turbot/steampipe-mod-docker-compliance

Control: 5.23 Ensure that docker exec commands are not used with the privileged option

Description

You should not use docker exec with the --privileged option.

Using the --privileged option in docker exec commands gives extended Linux capabilities to the command. This can be an insecure practice, particularly when you are running containers with reduced capabilities or with enhanced restrictions.

Remediation

You should not use the --privileged option in docker exec commands.

Default Value

By default, the docker exec command runs without the --privileged option.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_5_23

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_5_23 --share

SQL

This control uses a named query:

with os_output as (
  select
    btrim(stdout_output, E' \n\r\t') as os,
    _ctx ->> 'connection_name' as os_conn
  from
    exec_command
  where
    command = 'uname -s'
), hostname as (
  select
    btrim(stdout_output, E' \n\r\t') as host,
    _ctx ->> 'connection_name' as host_conn,
    _ctx
  from
    exec_command
  where
    command = 'hostname'
),
linux_output as (
  select
    stdout_output,
    _ctx ->> 'connection_name' as conn
  from
    exec_command,
    os_output
  where
    os_conn = _ctx ->> 'connection_name'
    and command = 'sudo -n ausearch -k docker | grep exec | grep privileged'
)
select
  host as resource,
  case
    when os.os ilike '%Darwin%' then 'skip'
    when o.stdout_output = '' then 'ok'
    else 'alarm'
  end as status,
  case
    when os.os ilike '%Darwin%' then host || ' ausearch command not supported on ' || os.os || ' OS.'
    when o.stdout_output = '' then host || ' Docker exec commands are not used with the privileged option.'
    else host || ' Docker exec commands are used with the privileged option.'
  end as reason
  , h._ctx ->> 'connection_name' as connection_name
from
  hostname as h,
  os_output as os,
  linux_output as o
where
  os.os_conn = h.host_conn
  and h.host_conn = o.conn;
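
The control's command filters raw audit lines with grep exec | grep privileged, which matches any line containing both words. As an added example (not part of this mod), the shell function below instead parses EXECVE records and reports only docker exec invocations whose own options include --privileged. The sample records are constructed, and the parser assumes option values are passed as separate tokens and that no global docker options precede exec.

```shell
#!/usr/bin/env bash
# Added example: constructed EXECVE records in the raw format printed by ausearch.
sample_audit_records() {
  cat <<'EOF'
type=EXECVE msg=audit(1700000001.101:501): argc=5 a0="docker" a1="exec" a2="--privileged" a3="web" a4="sh"
type=EXECVE msg=audit(1700000002.202:502): argc=4 a0="docker" a1="exec" a2="web" a3="ls"
type=EXECVE msg=audit(1700000003.303:503): argc=6 a0="docker" a1="run" a2="--privileged" a3="--name" a4="exec-runner" a5="alpine"
type=EXECVE msg=audit(1700000004.404:504): argc=6 a0="/usr/bin/docker" a1="exec" a2="-it" a3="--privileged=true" a4="db" a5="bash"
type=EXECVE msg=audit(1700000005.505:505): argc=5 a0="docker" a1="exec" a2="web" a3="echo" a4="--privileged"
type=EXECVE msg=audit(1700000006.606:506): argc=7 a0="docker" a1="exec" a2="-u" a3="root" a4="--privileged" a5="web" a6="id"
EOF
}

# The same line filter the control's command applies to ausearch output.
naive_match() { grep exec | grep privileged; }

# Print the audit event stamp of each docker exec run with --privileged.
find_privileged_exec() {
  awk '
  /^type=EXECVE / {
    # Collect a0..aN in order, stripping the surrounding quotes.
    n = 0
    for (i = 1; i <= NF; i++)
      if ($i ~ /^a[0-9]+=/) {
        v = $i; sub(/^a[0-9]+=/, "", v); gsub(/^"|"$/, "", v); arg[n++] = v
      }
    # Only "docker exec ..." is of interest (assumption: no global options first).
    if (n < 2 || arg[0] !~ /(^|\/)docker$/ || arg[1] != "exec") next
    for (i = 2; i < n; i++) {
      # Options end at "--" or at the first non-option token (the container).
      if (arg[i] == "--" || arg[i] !~ /^-/) break
      if (arg[i] ~ /^--privileged(=(1|t|T|true|TRUE|True))?$/) { print $2; next }
      # These docker exec options take a value in the following token.
      if (arg[i] ~ /^(-e|--env|--env-file|-u|--user|-w|--workdir|--detach-keys)$/) i++
    }
  }'
}

# Stand-alone run: prints the stamps of events 501, 504 and 506.
sample_audit_records | find_privileged_exec
```

On the constructed sample, naive_match also returns events 503 (docker run with a container named exec-runner) and 505 (--privileged passed as an argument to the command inside the container).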
