Information
By default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.
Rationale:
Docker supports the addition and removal of capabilities. You should remove all capabilities not required for the correct function of the container.
Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.
Impact:
Restrictions on processes within a container are based on which Linux capabilities are in force.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
You should execute the command below to add required capabilities:
docker run --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>
You should execute the command below to remove unneeded capabilities:
docker run --cap-drop={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>
Alternatively, you could remove all the currently configured capabilities and then restore only the ones you specifically use:
docker run --cap-drop=all --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>
Note that some settings also can be configured using the --sysctl option, reducing the need for container capabilities even further. This includes unprivileged ICMP echo sockets without NET_RAW and allow opening any port less than 1024 without NET_BIND_SERVICE.
Adding and removing capabilities are also possible when the docker service command is used:
docker service create --cap-drop=all --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>
Default Value:
By default, the capabilities below are applied to containers:
AUDIT_WRITE
CHOWN
DAC_OVERRIDE
FOWNER
FSETID
KILL
MKNOD
NET_BIND_SERVICE
NET_RAW
SETFCAP
SETGID
SETPCAP
SETUID
SYS_CHROOT