| SRG-APP-000014-CTR-000035 |
The container platform must use TLS 1.2 or greater for secure container image transport from trusted sources. |
| SRG-APP-000014-CTR-000040 |
The container platform must use TLS 1.2 or greater for secure communication. |
| SRG-APP-000023-CTR-000055 |
The container platform must use a centralized user management solution to support account management functions. |
| SRG-APP-000024-CTR-000060 |
The container platform must automatically remove or disable temporary user accounts after 72 hours. |
| SRG-APP-000025-CTR-000065 |
The container platform must automatically disable accounts after a 35-day period of account inactivity. |
| SRG-APP-000026-CTR-000070 |
The container platform must automatically audit account creation. |
| SRG-APP-000027-CTR-000075 |
The container platform must automatically audit account modification. |
| SRG-APP-000028-CTR-000080 |
The container platform must automatically audit account-disabling actions. |
| SRG-APP-000029-CTR-000085 |
The container platform must automatically audit account removal actions. |
| SRG-APP-000033-CTR-000090 |
Least privilege access and need to know must be required to access the container platform registry. |
| SRG-APP-000033-CTR-000095 |
Least privilege access and need to know must be required to access the container platform runtime. |
| SRG-APP-000033-CTR-000100 |
Least privilege access and need to know must be required to access the container platform keystore. |
| SRG-APP-000038-CTR-000105 |
The container platform must enforce approved authorizations for controlling the flow of information within the container platform based on organization-defined information flow control policies. |
| SRG-APP-000039-CTR-000110 |
The container platform must enforce approved authorizations for controlling the flow of information between interconnected systems and services based on organization-defined information flow control policies. |
| SRG-APP-000065-CTR-000115 |
The container platform must enforce the limit of three consecutive invalid logon attempts by a user during a 15-minute time period. |
| SRG-APP-000068-CTR-000120 |
The container platform must display the Standard Mandatory DoD Notice and Consent Banner before granting access to platform components. |
| SRG-APP-000069-CTR-000125 |
The container platform must retain the Standard Mandatory DoD Notice and Consent Banner on the screen until users acknowledge the usage and conditions and take explicit actions to log on for further access. |
| SRG-APP-000089-CTR-000150 |
The container platform must generate audit records for all DoD-defined auditable events within all components in the platform. |
| SRG-APP-000090-CTR-000155 |
The container platform must allow only the ISSM (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited. |
| SRG-APP-000091-CTR-000160 |
The container platform must generate audit records when successful/unsuccessful attempts to access privileges occur. |
| SRG-APP-000092-CTR-000165 |
The container platform must initiate session auditing upon startup. |
| SRG-APP-000095-CTR-000170 |
All audit records must identify what type of event has occurred within the container platform. |
| SRG-APP-000096-CTR-000175 |
The container platform audit records must have a date and time association with all events. |
| SRG-APP-000097-CTR-000180 |
All audit records must identify where in the container platform the event occurred. |
| SRG-APP-000098-CTR-000185 |
All audit records must identify the source of the event within the container platform. |
| SRG-APP-000099-CTR-000190 |
All audit records must generate the event results within the container platform. |
| SRG-APP-000100-CTR-000195 |
All audit records must identify any users associated with the event within the container platform. |
| SRG-APP-000100-CTR-000200 |
All audit records must identify any containers associated with the event within the container platform. |
| SRG-APP-000101-CTR-000205 |
The container platform must generate audit records containing the full-text recording of privileged commands or the individual identities of group account users. |
| SRG-APP-000111-CTR-000220 |
The container platform components must provide the ability to send audit logs to a central enterprise repository for review and analysis. |
| SRG-APP-000116-CTR-000235 |
The container platform must use internal system clocks to generate audit record time stamps. |
| SRG-APP-000118-CTR-000240 |
The container platform must protect audit information from any type of unauthorized read access. |
| SRG-APP-000119-CTR-000245 |
The container platform must protect audit information from unauthorized modification. |
| SRG-APP-000120-CTR-000250 |
The container platform must protect audit information from unauthorized deletion. |
| SRG-APP-000121-CTR-000255 |
