
Find Containers Running As Privileged

Description: This query looks for Docker containers that have privileged status.

What The Data Shows: Using the privileged flag gives all Linux kernel capabilities to the container and lifts limitations enforced by the cgroup controller. CIS Benchmarks for running containers recommend that this flag is not used except for very few special use cases. Use this query to identify containers in your environment that have this elevated status, and make sure that there is a specific reason that each container needs to maintain that status.

SQL: 

   SELECT id, name, image, state, started_at 
   FROM docker_containers
   WHERE privileged=1;

 

1 Comment
baustin
Carbon Black Employee
Status changed to: Approved