Back to catalog

CAP_SYS_ADMIN capability added

No violationsstackroxmediumdeploy

Alert on deployments with containers escalating with CAP_SYS_ADMIN

Rationale
CAP_SYS_ADMIN grants an elevated level of privilege to a container that may not be necessary. https://lwn.net/Articles/486306/ explains what CAP_SYS_ADMIN does and points to possible alternatives.
Remediation
Ensure that the container really needs the CAP_SYS_ADMIN capability or use a userspace derivative.
CategoriesPrivileges
Compliance mappingsView coverage →
CIS Kubernetes Benchmark v1.8
5.2.8
DORA EU 2022/2554
Art. 9.2
ISO/IEC 27001 2022
A.8.2
NIST SP 800-53 rev. 5
AC-6
PCI DSS 4.0
7.2.1
SOC 2 2017 TSC
CC6.1

Generated artifacts

3 of 5 targets supported
cap-sys-admin-capability-added.yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: cap-sys-admin-capability-added
  annotations:
    policies.kyverno.io/title: CAP_SYS_ADMIN capability added
    policies.kyverno.io/category: Privileges
    policies.kyverno.io/severity: medium
    policies.kyverno.io/description: Alert on deployments with containers escalating with CAP_SYS_ADMIN
    policies.kyverno.io/remediation: Ensure that the container really needs the CAP_SYS_ADMIN capability or use a userspace derivative.
    policies.kyverno.io/rationale: CAP_SYS_ADMIN grants an elevated level of privilege to a container that may not be necessary. https://lwn.net/Articles/486306/ explains what CAP_SYS_ADMIN does and points to possible alternatives.
    policies.io/source: stackrox
    policies.io/source-id: 30e8cb50-d93f-42a1-b022-ec7de7ab7b65
spec:
  validationFailureAction: Audit
  background: true
  rules:
    - name: cap-sys-admin-capability-added
      match:
        any:
          - resources:
              kinds:
                - Pod
      validate:
        message: 'Policy "CAP_SYS_ADMIN capability added" violated: Alert on deployments with containers escalating with CAP_SYS_ADMIN'
        deny:
          conditions:
            all:
              - key: "{{ request.object.spec.containers[].securityContext.capabilities.add[] || `[]` }}"
                operator: AnyIn
                value:
                  - SYS_ADMIN
IR (canonical)
{
  "id": "30e8cb50-d93f-42a1-b022-ec7de7ab7b65",
  "name": "CAP_SYS_ADMIN capability added",
  "description": "Alert on deployments with containers escalating with CAP_SYS_ADMIN",
  "rationale": "CAP_SYS_ADMIN grants an elevated level of privilege to a container that may not be necessary. https://lwn.net/Articles/486306/ explains what CAP_SYS_ADMIN does and points to possible alternatives.",
  "remediation": "Ensure that the container really needs the CAP_SYS_ADMIN capability or use a userspace derivative.",
  "severity": "medium",
  "categories": [
    "Privileges"
  ],
  "lifecycle": [
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": false
  },
  "expression": {
    "op": "criterion",
    "field": "add-capabilities",
    "values": [
      "SYS_ADMIN"
    ],
    "valuesOp": "or",
    "negate": false
  },
  "disabled": false
}
Original StackRox JSON
{
  "id": "30e8cb50-d93f-42a1-b022-ec7de7ab7b65",
  "name": "CAP_SYS_ADMIN capability added",
  "description": "Alert on deployments with containers escalating with CAP_SYS_ADMIN",
  "rationale": "CAP_SYS_ADMIN grants an elevated level of privilege to a container that may not be necessary. https://lwn.net/Articles/486306/ explains what CAP_SYS_ADMIN does and points to possible alternatives.",
  "remediation": "Ensure that the container really needs the CAP_SYS_ADMIN capability or use a userspace derivative.",
  "disabled": false,
  "categories": [
    "Privileges"
  ],
  "lifecycleStages": [
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "MEDIUM_SEVERITY",
  "enforcementActions": [],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Add Capabilities",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": "SYS_ADMIN"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}