4.1 Create a user for the container

Information

Create a non-root user for the container in the Dockerfile for the container image.It is a good practice to run the container as a non-root user, if possible. Though user
namespace mapping is now available, if a user is already defined in the container image, the
container is run as that user by default and specific user namespace remapping is not
required.

Solution

Ensure that the Dockerfile for the container image contains below instruction-USER <username or ID>where username or ID refers to the user that could be found in the container base image. If
there is no specific user created in the container base image, then add a useradd command
to add the specific user before USER instruction.For example, add the below lines in the Dockerfile to create a user in the container-RUN useradd -d /home/username -m -s /bin/bash username
USER usernameNote- If there are users in the image that the containers do not need, consider deleting
them. After deleting those users, commit the image and then generate new instances of
containers for use.Impact-None.Default Value-By default, the containers are run with root privileges and as user root inside the
container.

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6

Plugin: Unix

Control ID: e0821b68db99059ed4da1102d599710492b6402c0c0974f4828a11965f53fba1