Entering other containers’ network namespaces with the setns() call to open their network adapters for capture requires either privileged mode or SYS_ADMIN and SYS_PTRACE capabilities. If you prefer to use the SYS_ADMIN and SYS_PTRACE capabilities rather than privileged mode, you can replace privileged: true within the deployment definitions with the following:
capabilities:
  add:
    - SYS_ADMIN
    - SYS_PTRACE
    - NET_ADMIN
    - NET_BIND_SERVICE
However, Alert Logic does not recommend the above change. The amount of access granted with these capabilities makes maintaining more granular control of the al-agent-container not worthwhile, because any malicious process granted the above set can escalate to a fully privileged mode. Additionally, future versions of the agent may require extra capabilities for new functionality and could break remote updates if a more restricted set is used. Therefore, customers choosing to restrict al-agent-container capabilities in the above manner must do so at their own risk.
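To confirm from inside a running container which of the capabilities listed above were actually granted, the effective capability mask in /proc/<pid>/status can be decoded. The following is an added example, not Alert Logic code; the function names and the sample status text are constructed for illustration, and the bit numbers come from the Linux header include/uapi/linux/capability.h.

```python
import re

# Bit numbers from the Linux UAPI header include/uapi/linux/capability.h.
REQUESTED = {"NET_BIND_SERVICE": 10, "NET_ADMIN": 12,
             "SYS_PTRACE": 19, "SYS_ADMIN": 21}
# The article names these two as the requirement for setns()-based capture.
CAPTURE_REQUIRED = ("SYS_ADMIN", "SYS_PTRACE")


def effective_mask(status_text):
    """Return the CapEff bitmask parsed from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found in status text")
    return int(m.group(1), 16)


def audit(status_text):
    """Report which capabilities from the article's list are effective."""
    mask = effective_mask(status_text)
    granted = sorted(n for n, bit in REQUESTED.items() if (mask >> bit) & 1)
    missing = sorted(set(REQUESTED) - set(granted))
    return {
        "granted": granted,
        "missing": missing,
        # Both capabilities must be present for the capture path to work.
        "capture_ready": all(c in granted for c in CAPTURE_REQUIRED),
        # Total effective capabilities, to see how broad the grant is.
        "total_caps": bin(mask).count("1"),
    }


# Constructed sample: a container running with a typical runtime default set.
SAMPLE_DEFAULT = ("Name:\tsample-proc\nCapPrm:\t00000000a80425fb\n"
                  "CapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n")
# Constructed sample: the same default set plus the four added capabilities.
SAMPLE_RESTRICTED = ("Name:\tsample-proc\nCapPrm:\t00000000a82c35fb\n"
                     "CapEff:\t00000000a82c35fb\nCapBnd:\t00000000a82c35fb\n")

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT),
                        ("restricted", SAMPLE_RESTRICTED)):
        print(label, audit(text))
```

Inside the container, pass the contents of /proc/self/status to audit() instead of the constructed samples.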