Configure the "runAsUser.rule" to organizational standards.


CONTROL ID
14651
CONTROL TYPE
Configuration
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Configure "Kubernetes" to organizational standards., CC ID: 14528

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Minimize the admission of root containers Description: Do not generally permit containers to be run as the root user. Rationale: Containers may run as any Linux user. Containers which run as the root user, whilst constrained by Container Runtime security features, still have an escalated likelihood of… (5.2.6, The Center for Internet Security Kubernetes Level 2 Master Node Benchmark, v 1.6.0)
  • Secure computing (seccomp) profiles are another mechanism that can be used to constrain the system-level capabilities containers are allocated at runtime. Common container runtimes like Docker include default seccomp profiles that drop system calls that are unsafe and typically unnecessary for conta… (4.4.3 ¶ 3, NIST SP 800-190, Application Container Security Guide)