5.3 Restrict Linux Kernel Capabilities within containers

Information

By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. This
means that a process can be granted only the specific capabilities it requires instead of full
root access. Using Linux Kernel Capabilities, processes do not have to run as root for almost
all of the specific areas where root privileges are usually needed.

Docker supports the addition and removal of capabilities, allowing use of a non-default
profile. This may make Docker more secure through capability removal, or less secure
through the addition of capabilities. It is thus recommended to remove all capabilities
except those explicitly required by your container process.

For example, the following capabilities are usually not needed by a container process:

NET_ADMIN
SYS_ADMIN
SYS_MODULE

Solution

Execute the below command to add needed capabilities:

$> docker run --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

For example:

docker run --interactive --tty --cap-add={'NET_ADMIN','SYS_ADMIN'} centos-latest /bin/bash

Execute the below command to drop unneeded capabilities:

$> docker run --cap-drop={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

For example:

docker run --interactive --tty --cap-drop={'SETUID','SETGID'} centos-latest /bin/bash

Alternatively, you may choose to drop all capabilities and add only the needed ones:

$> docker run --cap-drop=all --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

For example:

docker run --interactive --tty --cap-drop=all --cap-add={'NET_ADMIN','SYS_ADMIN'} centos-latest /bin/bash

Impact

Based on which Linux Kernel Capabilities were added or dropped, the corresponding restrictions
within the container would apply.

Default Value

By default, the below capabilities are available to containers:

AUDIT_WRITE
CHOWN
DAC_OVERRIDE
FOWNER
FSETID
KILL
MKNOD
NET_BIND_SERVICE
NET_RAW
SETFCAP
SETGID
SETPCAP
SETUID
SYS_CHROOT
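The following script is an added example, not part of this audit item or the CIS benchmark text. It shows how the "drop all, add only what is needed" recommendation above can be verified on running containers: `docker inspect` prints a JSON array in which each container's `HostConfig.CapAdd` and `HostConfig.CapDrop` fields record the `--cap-add` and `--cap-drop` values it was started with (those field names are real). The script reconstructs each container's effective capability set from the default list above and flags containers that retain the default set or add one of the high-risk capabilities named in the Information section. The three container records are constructed sample data, not output from a real host; in practice the input would come from `docker ps --quiet --all | xargs docker inspect`.

```python
"""Audit container capability settings from `docker inspect` JSON (added example)."""
import json

# Capabilities Docker grants by default (the "Default Value" list above).
DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})

# Capabilities the text above calls out as usually not needed by a container
# process; adding any of these is reported as a high-risk finding.
HIGH_RISK_CAPS = frozenset({"NET_ADMIN", "SYS_ADMIN", "SYS_MODULE"})

# Constructed sample input: the shape `docker inspect` prints, trimmed to the
# fields this check needs. Container names and IDs are made up.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web-default",
     "HostConfig": {"CapAdd": None, "CapDrop": None}},
    {"Id": "bbb222", "Name": "/web-hardened",
     "HostConfig": {"CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"]}},
    {"Id": "ccc333", "Name": "/netagent",
     "HostConfig": {"CapAdd": ["CAP_SYS_ADMIN", "NET_ADMIN"], "CapDrop": None}},
])


def normalize(cap):
    """Canonicalise a capability name: strip a CAP_ prefix and upper-case it."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _cap_set(host_config, key):
    """Return the CapAdd or CapDrop list as a normalised set (None -> empty)."""
    return {normalize(c) for c in (host_config.get(key) or [])}


def effective_caps(host_config):
    """Compute the capability set a container starts with.

    Drops are applied to the default set first (ALL empties it), then the
    added capabilities are layered on top of whatever remains.
    """
    added = _cap_set(host_config, "CapAdd")
    dropped = _cap_set(host_config, "CapDrop")
    if "ALL" in added:
        # --cap-add=ALL grants every capability the daemon knows; represent
        # that with a sentinel instead of enumerating the kernel's list.
        return {"ALL"}
    base = set() if "ALL" in dropped else set(DEFAULT_CAPS) - dropped
    return base | added


def assess_container(entry):
    """Describe one container's capability posture and list its findings."""
    host_config = entry.get("HostConfig") or {}
    added = _cap_set(host_config, "CapAdd")
    dropped = _cap_set(host_config, "CapDrop")
    findings = []
    if "ALL" in added:
        findings.append("--cap-add=ALL grants every capability")
    if "ALL" not in dropped:
        findings.append("does not use --cap-drop=ALL; default capability set retained")
    for cap in sorted(added & HIGH_RISK_CAPS):
        findings.append(f"adds high-risk capability {cap}")
    return {
        "id": entry.get("Id"),
        "name": (entry.get("Name") or "").lstrip("/"),
        "effective": sorted(effective_caps(host_config)),
        "findings": findings,
    }


def audit(inspect_json):
    """Assess every container record in a `docker inspect` JSON array."""
    return [assess_container(entry) for entry in json.loads(inspect_json)]


if __name__ == "__main__":
    for result in audit(SAMPLE_INSPECT):
        status = "WARN" if result["findings"] else "OK  "
        detail = ", ".join(result["findings"]) or "drops all, adds only listed capabilities"
        print(f"{status} {result['name']}: {detail}")
        print(f"     effective: {' '.join(result['effective'])}")
```

Only the hardened container passes; the one started with no capability flags is reported because it silently keeps all fourteen default capabilities, and the agent container is reported both for that and for adding SYS_ADMIN and NET_ADMIN. Feeding the same function real `docker inspect` output gives a per-container view that lines up with the audit item.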

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(4)

Plugin: Unix

Control ID: 85f24fa9c949014cbfcae1c15a7e8804cad55acb53205b17bd2564ac8b973c78