Setting capabilities can lead to privilege escalation and container escapes.
Linux capabilities allow you to assign narrow slices of root's permissions to processes. A thread holding a capability bypasses the corresponding kernel permission checks for high-privilege actions, such as mounting a device on a directory, without needing full root privileges.
In a container, capabilities may grant access to resources of the host system, which can lead to container escapes. For example, with the SYS_ADMIN capability an attacker might be able to mount host devices inside the container.
Capabilities granted to a process or file should be the minimum necessary for it to function. Assigning unnecessary capabilities increases the attack surface: if the process is compromised, an attacker can use those extra privileges to escalate further or escape a container. This rule detects code that grants Linux capabilities to processes or files, and configurations that add capabilities to containers.
Granting unnecessary capabilities allows an attacker who has compromised a process to perform high-privilege actions beyond the intended scope of that process.
An attacker with access to a process holding unnecessary capabilities can exploit them to modify system resources, mount filesystems, or manipulate kernel parameters that would otherwise require root access.
In containerized environments, capabilities such as SYS_ADMIN can be used to escape the container and access the host system, potentially compromising other workloads and the underlying infrastructure.
Noncompliant: cap_sys_admin grants far more than a single binary should need.

```yaml
- name: Set cap_sys_admin+ep on /usr/bin/example
  community.general.capabilities:
    path: /usr/bin/example
    capability: cap_sys_admin+ep # Noncompliant
    state: present
```
Compliant: only the capability the binary actually needs is granted.

```yaml
- name: Set minimal capability on /usr/bin/example
  community.general.capabilities:
    path: /usr/bin/example
    capability: cap_net_bind_service+ep
    state: present
```
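The `capability:` value the Ansible module takes is the libcap text form (names, an operator, then the flag letters e/i/p), and `getcap -r /` prints the same form for every file on a host. The script below is an added example, not part of the rule description or of the Ansible collection: it parses that text form, handles both output shapes getcap has used across libcap versions, and reports grants of capabilities that amount to root in practice. The high-risk list, the reasons attached to it, and the sample getcap output are constructed for this example.

```python
"""Audit Linux file capabilities for high-risk grants.

Added example: parses the libcap text form used both by the Ansible
community.general.capabilities module (`capability:` value) and by
`getcap -r /` output, and reports grants that are effectively root.
The HIGH_RISK table and SAMPLE_GETCAP are constructed for this example.
"""
import re
import sys

# Capabilities that let a process act as root in all but name. The list and
# the one-line reasons are this example's assumption, not a complete ranking.
HIGH_RISK = {
    "cap_sys_admin": "mount(2) and a large set of admin syscalls; container escape path",
    "cap_sys_module": "loads kernel modules",
    "cap_sys_ptrace": "traces arbitrary processes and reads their memory",
    "cap_sys_rawio": "raw access to disks and I/O ports",
    "cap_dac_override": "bypasses file read/write/execute permission checks",
    "cap_setuid": "switches to any uid, including 0",
    "cap_setgid": "switches to any gid",
    "cap_chown": "changes ownership of any file",
    "cap_net_admin": "reconfigures interfaces, routes and firewall rules",
}

# One libcap clause: comma-separated names, an operator (= + -), then flag
# letters e (effective), i (inheritable), p (permitted). Examples:
#   "cap_net_raw+ep"   "cap_sys_ptrace,cap_dac_override=p"
CLAUSE_RE = re.compile(
    r"^(?P<names>[a-z0-9_]+(?:,[a-z0-9_]+)*)(?P<op>[=+-])(?P<flags>[eip]*)$"
)

# getcap prints one of two shapes depending on the libcap version:
#   "/usr/bin/ping cap_net_raw=ep"      (libcap 2.41 and later)
#   "/usr/bin/ping = cap_net_raw+ep"    (older releases)
GETCAP_LINE_RE = re.compile(r"^(?P<path>\S+)\s+=?\s*(?P<caps>.+?)\s*$")


def parse_caps(text):
    """Map each capability name in a libcap text expression to its flag set."""
    caps = {}
    for clause in text.split():
        m = CLAUSE_RE.match(clause)
        if m is None:
            raise ValueError(f"unrecognised capability clause: {clause!r}")
        if m.group("op") == "-":
            continue  # a removal clause grants nothing
        flags = set(m.group("flags"))
        for name in m.group("names").split(","):
            caps.setdefault(name, set()).update(flags)
    return caps


def risky_grants(text):
    """Return [(name, reason)] for high-risk capabilities that are permitted
    or effective. Permitted alone counts: a capability-aware program can raise
    a permitted capability into its effective set with capset(2)."""
    return [
        (name, HIGH_RISK[name])
        for name, flags in parse_caps(text).items()
        if name in HIGH_RISK and flags & {"e", "p"}
    ]


def audit_getcap(output):
    """Audit `getcap -r` output; return [(path, name, reason)] findings."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = GETCAP_LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised getcap line: {line!r}")
        for name, reason in risky_grants(m.group("caps")):
            findings.append((m.group("path"), name, reason))
    return findings


# Constructed sample covering both getcap output shapes; not from a real host.
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/bin/example = cap_sys_admin+ep
/usr/sbin/nginx cap_net_bind_service=ep
/opt/tool/debugger cap_sys_ptrace,cap_dac_override=p
"""

if __name__ == "__main__":
    # Pipe real output in with: getcap -r / 2>/dev/null | python3 audit_caps.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCAP
    for path, name, reason in audit_getcap(data):
        print(f"{path}: {name} ({reason})")
```

Run against the sample, the script reports `/usr/bin/example` for `cap_sys_admin` and `/opt/tool/debugger` for both `cap_sys_ptrace` and `cap_dac_override`, while `cap_net_raw` on ping and `cap_net_bind_service` on nginx pass. The same `risky_grants` check can be applied to the `capability:` string of a playbook task before it is ever deployed.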