6.2 Ensure container sprawl is avoided

Information

Do not keep a large number of containers on the same host.
Rationale:
The flexibility of containers makes it easy to run multiple instances of applications, which indirectly leads to Docker images on the host that exist at varying security patch levels. It also means that host resources are consumed that could otherwise have been used to run 'useful' containers. Running more than a manageable number of containers on a host exposes it to mishandling, misconfiguration and fragmentation. Thus, avoid container sprawl and keep the number of containers on a host to a manageable total.

Solution

Periodically check your container inventory on each host and remove stopped containers with the following command:
docker container prune
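As an added illustration of the periodic inventory check (example code, not part of the benchmark text), the POSIX shell below parses the tab-separated shape produced by `docker ps -a --format '{{.ID}}\t{{.Status}}\t{{.Image}}'`, counts running and stopped containers, and compares the total against a site-chosen limit. The sample lines and the MAX_CONTAINERS threshold are constructed assumptions; the benchmark itself sets no numeric limit.

```shell
#!/bin/sh
# Added example: per-host container inventory check for CIS Docker 6.2.
# MAX_CONTAINERS is an assumed, site-specific limit (the benchmark sets none).
MAX_CONTAINERS="${MAX_CONTAINERS:-25}"

# count_containers: reads lines of "<id><TAB><status><TAB><image>" on stdin,
# the shape of: docker ps -a --format '{{.ID}}\t{{.Status}}\t{{.Image}}'
# and prints "<total> <running> <stopped>". Stopped here means what
# `docker container prune` would remove: exited, created or dead containers.
count_containers() {
  awk -F'\t' '
    { total++ }
    $2 ~ /^Up/ { running++ }
    $2 ~ /^(Exited|Created|Dead)/ { stopped++ }
    END { printf "%d %d %d\n", total + 0, running + 0, stopped + 0 }'
}

# sprawl_verdict <total> <limit>: prints PASS/FAIL, returns 0 when within limit.
sprawl_verdict() {
  if [ "$1" -gt "$2" ]; then
    echo "FAIL: $1 containers on host exceed the limit of $2"
    return 1
  fi
  echo "PASS: $1 containers on host (limit $2)"
  return 0
}

# Constructed sample in the format of `docker ps -a` (IDs and images are made up).
# Note the same image at two patch levels (nginx:1.21 vs nginx:1.25), the
# situation the rationale warns about. On a real host, pipe the docker command
# above into count_containers instead of this sample.
SAMPLE_PS=$(printf '%s\t%s\t%s\n' \
  a1b2c3d4e5f6 'Up 3 days' nginx:1.25 \
  b2c3d4e5f6a1 'Exited (0) 2 weeks ago' nginx:1.21 \
  c3d4e5f6a1b2 'Exited (137) 5 days ago' redis:7 \
  d4e5f6a1b2c3 Created busybox:latest)

# audit_sample: runs the check over the sample and returns the verdict code.
# After review, `docker container prune` removes the stopped set; it asks for
# confirmation unless -f is given, so run it interactively or deliberately.
audit_sample() {
  set -- $(printf '%s\n' "$SAMPLE_PS" | count_containers)
  echo "total=$1 running=$2 stopped=$3 (prune would remove $3)"
  sprawl_verdict "$1" "$MAX_CONTAINERS"
}
```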

Impact:
If you keep too few containers per host, you may not be utilizing your host resources adequately.
Default Value:
By default, Docker does not restrict the number of containers you may have on a host.

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-2c., CSCv6|18

Plugin: Unix

Control ID: f5c41f16fad964c0485326b9ece08de83008ef2cea2d5fa191f8f91aff1314c2