STIGQter STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 19 Jul 2019: Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.

DISA Rule

SV-104775r1_rule

Vulnerability Number

V-95637

Group Title

SRG-APP-000141

Rule Version

DKER-EE-001950

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Document the required Kernel Capabilities for each container in the SSP. Only add needed capabilities when running containers.

via CLI:

Linux: Execute the below command to add needed capabilities:

$> docker run --cap-add={"Capability 1","Capability 2"}

Execute the below command to drop unneeded capabilities:

$> docker run --cap-drop={"Capability 1","Capability 2"}

The user may also choose to drop all capabilities and add only add the needed ones as per the SSP:

$> docker run --cap-drop=all --cap-add={"Capability 1","Capability 2"}

Check Contents

This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Verify that the added and dropped Linux Kernel Capabilities are in line with the ones needed for container processes for each container instance as defined in the SSP.

via CLI:

Linux: Execute the following command as a trusted user on the host operating system:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'

If Linux Kernel Capabilities exceed what is defined in the SSP, then this is a finding.

Vulnerability Number

V-95637

Documentable

False

Rule Version

DKER-EE-001950

Severity Override Guidance

This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Verify that the added and dropped Linux Kernel Capabilities are in line with the ones needed for container processes for each container instance as defined in the SSP.

via CLI:

Linux: Execute the following command as a trusted user on the host operating system:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'

If Linux Kernel Capabilities exceed what is defined in the SSP, then this is a finding.

Check Content Reference

M

Target Key

3425

Comments