On 4/30/20 12:05 PM, Matej Tyc wrote:
I second Jan. What I have heard from both of you, Gabe and Trevor, is that we can expect legitimate use cases of containers with elevated privileges that would, e.g., influence the kernel by directly setting modules, kernel parameters, time and so on.
From what I see, there is no automated way to tell whether a scanned container is meant to be privileged (an ntp container will need privileges), or whether it is an omission or an attack attempt. Therefore, I don't see how removing this machine platform could be an improvement. I would expect the specialized container profiles that Trevor has just mentioned to come first. Disabling the machine platform denomination makes a positive change only when those profiles are ready.
Fair enough. Is there interest in joining the SCAP committees to create new probes that can handle these scenarios?