The container platform must protect audit tools from unauthorized access. |
| SRG-APP-000122-CTR-000260 |
The container platform must protect audit tools from unauthorized modification. |
| SRG-APP-000123-CTR-000265 |
The container platform must protect audit tools from unauthorized deletion. |
| SRG-APP-000126-CTR-000275 |
The container platform must use FIPS validated cryptographic mechanisms to protect the integrity of log information. |
| SRG-APP-000131-CTR-000280 |
The container platform must be built from verified packages. |
| SRG-APP-000131-CTR-000285 |
The container platform must verify container images. |
| SRG-APP-000133-CTR-000290 |
The container platform must limit privileges to the container platform registry. |
| SRG-APP-000133-CTR-000295 |
The container platform must limit privileges to the container platform runtime. |
| SRG-APP-000133-CTR-000300 |
The container platform must limit privileges to the container platform keystore. |
| SRG-APP-000133-CTR-000305 |
Configuration files for the container platform must be protected. |
| SRG-APP-000133-CTR-000310 |
Authentication files for the container platform must be protected. |
| SRG-APP-000141-CTR-000315 |
The container platform must be configured with only essential configurations. |
| SRG-APP-000141-CTR-000320 |
The container platform registry must contain only container images for those capabilities being offered by the container platform. |
| SRG-APP-000142-CTR-000325 |
The container platform runtime must enforce ports, protocols, and services that adhere to the PPSM CAL. |
| SRG-APP-000142-CTR-000330 |
The container platform runtime must enforce the use of ports that are non-privileged. |
| SRG-APP-000148-CTR-000335 |
The container platform must uniquely identify and authenticate users. |
| SRG-APP-000148-CTR-000340 |
The container platform application program interface (API) must uniquely identify and authenticate users. |
| SRG-APP-000148-CTR-000345 |
The container platform must uniquely identify and authenticate processes acting on behalf of the users. |
| SRG-APP-000148-CTR-000350 |
The container platform application program interface (API) must uniquely identify and authenticate processes acting on behalf of the users. |
| SRG-APP-000149-CTR-000355 |
The container platform must use multifactor authentication for network access to privileged accounts. |
| SRG-APP-000150-CTR-000360 |
The container platform must use multifactor authentication for network access to non-privileged accounts. |
| SRG-APP-000151-CTR-000365 |
The container platform must use multifactor authentication for local access to privileged accounts. |
| SRG-APP-000152-CTR-000370 |
The container platform must use multifactor authentication for local access to nonprivileged accounts. |
| SRG-APP-000153-CTR-000375 |
The container platform must ensure users are authenticated with an individual authenticator prior to using a group authenticator. |
| SRG-APP-000156-CTR-000380 |
The container platform must use FIPS-validated SHA-1 or higher hash function to provide replay-resistant authentication mechanisms for network access to privileged accounts. |
| SRG-APP-000157-CTR-000385 |
The container platform must implement replay-resistant authentication mechanisms for network access to nonprivileged accounts. |
| SRG-APP-000158-CTR-000390 |
The container platform must uniquely identify all network-connected nodes before establishing any connection. |
| SRG-APP-000163-CTR-000395 |
The container platform must disable identifiers (individuals, groups, roles, and devices) after 35 days of inactivity. |
| SRG-APP-000164-CTR-000400 |
The container platform must enforce a minimum 15-character password length. |
| SRG-APP-000166-CTR-000410 |
The container platform must enforce password complexity by requiring that at least one uppercase character be used. |
| SRG-APP-000167-CTR-000415 |
The container platform must enforce password complexity by requiring that at least one lowercase character be used. |
| SRG-APP-000168-CTR-000420 |
The container platform must enforce password complexity by requiring that at least one numeric character be used. |
| SRG-APP-000169-CTR-000425 |
The container platform must enforce password complexity by requiring that at least one special character be used. |
| SRG-APP-000170-CTR-000430 |
The container platform must require the change of at least 15 of the total number of characters when passwords are changed. |
| SRG-APP-000171-CTR-000435 |
For container platform using password authentication, the application must store only cryptographic representations of passwords. |
| SRG-APP-000172-CTR-000440 |
For accounts using password authentication, the container platform must use FIPS-validated SHA-2 or later protocol to protect the integrity of the password authentication process. |
| SRG-APP-000173-CTR-000445 |
