STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

DISA Rule

SV-235787r627488_rule

Vulnerability Number

V-235787

Group Title

SRG-APP-000108

Rule Version

DKER-EE-001590

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

via CLI:

Linux: As a trusted user on the host operating system, open the /etc/docker/daemon.json file for editing. If the file doesn't exist, it must be created.

Set the "log-driver" property to one of the following: "syslog", "awslogs", "splunk", "gcplogs", "logentries" or "<plugin>" (where <plugin> is the name of a third-party Docker logging driver plugin). Configure the "log-opts" object as required by the selected "log-driver".

Save the file. Restart the docker daemon.

Work with the SIEM administrator to configure an alert when no audit data is received from Docker.

Check Contents

via CLI:

Linux: Execute the following command as a trusted user on the host operating system:

cat /etc/docker/daemon.json

Verify that the "log-driver" property is set to one of the following: "syslog", "awslogs", "splunk", "gcplogs", "logentries" or "<plugin>" (where <plugin> is the name of a third-party Docker logging driver plugin).

Work with the SIEM administrator to determine if an alert is configured when audit data is no longer received as expected.
If "log-driver" is not set, or if alarms are not configured in the SIEM, then this is a finding.
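As an added example (not part of the STIG text or of STIGQter), the check and the fix above expressed as a script: it parses the contents of daemon.json, reports whether "log-driver" satisfies the rule (missing file, missing property, or an unlisted built-in driver is a finding; a listed driver or a third-party plugin passes), and produces the corrected file with the syslog driver while preserving the other settings. The sample configuration, the collector address and the set of Docker's built-in driver names are assumptions, not taken from the page.

```python
import json

# Drivers the STIG rule names as acceptable (the page's own list).
STIG_LISTED_DRIVERS = {"syslog", "awslogs", "splunk", "gcplogs", "logentries"}
# Docker's built-in logging drivers (assumption: taken from Docker's
# documentation, not from the STIG). A "log-driver" value outside this set is
# treated as a third-party plugin, which the rule also accepts.
BUILTIN_DRIVERS = {"none", "local", "json-file", "journald", "gelf", "fluentd",
                   "etwlogs", "awslogs", "splunk", "gcplogs", "logentries", "syslog"}


def check_log_driver(daemon_json_text):
    """Return (compliant, reason) for daemon.json text; None means the file is absent."""
    # No file means Docker falls back to json-file, which the rule does not list.
    if daemon_json_text is None:
        return False, "daemon.json missing: log-driver unset (defaults to json-file)"
    try:
        cfg = json.loads(daemon_json_text)
    except ValueError as err:
        return False, f"daemon.json is not valid JSON: {err}"
    driver = cfg.get("log-driver")
    if not driver:
        return False, "log-driver not set (defaults to json-file)"
    if driver in STIG_LISTED_DRIVERS:
        return True, f"log-driver {driver!r} is on the STIG list"
    if driver not in BUILTIN_DRIVERS:
        return True, f"log-driver {driver!r} treated as a third-party plugin"
    return False, f"log-driver {driver!r} is a built-in driver the rule does not list"


def apply_fix(daemon_json_text, driver="syslog", log_opts=None):
    """Return corrected daemon.json text: sets log-driver (and log-opts when
    given) while keeping every other key. Restarting dockerd is still manual."""
    cfg = json.loads(daemon_json_text) if daemon_json_text else {}
    cfg["log-driver"] = driver
    if log_opts:
        cfg["log-opts"] = log_opts
    return json.dumps(cfg, indent=2, sort_keys=True)


# Constructed sample: a daemon.json that never sets log-driver (a finding).
BEFORE = '{"icc": false, "live-restore": true}'
# Constructed sample: syslog options shipping to a placeholder TLS collector.
SYSLOG_OPTS = {"syslog-address": "tcp+tls://siem.example.invalid:6514",
               "tag": "{{.Name}}"}

if __name__ == "__main__":
    print(check_log_driver(BEFORE))
    fixed = apply_fix(BEFORE, "syslog", SYSLOG_OPTS)
    print(fixed)
    print(check_log_driver(fixed))
```

The SIEM side of the rule (alerting when Docker audit data stops arriving) is not something daemon.json can express; it is configured on the collector, as the text says.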

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments