DKER-EE-001950 - Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.

Information

By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. It means that any process may be granted the required capabilities instead of root access. Using Linux Kernel Capabilities, the processes do not have to run as root for almost all the specific areas where root privileges are usually needed. Docker supports the addition and removal of capabilities, allowing the use of a non-default profile. This may make Docker more secure through capability removal, or less secure through the addition of capabilities. It is thus recommended to remove all capabilities except those explicitly required for the user's container process.

By default, below capabilities are available for Linux containers:

AUDIT_WRITE
CHOWN
DAC_OVERRIDE
FOWNER
FSETID
KILL
MKNOD
NET_BIND_SERVICE
NET_RAW
SETFCAP
SETGID
SETPCAP
SETUID
SYS_CHROOT

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Document the required Kernel Capabilities for each container in the SSP. Only add needed capabilities when running containers.

via CLI:

Linux: Execute the below command to add needed capabilities:

$> docker run --cap-add={'Capability 1','Capability 2'}

Execute the below command to drop unneeded capabilities:

$> docker run --cap-drop={'Capability 1','Capability 2'}

The user may also choose to drop all capabilities and add only add the needed ones as per the SSP:

$> docker run --cap-drop=all --cap-add={'Capability 1','Capability 2'}

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-Unix_V2R2_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-235801r960963_rule, STIG-ID|DKER-EE-001950, STIG-Legacy|SV-104775, STIG-Legacy|V-95637, Vuln-ID|V-235801

Plugin: Unix

Control ID: cc69a528ff62b5cb31408b3e63a5f4b6ed7400463fa82db313c59ec64b7efeb1