Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-95667 | DKER-EE-002110 | SV-104805r1_rule | | High |
Description |
---|
Restrict the container from acquiring additional privileges via suid or sgid bits. A process can set the no_new_priv bit in the kernel; it persists across fork, clone, and execve. The no_new_priv bit ensures that neither the process nor its child processes gain additional privileges via suid or sgid bits. Many otherwise dangerous operations become far less dangerous because there is no way to subvert a privileged binary. no_new_priv also prevents LSMs such as SELinux from transitioning to process labels that have access not allowed to the current process. By default, new privileges are not restricted. |
STIG | Date |
---|---|
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide | 2019-09-13 |
Check Text (C-94495r1_chk) |
---|
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster. Ensure all containers are restricted from acquiring additional privileges. Via CLI (Linux): as a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle: `docker ps --quiet --all | xargs -L 1 docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'` The above command should return all the security options currently configured for each container, and `no-new-privileges` should also be one of them. If it is, then this is a finding. |
Fix Text (F-101333r1_fix) |
---|
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system. Start the containers as below: `docker run --rm -it --security-opt=no-new-privileges` A reference for the `docker run` command can be found at https://docs.docker.com/engine/reference/run/. |
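The check above leaves the operator to eyeball one `SecurityOpt=[...]` line per container. The script below is an added example, not part of the STIG or of Docker's own tooling: it parses the lines produced by the STIG's `docker inspect` format string and lists every container whose security options do not set `no-new-privileges`, which is the condition the Description and the Fix require. It assumes the exact format string from the check (so Go renders the option slice as a space-separated list in brackets, and an empty slice as `[]`), and the sample output it runs against is constructed, standing in for a live `docker ps --quiet --all | xargs -L 1 docker inspect ...` pipeline.

```shell
#!/bin/sh
# Added example, not part of the STIG text: parse the per-container
# "<id>: SecurityOpt=[...]" lines that the STIG's docker inspect format string
# prints and report containers that do not carry no-new-privileges.
# Assumption: the inspect format is exactly
#   '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'
# so each line holds a space-separated option list in brackets ("[]" if empty).

# Constructed sample standing in for live output of
#   docker ps --quiet --all | xargs -L 1 docker inspect --format '...'
SAMPLE_INSPECT_OUTPUT='aaaa1111: SecurityOpt=[no-new-privileges]
bbbb2222: SecurityOpt=[]
cccc3333: SecurityOpt=[seccomp=unconfined no-new-privileges:true]
dddd4444: SecurityOpt=[label=disable]
eeee5555: SecurityOpt=[no-new-privileges:false]'

# is_compliant_opts OPTS: exit 0 if the space-separated option list OPTS sets
# no-new-privileges. Docker accepts the bare key and an explicit ":true";
# an explicit ":false" leaves the bit unset, so it counts as non-compliant.
is_compliant_opts() {
    for opt in $1; do
        case "$opt" in
            no-new-privileges|no-new-privileges:true) return 0 ;;
        esac
    done
    return 1
}

# list_findings: read inspect lines on stdin and print the ID of every
# container whose SecurityOpt lacks no-new-privileges, one per line.
# Lines that do not match the expected format are skipped.
list_findings() {
    while IFS= read -r line; do
        case "$line" in
            *"SecurityOpt=["*"]"*) ;;
            *) continue ;;
        esac
        id=${line%%:*}                 # text before the first colon is the ID
        opts=${line#*SecurityOpt=}     # "[opt1 opt2 ...]"
        opts=${opts#?}                 # strip leading "["
        opts=${opts%?}                 # strip trailing "]"
        is_compliant_opts "$opts" || printf '%s\n' "$id"
    done
}

# count_findings: number of non-compliant containers in the stdin lines.
count_findings() {
    list_findings | wc -l | tr -d ' '
}

# Demo against the constructed sample. On a live node, pipe the STIG's
# docker inspect command into list_findings instead of the sample.
printf '%s\n' "$SAMPLE_INSPECT_OUTPUT" | list_findings
```

On the constructed sample the script reports `bbbb2222`, `dddd4444` and `eeee5555`: the first two never set the option, and the third sets it explicitly to false, which Docker treats the same as not setting it. Containers started with the Fix's `--security-opt=no-new-privileges` show up with the bare key and are not reported.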