Impact & Risk Analysis
- Severity: Medium
- CIS Benchmark: CIS 5.21
- Impact: Hostname modification. The UTS namespace isolates two system identifiers: the hostname and the NIS domain name. A container started with the host's UTS namespace sees the host's real hostname, and any process in it that holds CAP_SYS_ADMIN (for example, a container also run with --privileged or --cap-add SYS_ADMIN; sethostname(2) requires that capability) can change the hostname of the host server itself. A changed hostname confuses system administration, breaks hostname-based authentication and trust decisions, and disrupts logging and monitoring systems that rely on accurate hostnames.
Common Misconfiguration
Starting a container with the --uts=host flag. This removes the isolation between the container's hostname and the host's hostname, so the container and the host share a single hostname and NIS domain name.
Vulnerable Example
Secure Example
Audit Procedure
Inspect the UTS mode of every container, running and stopped, with docker inspect and check the HostConfig.UTSMode value reported for each one.
- Fail: the value is host (the container shares the host's UTS namespace).
- Pass: the value is an empty string (the container has its own private UTS namespace).
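The following shell script is an added example, not code from the original page or from the CIS benchmark. It puts the vulnerable and the secure docker run invocations that the Vulnerable Example and Secure Example headings refer to side by side, then implements the audit above with docker inspect, classifying each container's HostConfig.UTSMode as PASS or FAIL. The alpine image, the container names, the sample IDs and the classification helpers are this example's own assumptions; when docker is not installed the script falls back to constructed sample output so the classification logic still runs.

```shell
#!/bin/sh
# Added example (not from the original page): vulnerable vs. secure launch,
# followed by an audit of HostConfig.UTSMode for every container.

# Vulnerable: the container joins the host's UTS namespace. `hostname` inside
# it prints the host's real hostname, and with CAP_SYS_ADMIN it could change it.
run_vulnerable() {
    docker run --rm --uts=host alpine hostname
}

# Secure: no --uts flag, so Docker creates a private UTS namespace. `hostname`
# inside prints the container's own ID, and renaming it never touches the host.
run_secure() {
    docker run --rm alpine hostname
}

# Audit: one line per container (running and stopped): "<id> <name> UTSMode=<mode>".
audit_uts_mode() {
    docker ps --quiet --all \
        | xargs docker inspect --format '{{ .Id }} {{ .Name }} UTSMode={{ .HostConfig.UTSMode }}'
}

# Classify one audit line: FAIL (return 1) when UTSMode=host, PASS (return 0)
# when the value is empty, i.e. a private namespace; anything else is UNKNOWN (return 2).
classify_uts_line() {
    mode="${1##*UTSMode=}"
    case "$mode" in
        host) printf 'FAIL %s\n' "$1"; return 1 ;;
        "")   printf 'PASS %s\n' "$1"; return 0 ;;
        *)    printf 'UNKNOWN %s\n' "$1"; return 2 ;;
    esac
}

# Read audit lines on stdin and print the number of containers that FAIL.
count_uts_failures() {
    fails=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        rc=0
        classify_uts_line "$line" >/dev/null || rc=$?
        if [ "$rc" -eq 1 ]; then fails=$((fails + 1)); fi
    done
    echo "$fails"
}

# Constructed sample audit output (not real container IDs), used when docker
# is not installed so the classification logic can still be exercised.
SAMPLE_AUDIT='0123456789ab /web UTSMode=
fedcba987654 /agent UTSMode=host
aabbccddeeff /db UTSMode='

main() {
    if command -v docker >/dev/null 2>&1; then
        output=$(audit_uts_mode)
    else
        echo "docker not found; auditing constructed sample output instead" >&2
        output=$SAMPLE_AUDIT
    fi
    printf '%s\n' "$output" | while IFS= read -r line; do
        [ -n "$line" ] && { classify_uts_line "$line" || true; }
    done
    fails=$(printf '%s\n' "$output" | count_uts_failures)
    echo "containers sharing the host UTS namespace: $fails"
}

main
```

In a CI gate you would exit non-zero when count_uts_failures reports anything other than 0; the script above only prints the count so it can be read stand-alone.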
Remediation
Do not start a container with the --uts=host argument. By default, Docker gives every container its own UTS namespace, so the host's hostname and NIS domain name are not shared with any container; simply omitting the flag restores the isolation.
