Built off the open source project Osquery
Description: This query looks for Docker containers that have privileged status.
What The Data Shows: Using the privileged flag gives all Linux kernel capabilities to the container and lifts limitations enforced by the cgroup controller. CIS Benchmarks for running containers recommend that this flag not be used except for very few special use cases. Use this query to identify containers in your environment that have this elevated status and make sure that there is a specific reason that each container needs to maintain that status.
SQL:
SELECT id, name, image, state, started_at
FROM docker_containers
WHERE privileged=1;
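Triage example (added here, not part of the original query): to help decide whether a privileged container has a specific reason for that status, the query below extends the one above with the container's command, security options, read-only root filesystem flag, and any host paths bind-mounted into it. It assumes the osquery docker_container_mounts table is available alongside docker_containers; the column aliases are illustrative.

```sql
-- Added example: privileged containers with the context needed to review them.
-- One row per bind mount; containers without bind mounts still appear once
-- (LEFT JOIN) with NULL mount columns.
SELECT
  c.id,
  c.name,
  c.image,
  c.command,
  c.state,
  c.started_at,
  c.security_options,                 -- e.g. seccomp / AppArmor settings in effect
  c.readonly_rootfs,                  -- 1 if the root filesystem is read-only
  m.source      AS host_path,         -- path on the host exposed to the container
  m.destination AS container_path,    -- where it appears inside the container
  m.rw          AS mount_writable     -- 1 if the container can write to it
FROM docker_containers AS c
LEFT JOIN docker_container_mounts AS m
  ON m.id = c.id
 AND m.type = 'bind'
WHERE c.privileged = 1
ORDER BY c.name, m.destination;
```

A privileged container that also has writable bind mounts of host paths is the first to review against its documented justification.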
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.