Details

Using the –privileged flag gives all Linux Kernel Capabilities to the container thus overwriting the –cap-add and –cap-drop flags. Ensure that it is not used.

Rationale:

The –privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.

Solution

Do not run container with the –privileged flag.
For example, do not start a container as below:
docker run –interactive –tty –privileged centos /bin/bash
Impact:
Linux Kernel Capabilities other than defaults would not be available for use within container.
Default Value:
False.

Supportive Information

The following resource is also helpful.

• https://workbench.cisecurity.org/files/1726https://workbench.cisecurity.org/files/1726

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.This control applies to the following type of system Unix.

References

• 800-53|AC-6(4)
• CSCv6|5.1

Source

• Tenable.com/audits