The container platform must enforce 24 hours (one day) as the minimum password lifetime. |
| SRG-APP-000174-CTR-000450 |
The container platform must enforce a 60-day maximum password lifetime restriction. |
| SRG-APP-000177-CTR-000465 |
The container platform must map the authenticated identity to the individual user or group account for PKI-based authentication. |
| SRG-APP-000178-CTR-000470 |
The container platform must obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. |
| SRG-APP-000181-CTR-000485 |
The container platform must provide an audit reduction capability that supports on-demand reporting requirements. |
| SRG-APP-000185-CTR-000490 |
The container platform must employ strong authenticators in the establishment of non-local maintenance and diagnostic sessions. |
| SRG-APP-000190-CTR-000500 |
The application must terminate all network connections associated with a communications session at the end of the session, or as follows: for in-band management sessions (privileged sessions), the session must be terminated after 10 minutes of inactivity. |
| SRG-APP-000211-CTR-000530 |
The container platform must separate user functionality (including user interface services) from information system management functionality. |
| SRG-APP-000219-CTR-000550 |
The container platform must protect authenticity of communications sessions with the use of FIPS-validated 140-2 or 140-3 security requirements for cryptographic modules. |
| SRG-APP-000225-CTR-000570 |
The container platform runtime must fail to a secure state if system initialization fails, shutdown fails, or aborts fail. |
| SRG-APP-000226-CTR-000575 |
The container platform must preserve any information necessary to determine the cause of the disruption or failure. |
| SRG-APP-000233-CTR-000585 |
The container platform runtime must isolate security functions from non-security functions. |
| SRG-APP-000234-CTR-000590 |
The container platform must never automatically remove or disable emergency accounts. |
| SRG-APP-000243-CTR-000595 |
The container platform must prohibit containers from accessing privileged resources. |
| SRG-APP-000243-CTR-000600 |
The container platform must prevent unauthorized and unintended information transfer via shared system resources. |
| SRG-APP-000246-CTR-000605 |
The container platform must restrict individuals' ability to launch organizationally defined denial-of-service (DoS) attacks against other information systems. |
| SRG-APP-000266-CTR-000625 |
The container platform must generate error messages that provide information necessary for corrective actions without revealing information that could be exploited by adversaries. |
| SRG-APP-000290-CTR-000670 |
The container platform must use cryptographic mechanisms to protect the integrity of audit tools. |
| SRG-APP-000291-CTR-000675 |
The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are created. |
| SRG-APP-000292-CTR-000680 |
The container platform must notify system administrators (SAs) and the information system security officer (ISSO) when accounts are modified. |
| SRG-APP-000293-CTR-000685 |
The container platform must notify system administrators and ISSO for account disabling actions. |
| SRG-APP-000294-CTR-000690 |
The container platform must notify system administrators and ISSO for account removal actions. |
| SRG-APP-000297-CTR-000705 |
Access to the container platform must display an explicit logout message to user indicating the reliable termination of authenticated communication sessions. |
| SRG-APP-000317-CTR-000735 |
The container platform must terminate shared/group account credentials when members leave the group. |
| SRG-APP-000319-CTR-000745 |
The container platform must automatically audit account-enabling actions. |
| SRG-APP-000320-CTR-000750 |
The container platform must notify the system administrator (SA) and information system security officer (ISSO) of account enabling actions. |
| SRG-APP-000340-CTR-000770 |
The container platform must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. |
| SRG-APP-000342-CTR-000775 |
Container images instantiated by the container platform must execute using least privileges. |
| SRG-APP-000343-CTR-000780 |
The container platform must audit the execution of privileged functions. |
| SRG-APP-000345-CTR-000785 |
The container platform must automatically lock an account until the locked account is released by an administrator when three unsuccessful login attempts in 15 minutes are exceeded. |
| SRG-APP-000516-CTR-000790 |
The container platform must provide the configuration for organization-identified individuals or roles to change the auditing to be performed on all components, based on all selectable event criteria within organization-defined time thresholds. |
| SRG-APP-000357-CTR-000800 |
