Details
Use the --pids-limit flag at container runtime.
Attackers could launch a fork bomb with a single command inside the container. This fork bomb can crash the entire system and requires a restart of the host to make the system functional again. The PIDs cgroup limit set by --pids-limit prevents this kind of attack by restricting the number of processes that can exist inside a container at any given time.
The default value for --pids-limit is 0, which means there is no restriction on the number of forks. Also note that the PIDs cgroup limit works only on kernel versions 4.3 and later.
Solution
This fix only applies to the use of Docker Engine – Enterprise on a Linux host operating system.
Use the --pids-limit flag with an appropriate value when launching the container.
Example:
docker run -it --pids-limit 100 <IMAGE>
In the above example (<IMAGE> stands for the image to run), the number of processes allowed to run at any given time is set to 100. Once 100 concurrently running processes is reached, Docker will refuse any new process creation in that container.
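To audit running containers for this setting rather than only applying it at launch, the following added check (not part of the STIG text) reads the output of docker inspect and reports every container whose HostConfig.PidsLimit does not actually restrict forks. It assumes the documented inspect JSON layout, where an unset limit appears as null on newer engines and as 0 on older ones, and where a negative value means unlimited; the sample inspect data embedded below is constructed for illustration.

```python
import json
import sys

# Constructed sample of `docker inspect` output for three containers (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "HostConfig": {"PidsLimit": 100}},
    {"Id": "bbb222", "Name": "/worker", "HostConfig": {"PidsLimit": None}},
    {"Id": "ccc333", "Name": "/legacy", "HostConfig": {"PidsLimit": 0}},
])


def pids_limit_ok(limit):
    """True only when the PidsLimit value restricts process creation.

    Docker treats null (newer engines), 0 (older engines) and negative values
    such as -1 as 'unlimited', so only a positive integer counts as a limit.
    """
    return isinstance(limit, int) and not isinstance(limit, bool) and limit > 0


def find_unrestricted(inspect_json):
    """Return [(short_id, name, limit)] for containers without an effective pids limit."""
    findings = []
    for container in json.loads(inspect_json):
        limit = container.get("HostConfig", {}).get("PidsLimit")
        if not pids_limit_ok(limit):
            short_id = container.get("Id", "")[:12]
            name = container.get("Name", "").lstrip("/")
            findings.append((short_id, name, limit))
    return findings


if __name__ == "__main__":
    # Real usage: docker inspect $(docker ps -q) | python3 check_pids_limit.py
    # When nothing is piped in, the constructed sample is checked instead.
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    unrestricted = find_unrestricted(data)
    for short_id, name, limit in unrestricted:
        print(f"FAIL {short_id} ({name}): PidsLimit={limit!r}, relaunch with --pids-limit")
    sys.exit(1 if unrestricted else 0)
```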
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.
References
- 800-53|SC-5(2)
- CAT|II
- CCI|CCI-001095
- Rule-ID|SV-235828r627611_rule
- STIG-ID|DKER-EE-002780
- STIG-Legacy|SV-104827
- STIG-Legacy|V-95689
- Vuln-ID|V-235828