A security assessor is reviewing a containerized application. Which three of the following practices help secure the container runtime environment? (Select the three best options.)
Why this answer
Running a container with a read-only root filesystem (option A) prevents any writes to the container's filesystem layer, which blocks malware from dropping files, modifying binaries, or persisting changes. This is enforced by the container runtime (e.g., Docker, containerd) by mounting the root filesystem as read-only, typically using the `--read-only` flag. Even if an attacker gains code execution inside the container, they cannot alter system files or install tools, significantly reducing the blast radius of a compromise.
Exam trap
CompTIA often tests the distinction between image security (e.g., using latest images) and runtime security (e.g., read-only filesystem, capability dropping, non-root user), and the trap here is that candidates may incorrectly select 'use the latest base image' because they conflate image freshness with runtime hardening.
Why the other options are wrong
Using the latest base image is important for image security (keeping the image free of known-vulnerable packages), not for hardening the runtime configuration of a running container.