The container platform must allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. |
| SRG-APP-000358-CTR-000805 |
Audit records must be stored at a secondary location. |
| SRG-APP-000359-CTR-000810 |
The container platform must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of repository maximum audit record storage capacity. |
| SRG-APP-000360-CTR-000815 |
The container platform must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts. |
| SRG-APP-000374-CTR-000865 |
All audit records must use UTC or GMT time stamps. |
| SRG-APP-000375-CTR-000870 |
The container platform must record time stamps for audit records that meet a granularity of one second for a minimum degree of precision. |
| SRG-APP-000378-CTR-000880 |
The container platform must prohibit the installation of patches and updates without explicit privileged status. |
| SRG-APP-000378-CTR-000885 |
The container platform runtime must prohibit the instantiation of container images without explicit privileged status. |
| SRG-APP-000378-CTR-000890 |
The container platform registry must prohibit installation or modification of container images without explicit privileged status. |
| SRG-APP-000380-CTR-000900 |
The container platform must enforce access restrictions for container platform configuration changes. |
| SRG-APP-000381-CTR-000905 |
The container platform must enforce access restrictions and support auditing of the enforcement actions. |
| SRG-APP-000383-CTR-000910 |
All non-essential, unnecessary, and unsecure DoD ports, protocols, and services must be disabled in the container platform. |
| SRG-APP-000384-CTR-000915 |
The container platform must prevent component execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. |
| SRG-APP-000386-CTR-000920 |
The container platform registry must employ a deny-all, permit-by-exception (whitelist) policy to allow only authorized container images in the container platform. |
| SRG-APP-000389-CTR-000925 |
The container platform must require users to reauthenticate when organization-defined circumstances or situations require reauthentication. |
| SRG-APP-000391-CTR-000935 |
The container platform must be configured to use multi-factor authentication for user authentication. |
| SRG-APP-000400-CTR-000960 |
The container platform must prohibit the use of cached authenticators after an organization-defined time period. |
| SRG-APP-000401-CTR-000965 |
The container platform, for PKI-based authentication, must implement a local cache of revocation data to support path discovery and validation in case of the inability to access revocation information via the network. |
| SRG-APP-000402-CTR-000970 |
The container platform must accept Personal Identity Verification (PIV) credentials from other federal agencies. |
| SRG-APP-000409-CTR-000990 |
The container platform must audit non-local maintenance and diagnostic sessions' organization-defined audit events associated with non-local maintenance. |
| SRG-APP-000411-CTR-000995 |
Container platform applications and Application Program Interfaces (API) used for nonlocal maintenance sessions must use FIPS-validated keyed-hash message authentication code (HMAC) to protect the integrity of nonlocal maintenance and diagnostic communications. |
| SRG-APP-000412-CTR-001000 |
The container platform must configure web management tools and Application Program Interfaces (API) with FIPS-validated Advanced Encryption Standard (AES) cipher block algorithm to protect the confidentiality of maintenance and diagnostic communications for nonlocal maintenance sessions. |
| SRG-APP-000414-CTR-001010 |
Vulnerability scanning applications must implement privileged access authorization to all container platform components, containers, and container images for selected organization-defined vulnerability scanning activities. |
| SRG-APP-000416-CTR-001015 |
The container platform must implement NSA-approved cryptography to protect classified information in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
| SRG-APP-000429-CTR-001060 |
The container platform keystore must implement encryption to prevent unauthorized disclosure of information at rest within the container platform. |
| SRG-APP-000431-CTR-001065 |
The container platform runtime must maintain separate execution domains for each container by assigning each container a separate address space. |
| SRG-APP-000435-CTR-001070 |
The container platform must protect against or limit the effects of all types of denial-of-service (DoS) attacks by employing organization-defined security safeguards. |
| SRG-APP-000439-CTR-001080 |
The application must protect the confidentiality and integrity of transmitted information. |
| SRG-APP-000441-CTR-001090 |
The container platform must maintain the confidentiality and integrity of information during preparation for transmission. |
