STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Mount propagation mode must not be set to shared in Docker Enterprise.

DISA Rule

SV-235810r627557_rule

Vulnerability Number

V-235810

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002050

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Do not mount volumes in shared mode propagation.

For example, do not start a container as below:

docker run <Run arguments> --volume=/hostPath:/containerPath:shared <Container Image Name or ID> <Command>

Leaving the propagation option off the volume specification gives Docker's default of rprivate. If the container must see mounts added later on the host, rslave provides that without propagating the container's own mounts back to the host.

Check Contents

Ensure mount propagation mode is not set to shared or rshared.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'

The pipeline inspects every container, including stopped ones (--all), after dropping the UCP, Kubernetes and DTR platform containers. Note that grep -iv matches anywhere on the docker ps line, so an application container whose name or image contains one of those strings is skipped as well and should be inspected by hand. Because the template uses {{json ...}}, each mount's propagation mode is printed in double quotes, and named volumes print an empty value ("").

If any mount reports Propagation="shared" or Propagation="rshared", this is a finding.
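The following is an added example, not part of the STIG or of STIGQter, that automates both halves of this rule: it applies the Check Contents logic to the JSON that docker inspect emits (excluding platform containers the same way the grep does) and screens a --volume specification of the form shown in the Fix Recommendation before a container is started. The inspect output embedded below is a constructed sample, not a real capture; container IDs and names are made up.

```python
import json
import sys

# Constructed sample of `docker inspect` output (not a real capture), trimmed
# to the fields this check reads. The third container stands in for a UCP
# system container, which the STIG command filters out with grep -iv.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "a1b2c3d4e5f6",
        "Name": "/app-db",
        "Config": {"Image": "example/db:1.0"},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/data", "Destination": "/data",
             "Mode": "", "RW": True, "Propagation": "rprivate"},
            {"Type": "volume", "Name": "dbvol", "Destination": "/var/lib/db",
             "Mode": "z", "RW": True, "Propagation": ""},
        ],
    },
    {
        "Id": "0f1e2d3c4b5a",
        "Name": "/app-web",
        "Config": {"Image": "example/web:1.0"},
        "Mounts": [
            {"Type": "bind", "Source": "/srv/www", "Destination": "/www",
             "Mode": "ro,rshared", "RW": False, "Propagation": "rshared"},
        ],
    },
    {
        "Id": "9a8b7c6d5e4f",
        "Name": "/ucp-agent",
        "Config": {"Image": "docker/ucp-agent:3.2.0"},
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "Mode": "shared",
             "RW": True, "Propagation": "shared"},
        ],
    },
])

# Same exclusions as the STIG's grep: platform containers are out of scope.
PLATFORM_FRAGMENTS = ("ucp", "kube", "dtr")
# Propagation values that make this a finding.
FINDING_MODES = frozenset({"shared", "rshared"})


def is_platform_container(container):
    """Mirror grep -iv "ucp\\|kube\\|dtr": skip a container whose name or image
    mentions a Docker Enterprise platform component (case-insensitive)."""
    name = container.get("Name", "")
    image = container.get("Config", {}).get("Image", "")
    haystack = (name + " " + image).lower()
    return any(frag in haystack for frag in PLATFORM_FRAGMENTS)


def find_shared_propagation(inspect_json):
    """Return (id, name, destination, propagation) for every mount in
    `docker inspect` JSON whose propagation mode is shared or rshared."""
    findings = []
    for container in json.loads(inspect_json):
        if is_platform_container(container):
            continue
        for mnt in container.get("Mounts", []):
            prop = mnt.get("Propagation", "")  # "" for named volumes
            if prop in FINDING_MODES:
                findings.append((container["Id"], container.get("Name", ""),
                                 mnt.get("Destination", ""), prop))
    return findings


def volume_flag_violates(spec):
    """True when a --volume/-v spec (host:container[:opt,opt,...]) asks for
    shared or rshared propagation, as in the STIG's counter-example.
    Assumes Linux paths (no drive-letter colons)."""
    parts = spec.split(":")
    if len(parts) < 3:
        return False  # no options at all: Docker's default is rprivate
    return any(opt.lower() in FINDING_MODES for opt in parts[2].split(","))


if __name__ == "__main__":
    # Pipe real data in: docker inspect $(docker ps -aq) | python3 this.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for cid, name, dest, prop in find_shared_propagation(data):
        print(f"FINDING {cid} ({name}): {dest} Propagation={prop}")
    for spec in ("/hostPath:/containerPath:shared",
                 "/hostPath:/containerPath:ro,rslave"):
        print(spec, "->", "finding" if volume_flag_violates(spec) else "ok")
```

Run it on each node from a UCP client bundle as docker inspect $(docker ps -aq) | python3 check_propagation.py (the file name is arbitrary); with no input on stdin it evaluates the embedded sample, where only /app-web is reported because the ucp-agent container is excluded by name and the rprivate bind mount and the named volume are not findings.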

Documentable

False

Check Content Reference

M

Target Key

5281

Comments