5.4 Ensure that Linux kernel capabilities are restricted within containers

Information

By default, Docker starts containers with a restricted set of Linux kernel capabilities. This means that any process can be granted the required capabilities instead of giving it root access. Using Linux kernel capabilities, processes in general do not need to run as the root user.

Rationale:

Docker supports the addition and removal of capabilities. You should remove all capabilities not required for the correct function of the container.

Specifically, in the default capability set provided by Docker, the NET_RAW capability should be removed if not explicitly required, as it can give an attacker with access to a container the ability to create spoofed network traffic.

Impact:

Restrictions on processes within a container are based on which Linux capabilities are in force.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

You should execute the command below to add required capabilities:

docker run --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

You should execute the command below to remove unneeded capabilities:

docker run --cap-drop={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

Alternatively, you could remove all the currently configured capabilities and then restore only the ones you specifically use:

docker run --cap-drop=all --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

Note that some settings also can be configured using the --sysctl option, reducing the need for container capabilities even further. This includes unprivileged ICMP echo sockets without NET_RAW and allow opening any port less than 1024 without NET_BIND_SERVICE.
Adding and removing capabilities are also possible when the docker service command is used:

docker service create --cap-drop=all --cap-add={'Capability 1','Capability 2'} <Run arguments> <Container Image Name or ID> <Command>

Default Value:

By default, the capabilities below are applied to containers:

AUDIT_WRITE

CHOWN

DAC_OVERRIDE

FOWNER

FSETID

KILL

MKNOD

NET_BIND_SERVICE

NET_RAW

SETFCAP

SETGID

SETPCAP

SETUID

SYS_CHROOT

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|5.2

Plugin: Unix

Control ID: 8e77ba3c1e9497a291932b656b344a2b2f250c75944767211be128317b8e0a87