
V-270876

CAT II (Medium)

The container root filesystem must be mounted as read-only.

Rule ID: SV-270876r1050649_rule

STIG: Container Platform Security Requirements Guide

Version: V2R4

CCIs: CCI-001813

Discussion

Any changes to a container must be made by rebuilding the image and redeploying the new container image. Once a container is running, changes to the root filesystem should not be needed, thus preserving the immutable nature of the container. Any attempts to change the root filesystem are usually malicious in nature and can be prevented by making the root filesystem read-only.

Check Content

Review the container platform configuration to determine that the root filesystem is mounted as read-only.

If the container platform does not enforce such access restrictions, this is a finding.

Fix Text

Review and remove nonsystem containers previously created with read-write permissions. Configure the container platform to force the root filesystem to be mounted as read-only.
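
One way to carry out the review described in the Check Content and Fix Text, as an added example that is not part of the STIG text: it assumes a Kubernetes-based platform (the SRG itself is platform-neutral) and a pod listing exported as JSON, and it reports every container whose `securityContext.readOnlyRootFilesystem` is not `true`. The pod names and the `writable_rootfs_findings` helper are constructed for illustration.

```python
import json

# Constructed sample, shaped like `kubectl get pods -A -o json` output.
# Assumption: a Kubernetes-based platform; the SRG does not name one.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "web", "name": "frontend"},
   "spec": {
     "initContainers": [
       {"name": "migrate", "securityContext": {"readOnlyRootFilesystem": false}}],
     "containers": [
       {"name": "nginx", "securityContext": {"readOnlyRootFilesystem": true}},
       {"name": "sidecar"}]}},
  {"metadata": {"namespace": "batch", "name": "report"},
   "spec": {"containers": [
       {"name": "job", "securityContext": {"readOnlyRootFilesystem": true}}]}}
]}
""")

# Every container list in a pod spec has to be checked, not just "containers".
CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")


def writable_rootfs_findings(pod_list):
    """Return (namespace, pod, kind, container, reason) for each container
    whose root filesystem is not explicitly read-only."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for kind in CONTAINER_KINDS:
            for c in spec.get(kind) or []:
                ctx = c.get("securityContext") or {}
                value = ctx.get("readOnlyRootFilesystem")
                if value is True:
                    continue
                # The field is set per container and defaults to a writable
                # root filesystem, so "unset" is a finding just like false.
                reason = "unset" if value is None else "explicitly false"
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), kind, c.get("name"), reason))
    return findings


if __name__ == "__main__":
    for ns, pod, kind, name, reason in writable_rootfs_findings(SAMPLE):
        print(f"FINDING {ns}/{pod} {kind}/{name}: readOnlyRootFilesystem {reason}")
```

This inventories existing workloads for the review step in the Fix Text; the enforcement setting on the platform itself is not shown here.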