Restrict Linux Kernel Capabilities within containers

Details

https://docs.docker.com/articles/security/#linux-kernel-capabilities

Solution

Execute the below command to add needed capabilities:
$> docker run --cap-add={'Capability 1','Capability 2'}

For example,
$> docker run --cap-add={'NET_ADMIN','SYS_ADMIN'} -i -t centos-latest /bin/bash

Execute the below command to drop unneeded capabilities:
$> docker run --cap-drop={'Capability 1','Capability 2'}

For example,
$> docker run --cap-drop={'SETUID','SETGID'} -i -t centos-latest /bin/bash

Impact: Depending on which Linux kernel capabilities were added or dropped, the corresponding restrictions apply to processes within the container.

Default Value: By default, the following capabilities are available to containers:
CHOWN
DAC_OVERRIDE
FOWNER
FSETID
KILL
MKNOD
NET_BIND_SERVICE
NET_RAW
SETFCAP
SETGID
SETPCAP
SETUID
SYS_CHROOT
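As an added illustration (not part of the CIS benchmark text or of Docker's own tooling), the script below shows the least-privilege form of the commands above, dropping everything with --cap-drop=ALL and adding back only the named capabilities, and a helper that decodes the CapEff mask a process reports in /proc/self/status into capability names, so you can confirm from inside a running container which capabilities it actually holds. The capability-to-bit mapping is the kernel's standard numbering; the sample mask 00000000a80425fb is a constructed value corresponding to exactly the 14-capability default set listed above. The brace form in the benchmark relies on bash brace expansion; cap_args avoids that by emitting one --cap-add flag per capability.

```shell
#!/bin/sh
# Added example (not from the CIS page): build a least-privilege capability
# argument list for `docker run`, and decode a CapEff mask to verify the result.

# Capability names indexed by kernel bit number (CAP_* with the prefix removed).
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF \
CHECKPOINT_RESTORE"

# cap_args NAME... -> prints "--cap-drop=ALL --cap-add=NAME ..." so the container
# starts with no capabilities and gets back only the ones explicitly listed.
cap_args() {
    out="--cap-drop=ALL"
    for c in "$@"; do
        out="$out --cap-add=$c"
    done
    printf '%s\n' "$out"
}

# decode_capeff HEXMASK -> space-separated names of the capabilities set in the
# mask, in bit order. Uses only shell arithmetic, so it works inside a minimal
# container image that has neither capsh nor getpcaps installed.
decode_capeff() {
    mask=$((0x$1))
    i=0
    names=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            names="${names:+$names }$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$names"
}

# current_capeff -> the effective capability mask of this shell, as reported by
# the kernel. Run it inside the container to see what the run flags produced.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Demonstration with a constructed mask: this is the value a default Docker
# container reports, and it decodes to the 14 default capabilities.
echo "default set: $(decode_capeff 00000000a80425fb)"
echo "web server flags: $(cap_args NET_BIND_SERVICE CHOWN SETUID SETGID)"
```

Typical use is to start a container with the flags printed by cap_args, for example `docker run $(cap_args NET_BIND_SERVICE) -it IMAGE /bin/sh` (IMAGE is a placeholder), then run `decode_capeff "$(current_capeff)"` inside it; the output should list only what you added back, and anything unexpected (SYS_ADMIN, NET_ADMIN, SYS_PTRACE) is a sign that the run flags or the orchestrator's defaults are broader than intended.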

Supportive Information

This security hardening control falls under the following category of controls within NIST 800-53: Access Control. It applies to the following type of system: Unix.

Updated on July 16, 2022