STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Only required ports must be open on the containers in Docker Enterprise.

DISA Rule

SV-235804r627539_rule

Vulnerability Number

V-235804

Group Title

SRG-APP-000141

Rule Version

DKER-EE-001990

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document the ports required for each container in the SSP.

Fix the Dockerfile of the container image so that EXPOSE lists only the ports the containerized application actually listens on. EXPOSE by itself opens nothing on the host; the host mapping is decided when the container is started. Do NOT start the container with -P (uppercase) or --publish-all, which publishes every EXPOSEd port to a random host port. Use -p (lowercase) or --publish to declare explicitly the ports needed by that particular container instance.

Example:
docker run --interactive --tty --publish 5000 --publish 5001 --publish 5002 centos /bin/bash

In this form each --publish binds the container port to a random host port on all interfaces; the hostPort:containerPort or ip:hostPort:containerPort forms (for example --publish 127.0.0.1:5000:5000) pin the host port and interface and should be preferred when the SSP documents a specific listener.

Check Contents

Ensure that mapped ports are the ones that are needed by the containers.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'

Review the list and confirm that every mapped port is one the container really needs. Note that .NetworkSettings.Ports also lists ports that are only EXPOSEd in the image; those appear with an empty (nil) binding and are not reachable from the host, so only entries with a host binding count as mapped. If any mapped port is not documented in the System Security Plan (SSP), this is a finding.
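The fix and the check above amount to one procedure: document the required ports, publish only those with -p, then inspect the running containers and compare what is actually mapped against the SSP inventory. The script below is an added example, not part of the STIG or of Docker's own tooling. It uses a custom docker inspect Go template that prints only ports with a host binding (skipping ports that are merely EXPOSEd), and compares them against an allowlist file that stands in for the SSP's port inventory. The allowlist format, the container name "web" and the port numbers in the demo are constructed assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG text: collect the ports each running
# container actually publishes and compare them with the ports the SSP
# documents. Undocumented mappings are reported as findings.

# Go template for `docker inspect`: one line per *published* port, i.e.
# "<container-name> <port/proto> <hostip:hostport> ...". A port that is only
# EXPOSEd in the Dockerfile has an empty binding list and is skipped, so the
# report reflects the -p/-P mappings rather than the image's EXPOSE list.
PORT_TEMPLATE='{{$name := .Name}}{{range $port, $bindings := .NetworkSettings.Ports}}{{if $bindings}}{{$name}} {{$port}}{{range $bindings}} {{.HostIp}}:{{.HostPort}}{{end}}{{println}}{{end}}{{end}}'

# Live collection: run on each node, or through a UCP client bundle as the
# check describes. `.Name` carries a leading "/" which sed strips.
collect_published_ports() {
    docker ps --quiet | xargs docker inspect --format "$PORT_TEMPLATE" | sed 's|^/||'
}

# check_ports_against_ssp ALLOWLIST
#   stdin:     lines in the collect_published_ports format
#   ALLOWLIST: file of "<container-name> <port/proto>" lines ("#" comments ok);
#              assumed format standing in for the port inventory in the SSP
#   Prints OK/FINDING per mapping; returns 0 only when every mapping is documented.
check_ports_against_ssp() {
    allowlist="$1"
    findings=0
    while read -r name port bindings; do
        [ -n "$name" ] || continue
        # Escape "." so a name like web.1 is not treated as a regex wildcard.
        esc_name=$(printf '%s' "$name" | sed 's/\./\\./g')
        if grep -Eq "^[[:space:]]*${esc_name}[[:space:]]+${port}([[:space:]]|\$)" "$allowlist"; then
            echo "OK: $name $port -> $bindings"
        else
            echo "FINDING: $name $port -> $bindings (not documented in SSP)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Offline demo on constructed data (no Docker daemon needed). The sample
# mimics a container "web" started with `--publish 5000 --publish 5001
# --publish 5002` while the SSP only documents 5000 and 5001, so the 5002
# mapping must come back as a finding.
demo_with_sample() {
    allowlist=$(mktemp)
    printf '# SSP port inventory (constructed)\nweb 5000/tcp\nweb 5001/tcp\n' > "$allowlist"
    sample='web 5000/tcp 0.0.0.0:32768 :::32768
web 5001/tcp 0.0.0.0:32769 :::32769
web 5002/tcp 0.0.0.0:32770 :::32770'
    printf '%s\n' "$sample" | check_ports_against_ssp "$allowlist"
    status=$?
    rm -f "$allowlist"
    return $status
}

# Usage:  ./check_ports.sh --demo
#         ./check_ports.sh --live ssp_ports.txt   (runs docker; exit 1 on findings)
case "${1:-}" in
    --demo) demo_with_sample ;;
    --live) collect_published_ports | check_ports_against_ssp "${2:?allowlist file required}" ;;
esac
```

Run it with --live on every node (or once through a UCP client bundle) and treat a non-zero exit as at least one finding to reconcile with the SSP. Because the template filters on a non-empty binding list, a port that is EXPOSEd but never published does not appear in the report, which matches the STIG's definition of a mapped port.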

Vulnerability Number

V-235804

Documentable

False

Rule Version

DKER-EE-001990

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments