The primary way to shrink a container’s privilege-escalation attack surface is to ensure the containerized process does NOT run as root. Option A builds the image so it contains only a non-root account (UID 1000) that has /dev/null as its shell; subsequent Dockerfile instructions would then use USER 1000. By removing root inside the container, any compromise is confined to an unprivileged context, blocking escalation to host or kernel privileges. This aligns with the least-privilege guidance in NIST SP 800-190 and the CIS Docker Benchmark.

B. EDR + SIEM improves detection but does not change the privileges the container holds; attack surface remains.

C. Auto-replacing compromised containers improves resiliency, not initial privilege-escalation surface within each container.

D. Network isolation and ACLs mitigate exposure paths, not internal privilege levels; root in the container is still available to attackers.

1. NIST SP 800-190 “Application Container Security Guide

” §5.1 Principle of Least Privilege

pp. 13-14.

2. Center for Internet Security (CIS) Docker Benchmark v1.4.0

Control 1.2 “Ensure that containers do not run as root

” pp. 27-28.

3. Kubernetes Documentation

“SecurityContext—runAsNonRoot

” v1.29

para. 1-2 (mirrors container least-privilege best practice).

4. Red Hat Container Security Guide

Ch. 3 “Running as Non-root

” pp. 31-33.