Do not install unnecessary packages in the container

Details

Containers are meant to be minimal, slimmed-down versions of an operating system. Do not install anything that is not needed for the purpose of the container.

Bloating a container with unnecessary software increases its attack surface: every extra binary, library or interpreter is more code that can carry a vulnerability and more tooling an attacker can use once inside. It also defeats the point of minimal, slimmed-down container images. Hence, install only what the container truly needs to do its job.

Solution

At the outset, do not install anything in the container that its purpose does not justify. If the base image ships packages your container does not use, uninstall them. Consider a minimal base image rather than the standard Red Hat/CentOS/Debian images where you can; BusyBox and Alpine are common options.
Not only does this trim the image from more than 150 MB to around 20 MB, it also leaves fewer tools and paths for privilege escalation. As a final hardening measure for leaf/production containers you can even remove the package installer itself, so nothing further can be installed at runtime; updates then require rebuilding the image, which is the intended workflow for immutable containers anyway.
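The following script is an added example for this control; it is not part of the CIS benchmark or the original page. It writes a hardened multi-stage Dockerfile (the build toolchain stays in the first stage, the runtime stage is Alpine plus one needed package, and `apk` is deleted at the end) and provides a small audit that lists what is installed in a running container and compares it with an allowlist. The Go application under `./cmd/app`, the container name, the allowlist file and the `demo_audit` sample data are hypothetical.

```shell
# Added example, not from the CIS benchmark or the original page.
# Assumptions (hypothetical): a Go app in ./cmd/app, an allowlist file kept by
# the image owner, and a Docker host reachable through the `docker` CLI.

# --- 1. Hardened multi-stage Dockerfile ---------------------------------------
# write_hardened_dockerfile <path>: toolchain only in the build stage; the
# runtime stage is alpine plus CA certificates, and the package manager is
# removed as the final hardening step for a leaf/production image.
write_hardened_dockerfile() {
  cat > "$1" <<'EOF'
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /app ./cmd/app

FROM alpine:3.20
RUN apk add --no-cache ca-certificates \
 && rm -rf /sbin/apk /etc/apk /lib/apk /usr/share/apk /var/lib/apk
COPY --from=build /app /app
USER 65534:65534
ENTRYPOINT ["/app"]
EOF
}

# --- 2. Audit: installed packages vs. allowlist -------------------------------
# installed_packages <container>: dump the package list from a running
# container, choosing the query by whichever package manager is present.
installed_packages() {
  c="$1"
  if docker exec "$c" test -x /sbin/apk 2>/dev/null; then
    docker exec "$c" apk info
  elif docker exec "$c" test -x /usr/bin/dpkg-query 2>/dev/null; then
    docker exec "$c" dpkg-query -W -f='${Package}\n'
  elif docker exec "$c" test -x /usr/bin/rpm 2>/dev/null; then
    docker exec "$c" rpm -qa --qf '%{NAME}\n'
  else
    echo "no package manager found in $c (expected for a stripped image)" >&2
    return 0   # nothing was installed via a package manager, nothing to audit
  fi
}

# audit_packages <installed-list-file> <allowlist-file>
# Prints every package that is installed but not on the allowlist.
# Returns 0 when the container is clean, 1 when unexpected packages exist.
audit_packages() {
  extra=$(sort -u "$1" | grep -v -x -F -f "$2" || true)
  if [ -n "$extra" ]; then
    printf 'unexpected packages:\n%s\n' "$extra"
    return 1
  fi
  return 0
}

# demo_audit: constructed sample data, no Docker needed. A Debian-based image
# that also pulled in curl and gcc, audited against runtime essentials only.
demo_audit() {
  tmp=${TMPDIR:-/tmp}/pkg-audit.$$
  mkdir -p "$tmp"
  printf '%s\n' base-files libc6 ca-certificates curl gcc > "$tmp/installed"  # constructed
  printf '%s\n' base-files libc6 ca-certificates > "$tmp/allowlist"           # constructed
  if audit_packages "$tmp/installed" "$tmp/allowlist"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# Typical use against a live container named "web" (hypothetical):
#   installed_packages web > /tmp/web.pkgs
#   audit_packages /tmp/web.pkgs allowlist.txt
```

Run `demo_audit` to see the audit flag `curl` and `gcc`. Against a real container the same commands the CIS audit procedure relies on are used: `apk info`, `dpkg-query -W` or `rpm -qa`. A container whose package manager has already been removed yields no list at all, which is the expected end state for a production image built from the Dockerfile above.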

Impact: None.

Default Value: Not applicable.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

Updated on July 16, 2022