Workload misconfigurations

Ensure the default ulimit is configured appropriately (Manual)

Risk Level

Informational (4)

Platform(s)

  • N/A

Compliance Frameworks

Description

ulimit provides control over the resources available to the shell and to processes which it starts. Setting system resource limits judiciously can save you from disasters such as a fork bomb. On occasion, even friendly users and legitimate processes can overuse system resources and can make the system unusable. Setting the default ulimit for the Docker daemon enforces the ulimit for all container instances. In this case you would not need to setup ulimit for each container instance. However, the default ulimit can be overridden during container runtime, if needed. Therefore, in order to have proper control over system resources, define a default ulimit as is needed in your environment.

  • Recommended Mitigation

    Run Docker in daemon mode and pass --default-ulimit as argument with respective ulimits as appropriate in your environment and in line with your security policy. For Example: 'dockerd --default-ulimit nproc=1024:2048 --default-ulimit nofile=100:200'

Need help?

Get a free Security Risk Assessment. Start today

See Orca in action See Orca in action-> View a 10 minute recorded demo or sign up for a personalized one-on-one walk-through.