CIS Docker 1.12.0 V1.0.0 L1 Docker

Restrict Linux Kernel Capabilities within containers

Details

By default, Docker starts containers with a restricted set of Linux kernel capabilities. Capabilities split the privileges of the root user into distinct units, so a process can be granted only the specific capabilities it needs instead of full root access. For almost all of the specific operations where root privileges are traditionally required, a process therefore does not have to run as root. A process that does run as root inside a container is still confined to the container's capability set, which is what limits what a compromised root-in-container process can do to the host.

Docker supports adding and removing capabilities, allowing a non-default profile. This can make a container more secure (by removing capabilities) or less secure (by adding them). It is therefore recommended to drop all capabilities except those explicitly required by your container process.

For example, the following capabilities are usually not needed by a container process:

NET_ADMIN

SYS_ADMIN

SYS_MODULE

SYS_ADMIN in particular covers so many operations (mounting filesystems, many namespace and device controls) that granting it is close to running the container as root, and SYS_MODULE allows loading kernel modules, which affects the whole host.

Solution

To add needed capabilities, execute the following command:

$> docker run --cap-add={'Capability 1','Capability 2'} <Image Name or ID>

For example,

docker run --interactive --tty --cap-add={'NET_ADMIN','SYS_ADMIN'} centos:latest /bin/bash

To drop unneeded capabilities, execute the following command:

$> docker run --cap-drop={'Capability 1','Capability 2'} <Image Name or ID>

For example,

docker run --interactive --tty --cap-drop={'SETUID','SETGID'} centos:latest /bin/bash

Alternatively, you may choose to drop all capabilities and add only the ones that are needed:

$> docker run --cap-drop=all --cap-add={'Capability 1','Capability 2'} <Image Name or ID>

For example,

docker run --interactive --tty --cap-drop=all --cap-add={'NET_ADMIN','SYS_ADMIN'} centos:latest /bin/bash

Note that the --cap-add={'A','B'} form relies on the shell's brace expansion, which turns it into --cap-add=A --cap-add=B before docker sees it; in a shell without brace expansion (plain /bin/sh) or in a Compose or Kubernetes manifest, list the capabilities individually. Note also that --privileged grants the container every capability, so it defeats this control.

Impact

Based on which capabilities were added or dropped, the corresponding restrictions apply inside the container: any operation that requires a dropped capability fails with EPERM, even for a process running as root. For example, dropping NET_RAW breaks tools that need raw sockets such as tcpdump, dropping CHOWN breaks entrypoint scripts that chown data directories, and dropping SETUID and SETGID prevents a root entrypoint from switching to an unprivileged user with su or gosu. Test the workload after changing the set.

Default Value

By default, the following capabilities are available to containers:

AUDIT_WRITE
CHOWN
DAC_OVERRIDE
FOWNER
FSETID
KILL
MKNOD
NET_BIND_SERVICE
NET_RAW
SETFCAP
SETGID
SETPCAP
SETUID
SYS_CHROOT
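The script below is an added example and is not part of the CIS benchmark text. It decodes the CapEff bitmask that /proc/<pid>/status reports so you can verify, from inside a container, that the capability set you configured is the set the process actually has; it compares that set against the Docker default set listed above; and it builds the --cap-drop=all/--cap-add form of the recipe without depending on bash brace expansion. The capability bit numbers come from the kernel's include/uapi/linux/capability.h, and the mask 00000000a80425fb is the bitmask derived from the 14 default capabilities above. The function names (decode_caps, extra_caps, current_caps, cap_args) and the masks used in the comments are my own choices, not Docker's or CIS's.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): inspect and reason about the
# capability set a container process really has.
#
# Bit numbers follow the kernel's include/uapi/linux/capability.h
# (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40). Older kernels simply never
# set the higher bits, so those names are never printed for them.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW \
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT \
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE \
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM \
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# Docker's default set (the 14 capabilities listed in Default Value) as the
# CapEff/CapBnd value it appears as in /proc/<pid>/status. Derived here by
# summing the bits; it is not quoted from Docker documentation.
DOCKER_DEFAULT_MASK=00000000a80425fb

# decode_caps HEXMASK  -> capability names for every set bit, lowest bit first
decode_caps() {
  dc_mask=$(( 0x$1 ))
  dc_bit=0
  dc_out=""
  for dc_name in $CAP_NAMES; do
    if [ $(( (dc_mask >> dc_bit) & 1 )) -eq 1 ]; then
      dc_out="$dc_out $dc_name"
    fi
    dc_bit=$(( dc_bit + 1 ))
  done
  printf '%s\n' "${dc_out# }"
}

# extra_caps HEXMASK  -> names present in HEXMASK that are NOT in Docker's
# default set. Anything printed here came from --cap-add or --privileged.
extra_caps() {
  decode_caps "$(printf '%x' $(( 0x$1 & ~0x$DOCKER_DEFAULT_MASK )))"
}

# current_caps  -> decode CapEff of the calling shell. Run this inside the
# container (as its entrypoint, or via docker exec); fails outside Linux.
current_caps() {
  [ -r /proc/self/status ] || return 1
  decode_caps "$(awk '/^CapEff:/ { print $2 }' /proc/self/status)"
}

# cap_args NAME...  -> "--cap-drop=all --cap-add=NAME ..." for docker run.
# Same result as the benchmark's --cap-add={'A','B'} form, which only works
# in shells that do brace expansion (bash, zsh); this works in any shell and
# in tooling that assembles the argument list itself.
cap_args() {
  ca_args="--cap-drop=all"
  for ca_name in "$@"; do
    ca_args="$ca_args --cap-add=$ca_name"
  done
  printf '%s\n' "$ca_args"
}

# Example: a web server that only needs to bind port 80 and fix ownership of
# its data directory (hypothetical workload; docker is not invoked here):
#   docker run --rm -it $(cap_args NET_BIND_SERVICE CHOWN) centos:latest /bin/bash
# Inside that container, `current_caps` prints "CHOWN NET_BIND_SERVICE".
```

To audit a running container, feed the CapEff value from `docker exec <container> grep CapEff /proc/self/status` to decode_caps; if extra_caps prints anything, some run script, Compose file or --privileged flag added capabilities beyond the default. Where libcap is installed, `capsh --decode=<hexmask>` performs the same decoding.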

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Access Control.

This control applies to the following type of system: Unix.

Updated on July 16, 2022