STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 19 Jul 2019: Docker Enterprise sensitive host system directories must not be mounted on containers.

DISA Rule

SV-104737r1_rule

Vulnerability Number

V-95599

Group Title

SRG-APP-000033

Rule Version

DKER-EE-001190

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise.

Do not mount sensitive host directories on containers, especially in read-write mode.

Check Contents

This check only applies to the use of Docker Engine - Enterprise.

Verify that no running containers have mounted sensitive host system directories. Refer to the System Security Plan for the list of sensitive folders.

via CLI:

Execute the following command as a trusted user on the host operating system:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep -iv "ucp\|kubelet\|dtr"

Verify in the output that no containers are running with mounted RW access to sensitive host system directories. If there are containers mounted with RW access to sensitive host system directories, this is a finding.
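
The manual review of the command output can be automated. The following is an added example, not part of the STIG or of Docker's tooling: it reads `docker inspect` JSON and reports read-write mounts whose host source equals, lies under, or contains a sensitive directory. The directory list, the name-based exclusion standing in for the grep filter, and the sample data are assumptions.

```python
import json
import posixpath

# Assumption: placeholder list; the real one comes from the System Security Plan.
SENSITIVE_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
# Assumption: the grep -iv exclusion is applied to container names here.
EXCLUDED_NAME_PARTS = ("ucp", "kubelet", "dtr")

# Constructed sample shaped like `docker inspect` JSON output (not real data).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "Mounts": [
        {"Type": "bind", "Source": "/etc", "Destination": "/host/etc", "RW": True}]},
    {"Id": "bbb222", "Name": "/logs", "Mounts": [
        {"Type": "bind", "Source": "/etc/ssl/../ssl/certs", "Destination": "/certs", "RW": False}]},
    {"Id": "ccc333", "Name": "/backup", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Id": "ddd444", "Name": "/app", "Mounts": [
        {"Type": "volume", "Source": "/var/lib/docker/volumes/appdata/_data",
         "Destination": "/data", "RW": True},
        {"Type": "bind", "Source": "/etcetera", "Destination": "/x", "RW": True}]},
    {"Id": "eee555", "Name": "/ucp-agent", "Mounts": [
        {"Type": "bind", "Source": "/etc/docker", "Destination": "/etc/docker", "RW": True}]},
])

def overlaps_sensitive(source):
    """Return the sensitive directory that source equals, lies under, or contains."""
    src = posixpath.normpath(source)  # lexical only; symlinks are not resolved
    for d in SENSITIVE_DIRS:
        if src == d or src.startswith(d + "/"):
            return d
        if d.startswith(src.rstrip("/") + "/"):  # e.g. mounting "/" exposes /etc
            return d
    return None

def find_rw_sensitive_mounts(inspect_json):
    """Return (container id, source, destination, matched dir) for each finding."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/").lower()
        if any(part in name for part in EXCLUDED_NAME_PARTS):
            continue
        for m in c.get("Mounts") or []:
            hit = overlaps_sensitive(m.get("Source", ""))
            if hit and m.get("RW"):  # only read-write mounts are a finding
                findings.append((c["Id"], m["Source"], m["Destination"], hit))
    return findings

if __name__ == "__main__":
    for cid, src, dst, hit in find_rw_sensitive_mounts(SAMPLE_INSPECT):
        print(f"FINDING {cid}: {src} -> {dst} (RW, overlaps {hit})")
```

On a host, the input would be the JSON that docker inspect prints when run without --format.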

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3425

Comments