Control: 5.17 Ensure that the host's IPC namespace is not shared
IPC (POSIX/SysV IPC) namespace provides separation of named shared memory segments, semaphores and message queues. The IPC namespace on the host should therefore not be shared with containers and should remain isolated.
The IPC namespace provides separation of IPC between the host and containers. If the host's IPC namespace is shared with the container, it would allow processes within the container to see all of IPC communications on the host system. This would remove the benefit of IPC level isolation between host and containers. An attacker with access to a container could get access to the host at this level with major consequences. The IPC namespace should therefore not be shared between the host and its containers.
You should not start a container with the --ipc=host argument. For example, do not start a container as below:
docker run --interactive --tty --ipc=host centos /bin/bash
By default, all containers have their IPC namespace enabled and host IPC namespace is not shared with any container.
Run the control in your terminal:
steampipe check docker_compliance.control.cis_v160_5_17
Snapshot and share results via Steampipe Cloud:
steampipe loginsteampipe check --share docker_compliance.control.cis_v160_5_17
This control uses a named query:docker_container_host_ipc_namespace_shared