Fetch Control Details

GET /v1.3/controls/{controlId}

Input Parameters

| Parameter | Mandatory/Optional | Data Type | Description |
| --- | --- | --- | --- |
| controlId | Mandatory | string | Specify the ID of the compliance control for which you want to get details. |

Sample: Fetch Control Details

API request

    curl -X GET "<qualys_base_url>/csapi/v1.3/controls/10808" --header "Authorization: Bearer <token>"

Response

    {
        "id": 10808,
        "statement": "Status of the 'cap-drop' flag settings on Docker containers on the host system",
        "criticality": "CRITICAL",
        "comments": "STMT: Status of the 'cap-drop' flag settings on Docker containers on the host system\n\nRAT: Linux Capabilities allows dividing privileges associated with superuser into distinct group of smaller units, known as capabilities.  By default, Docker containers are started with a restricted set of capabilities where each one can be independently enabled and disabled.  This enables the processes running inside a container to perform almost all the specific areas where root privileges are usually needed without having to have them run as root.  Unrestricted Linux capabilities could allow unauthorized access to containers which could potentially lead to attacks such as privilege escalation exploits.  Linux Capabilities on Docker containers should be restricted as appropriate to the needs of the business to have only those that are required for the containers to perform their function.\n\nCIS_Docker_1.11.0_Benchmark_v1.0.0: 5.3 Restrict Linux Kernel Capabilities within containers\nCIS_Docker_1.12.0_Benchmark_v1.0.0: 5.3 Restrict Linux Kernel Capabilities within containers",
        "deprecated": "Control is not deprecated",
        "category": "Access Control Requirements",
        "subCategory": "Authorization (Single-user ACL/role)",
        "technologies": [
            {
                "technologyId": 283,
                "technologyName": "Docker Containers/Images",
                "rational": "Linux Capabilities allows dividing privileges associated with superuser into distinct group of smaller units, known as capabilities.  By default, Docker containers are started with a restricted set of capabilities where each one can be independently enabled and disabled.  This enables the processes running inside a container to perform almost all the specific areas where root privileges are usually needed without having to have them run as root.  Unrestricted Linux capabilities could allow unauthorized access to containers which could potentially lead to attacks such as privilege escalation exploits.  Linux Capabilities on Docker containers should be restricted as appropriate to the needs of the business to have only those that are required for the containers to perform their function.",
                "remediation": "Run the following command to verify that the added and dropped Linux Kernel Capabilities are in line with the ones needed for container process for each container instance.\n# docker ps --quiet | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'\n\nRun the following command to add needed capabilities:\n# docker run --cap-add={\"Capability 1\",\"Capability 2\"} <run-arguments> <container-image-name-or-ID> <command>\n\nFor example,\n# docker run --interactive --tty --cap-add={\"NET_ADMIN\",\"SYS_ADMIN\"} centos:latest /bin/bash\n\nTo drop unneeded capabilities, run the following command:\n# docker run --cap-drop={\"Capability 1\",\"Capability 2\"} <run-arguments> <container-image-name-or-ID> <command>\n\nFor example, \ndocker run --interactive --tty --cap-drop={\"SETUID\",\"SETGID\"} centos:latest /bin/bash\n\nAlternatively, drop all capabilities and add only add only those that are the needed:\n# docker run --cap-drop=all --cap-add={\"Capability 1\",\"Capability 2\"} <run-arguments> <container-image-name-or-ID> <command>\n\nFor example, \ndocker run --interactive --tty --cap-drop=all --cap-add={\"NET_ADMIN\",\"SYS_ADMIN\"} centos:latest /bin/bash"
            }
        ]
    }
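As an added example (not Qualys's own client code), a small Python client that issues the same GET as the curl sample above and then splits the returned `comments` field into its STMT:, RAT: and CIS benchmark-reference parts so a report can map the control back to the benchmark section. The `base_url`/`token` parameters, the helper names and the blank-line layout of `comments` are assumptions; the embedded sample is a shortened copy of the response shown above.

```python
import json
import urllib.request
from urllib.error import HTTPError

def fetch_control(base_url: str, token: str, control_id: int) -> dict:
    """GET /csapi/v1.3/controls/{controlId} with a Bearer token, as in the curl sample."""
    url = f"{base_url.rstrip('/')}/csapi/v1.3/controls/{control_id}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except HTTPError as exc:
        # 401/403 usually mean a bad or expired token, 404 an unknown control id: fail loudly.
        raise RuntimeError(f"control {control_id}: HTTP {exc.code}") from exc

def parse_comments(comments: str) -> dict:
    """Split 'comments' into STMT:, RAT: and CIS references (assumed blank-line separated, as in the sample)."""
    statement, rationale, cis = "", "", []
    for block in comments.split("\n\n"):
        if block.startswith("STMT: "):
            statement = block[len("STMT: "):].strip()
        elif block.startswith("RAT: "):
            rationale = block[len("RAT: "):].strip()
        else:
            for line in block.splitlines():
                if line.startswith("CIS_"):
                    bench, _, section = line.partition(": ")
                    cis.append({"benchmark": bench, "section": section})
    return {"statement": statement, "rationale": rationale, "cis_references": cis}

def summarize_control(control: dict) -> dict:
    """Flatten one control into the fields a compliance report usually needs."""
    return {
        "id": control["id"],
        "criticality": control["criticality"],
        "technologies": [t["technologyName"] for t in control.get("technologies", [])],
        "cis_references": parse_comments(control.get("comments", ""))["cis_references"],
    }

# Constructed sample: a shortened copy of the response above (RAT text abbreviated).
SAMPLE_CONTROL = {
    "id": 10808,
    "criticality": "CRITICAL",
    "comments": "STMT: Status of the 'cap-drop' flag settings on Docker containers on the host system\n\n"
                "RAT: Linux Capabilities allows dividing privileges ...\n\n"
                "CIS_Docker_1.11.0_Benchmark_v1.0.0: 5.3 Restrict Linux Kernel Capabilities within containers\n"
                "CIS_Docker_1.12.0_Benchmark_v1.0.0: 5.3 Restrict Linux Kernel Capabilities within containers",
    "technologies": [{"technologyId": 283, "technologyName": "Docker Containers/Images"}],
}
```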