5.3 Ensure that Linux kernel capabilities are restricted within containers

Information

By default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that a process can be granted only the specific capabilities it requires instead of being given root access. With Linux kernel capabilities in use, processes in general do not need to run as the root user.

Rationale:

Docker supports the addition and removal of capabilities. You should remove all capabilities not required for the correct function of the container.

Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

You should execute the command below to add required capabilities:

docker run --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

You should execute the command below to remove unneeded capabilities:

docker run --cap-drop={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

Alternatively, you could remove all the currently configured capabilities and then restore only the ones you specifically use:

docker run --cap-drop=all --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>
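The following audit script is an added example and is not part of the CIS benchmark or the Nessus plugin. It reads each container's CapAdd/CapDrop settings in the form docker inspect renders them and flags containers that keep NET_RAW or add capabilities outside an allowlist; DEFAULT_CAPS mirrors the Default Value list below, while ALLOWED_EXTRA and the sample container lines are constructed assumptions.

```shell
# Added example (not from the CIS benchmark or Nessus): audit containers' capability settings.
# Docker's default capability set, as listed under "Default Value".
DEFAULT_CAPS="AUDIT_WRITE CHOWN DAC_OVERRIDE FOWNER FSETID KILL MKNOD \
NET_BIND_SERVICE NET_RAW SETFCAP SETGID SETPCAP SETUID SYS_CHROOT"
# Extra capabilities a workload may add (assumption; set per environment).
ALLOWED_EXTRA="SYS_TIME"
# check_container NAME CAPADD CAPDROP. CAPADD/CAPDROP are the Go-template renderings from
# docker inspect, e.g. "[NET_ADMIN SYS_TIME]" or "[]". Prints one line per finding; returns 1 if non-compliant.
check_container() {
    name=$1; rc=0; drops_all=0; net_raw_dropped=0
    add=$(printf '%s' "$2" | tr -d '[]')
    drop=$(printf '%s' "$3" | tr -d '[]')
    for c in $drop; do
        case ${c#CAP_} in
            all|ALL) drops_all=1 ;;
            NET_RAW) net_raw_dropped=1 ;;
        esac
    done
    if [ "$drops_all" -eq 0 ] && [ "$net_raw_dropped" -eq 0 ]; then
        echo "$name: NET_RAW is in the default set and was not dropped"; rc=1
    fi
    for c in $add; do
        c=${c#CAP_}; ok=0
        if [ "$c" = NET_RAW ]; then
            echo "$name: explicitly adds NET_RAW"; rc=1; continue
        fi
        for a in $DEFAULT_CAPS $ALLOWED_EXTRA; do
            if [ "$c" = "$a" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then
            echo "$name: adds capability $c outside the allowlist"; rc=1
        fi
    done
    return $rc
}
# audit_lines: reads "name|CapAdd|CapDrop" lines on stdin; exit status is the
# number of non-compliant containers (fine for fewer than 256).
audit_lines() {
    bad=0
    while IFS='|' read -r n a d; do
        if ! check_container "$n" "$a" "$d"; then bad=$((bad + 1)); fi
    done
    return $bad
}
# Constructed sample lines in the docker inspect format (see the usage note for live use).
SAMPLE='/web|[]|[NET_RAW]
/dns|[NET_ADMIN]|[]
/app|[NET_BIND_SERVICE NET_RAW]|[all]'
printf '%s\n' "$SAMPLE" | audit_lines || echo "non-compliant containers: $?"
```

Against a live daemon, feed it `docker ps -q | xargs docker inspect --format '{{.Name}}|{{.HostConfig.CapAdd}}|{{.HostConfig.CapDrop}}' | audit_lines`.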

Impact:

Restrictions on processes within a container are based on which Linux capabilities are in force. Removal of the NET_RAW capability prevents the container from creating raw sockets, which is good security practice under most circumstances, but may affect some networking utilities.

Default Value:

By default, the capabilities below are applied to containers:

AUDIT_WRITE
CHOWN
DAC_OVERRIDE
FOWNER
FSETID
KILL
MKNOD
NET_BIND_SERVICE
NET_RAW
SETFCAP
SETGID
SETPCAP
SETUID
SYS_CHROOT

See Also

https://workbench.cisecurity.org/files/2433

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(4), CSCv6|5.1

Plugin: Unix

Control ID: d2f5b056094fc199ee17e20a617068c8a93ee4c7029899486e556ed3fc50a6b3