CAP_SYS_ADMIN capability added
No violationsstackroxmediumdeployAlert on deployments with containers escalating with CAP_SYS_ADMIN
- Rationale
- CAP_SYS_ADMIN grants an elevated level of privilege to a container that may not be necessary. https://lwn.net/Articles/486306/ explains what CAP_SYS_ADMIN does and points to possible alternatives.
- Remediation
- Ensure that the container really needs the CAP_SYS_ADMIN capability or use a userspace derivative.
CategoriesPrivileges
Compliance mappingsView coverage →
- CIS Kubernetes Benchmark v1.8
- 5.2.8
- DORA EU 2022/2554
- Art. 9.2
- ISO/IEC 27001 2022
- A.8.2
- NIST SP 800-53 rev. 5
- AC-6
- PCI DSS 4.0
- 7.2.1
- SOC 2 2017 TSC
- CC6.1
Generated artifacts
3 of 5 targets supportedcap-sys-admin-capability-added.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: cap-sys-admin-capability-added
annotations:
policies.kyverno.io/title: CAP_SYS_ADMIN capability added
policies.kyverno.io/category: Privileges
policies.kyverno.io/severity: medium
policies.kyverno.io/description: Alert on deployments with containers escalating with CAP_SYS_ADMIN
policies.kyverno.io/remediation: Ensure that the container really needs the CAP_SYS_ADMIN capability or use a userspace derivative.
policies.kyverno.io/rationale: CAP_SYS_ADMIN grants an elevated level of privilege to a container that may not be necessary. https://lwn.net/Articles/486306/ explains what CAP_SYS_ADMIN does and points to possible alternatives.
policies.io/source: stackrox
policies.io/source-id: 30e8cb50-d93f-42a1-b022-ec7de7ab7b65
spec:
validationFailureAction: Audit
background: true
rules:
- name: cap-sys-admin-capability-added
match:
any:
- resources:
kinds:
- Pod
validate:
message: 'Policy "CAP_SYS_ADMIN capability added" violated: Alert on deployments with containers escalating with CAP_SYS_ADMIN'
deny:
conditions:
all:
- key: "{{ request.object.spec.containers[].securityContext.capabilities.add[] || `[]` }}"
operator: AnyIn
value:
- SYS_ADMIN
IR (canonical)
{
"id": "30e8cb50-d93f-42a1-b022-ec7de7ab7b65",
"name": "CAP_SYS_ADMIN capability added",
"description": "Alert on deployments with containers escalating with CAP_SYS_ADMIN",
"rationale": "CAP_SYS_ADMIN grants an elevated level of privilege to a container that may not be necessary. https://lwn.net/Articles/486306/ explains what CAP_SYS_ADMIN does and points to possible alternatives.",
"remediation": "Ensure that the container really needs the CAP_SYS_ADMIN capability or use a userspace derivative.",
"severity": "medium",
"categories": [
"Privileges"
],
"lifecycle": [
"deploy"
],
"eventSource": "none",
"scope": [],
"exclusions": [],
"enforcement": {
"failBuild": false
},
"expression": {
"op": "criterion",
"field": "add-capabilities",
"values": [
"SYS_ADMIN"
],
"valuesOp": "or",
"negate": false
},
"disabled": false
}Original StackRox JSON
{
"id": "30e8cb50-d93f-42a1-b022-ec7de7ab7b65",
"name": "CAP_SYS_ADMIN capability added",
"description": "Alert on deployments with containers escalating with CAP_SYS_ADMIN",
"rationale": "CAP_SYS_ADMIN grants an elevated level of privilege to a container that may not be necessary. https://lwn.net/Articles/486306/ explains what CAP_SYS_ADMIN does and points to possible alternatives.",
"remediation": "Ensure that the container really needs the CAP_SYS_ADMIN capability or use a userspace derivative.",
"disabled": false,
"categories": [
"Privileges"
],
"lifecycleStages": [
"DEPLOY"
],
"eventSource": "NOT_APPLICABLE",
"exclusions": [],
"scope": [],
"severity": "MEDIUM_SEVERITY",
"enforcementActions": [],
"policySections": [
{
"sectionName": "",
"policyGroups": [
{
"fieldName": "Add Capabilities",
"booleanOperator": "OR",
"negate": false,
"values": [
{
"value": "SYS_ADMIN"
}
]
}
]
}
],
"notifiers": [],
"lastUpdated": null,
"SORTName": "",
"SORTLifecycleStage": "",
"SORTEnforcement": false,
"policyVersion": "1.1",
"mitreAttackVectors": [],
"criteriaLocked": true,
"mitreVectorsLocked": true,
"isDefault": true,
"source": "IMPERATIVE"
}