Capabilities restricted
Description
Containers should not add Linux capabilities beyond the default set.
⚠️ Risk Impact
Adding capabilities (CAP_SYS_ADMIN, CAP_NET_ADMIN, etc.) grants kernel-level privileges within container. Compromise = host privileges.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Avoid capabilities.add. If required, document business justification + restrict to least-privilege set.
💀 Real-World Attack Scenario
A container ran with capabilities.add:[CAP_SYS_ADMIN] for 'mounting filesystems'. Compromised, attacker used CAP_SYS_ADMIN for container escape (multiple known CVEs).
💰 Cost of Non-Compliance
Container-escape via capabilities: $4M+ avg.
📋 Audit Questions
- 1.Containers with capabilities.add?
- 2.Justification per addition?
- 3.Least-privilege scope?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔CAP_SYS_ADMIN added for FUSE mounting
- ⛔CAP_NET_ADMIN for legacy network configs
- ⛔Inherited from Docker patterns
📈 Business Value
Capability restriction limits container-escape probability.
⏱️ Effort Estimate
Per-deployment review
EchelonGraph audits capabilities.add usage
🔗 Cross-Framework References
Automate CIS Kubernetes 5.2.9 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.
Start Free →