| SRG-APP-000442-CTR-001095 |
The container platform must maintain the confidentiality and integrity of information during reception. |
| SRG-APP-000447-CTR-001100 |
The container platform must behave in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
| SRG-APP-000450-CTR-001105 |
The container platform must implement organization-defined security safeguards to protect system CPU and memory from resource depletion and unauthorized code execution. |
| SRG-APP-000454-CTR-001110 |
The container platform must remove old components after updated versions have been installed. |
| SRG-APP-000454-CTR-001115 |
The container platform registry must remove old container images after updating versions have been made available. |
| SRG-APP-000456-CTR-001125 |
The container platform registry must contain the latest images with most recent updates and execute within the container platform runtime as authorized by IAVM, CTOs, DTMs, and STIGs. |
| SRG-APP-000456-CTR-001130 |
The container platform runtime must have updates installed within the time period directed by an authoritative source (e.g., IAVM, CTOs, DTMs, and STIGs). |
| SRG-APP-000472-CTR-001170 |
The organization-defined role must verify correct operation of security functions in the container platform. |
| SRG-APP-000473-CTR-001175 |
The container platform must perform verification of the correct operation of security functions: upon system startup and/or restart; upon command by a user with privileged access; and/or every 30 days. Security functionality includes, but is not limited to, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. |
| SRG-APP-000474-CTR-001180 |
The container platform must provide system notifications to the system administrator and operational staff when anomalies in the operation of the organization-defined security functions are discovered. |
| SRG-APP-000492-CTR-001220 |
The container platform must generate audit records when successful/unsuccessful attempts to access security objects occur. |
| SRG-APP-000493-CTR-001225 |
The container platform must generate audit records when successful/unsuccessful attempts to access security levels occur. |
| SRG-APP-000494-CTR-001230 |
The container platform must generate audit records when successful/unsuccessful attempts to access categories of information (e.g., classification levels) occur. |
| SRG-APP-000495-CTR-001235 |
The container platform must generate audit records when successful/unsuccessful attempts to modify privileges occur. |
| SRG-APP-000496-CTR-001240 |
The container platform must generate audit records when successful/unsuccessful attempts to modify security objects occur. |
| SRG-APP-000497-CTR-001245 |
The container platform must generate audit records when successful/unsuccessful attempts to modify security levels occur. |
| SRG-APP-000498-CTR-001250 |
The container platform must generate audit records when successful/unsuccessful attempts to modify categories of information (e.g., classification levels) occur. |
| SRG-APP-000499-CTR-001255 |
The container platform must generate audit records when successful/unsuccessful attempts to delete privileges occur. |
| SRG-APP-000500-CTR-001260 |
The container platform must generate audit records when successful/unsuccessful attempts to delete security levels occur. |
| SRG-APP-000501-CTR-001265 |
The container platform must generate audit records when successful/unsuccessful attempts to delete security objects occur. |
| SRG-APP-000502-CTR-001270 |
The container platform must generate audit records when successful/unsuccessful attempts to delete categories of information (e.g., classification levels) occur. |
| SRG-APP-000503-CTR-001275 |
The container platform must generate audit records when successful/unsuccessful logon attempts occur. |
| SRG-APP-000504-CTR-001280 |
The container platform must generate audit record for privileged activities. |
| SRG-APP-000505-CTR-001285 |
The container platform audit records must record user access start and end times. |
| SRG-APP-000506-CTR-001290 |
The container platform must generate audit records when concurrent logons from different workstations and systems occur. |
| SRG-APP-000507-CTR-001295 |
The container platform runtime must generate audit records when successful/unsuccessful attempts to access objects occur. |
| SRG-APP-000508-CTR-001300 |
Direct access to the container platform must generate audit records. |
| SRG-APP-000509-CTR-001305 |
The container platform must generate audit records for all account creations, modifications, disabling, and termination events. |
| SRG-APP-000510-CTR-001310 |
The container runtime must generate audit records for all container execution, shutdown, restart events, and program initiations. |
| SRG-APP-000514-CTR-001315 |
