Root containers minimized
Description
Containers should not run as the root user: set securityContext.runAsUser to a non-zero UID (runAsUser != 0) and runAsNonRoot: true, so the kubelet refuses to start an image whose USER resolves to UID 0.
⚠️ Risk Impact
A process that is root inside the container keeps UID 0 and the runtime's default capability set; if a container escape (kernel or runtime CVE, or a misconfigured host mount) succeeds, it is root on the host. Running as an unprivileged UID limits what a compromised container can do both inside the container and after an escape.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Set securityContext.runAsUser to a non-zero UID and securityContext.runAsNonRoot to true, at pod level or per container (a container-level field overrides the same field set on the pod). Use distroless or other base images that declare a non-root USER. Rebuild legacy images with a USER directive, and chown any paths the process must write so the switch away from root does not break file ownership.
💀 Real-World Attack Scenario
A web application container ran as root (the default in many Dockerfiles). After the container was compromised through a dependency CVE, the attacker had root inside it. Combined with a container-escape CVE, that became root on the host.
💰 Cost of Non-Compliance
Average cost of a data breach: $4.45M (IBM Cost of a Data Breach Report, 2023). The report does not break this figure out by root-container exposure.
📋 Audit Questions
- 1. Which containers run with runAsUser=0, or leave runAsUser unset without runAsNonRoot: true (so the image's USER, usually root, decides)?
- 2. Is there a migration plan for rebuilding those images with a non-root USER?
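The remediation above and audit question 1 both come down to computing the effective securityContext per container and deciding whether it ends up as UID 0. The check below is an added example, not EchelonGraph's scanner or any project's code; it reads the JSON shape that `kubectl get pods -A -o json` produces and flags containers that are explicitly root or that fall through to the image's USER. The pod list is constructed for the example: `legacy-app` shows the weak setting (no securityContext, and a sidecar with runAsUser: 0), and `hardened-app` shows the remediated shape (runAsNonRoot plus a non-zero UID at pod level). The `debug` container in the hardened pod deliberately overrides runAsUser back to 0 to show that container-level fields win over pod-level ones.

```python
"""Flag Kubernetes containers that would run as root (CIS Kubernetes 5.2.7).

Added example, not EchelonGraph code. Input is the JSON that
`kubectl get pods -A -o json` prints; the pod list below is constructed.
"""
import json

# Only the two fields that decide the container's UID matter here.
USER_FIELDS = ("runAsUser", "runAsNonRoot")

# Constructed sample input: one pod with the weak setting, one remediated.
SAMPLE_POD_LIST = json.loads("""
{ "items": [
  { "metadata": {"namespace": "web", "name": "legacy-app"},
    "spec": { "containers": [
      { "name": "app", "image": "legacy/app:1.0" },
      { "name": "sidecar", "image": "vendor/agent:2.3",
        "securityContext": {"runAsUser": 0} } ] } },
  { "metadata": {"namespace": "web", "name": "hardened-app"},
    "spec": {
      "securityContext": {"runAsNonRoot": true, "runAsUser": 10001,
                          "runAsGroup": 10001, "fsGroup": 10001},
      "containers": [
        { "name": "app", "image": "gcr.io/distroless/static:nonroot",
          "securityContext": {"allowPrivilegeEscalation": false} },
        { "name": "debug", "image": "busybox",
          "securityContext": {"runAsUser": 0} } ] } } ] }
""")


def effective_context(pod_spec: dict, container: dict) -> dict:
    """Merge pod- and container-level securityContext the way the kubelet does:
    a field set on the container overrides the same field set on the pod."""
    ctx = {k: v for k, v in pod_spec.get("securityContext", {}).items()
           if k in USER_FIELDS}
    ctx.update({k: v for k, v in container.get("securityContext", {}).items()
                if k in USER_FIELDS})
    return ctx


def classify(ctx: dict) -> str:
    """Return 'root', 'non-root' or 'unverified' for an effective context."""
    uid = ctx.get("runAsUser")
    if uid == 0:
        return "root"          # explicit UID 0: a 5.2.7 violation
    if uid is not None:
        return "non-root"      # explicit non-zero UID
    if ctx.get("runAsNonRoot") is True:
        return "non-root"      # kubelet refuses to start an image whose USER is root
    return "unverified"        # falls through to the image USER; treat as root until proven otherwise


def audit(pod_list: dict) -> list:
    """Return one finding per container that is not provably non-root."""
    findings = []
    for pod in pod_list["items"]:
        spec = pod["spec"]
        # initContainers run before the app containers and are just as exposed.
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            ctx = effective_context(spec, c)
            verdict = classify(ctx)
            if verdict != "non-root":
                findings.append({
                    "namespace": pod["metadata"]["namespace"],
                    "pod": pod["metadata"]["name"],
                    "container": c["name"],
                    "image": c.get("image", ""),
                    "verdict": verdict,
                    "runAsUser": ctx.get("runAsUser"),
                })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_POD_LIST):
        print(f"{f['namespace']}/{f['pod']}/{f['container']} "
              f"({f['image']}): {f['verdict']}, runAsUser={f['runAsUser']}")
```

Against a live cluster, pipe `kubectl get pods -A -o json` into `json.load` and pass the result to `audit()`. An "unverified" verdict is not proof of root, but it is the state most legacy images are in, and the cheapest fix is to add runAsNonRoot: true at pod level and let the kubelet reject anything that still resolves to UID 0.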
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔Legacy Dockerfiles default to root (no USER directive)
- ⛔Migrating to a non-root UID breaks file ownership on paths the image wrote as root (fix with chown in the Dockerfile or fsGroup for volumes)
- ⛔Distroless adoption delayed
📈 Business Value
Non-root containers limit container-compromise impact.
⏱️ Effort Estimate
Per-image rebuild
EchelonGraph identifies root containers
🔗 Cross-Framework References
Automate CIS Kubernetes 5.2.7 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.