5.3 Restrict Linux Kernel Capabilities within containers

Information

By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. It means that any process may be granted the required capabilities instead of root access. Using Linux Kernel Capabilities, the processes do not have to run as root for almost all the specific areas where root privileges are usually needed.

Rationale:

Docker supports the addition and removal of capabilities, allowing use of a non-default profile. This may make Docker more secure through capability removal, or less secure through the addition of capabilities. It is thus recommended to remove all capabilities except those explicitly required for your container process.

For example, capabilities such as below are usually not needed for container process:

NET_ADMIN

SYS_ADMIN

SYS_MODULE


NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Execute the below command to add needed capabilities:

$>docker run --cap-add={"Capability 1","Capability 2"} <Run arguments> <Container Image Name or ID> <Command>

For example,

docker run --interactive --tty --cap-add={"NET_ADMIN","SYS_ADMIN"} centos:latest /bin/bash



Execute the below command to drop unneeded capabilities:

$> docker run --cap-drop={"Capability 1","Capability 2"} <Run arguments> <Container Image Name or ID> <Command>

For example,

docker run --interactive --tty --cap-drop={"SETUID","SETGID"} centos:latest /bin/bash

Alternatively,

You may choose to drop all capabilities and add only add the needed ones:

$>docker run --cap-drop=all --cap-add={"Capability 1","Capability 2"} <Run arguments> <Container Image Name or ID> <Command>

For example,

docker run --interactive --tty --cap-drop=all --cap-add={"NET_ADMIN","SYS_ADMIN"} centos:latest /bin/bash

Impact:

Based on what Linux Kernel Capabilities were added or dropped, restrictions within the container would apply.

Default Value:

By default, below capabilities are available for containers:

AUDIT_WRITE

CHOWN

DAC_OVERRIDE

FOWNER

FSETID

KILL

MKNOD

NET_BIND_SERVICE

NET_RAW

SETFCAP

SETGID

SETPCAP

SETUID

SYS_CHROOT

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(4)

Plugin: Unix

Control ID: 47bcc62c08c9c1971d88ad58234f55cb8c1a62c4c8d2cbb48dc83e7222434c13