The container platform must use a valid FIPS 140-2 approved cryptographic modules to generate hashes. |
| SRG-APP-000516-CTR-001325 |
Container platform components must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including SRGs, STIGs, NSA configuration guides, CTOs, and DTMs. |
| SRG-APP-000516-CTR-001330 |
The container platform must be able to store and instantiate industry standard container images. |
| SRG-APP-000516-CTR-001335 |
The container platform must continuously scan components, containers, and images for vulnerabilities. |
| SRG-APP-000560-CTR-001340 |
The container platform must prohibit communication using TLS versions 1.0 and 1.1, and SSL 2.0 and 3.0. |
| SRG-APP-000605-CTR-001380 |
The container platform must validate certificates used for Transport Layer Security (TLS) functions by performing an RFC 5280-compliant certification path validation. |
| SRG-APP-000610-CTR-001385 |
The container platform must use FIPS-validated SHA-2 or higher hash function for digital signature generation and verification (non-legacy use). |
| SRG-APP-000635-CTR-001405 |
The container platform must use a FIPS-validated cryptographic module to implement encryption services for unclassified information requiring confidentiality. |
| SRG-APP-000645-CTR-001410 |
The container platform must prohibit or restrict the use of protocols that transmit unencrypted authentication information or use flawed cryptographic algorithms for transmission. |
| SRG-APP-000318-CTR-000740 |
The container platform must enforce organization-defined circumstances and/or usage conditions for organization-defined accounts. |
| SRG-APP-000705-CTR-000110 |
The container platform must disable accounts when the accounts are no longer associated to a user. |
| SRG-APP-000745-CTR-000120 |
The container platform must implement the capability to centrally review and analyze audit records from multiple components within the system. |
| SRG-APP-000795-CTR-000130 |
The container platform must alert organization-defined personnel or roles upon detection of unauthorized access, modification, or deletion of audit information. |
| SRG-APP-000820-CTR-000170 |
The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that one of the factors is provided by a device separate from the system gaining access. |
| SRG-APP-000825-CTR-000180 |
The container platform must implement multifactor authentication for local; network; and/or remote access to privileged accounts; and/or nonprivileged accounts such that the device meets organization-defined strength of mechanism requirements. |
| SRG-APP-000830-CTR-000190 |
The container platform must for password-based authentication, maintain a list of commonly used, expected, or compromised passwords on an organization-defined frequency. |
| SRG-APP-000835-CTR-000200 |
The container platform must for password-based authentication, update the list of passwords on an organization-defined frequency. |
| SRG-APP-000840-CTR-000210 |
The container platform must for password-based authentication, update the list of passwords when organizational passwords are suspected to have been compromised directly or indirectly. |
| SRG-APP-000845-CTR-000220 |
The container platform must for password-based authentication, verify when users create or update passwords, that the passwords are not found on the list of commonly-used, expected, or compromised passwords in IA-5 (1) (a). |
| SRG-APP-000855-CTR-000240 |
The container platform must for password-based authentication, require immediate selection of a new password upon account recovery. |
| SRG-APP-000860-CTR-000250 |
The container platform must for password-based authentication, allow user selection of long passwords and passphrases, including spaces and all printable characters. |
| SRG-APP-000865-CTR-000260 |
The container platform must for password-based authentication, employ automated tools to assist the user in selecting strong password authenticators. |
| SRG-APP-000880-CTR-000290 |
The container platform must protect nonlocal maintenance sessions by separating the maintenance session from other network sessions with the system by logically separated communications paths. |
| SRG-APP-000910-CTR-000300 |
The container platform must include only approved trust anchors in trust stores or certificate stores managed by the organization. |
| SRG-APP-000915-CTR-000310 |
The container platform must provide protected storage for cryptographic keys with organization-defined safeguards and/or hardware protected key store. |
| SRG-APP-000920-CTR-000320 |
The container platform must synchronize system clocks within and between systems or system components. |
| SRG-APP-000247-CTR-000330 |
The container must have resource request limits set. |
| SRG-APP-000380-CTR-000340 |
The container root filesystem must be mounted as read-only. |