SV-235812r627563_rule
V-235812
SRG-APP-000141
DKER-EE-002070
CAT I
10
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.
By default, seccomp profiles are enabled, so no action is necessary unless the user wants to modify the seccomp profile. Do not pass the unconfined security option (seccomp=unconfined) when running a container, because that disables the default seccomp profile. Refer to the seccomp documentation for details.
https://docs.docker.com/engine/security/seccomp/
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.
Ensure the default seccomp profile is not disabled.
via CLI:
Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:
docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'
If SecurityOpt contains seccomp=unconfined, then the container is running without any seccomp profile and this is a finding.
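The following shell functions are an added example, not part of the STIG text, that evaluate the output of the inspect command above and report each container whose SecurityOpt contains seccomp=unconfined. The sample lines embedded in the script are constructed to stand in for live docker inspect output; the function names seccomp_findings and seccomp_check are this example's own.

```sh
#!/bin/sh
# Added example (not STIG text): evaluate lines of the form
#   <container id>: SecurityOpt=[...]
# as produced by the check's docker inspect --format command, and report
# any container running without the default seccomp profile.

# Print the IDs of containers whose SecurityOpt disables seccomp.
# Matches the current "seccomp=unconfined" spelling and the legacy
# "seccomp:unconfined" form, case-insensitively. Reads stdin.
seccomp_findings() {
    grep -iE 'SecurityOpt=\[.*seccomp[=:]unconfined' | sed -E 's/^([^:]+):.*/\1/'
}

# Summarise the result: exit status 0 when no container is a finding,
# 1 when at least one container runs with seccomp unconfined.
seccomp_check() {
    findings=$(seccomp_findings)
    if [ -n "$findings" ]; then
        # $findings is unquoted on purpose: one FINDING line per ID
        printf 'FINDING: container %s runs with seccomp unconfined\n' $findings
        return 1
    fi
    echo "No containers with the default seccomp profile disabled"
    return 0
}

# Constructed sample standing in for the live docker inspect output
SAMPLE='abc123: SecurityOpt=[]
def456: SecurityOpt=[seccomp=unconfined]
789ghi: SecurityOpt=[no-new-privileges seccomp:unconfined]
jkl012: SecurityOpt=[apparmor=docker-default]'

# Stand-alone run over the sample. On a UCP node, replace the printf with
# the check's pipeline and pipe it into seccomp_check:
#   docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' \
#     | xargs docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' \
#     | seccomp_check
if printf '%s\n' "$SAMPLE" | seccomp_check; then
    echo "Result: compliant"
else
    echo "Result: finding(s) present"
fi
```

Two of the four constructed containers are reported (def456 and 789ghi); the check function's non-zero exit status makes the script usable from cron or a CI job that runs on every node in the cluster.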
V-235812
False
DKER-EE-002070
M
5281