STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.

DISA Rule

SV-235801r627530_rule

Vulnerability Number

V-235801

Group Title

SRG-APP-000141

Rule Version

DKER-EE-001950

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Document the required Kernel Capabilities for each container in the SSP. Only add needed capabilities when running containers.

via CLI:

Linux: Execute the below command to add needed capabilities:

$> docker run --cap-add={"Capability 1","Capability 2"}

Execute the below command to drop unneeded capabilities:

$> docker run --cap-drop={"Capability 1","Capability 2"}

The user may also choose to drop all capabilities and then add only the needed ones as per the SSP:

$> docker run --cap-drop=all --cap-add={"Capability 1","Capability 2"}

Check Contents

This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Verify that the added and dropped Linux Kernel Capabilities are in line with the ones needed for container processes for each container instance as defined in the SSP.

via CLI:

Linux: Execute the following command as a trusted user on the host operating system:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CapAdd={{ .HostConfig.CapAdd }} CapDrop={{ .HostConfig.CapDrop }}'

If Linux Kernel Capabilities exceed what is defined in the SSP, then this is a finding.
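The comparison the check and fix above describe, as an added script that is not part of the STIG or of STIGQter: it reads the JSON that `docker ps --quiet --all | xargs docker inspect` produces, normalizes `CapAdd`/`CapDrop` (null when the flag was never given, optional `CAP_` prefix), and reports each container whose added capabilities exceed its SSP entry or that lacks the `--cap-drop=all` the SSP requires. The container sample and the SSP allowlist are constructed, and the SSP dictionary format is an assumption.

```python
import json

# Constructed sample of what `docker ps --quiet --all | xargs docker inspect`
# returns, trimmed to the fields this check reads. Not real output.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"]}},
    {"Id": "bbb222", "Name": "/batch",
     "HostConfig": {"CapAdd": ["CAP_SYS_ADMIN", "NET_RAW"], "CapDrop": None}},
    {"Id": "ccc333", "Name": "/db",
     "HostConfig": {"CapAdd": None, "CapDrop": None}},
])

# Hypothetical SSP entries: per container name, which capabilities it may add
# and whether it must run with --cap-drop=all. The SSP format is an assumption.
SAMPLE_SSP = {
    "/web":   {"add": {"NET_BIND_SERVICE"}, "drop_all": True},
    "/batch": {"add": {"NET_RAW"}, "drop_all": False},
}

def normalize(caps):
    """docker inspect reports null when the flag was never given, and the CLI
    accepts both CAP_NET_RAW and NET_RAW, so strip the prefix before comparing."""
    out = set()
    for cap in caps or []:
        cap = cap.upper()
        out.add(cap[4:] if cap.startswith("CAP_") else cap)
    return out

def evaluate(inspect_json, ssp):
    """Return one (id, name, reason) finding per container exceeding its SSP entry."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name") or c["Id"]
        added = normalize(c["HostConfig"].get("CapAdd"))
        dropped = normalize(c["HostConfig"].get("CapDrop"))
        entry = ssp.get(name)
        if entry is None:
            findings.append((c["Id"], name, "container not documented in SSP"))
            continue
        excess = sorted(added - entry["add"])
        if excess:
            findings.append((c["Id"], name, f"CapAdd exceeds SSP: {excess}"))
        if entry["drop_all"] and "ALL" not in dropped:
            findings.append((c["Id"], name, "SSP requires --cap-drop=all, not set"))
    return findings

if __name__ == "__main__":
    for cid, name, reason in evaluate(SAMPLE_INSPECT, SAMPLE_SSP):
        print(f"FINDING {cid} ({name}): {reason}")
```

On a real node, replace SAMPLE_INSPECT with the output of the inspect pipeline and SAMPLE_SSP with the capabilities documented in the SSP; any line printed is a finding under this rule.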

Documentable

False

Check Content Reference

M

Target Key

5281

Comments