🚀 Join our AI Wargame at Black Hat Asia and our Workshop + Wargame at NDC Sydney .

Unnecessary Capabilities

A container by default may run with a number of unnecessary capabilities. Linux capabilities enable a subset of the available root privileges to a process. This increases the container attack surface.

Remediation

Carefully review the following default container capabilities and remove unnecessary ones.

[source]

"CAP_CHOWN",
"CAP_DAC_OVERRIDE",
"CAP_FSETID",
"CAP_FOWNER",
"CAP_MKNOD",
"CAP_NET_RAW",
"CAP_SETGID",
"CAP_SETUID",
"CAP_SETFCAP",
"CAP_SETPCAP",
"CAP_NET_BIND_SERVICE",
"CAP_SYS_CHROOT",
"CAP_KILL",
"CAP_AUDIT_WRITE",
Source: https://github.com/moby/moby/blob/master/oci/caps/defaults.go#L6-L19

Metadata

  • Severity: low
  • Slug: unnecessary-capabilities

CWEs

  • 272: Least Privilege Violation
  • 269: Improper Privilege Management

OWASP

  • A04:2021: Insecure Design
  • A05:2021: Security Misconfiguration

Available Labs

Open Container labs in SecDim Play for this vulnerability.

Try it yourself

Find, Hack and Fix Your First Vulnerability

Reading about security bugs is one thing — fixing one is how the skill sticks. Play a free challenge from the wargame, no setup required.