v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/docker_compliance
Overview
1Dashboards
88Controls
88Queries
2Variables
GitHub

Control: 5.26 Ensure that the container is restricted from acquiring additional privileges

Description

You should restrict the container from acquiring additional privileges via suid or sgid bits.

A process can set the no_new_priv bit in the kernel and this persists across forks, clones and execve. The no_new_priv bit ensures that the process and its child processes do not gain any additional privileges via suid or sgid bits. This reduces the danger associated with many operations because the possibility of subverting privileged binaries is lessened.

Remediation

You should start your container with the options below:

docker run --rm -it --security-opt=no-new-privileges ubuntu bash

Default Value

By default, new privileges are not restricted.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_26

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_26 --share

SQL

This control uses a named query:

docker_container_no_new_privileges

Tags

category = Compliance
cis = true
cis_item_id = 5.26
cis_level = 5
cis_section_id = 5
cis_type = manual
cis_version = v1.6.0
plugin = docker
service = Docker