Privileged Linux containers must not be used for Docker Enterprise.

An XCCDF Rule

Description

<VulnDiscussion>Using the --privileged flag gives all Linux Kernel Capabilities to the container thus overwriting the --cap-add and --cap-drop flags. Ensure that it is not used. The --privileged flag gives all capabilities to the container, and it also lifts all the limitations enforced by the device cgroup controller. In other words, the container can then do almost everything that the host can do. This flag exists to allow special use-cases, like running Docker within Docker.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-235802r672378_rule
Severity: Medium
References: CCI-000381
Updated: about 1 year ago

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Do not run containers with the --privileged flag.

For example, do not start a container as below:
docker run --interactive --tty --privileged centos /bin/bash

Privileged Linux containers must not be used for Docker Enterprise.

Description

Remediation - Manual Procedure