CME-705

Dropped Linux Capabilities

Description

Removes unnecessary POSIX capabilities from the container or process bounding set. Default container profiles drop CAP_SYS_ADMIN, CAP_NET_RAW, CAP_SYS_PTRACE, and others not needed by the workload.

CVSS Vector Impacts

Metric | Transition | Rationale
Privileges Required (PR) | L → H | Even privileged operations require specific capabilities that have been dropped
Scope (S) | C → U | Cannot mount filesystems, trace processes, or perform other scope-changing operations

CWE Relationships

Verification

Check effective capabilities of running process

$ grep CapEff /proc/<pid>/status
# Expected: 0000000000000000 or minimal set
Platform: linux

$ kubectl get pod <pod> -o jsonpath='{.spec.containers[0].securityContext.capabilities.drop}'
# Expected: ALL
Platform: kubernetes
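
The CapEff check above returns a hex bitmask, so deciding whether it is a "minimal set" means decoding it. The following shell script is an added example, not part of the original entry: it maps the mask to capability names and reports whether any of the three capabilities named in the description are still held. The function names and sample masks are constructed for illustration; bit positions follow linux/capability.h.

```shell
#!/bin/sh
# Added example: decode a CapEff hex mask taken from /proc/<pid>/status.
# Names by bit number (0..40), per linux/capability.h.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps MASK: print the capabilities set in hex MASK, space-separated.
decode_caps() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out${out:+ }cap_$name"
        fi
        bit=$((bit + 1))
    done
    # Bits above the table come from a kernel newer than this list.
    if [ $((mask >> bit)) -ne 0 ]; then out="$out${out:+ }unknown_bits"; fi
    printf '%s\n' "$out"
}

# risky_caps MASK: print which of the capabilities the entry names
# (CAP_SYS_ADMIN, CAP_NET_RAW, CAP_SYS_PTRACE) are still set in MASK.
risky_caps() {
    found=""
    for cap in $(decode_caps "$1"); do
        case "$cap" in
            cap_sys_admin|cap_net_raw|cap_sys_ptrace) found="$found${found:+ }$cap" ;;
        esac
    done
    printf '%s\n' "$found"
}

# Constructed sample masks:
#   0000000000000000  nothing held
#   00000000a80425fb  14 capabilities held, including cap_net_raw
# With a PID argument, audit that process; exit 1 if a named capability remains.
if [ "$#" -ge 1 ]; then
    eff=$(awk '/^CapEff:/ {print $2}' "/proc/$1/status")
    echo "CapEff=$eff: $(decode_caps "$eff")"
    left=$(risky_caps "$eff")
    if [ -n "$left" ]; then echo "still held: $left" >&2; exit 1; fi
fi
```

A non-zero exit status makes the script usable as a gate in a CI job or node audit.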