The Defense Information Systems Agency (DISA), a crucial U.S. Department of Defense agency, ensures secure IT and communication services for military operations. It safeguards information integrity on the Defense Information System Network, the primary military IT infrastructure. DISA security guidelines have become a reference to follow not only for the DoD but also for the enterprise. Tanzu Application Catalog container images are configured following DISA's Container Image Creation and Deployment Guide Version 2, Release 0.6, helping enterprises reduce their attack surface and improve their overall security posture, with a particular focus on meeting the stringent requirements of federal and defense customers.

| ID | Description |
|---|---|
| DISA: CONTAINER IMAGE CREATION | |
| CCI-000366 | The Container Image Must Be Created Without Confidential Data in the Build Files |
| CCI-000381 | The Container Image Must Be Built with the SSH Server Daemon Disabled |
| CCI-000381 | The Container Image Must Be Created with Only Essential Capabilities |
| CCI-001762 | The Container Image Must Only Expose Non-Privileged Ports |
| CCI-001762 | The Container Image Must Only Enable Ports Used for the Service Being Implemented |
| CCI-002235 | The Container Image Must Be Created to Execute as a Non-Privileged User |
| CCI-002235 | The Container Image Must Have Permissions Removed from Executables that Allow a User to Execute Software at Higher Privileges |
| CCI-002418 | Container Image Creation Must Use TLS 1.2 or Higher for Secure Container Image Registry Pulls |
| CCI-002367 | The Container Image Must Be Clear of Embedded Credentials |
| CCI-002617 | The Container Image Should Be Built with Minimal Cached Layers |
| DISA: CONTAINER DEPLOYMENT | |
| CCI-000109 | Sensitive Directories on the Host System Must Not Be Mounted by Containers |
| CCI-001090 | A Container Must Not Mount the Container Platform's Registry Endpoint |
| CCI-001094 | The Container Should Have Resource Limits Set |
| CCI-001095 | The Container Should Have Resource Requests Set |
| CCI-001813 | The Container Root Filesystem Must Be Mounted as Read-Only |
| CCI-002385 | The Container Must Have a Liveness Probe |
| CCI-002385 | The Container Must Have a Readiness Probe |
| CCI-002530 | The Container Should Be Given Label Selectors to Help Define Container Execution Location and Type |
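
The container deployment controls above translate directly into fields of a Kubernetes pod manifest, so they can be checked statically before a workload is admitted. The following script is an added example and not Tanzu Application Catalog code; it checks a pod manifest (here constructed inline as a Python dict) against the deployment controls, and the list of host directories treated as "sensitive" for CCI-000109 is an assumption, not something the guide on this page enumerates.

```python
# Added example, not code from the Tanzu Application Catalog: a static check of a
# Kubernetes pod manifest against the DISA container deployment controls above.
# Which host directories count as "sensitive" (CCI-000109) is an assumption here.
SENSITIVE_HOST_PATHS = ("/etc", "/proc", "/sys", "/boot", "/dev", "/var/run/docker.sock")

def _is_sensitive(path: str) -> bool:
    """True for the host root or anything at/under a sensitive directory."""
    return path == "/" or any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)

def check_pod(pod: dict) -> list[tuple[str, str]]:
    """Return (CCI id, finding) pairs; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    for vol in spec.get("volumes", []):  # CCI-000109: sensitive host mounts
        path = vol.get("hostPath", {}).get("path")
        if path is not None and _is_sensitive(path):
            findings.append(("CCI-000109", f"volume {vol.get('name')} mounts host path {path}"))
    if not spec.get("nodeSelector"):  # CCI-002530: pin execution location/type
        findings.append(("CCI-002530", "no nodeSelector set"))
    for c in spec.get("containers", []):
        name, res, sc = c.get("name", "?"), c.get("resources", {}), c.get("securityContext", {})
        if not res.get("limits"):  # CCI-001094
            findings.append(("CCI-001094", f"{name}: no resource limits"))
        if not res.get("requests"):  # CCI-001095
            findings.append(("CCI-001095", f"{name}: no resource requests"))
        if sc.get("readOnlyRootFilesystem") is not True:  # CCI-001813
            findings.append(("CCI-001813", f"{name}: root filesystem is writable"))
        if sc.get("runAsNonRoot") is not True or sc.get("privileged") is True:  # CCI-002235
            findings.append(("CCI-002235", f"{name}: may run as root or privileged"))
        for probe in ("livenessProbe", "readinessProbe"):  # CCI-002385
            if probe not in c:
                findings.append(("CCI-002385", f"{name}: missing {probe}"))
    return findings

# Constructed sample manifests: one typical unhardened pod and its corrected form.
WEAK_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": {
    "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "securityContext": {"privileged": True}}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": {
    "nodeSelector": {"kubernetes.io/os": "linux"},
    "containers": [{"name": "app", "image": "example/app:1.0",
                    "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                  "limits": {"cpu": "500m", "memory": "256Mi"}},
                    "securityContext": {"runAsNonRoot": True, "readOnlyRootFilesystem": True,
                                        "allowPrivilegeEscalation": False},
                    "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                    "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}}]}}
```

Running `check_pod(WEAK_POD)` reports eight findings covering seven distinct control IDs, while `check_pod(HARDENED_POD)` returns an empty list; the same function can be pointed at a manifest loaded with a YAML parser.
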
The following catalog applications cannot meet one or more of these controls; the table lists the affected control IDs and the reason for each exception.

| Application | IDs | Reason |
|---|---|---|
| Concourse | CCI-002235 | Workers require privileged access to the host because of the runtimes they need to execute |
| DeepSpeed | CCI-000381 | Application requires sshd for communication between nodes |
| Discourse | CCI-001813 | Application persistence logic is not compatible with read-only root filesystems |
| Fluentd | CCI-002235 | Nodes require access to the host filesystem to read the container logs, which also requires root access |
| Joomla | CCI-001813 | Application persistence logic is not compatible with read-only root filesystems |
| Kiam | CCI-002235 | Application requires privileged access to modify the host networking system |
| Magento | CCI-001813 | Application persistence logic is not compatible with read-only root filesystems |
| MetalLB | CCI-002235 | Application requires privileged access to modify the host networking system |
| Moodle | CCI-001813, CCI-002235 | Application persistence logic is not compatible with read-only root filesystems. Additionally, it requires root access for certain operations such as cron jobs |
| Multus CNI | CCI-002235 | Application requires privileged access to modify the host networking system |
| Node Exporter | CCI-000381 | Application requires hostNetwork access to obtain the Kubernetes node metrics |
| Odoo | CCI-001813, CCI-002235 | Application persistence logic is not compatible with read-only root filesystems. Additionally, it requires root access for certain operations |
| PrestaShop | CCI-001813 | Application persistence logic is not compatible with read-only root filesystems |
| Redmine | CCI-001813 | Application persistence logic is not compatible with read-only root filesystems |
| Whereabouts | CCI-002235 | Application requires privileged access to modify the host networking system |