Unnecessary Capabilities

A container by default may run with a number of unnecessary capabilities. Linux capabilities enable a subset of the available root privileges to a process. This increases the container attack surface.

Remediation

Carefully review the following default container capabilities and remove unnecessary ones.

[source]

"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
Source: https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19

Metadata

Severity: low
Slug: unnecessary-capabilities

CWEs

272: Least Privilege Violation
269: Improper Privilege Management

OWASP

A04:2021: Insecure Design
A05:2021: Security Misconfiguration

Available Labs

Open Container labs in SecDim Play for this vulnerability.

easy

Capabilities.df

Other Easy Container Signature

Play AppSec WarGames

Want to skill-up in secure coding and AppSec? Try SecDim Wargames to learn how to find, hack and fix security vulnerabilities inspired by real-world incidents.

For Companies Play Now

Got a comment?

Join our secure coding and AppSec community. A discussion board to share and discuss all aspects of secure programming, AppSec, DevSecOps, fuzzing, cloudsec, AIsec code review, and more.