Control: 5.5 Ensure that privileged containers are not used
Description
Using the --privileged flag provides all Linux kernel capabilities to the container to which it is applied and therefore overwrites the --cap-add and --cap-drop flags. For this reason you should ensure that it is not used.
The --privileged flag provides all capabilities to the container to which it is applied, and also lifts all the limitations enforced by the device cgroup controller. As a consequence this the container has most of the rights of the underlying host. This flag only exists to allow for specific use cases (for example running Docker within Docker) and should not generally be used.
Remediation
You should not run containers with the --privileged flag. For example, do not start a container using the command below:
docker run --interactive --tty --privileged centos /bin/bashDefault Value
False.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_5_5Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_5_5 --shareSQL
This control uses a named query:
docker_container_privileged