5.4 Do not use privileged containers

Information

Using the--privilegedflag gives all Linux Kernel Capabilities to the container thus overwriting the --cap-add and --cap-drop flags. Ensure that it is not used.

Rationale:

The--privilegedflag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

Solution

Do not run container with the--privilegedflag.

For example, do not start a container as below:

docker run --interactive --tty --privileged centos /bin/bash

Impact:

Linux Kernel Capabilities other than defaults would not be available for use within container.

Default Value:

False.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(4)

Plugin: Unix

Control ID: 29ce4c44a80b2c4087103860089d0ab7917f40677f17af247fd5c3b53c4942a6