Limit Containers Ability to Escalate Privileges

An XCCDF Rule

Details
Profiles

Description

Containers should be limited to only the privileges required to run and should not be allowed to escalate their privileges. To prevent containers from escalating privileges, the appropriate Security Context Constraints (SCCs) should set allowPrivilegeEscalation to false.

Rationale

Privileged containers have access to more of the Linux Kernel capabilities and devices. If a privileged container were compromised, an attacker would have full access to the container and host.

ID: xccdf_org.ssgproject.content_rule_scc_limit_privilege_escalation
Severity: Medium
References: CIP-003-8 R6 CIP-004-6 R3 CIP-007-3 R6.1

CM-6 CM-6(1)

Req-2.2

5.2.5

CCE-83447-3

SRG-APP-000516-CTR-001325

APP.4.4.A9

2.2 2.2.1
Updated: over 1 year ago