Use of privileged Linux containers must be limited to system containers.

An XCCDF Rule

Description

<VulnDiscussion>Using the --privileged flag gives all Linux Kernel Capabilities to the container, thus overwriting the --cap-add and --cap-drop flags. The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. Any container that requires this privilege must be documented and approved.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260940r966177_rule
Severity: Medium
References: CCI-002233
Updated: 19 days ago

When using Kubernetes orchestration, this check is Not Applicable. 

Review and remove nonsystem containers previously created by these users that allowed privileged execution using:

docker container rm [container]

Use of privileged Linux containers must be limited to system containers.

Description

Remediation - Manual Procedure