All Docker Enterprise containers must be restricted from acquiring additional privileges.

An XCCDF Rule

Description

<VulnDiscussion>Restrict the container from acquiring additional privileges via suid or sgid bits. A process can set the no_new_priv bit in the kernel. It persists across fork, clone, and execve. The no_new_priv bit ensures that the process or its children processes do not gain any additional privileges via suid or sgid bits. This way a lot of dangerous operations become a lot less dangerous because there is no possibility of subverting privileged binaries. no_new_priv prevents LSMs like SELinux from transitioning to process labels that have access not allowed to the current process. By default, new privileges are not restricted.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-235816r672380_rule
Severity: High
References: CCI-000381
Updated: about 1 year ago

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Start the containers as below:

docker run --rm -it --security-opt=no-new-privileges <image>
A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.

All Docker Enterprise containers must be restricted from acquiring additional privileges.

Description

Remediation - Manual Procedure