4.8 Ensure setuid and setgid permissions are removed in the images

Information

Removing setuid and setgid permissions in the images would prevent privilege escalation attacks in the containers.
Rationale:
setuid and setgid permissions could be used for elevating privileges. While these permissions are at times legitimately needed, they could potentially be used in privilege escalation attacks. Thus, you should consider dropping these permissions for the packages within the images that do not need them.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Allow setuid and setgid permissions only on executables which need them. You could remove these permissions during build time by adding the following command in your Dockerfile, preferably towards the end of the Dockerfile:
RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true
Impact:
The above command breaks all executables that depend on setuid or setgid permissions, including the legitimate ones. Modify the command to suit your requirements so that it does not drop the permissions of legitimate programs. This requires a careful examination of each executable and fine-tuning of the permissions.
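Added example (not part of the benchmark text): one way to adapt the command in the Solution so that an allowlist of executables keeps its setuid/setgid bits while everything else is stripped. The function names strip_suid and demo, the --demo switch and the sample file names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the benchmark text.
# strip_suid ROOT [KEEP ...]
# Clears setuid/setgid on every regular file under ROOT except the exact
# paths listed as KEEP, and prints "kept <path>" or "stripped <path>".
strip_suid() {
    root=$1
    shift
    # -xdev keeps find on ROOT's filesystem, so /proc and /sys are skipped.
    # -perm /6000 matches a file with setuid (4000) or setgid (2000) set.
    find "$root" -xdev -type f -perm /6000 2>/dev/null |
    while IFS= read -r path; do
        keep=no
        for allowed in "$@"; do
            if [ "$path" = "$allowed" ]; then keep=yes; fi
        done
        if [ "$keep" = yes ]; then
            echo "kept $path"
        else
            chmod a-s "$path" && echo "stripped $path"
        fi
    done
}

# Constructed sample tree: two setuid files, one of them allowlisted.
# The report goes to stderr; the directory created is printed on stdout.
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin"
    touch "$dir/usr/bin/su" "$dir/usr/bin/legacy-tool" "$dir/usr/bin/ls"
    chmod 4755 "$dir/usr/bin/su" "$dir/usr/bin/legacy-tool"
    chmod 0755 "$dir/usr/bin/ls"
    strip_suid "$dir" "$dir/usr/bin/su" >&2
    echo "$dir"
}

# Run the demo only when asked: sh strip_suid.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

In an image build the same function would be called with / as ROOT and the reviewed list of executables as KEEP; the "stripped" lines in the build log then record exactly which files lost their bits.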


Default Value:
Not Applicable

See Also

https://workbench.cisecurity.org/files/1726