Rule ID
SV-235844r961620_rule
Version
V2R2
CCIs
The default ulimit is set at the Docker daemon level. However, override the default ulimit setting, if needed, during container runtime. ulimit provides control over the resources available to the shell and to processes started by it. Setting system resource limits judiciously prevents many disasters such as a fork bomb. Sometimes, even friendly users and legitimate processes can overuse system resources and in-turn can make the system unusable. The default ulimit set at the Docker daemon level should be honored. If the default ulimit settings are not appropriate for a particular container instance, override them as an exception. But, do not make this a practice. If most of the container instances are overriding default ulimit settings, consider changing the default ulimit settings to something that is appropriate for your needs. If the ulimits are not set properly, the desired resource control might not be achieved and might even make the system unusable. Container instances inherit the default ulimit settings set at the Docker daemon level.
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system.
Ensure the default ulimit is not overwritten at runtime unless approved in the SSP.
via CLI:
Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Ulimits={{ .HostConfig.Ulimits }}'
If each container instance returns Ulimits=<no value>, this is not a finding.
If a container sets a Ulimit and the setting is not approved in the SSP, this is a finding.This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system. Only override the default ulimit settings if needed and if so, document these settings in the SSP. For example, to override default ulimit settings start a container as below: docker run --ulimit nofile=1024:1024 --interactive --tty [image] [command]