STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

All Docker Enterprise containers root filesystem must be mounted as read only.

DISA Rule

SV-235808r627551_rule

Vulnerability Number

V-235808

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002030

Severity

CAT I

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Add a --read-only flag at a container's runtime to enforce the container's root filesystem to be mounted as read only.

docker run <Run arguments> --read-only <Container Image Name or ID> <Command>

Enabling the --read-only option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during the container's runtime.

Examples of explicit storage locations during a container's runtime include, but are not limited to:

1. Use the --tmpfs option to mount a temporary file system for non-persistent data writes.

Example:
docker run --interactive --tty --read-only --tmpfs "/run" --tmpfs "/tmp" [image] [command]

2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem.

Example:
docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw [image] [command]

3. Utilizing Docker shared-storage volume plugins for Docker data volume to persist container data.

docker volume create -d convoy --opt o=size=20GB my-named-volume

docker run --interactive --tty --read-only -v my-named-volume:/run/app/data [image] [command]

Check Contents

Ensure all containers' root filesystem is mounted as read only.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs -L 1 docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'

If ReadonlyRootfs=false, it means the container's root filesystem is writable and this is a finding.

Vulnerability Number

V-235808

Documentable

False

Rule Version

DKER-EE-002030

Severity Override Guidance

Ensure all containers' root filesystem is mounted as read only.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs -L 1 docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'

If ReadonlyRootfs=false, it means the container's root filesystem is writable and this is a finding.

Check Content Reference

M

Target Key

5281

Comments