NET_RAW capability dropped
Description
Containers should drop the NET_RAW capability (used for raw socket operations such as ping and port scanning).
⚠️ Risk Impact
NET_RAW enables network reconnaissance and ARP spoofing from within a compromised container. Most workloads don't need it.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Add capabilities.drop: ["NET_RAW"] to the container's securityContext, or capabilities.drop: ["ALL"] for maximum reduction.
💀 Real-World Attack Scenario
A compromised application pod used NET_RAW for ARP spoofing across the pod network and captured credentials transmitted between other pods that did not use mTLS.
💰 Cost of Non-Compliance
Lateral movement via NET_RAW: average detection delay 28 days.
📋 Audit Questions
- 1. Is NET_RAW dropped on all containers?
- 2. Is there a capabilities-reduction policy?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ Default Linux capabilities retained
- ⛔ Dropping only specific capabilities instead of dropping ALL and re-adding those needed
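The remediation and audit questions above can be checked mechanically. The following added example (not EchelonGraph's scanner code, and not the project's Kyverno policy) walks every container, init container and ephemeral container of a pod spec, reports any that still hold NET_RAW, and shows the "drop ALL, then re-add only what is needed" remediation. It assumes the runtime's default capability set grants NET_RAW unless it is explicitly dropped, and it treats a container that drops ALL but re-adds NET_RAW as non-compliant. The pod specs are constructed samples.

```python
"""Audit Kubernetes pod specs for a retained NET_RAW capability (added example)."""
from __future__ import annotations

import copy
from typing import Iterator

CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def normalize_cap(cap: str) -> str:
    """Kubernetes accepts NET_RAW and CAP_NET_RAW in any case; compare one form."""
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def iter_containers(pod_spec: dict) -> Iterator[tuple[str, dict]]:
    """Yield (path, container) for every container kind in the pod spec."""
    for field in CONTAINER_FIELDS:
        for container in pod_spec.get(field) or []:
            yield f"{field}/{container.get('name', '?')}", container


def container_retains_net_raw(container: dict) -> bool:
    """True if the container would still hold NET_RAW at runtime.

    Assumption: the runtime's default bounding set includes NET_RAW, so a
    container with no securityContext at all is treated as retaining it.
    """
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    drop = {normalize_cap(c) for c in caps.get("drop") or []}
    add = {normalize_cap(c) for c in caps.get("add") or []}
    if "NET_RAW" in add:
        return True  # re-added after a drop (the pitfall the page describes)
    return not ({"ALL", "NET_RAW"} & drop)


def audit_pod(pod: dict) -> list[str]:
    """Return one finding string per container that still holds NET_RAW."""
    name = (pod.get("metadata") or {}).get("name", "<unnamed>")
    findings = []
    for path, container in iter_containers(pod.get("spec") or {}):
        if container_retains_net_raw(container):
            findings.append(f"{name}: {path} retains NET_RAW")
    return findings


def harden_container(container: dict, needed: tuple[str, ...] = ()) -> dict:
    """Return a copy that drops ALL capabilities and re-adds only `needed`."""
    hardened = copy.deepcopy(container)
    sc = hardened.setdefault("securityContext", {})
    sc["capabilities"] = {"drop": ["ALL"], "add": list(needed)}
    return hardened


# Constructed sample pods, not taken from any real cluster.
SAMPLE_PODS = [
    {"metadata": {"name": "web-default"},
     "spec": {"containers": [{"name": "app", "image": "example/app"}]}},
    {"metadata": {"name": "web-hardened"},
     "spec": {"containers": [{"name": "app", "image": "example/app",
                              "securityContext": {"capabilities": {
                                  "drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"name": "mixed"},
     "spec": {"initContainers": [{"name": "init",
                                  "securityContext": {"capabilities": {"drop": ["cap_net_raw"]}}}],
              "containers": [{"name": "sidecar",
                              "securityContext": {"capabilities": {
                                  "drop": ["ALL"], "add": ["NET_RAW"]}}}]}},
]


def audit_all(pods: list[dict] = SAMPLE_PODS) -> list[str]:
    return [finding for pod in pods for finding in audit_pod(pod)]


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Run against the samples, the audit flags web-default (no securityContext at all) and the sidecar in mixed (dropped ALL but re-added NET_RAW); the init container that dropped cap_net_raw in lower case passes, as does the hardened web pod. harden_container is the shape of the manifest change the remediation section describes.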
📈 Business Value
Capability reduction limits lateral movement after a container compromise.
⏱️ Effort Estimate
Per-container
EchelonGraph enforces via Kyverno
🔗 Cross-Framework References
Automate CIS Kubernetes 5.2.8 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.