Immutable (read-only) root filesystem should be enforced for containers

HIGH

Enforces a read-only root filesystem on containers, preventing runtime modification of system files.

What does this mean?

This recommendation ensures containers run with a read-only root filesystem: the container's own filesystem (the image layers plus the writable layer the runtime normally places on top) is mounted read-only, so a process inside the container cannot create, modify or delete files anywhere that is not an explicitly mounted volume. This prevents attackers or malicious processes from modifying system binaries, writing malware or dropped tooling to disk, or tampering with application files at runtime. The control has limits worth knowing: it applies to the root filesystem only, so writable volume mounts and tmpfs mounts (including /dev/shm) stay writable, and it does not stop execution of binaries already present in the image or payloads that run entirely in memory. Pair it with a non-root user, dropped capabilities and no privilege escalation rather than relying on it alone.

Benefits of implementation

  • Prevents malware or dropped tooling from being written to the container's root filesystem
  • Blocks tampering with application binaries and configuration baked into the image
  • Reduces the attack surface for post-exploitation activities such as on-disk persistence or replacing system binaries

Drawbacks and considerations

  • Applications that write to the filesystem need writable volume mounts (for example an emptyDir or tmpfs volume) at the exact paths they write to
  • Apps that write temp files to arbitrary locations on the root filesystem must be pointed at a writable mount (typically /tmp backed by emptyDir) or refactored
  • May break logging if logs are written to local disk rather than stdout/stderr; give the log directory its own writable volume or switch to stdout logging

Implementation

Implementation guidance coming soon.
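The page's own implementation guidance is not yet published; the following is an added example, not the page's or Microsoft's code, covering both the drawbacks list above (writable mounts for temp files and logs) and the implementation itself. It places a weak Pod manifest next to a hardened one and includes a small audit function a practitioner can run over parsed manifests before they reach a cluster. The manifests are constructed sample input written as Python dicts with the same keys as the YAML form, so the output of yaml.safe_load or json.load on a real file can be passed to audit_pod unchanged. The image name example.azurecr.io/web:1.0, the Pod names, the /var/log/app path and the function names are hypothetical.

```python
"""Audit Kubernetes Pod manifests for readOnlyRootFilesystem and show the
writable-mount pattern that keeps an app working once its root fs is read-only.

Constructed example: manifests are embedded as dicts mirroring YAML keys."""
from __future__ import annotations

import json
from typing import Any

# Weak setting: no securityContext, so the root filesystem is writable and a
# compromised process can drop tooling or patch binaries in place.
WEAK_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-weak"},
    "spec": {
        "containers": [
            {"name": "web", "image": "example.azurecr.io/web:1.0"}  # hypothetical image
        ]
    },
}

# Corrected setting: root filesystem read-only; the paths the app legitimately
# writes to (/tmp for scratch files, /var/log/app for logs) get their own
# writable emptyDir volumes instead of the root filesystem.
HARDENED_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web-hardened"},
    "spec": {
        "containers": [
            {
                "name": "web",
                "image": "example.azurecr.io/web:1.0",  # hypothetical image
                "securityContext": {
                    "readOnlyRootFilesystem": True,
                    "allowPrivilegeEscalation": False,
                    "runAsNonRoot": True,
                    "capabilities": {"drop": ["ALL"]},
                },
                "volumeMounts": [
                    {"name": "tmp", "mountPath": "/tmp"},
                    {"name": "app-logs", "mountPath": "/var/log/app"},
                ],
            }
        ],
        "volumes": [
            # In-memory tmpfs with a cap so a runaway writer cannot fill node memory.
            {"name": "tmp", "emptyDir": {"medium": "Memory", "sizeLimit": "64Mi"}},
            {"name": "app-logs", "emptyDir": {}},
        ],
    },
}

# Paths most apps expect to be writable. With a read-only root fs these must be
# backed by a volumeMount or the app fails at runtime; flagged as a warning
# because an app that never writes to /tmp is still fine.
EXPECTED_WRITABLE = ("/tmp",)


def _containers(spec: dict[str, Any]) -> list[dict[str, Any]]:
    """Regular and init containers both need the setting."""
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def audit_pod(manifest: dict[str, Any]) -> list[str]:
    """Return findings for a Pod manifest; an empty list means it passes."""
    findings: list[str] = []
    spec = manifest.get("spec", {})
    declared_volumes = {v.get("name") for v in spec.get("volumes", [])}
    for c in _containers(spec):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
            continue
        mounts = {m.get("mountPath") for m in c.get("volumeMounts", [])}
        for path in EXPECTED_WRITABLE:
            if path not in mounts:
                findings.append(f"{name}: root fs is read-only but {path} has no writable mount (warning)")
        for m in c.get("volumeMounts", []):
            if m.get("name") not in declared_volumes:
                findings.append(f"{name}: volumeMount {m.get('name')} has no matching volume")
    return findings


def to_manifest_json(manifest: dict[str, Any]) -> str:
    """Serialise a manifest so it can be applied with kubectl apply -f."""
    return json.dumps(manifest, indent=2)


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

For a single container outside Kubernetes the same effect comes from docker run --read-only --tmpfs /tmp <image>. On AKS the setting can be enforced cluster-wide with the built-in Azure Policy definition "Kubernetes cluster containers should run with a read only root file system" in audit or deny mode; the audit function above is the pre-commit version of that check.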

Related recommendations will be linked here.

Frameworks

Details
Risk Level: HIGH
Category: Container Security
Azure Resource:
Frameworks: 3 frameworks
Last updated: 2026-02-12