- Feature Request
- Resolution: Unresolved
- Normal
Problem Statement
Currently all Lightspeed in Satellite containers run as root. Example from my lab (no customer data included):
sat618 ~]# podman ps
CONTAINER ID  IMAGE                                                            COMMAND               CREATED        STATUS        PORTS                                 NAMES
7470d2ac3b24  registry.redhat.io/satellite/iop-host-inventory-rhel9:6.18       python run_gunico...  25 hours ago   Up 25 hours                                         iop-core-host-inventory-api
553a90235828  registry.redhat.io/satellite/iop-ingress-rhel9:6.18              /insights-ingress...  25 hours ago   Up 25 hours                                         iop-core-ingress
9e51ef0fd57a  registry.redhat.io/amq-streams/kafka-39-rhel9:2.9.1-1            sh bin/init-start...  25 hours ago   Up 25 hours                                         iop-core-kafka
77ef0b969cc3  registry.redhat.io/satellite/iop-gateway-rhel9:6.18              nginx -g daemon o...  25 hours ago   Up 25 hours   127.0.0.1:24443->8443/tcp, 8080/tcp   iop-core-gateway
1220bf500c77  registry.redhat.io/satellite/iop-yuptoo-rhel9:6.18               python -m main        25 hours ago   Up 25 hours                                         iop-core-yuptoo
c4090a66eb3b  registry.redhat.io/satellite/iop-puptoo-rhel9:6.18               puptoo                25 hours ago   Up 25 hours                                         iop-core-puptoo
d1a1a745179c  registry.redhat.io/satellite/iop-vmaas-rhel9:6.18                /vmaas/entrypoint...  25 hours ago   Up 25 hours                                         iop-service-vmaas-reposcan
d90f23b6df4a  registry.redhat.io/satellite/iop-vmaas-rhel9:6.18                /vmaas/entrypoint...  25 hours ago   Up 25 hours                                         iop-service-vmaas-webapp-go
e28b5b163711  registry.redhat.io/satellite/iop-insights-engine-rhel9:6.18      insights-core-eng...  25 hours ago   Up 25 hours                                         iop-core-engine
fa67b767ba06  registry.redhat.io/satellite/iop-remediations-rhel9:6.18         sh -c npm run db:...  25 hours ago   Up 25 hours   9002/tcp                              iop-service-remediations-api
fec5c4955508  registry.redhat.io/satellite/iop-vulnerability-engine-rhel9:6.18 /engine/entrypoin...  25 hours ago   Up 25 hours                                         iop-service-vuln-manager
67b5741bf510  registry.redhat.io/satellite/iop-vulnerability-engine-rhel9:6.18 /engine/entrypoin...  25 hours ago   Up 25 hours                                         iop-service-vuln-listener
47870d06d495  registry.redhat.io/satellite/iop-vulnerability-engine-rhel9:6.18 /engine/entrypoin...  25 hours ago   Up 25 hours                                         iop-service-vuln-evaluator-recalc
085731ee95a8  registry.redhat.io/satellite/iop-vulnerability-engine-rhel9:6.18 /engine/entrypoin...  25 hours ago   Up 25 hours                                         iop-service-vuln-grouper
fcec53fdd128  registry.redhat.io/satellite/iop-vulnerability-engine-rhel9:6.18 /engine/entrypoin...  25 hours ago   Up 25 hours                                         iop-service-vuln-taskomatic
890e73dd99ef  registry.redhat.io/satellite/iop-vulnerability-engine-rhel9:6.18 /engine/entrypoin...  25 hours ago   Up 25 hours                                         iop-service-vuln-evaluator-upload
970393b430c9  registry.redhat.io/satellite/iop-host-inventory-rhel9:6.18       make run_inv_mq_s...  25 hours ago   Up 25 hours                                         iop-core-host-inventory
56907a057b8e  registry.redhat.io/satellite/iop-advisor-backend-rhel9:6.18      sh -c ./container...  5 seconds ago  Up 6 seconds  8000/tcp                              iop-service-advisor-backend-api
0c427744ab96  registry.redhat.io/satellite/iop-advisor-backend-rhel9:6.18      pipenv run python...  5 seconds ago  Up 6 seconds  8000/tcp                              iop-service-advisor-backend-service
Various compliance frameworks demand that containers are run with least privileges:
- NIST 800-53 AC-6 (Least Privilege)
- PCI DSS v4.0 Requirement 2.2
- BSI SYS.1.6.A17 Execution of containers without privileges
To comply, all instantiated containers SHOULD be run only by a non-privileged system account that neither has nor can obtain elevated rights to the container service or to the host's operating system.
Requirements
- All instantiated containers are run by a non-privileged system account that neither has nor can obtain elevated rights to the container service.
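A quick way to audit the requirement above on an existing host is to read what `podman inspect` reports for each running container and flag any whose configured user resolves to root or that was started with `--privileged`. The script below is an added example, not part of this request or of the Satellite project; the sample records in it are constructed, and the check covers only the in-container user (rootless podman, which maps container UID 0 to an unprivileged host UID, is a separate control not inspected here).

```python
"""Flag podman containers whose process runs as root or with --privileged.

Added example, not part of the feature request: reads the JSON that
`podman inspect` prints and reports containers that break least privilege.
SAMPLE below is constructed, not copied from any lab or customer system.
"""
import json
import subprocess


def is_root_user(user: str) -> bool:
    """Config.User is "", "name", "uid", "name:group" or "uid:gid".

    An empty value means neither the image nor the run command set a user,
    so the container process runs as root.
    """
    return user.split(":", 1)[0].strip() in ("", "0", "root")


def audit(inspect_json: str) -> list:
    """Return one finding per container that runs as root or --privileged."""
    findings = []
    for c in json.loads(inspect_json):
        user = c.get("Config", {}).get("User", "")
        reasons = []
        if is_root_user(user):
            reasons.append("runs as root (Config.User=%r)" % user)
        if c.get("HostConfig", {}).get("Privileged", False):
            reasons.append("started with --privileged")
        if reasons:
            findings.append({"name": c.get("Name"), "image": c.get("ImageName"), "reasons": reasons})
    return findings


def audit_running() -> list:
    """Audit live containers; needs podman on PATH and rights to inspect them."""
    ids = subprocess.run(["podman", "ps", "-q"], capture_output=True, text=True, check=True).stdout.split()
    if not ids:
        return []
    out = subprocess.run(["podman", "inspect", *ids], capture_output=True, text=True, check=True).stdout
    return audit(out)


# Constructed sample: one root container, one privileged, one compliant.
SAMPLE = json.dumps([
    {"Name": "demo-root", "ImageName": "registry.example/demo:tag",
     "Config": {"User": ""}, "HostConfig": {"Privileged": False}},
    {"Name": "demo-privileged", "ImageName": "registry.example/demo:tag",
     "Config": {"User": "1001:1001"}, "HostConfig": {"Privileged": True}},
    {"Name": "demo-ok", "ImageName": "registry.example/demo:tag",
     "Config": {"User": "svc:svc"}, "HostConfig": {"Privileged": False}},
])

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["name"], f["image"], "; ".join(f["reasons"]))
```

Replace `audit(SAMPLE)` with `audit_running()` to check a real host; an empty result means every running container has a non-root user configured and none is privileged.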
Business Impact
- If the feature is not delivered, the customer is not able to comply with regulatory standards.
- Not complying results in negative customer experience as the customer needs to do a risk assessment for this service.
- It's considered best practice to run services with least privileges. Not doing so could damage Red Hat's reputation as a leader in following security best practices.