Information
Removing setuidandsetgid permissions in the images would prevent privilege escalation attacks in the containers.
Rationale:
setuidandsetgid permissions could be used for elevating privileges. While these permissions are at times legitimately needed, these could potentially be used in privilege escalation attacks. Thus, you should consider dropping these permissions for the packages which do not need them within the images.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Allowsetuid and setgid permissions only on executables which needthem. You could remove these permissions during build time by adding the following command in your Dockerfile, preferablytowards the end of the Dockerfile:
RUN find / -perm +6000 -type f -exec chmod a-s {} ; || true
Impact:
Above command breaks all the executables that depend on setuid or setgidpermissions including the legitimate ones. Hence, be careful to modify the command to suit your requirements so that it does not drop the permissions of legitimate programs. This requires acareful examination of each executable and fine tuning the permissions.
Default Value:
Not Applicable