Docker Enterprise exec commands must not be used with privileged option.
An XCCDF Rule
Description
<VulnDiscussion>Do not use docker exec with --privileged option. Using --privileged option in docker exec gives extended Linux capabilities to the command. Do not run docker exec with the --privileged option, especially when running containers with dropped capabilities or with enhanced restrictions. By default, docker exec command runs without --privileged option.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-235813r627566_rule
- Severity
- High
- References
- Updated
Remediation - Manual Procedure
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.
Do not use --privileged option in docker exec command.
A reference for the docker exec command can be found at https://docs.docker.com/engine/reference/commandline/exec/.