5.4 Restrict Linux Kernel Capabilities within containers

Information

By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. This
means that a process can be granted just the capabilities it requires instead of full root access.
Using Linux Kernel Capabilities, processes do not have to run as root for almost all of the
specific operations where root privileges are usually needed.

Docker supports the addition and removal of capabilities, allowing use of a non-default
profile. This may make Docker more secure through capability removal, or less secure
through the addition of capabilities. It is thus recommended to remove all capabilities
except those explicitly required for your container process. For example, capabilities such as the following are usually not needed by a container process:

NET_ADMIN
SYS_ADMIN
SYS_MODULE

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Execute the below command to add needed capabilities:

$> docker run --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

For example,

$> docker run --cap-add={'NET_ADMIN','SYS_ADMIN'} -i -t centos-latest /bin/bash

Execute the below command to drop unneeded capabilities:

$> docker run --cap-drop={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

For example,

$> docker run --cap-drop={'SETUID','SETGID'} -i -t centos-latest /bin/bash

Impact: Based on which Linux Kernel Capabilities were added or dropped, the corresponding
restrictions within the container would apply.

Default Value: By default, the following capabilities are available to containers:

AUDIT_WRITE
CHOWN
DAC_OVERRIDE
FOWNER
FSETID
KILL
MKNOD
NET_BIND_SERVICE
NET_RAW
SETFCAP
SETGID
SETPCAP
SETUID
SYS_CHROOT
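
To turn the two lists on this page (the default set above and the usually-unneeded NET_ADMIN/SYS_ADMIN/SYS_MODULE) into a check a reviewer can run over `docker inspect` output, here is an added Python example that is not part of the benchmark or of Tenable's plugin: it models Docker's CapDrop-then-CapAdd handling and flags containers whose effective set contains one of the called-out capabilities. The inspect records are constructed sample data; `effective_caps` and `audit` are the example's own names, and the only real fields it relies on are `Name` and `HostConfig.CapAdd`/`HostConfig.CapDrop` as reported by `docker inspect`.

```python
import json

# Capabilities Docker grants by default (the benchmark's "Default Value" list).
DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "MKNOD",
    "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP", "SETUID", "SYS_CHROOT",
})
# Capabilities the benchmark says a container process usually does not need.
RISKY_CAPS = frozenset({"NET_ADMIN", "SYS_ADMIN", "SYS_MODULE"})


def normalize(cap):
    """Docker may report 'CAP_SYS_ADMIN' or 'SYS_ADMIN'; compare without the prefix."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def effective_caps(host_config):
    """Model Docker's handling: start from the defaults, apply CapDrop, then CapAdd (adds win,
    so `--cap-drop=ALL --cap-add=X` yields just X). 'ALL' in CapAdd is kept as a marker
    because this check does not need the full kernel capability list."""
    add = {normalize(c) for c in (host_config.get("CapAdd") or [])}
    drop = {normalize(c) for c in (host_config.get("CapDrop") or [])}
    caps = set() if "ALL" in drop else set(DEFAULT_CAPS) - drop
    if "ALL" in add:
        return {"ALL"}
    return caps | add


def audit(inspect_json):
    """Take the JSON text printed by `docker inspect <container>...` and return
    {container name: sorted risky caps} for every container whose effective set
    contains a called-out capability (or ALL)."""
    findings = {}
    for c in json.loads(inspect_json):
        caps = effective_caps(c.get("HostConfig", {}))
        risky = {"ALL"} if "ALL" in caps else caps & RISKY_CAPS
        if risky:
            findings[c["Name"].lstrip("/")] = sorted(risky)
    return findings


# Constructed sample resembling `docker inspect` output (only the fields this check reads).
SAMPLE = json.dumps([
    {"Name": "/web", "HostConfig": {"CapAdd": ["NET_ADMIN", "SYS_ADMIN"], "CapDrop": None}},
    {"Name": "/db", "HostConfig": {"CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"]}},
    {"Name": "/batch", "HostConfig": {"CapAdd": None, "CapDrop": ["SETUID", "SETGID"]}},
])

if __name__ == "__main__":
    print(audit(SAMPLE))  # {'web': ['NET_ADMIN', 'SYS_ADMIN']}
```

Pipe the real output of `docker inspect $(docker ps -q)` into `audit` to review every running container; a container that appears in the findings should have the listed capability removed from its run configuration unless it is explicitly required.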

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(4)

Plugin: Unix

Control ID: 901de260a248a7caf6e85538a538fc64a9087de723c98fabc10025215df766cb