The container root filesystem must be mounted as read-only.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-270876	SRG-APP-000380-CTR-000340	SV-270876r1050649_rule		Medium

Description

Any changes to a container must be made by rebuilding the image and redeploying the new container image. Once a container is running, changes to the root filesystem should not be needed, thus preserving the immutable nature of the container. Any attempts to change the root filesystem are usually malicious in nature and can be prevented by making the root filesystem read-only.

STIG	Date
Container Platform Security Requirements Guide	2025-05-15

Details

Check Text (C-74911r1050647_chk)

Review the container platform configuration to determine that the root filesystem is mounted as read-only.

If the container platform does not enforce such access restrictions, this is a finding.

Fix Text (F-74812r1050648_fix)

Review and remove nonsystem containers previously created with read-write permissions. Configure the container platform to force the root filesystem to be mounted as read-only.