Restrict container runtime using LSM
Restrict the running environment of containers using Linux security modules (LSMs) such as AppArmor, SELinux and Seccomp. These modules can restrict access to files, the processes that may run, the system calls a process may invoke, and more. Dropping unnecessary Linux capabilities from the container runtime environment also helps reduce the attack surface of the container.
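The following manifest pair is an added example and is not part of the threat-matrix page; it shows a Pod with none of the above controls next to the same Pod with the default seccomp and AppArmor profiles applied, all capabilities dropped, privilege escalation disabled and a read-only root filesystem. The pod and container names, the image reference and the UID are placeholders.

```yaml
# Added example (not from the threat-matrix page). Names, image and UID are placeholders.
#
# Weak form: no LSM profile, the runtime's default capability set, writable root
# filesystem, privilege escalation allowed.
apiVersion: v1
kind: Pod
metadata:
  name: unrestricted-app
spec:
  containers:
    - name: app
      image: example.invalid/app:1.0   # placeholder image
---
# Hardened form: seccomp and AppArmor profiles applied, all capabilities dropped,
# privilege escalation blocked, root filesystem read-only, non-root user.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001                    # placeholder non-root UID present in the image
    seccompProfile:
      type: RuntimeDefault              # container runtime's default syscall filter
  containers:
    - name: app
      image: example.invalid/app:1.0    # placeholder image
      securityContext:
        allowPrivilegeEscalation: false # blocks setuid binaries gaining privileges
        readOnlyRootFilesystem: true    # writes only possible on explicit volumes
        capabilities:
          drop: ["ALL"]                 # add back single capabilities only if required
        appArmorProfile:                # securityContext field, Kubernetes 1.30 and later
          type: RuntimeDefault          # or: type: Localhost with localhostProfile: <name loaded on the node>
      volumeMounts:
        - name: scratch
          mountPath: /tmp               # the one writable path the application gets
  volumes:
    - name: scratch
      emptyDir: {}
```

On clusters older than 1.30 the AppArmor profile is selected with the annotation `container.apparmor.security.beta.kubernetes.io/app: runtime/default` in `metadata.annotations` instead of the `appArmorProfile` field. A custom AppArmor or seccomp profile, for example one that denies writes under a mounted path or limits which processes may open sockets, must be loaded on every node the Pod can be scheduled to and referenced with `type: Localhost`; if the profile is missing on a node, the Pod fails to start there rather than running unconfined.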
Techniques Addressed by Mitigation
ID | Name | Use |
---|---|---|
MS-TA9006 | Exec into container | Restrict container runtime capabilities using LSM. |
MS-TA9007 | Bash or Cmd inside container | Restrict container runtime capabilities using LSM. |
MS-TA9009 | Application exploit (RCE) | Restrict container runtime capabilities using LSM. |
MS-TA9010 | SSH server running inside container | Limit which process can open network socket on a container. |
MS-TA9013 | Writable hostPath mount | Use AppArmor to restrict file writing. |
MS-TA9039 | Resource hijacking | Restrict execution of unwanted processes in containers. |
MS-TA9040 | Denial of service | Restrict execution of unwanted processes in containers. |