile: client.Dockerfile
    container_name: ipc
    volumes:
      - ./host:container.yaml
    networks:
      - netnet
    expose:
      - 1234

networks:
  netnet: