Cgroup Not Default

• Query id: 4d9f44c6-2f4a-4317-9bb5-267adbea0232
• Query name: Cgroup Not Default
• Platform: DockerCompose
• Severity: Medium
• Category: Build Process
• CWE: 400
• URL: Github

Description

Control groups restrict the access processes and containers have to system resources such as CPU, RAM, IOPS and network. Not having a cgroup well configured may prove to be a security fault.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

version: '2'

services:
  iperfclient:
    build:
      context: .
      dockerfile: client.Dockerfile
    container_name: ipc
    cgroup_parent: nat-docker
    volumes:
      - ./host:container.yaml
    networks:
      - netnet
    expose:
      - 1234

networks:
  netnet:

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

version: '2'

services:
  iperfclient:
    build:
      context: .
      dockerfile: client.Dockerfile
    container_name: ipc
    volumes:
      - ./host:container.yaml
    networks:
      - netnet
    expose:
      - 1234

networks:
  netnet: