setuid and setgid permissions are removed
Set up the docker integration.
Description
Removing setuid and setgid permissions in the images can prevent privilege escalation attacks within containers.
Rationale
setuid and setgid permissions can be used for privilege escalation. Whilst these permissions can on occasion be legitimately needed, you should consider removing them from packages which do not need them. This should be reviewed for each image.
Audit
Run the command below against each image to list the executables which have either setuid or setgid permissions:

    docker run <Image_ID> find / -perm /6000 -type f -exec ls -ld {} \; 2> /dev/null

Review the list and ensure that all executables configured with these permissions actually require them.
Remediation
You should allow setuid and setgid permissions only on executables which require them. You could remove these permissions at build time by adding the following command in your Dockerfile, preferably towards the end of the Dockerfile:

    RUN find / -perm /6000 -type f -exec chmod a-s {} \; || true

Impact
The above command would break all executables that depend on setuid or setgid permissions including legitimate ones. You should therefore be careful to modify the command to suit your requirements so that it does not reduce the permissions of legitimate programs excessively. Because of this, exercise a degree of caution and examine all processes carefully before making this type of modification in order to avoid outages.
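One way to adapt the command so that reviewed executables keep their bits, shown as an added example (not part of the benchmark text). The function name strip_suid, its allowlist arguments and the -xdev option (which keeps find off /proc and other mounts) are assumptions of this sketch; paths containing newlines are not handled.

```shell
#!/bin/sh
# Added example: remove setuid/setgid bits from every regular file under ROOT
# except the absolute paths given as an allowlist.
#
# Usage: strip_suid ROOT [KEEP_PATH ...]
# Prints one line per file found: "kept <path>" or "stripped <path>",
# so the build log records exactly what was changed.
strip_suid() {
    root=$1
    shift
    # -perm /6000 matches files with setuid (4000) or setgid (2000) set,
    # the same test the audit command uses.
    find "$root" -xdev -type f -perm /6000 2>/dev/null |
    while IFS= read -r f; do
        keep=no
        for allowed in "$@"; do
            if [ "$f" = "$allowed" ]; then
                keep=yes
            fi
        done
        if [ "$keep" = yes ]; then
            echo "kept $f"
        else
            # a-s clears both the setuid and the setgid bit.
            chmod a-s "$f"
            echo "stripped $f"
        fi
    done
}

# Example call in an image build (allowlist entry is a placeholder; use the
# executables your own audit showed to need the permission):
#   strip_suid / /path/to/reviewed-binary
```

Running the audit command again after the build confirms that only the allowlisted executables are still listed.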
Default value
Not Applicable
References
- http://container-solutions.com/content/uploads/2015/06/15.06.15_DockerCheatSheet_A2.pdf
- http://man7.org/linux/man-pages/man2/setuid.2.html
- http://man7.org/linux/man-pages/man2/setgid.2.html
CIS controls
Version 6
5.1 Minimize And Sparingly Use Administrative Privileges - Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative privileged functions and monitor for anomalous behavior.