STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 1, Release 1, Benchmark Date 19 Jul 2019: All Docker Enterprise containers must be restricted from acquiring additional privileges.

DISA Rule

SV-104805r1_rule

Vulnerability Number

V-95667

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002110

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Start the containers as below:

docker run --rm -it --security-opt=no-new-privileges <image>

A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.

Check Contents

This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Ensure all containers are restricted from acquiring additional privileges.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs -L 1 docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'

The above command should return all the security options currently configured for each container, and no-new-privileges should be one of them. If it is not, then this is a finding.
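As an added example (not part of the STIG or STIGQter), the POSIX shell script below consumes the lines printed by the check command above and reports every container whose SecurityOpt does not enable no-new-privileges; the container IDs in the sample are constructed, and the treatment of the explicit-off forms is an assumption noted in the comments.

```shell
#!/bin/sh
# Added example: evaluate "<id>: SecurityOpt=[...]" lines from the DKER-EE-002110
# check command and report each container lacking no-new-privileges as a finding.

# compliant_line LINE -> exit 0 if the container line shows no-new-privileges enabled.
# Docker prints HostConfig.SecurityOpt as a Go []string, e.g.
# "[no-new-privileges seccomp=unconfined]", and "[]" when nothing is set.
# Assumption: the explicit-off forms "no-new-privileges:false" / "=false" are
# treated as not enabled; only the bare or ":true"/"=true" forms pass.
compliant_line() {
    opts=${1#*SecurityOpt=}           # drop the "<id>: SecurityOpt=" prefix
    opts=${opts#\[}; opts=${opts%\]}  # drop the surrounding brackets
    for opt in $opts; do              # entries are space separated, as Go prints them
        case "$opt" in
            no-new-privileges|no-new-privileges:true|no-new-privileges=true) return 0 ;;
        esac
    done
    return 1
}

# report_findings reads check lines on stdin, prints one FINDING line per
# non-compliant container, a summary count, and returns 1 if any were found.
report_findings() {
    findings=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! compliant_line "$line"; then
            echo "FINDING: ${line%%:*} (${line#*SecurityOpt=})"
            findings=$((findings + 1))
        fi
    done
    echo "containers not compliant: $findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample of what the docker ps | xargs docker inspect pipeline prints (fake IDs).
SAMPLE_OUTPUT='1a2b3c: SecurityOpt=[no-new-privileges seccomp=unconfined]
4d5e6f: SecurityOpt=[]
7a8b9c: SecurityOpt=[no-new-privileges:false]'

# On a real node, pipe the check command into report_findings instead of the sample:
#   docker ps --quiet --all | xargs -L 1 docker inspect \
#     --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' | report_findings
printf '%s\n' "$SAMPLE_OUTPUT" | report_findings \
    || echo "demo: non-compliant containers present (exit $?)"
```

Two of the three sample containers are reported, so the demo run ends with a non-zero status, which makes the script usable as a scheduled compliance check.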

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3425

Comments