The container platform runtime must enforce the use of ports that are non-privileged.

STIG ID: SRG-APP-000142-CTR-000330  |  SRG: SRG-APP-000142 |  Severity: medium |  CCI: CCI-000382 |  Vulnerability Id: V-233074

Vulnerability Discussion

Privileged ports are those ports below 1024 and that require system privileges for their use. If containers are able to use these ports, the container must be run as a privileged user. The container platform must stop containers that try to map to these ports directly. Allowing non-privileged ports to be mapped to the container-privileged port is the allowable method when a certain port is needed. An example is mapping port 8080 externally to port 80 in the container.

Check

Review the container platform configuration and the containers within the platform by performing the following checks:

1. Verify the container platform is configured to disallow the use of privileged ports by containers.
2. Validate all containers within the container platform are using non-privileged ports.
3. Attempt to instantiate a container image that uses a privileged port.

If the container platform is not configured to disallow the use of privileged ports, this is a finding.

If the container platform has containers using privileged ports, this is a finding.

If the container platform allows containers to be instantiated that use privileged ports, this is a finding.

Fix

Configure the container platform to disallow the use of privileged ports by containers. Move any containers that are using privileged ports to non-privileged ports.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.