ECS task definition has 'NET_RAW' capability affecting ECS service in AWS


    Severity medium
    Severity Framework Snyk CCSS
    Rule category Containers / Capabilities

    Frameworks
    CIS-Controls CSA-CCM NIST-800-53 PCI-DSS
  • Snyk ID SNYK-CC-00108
  • credit Snyk Research Team

Description

ECS task definitions should not add Linux capabilities beyond the defaults and should drop 'NET_RAW', the capability that lets a process open raw and packet sockets. Adding capabilities grants a process some superuser privileges without running it as root. Either drop 'NET_RAW' and do not add any other capabilities, or drop 'ALL' and add back only the capabilities that you need.

How to fix?

In the container_definitions block, set linuxParameters.capabilities.drop to include NET_RAW or ALL. If you drop ALL, make sure NET_RAW is not listed in linuxParameters.capabilities.add.

Example Configuration

resource "aws_ecs_task_definition" "valid_drop_net_raw_only" {
  family = "valid_drop_net_raw_only"

  # The container JSON drops NET_RAW and adds nothing back, so the container
  # keeps the default capability set minus raw/packet socket access.
  container_definitions = <<EOF
[
  {
    "name": "valid_drop_net_raw_only",
    "image": "hello-world",
    "memory": 128,
    "linuxParameters": {
      "capabilities": {
        "drop": ["NET_RAW"]
      }
    }
  }
]
EOF

  requires_compatibilities = ["EC2"]
}
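The rule described under "How to fix?", expressed as a policy check that can run in CI against task definition JSON (the taskDefinition object returned by aws ecs describe-task-definition, or the heredoc above parsed with json.loads). This is an added example, not Snyk's rule engine or any Snyk API; SAMPLE_TASK_DEFINITION, the function names and the finding wording are constructed for illustration. It also shows a minimal remediation that drops NET_RAW and removes it from the add list while leaving any other added capabilities for a human to review.

```python
"""Check ECS container definitions against the NET_RAW capability rule:
drop NET_RAW (or ALL), never add NET_RAW back, and add capabilities only
after dropping ALL. Added example, not Snyk's own checker."""
import json
from typing import Any

NET_RAW = "NET_RAW"
ALL = "ALL"


def _normalize(cap: str) -> str:
    # ECS spells capabilities without the CAP_ prefix ("NET_RAW"); tolerate
    # "cap_net_raw" defensively so a hand-edited file is not misjudged.
    cap = cap.strip().upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def _caps(container: dict[str, Any], key: str) -> set[str]:
    """Normalized set of names under linuxParameters.capabilities.<key>."""
    linux = container.get("linuxParameters") or {}
    caps = linux.get("capabilities") or {}
    return {_normalize(c) for c in (caps.get(key) or [])}


def check_container(container: dict[str, Any]) -> list[str]:
    """Return findings for one container definition; empty list means compliant."""
    name = container.get("name", "<unnamed>")
    dropped = _caps(container, "drop")
    added = _caps(container, "add")
    findings: list[str] = []

    # Rule 1: NET_RAW must be dropped, either by name or via ALL.
    if NET_RAW not in dropped and ALL not in dropped:
        findings.append(f"{name}: NET_RAW is not dropped")
    # Rule 2: adding NET_RAW (or ALL, which re-grants it) undoes the drop.
    if NET_RAW in added or ALL in added:
        findings.append(f"{name}: NET_RAW is added back")
    # Rule 3: other additions widen the default set unless ALL was dropped first.
    extra = added - {NET_RAW, ALL}
    if extra and ALL not in dropped:
        findings.append(f"{name}: adds capabilities without dropping ALL: {sorted(extra)}")
    return findings


def check_task_definition(task_def: Any) -> list[str]:
    """Accept a task definition dict (with containerDefinitions) or the bare
    container list used in a Terraform heredoc; return all findings."""
    containers = task_def["containerDefinitions"] if isinstance(task_def, dict) else task_def
    return [f for c in containers for f in check_container(c)]


def remediate(container: dict[str, Any]) -> dict[str, Any]:
    """Return a copy that drops NET_RAW and strips NET_RAW/ALL from the add list.
    Other added capabilities are left alone so their findings remain visible."""
    fixed = json.loads(json.dumps(container))  # deep copy via JSON round-trip
    caps = fixed.setdefault("linuxParameters", {}).setdefault("capabilities", {})
    drop = caps.setdefault("drop", [])
    if not {_normalize(c) for c in drop} & {NET_RAW, ALL}:
        drop.append(NET_RAW)
    if "add" in caps:
        caps["add"] = [c for c in caps["add"] if _normalize(c) not in (NET_RAW, ALL)]
    return fixed


# Constructed sample task definition covering the compliant and non-compliant shapes.
SAMPLE_TASK_DEFINITION = {
    "family": "sample-web",
    "containerDefinitions": [
        {"name": "drop-net-raw", "image": "hello-world", "memory": 128,
         "linuxParameters": {"capabilities": {"drop": ["NET_RAW"]}}},
        {"name": "drop-all-add-back", "image": "hello-world", "memory": 128,
         "linuxParameters": {"capabilities": {"drop": ["ALL"], "add": ["CHOWN", "SETUID"]}}},
        {"name": "readds-net-raw", "image": "hello-world", "memory": 128,
         "linuxParameters": {"capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}},
        {"name": "no-linux-parameters", "image": "hello-world", "memory": 128},
        {"name": "adds-without-drop-all", "image": "hello-world", "memory": 128,
         "linuxParameters": {"capabilities": {"drop": ["NET_RAW"], "add": ["NET_BIND_SERVICE"]}}},
    ],
}

if __name__ == "__main__":
    for finding in check_task_definition(SAMPLE_TASK_DEFINITION):
        print(finding)
```

A container with no linuxParameters block at all is reported as non-compliant, since it keeps the runtime's default capability set, which includes NET_RAW; the remediation for that case simply creates the block with drop set to NET_RAW.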
