SV-235817r627578_rule
V-235817
SRG-APP-000141
DKER-EE-002120
CAT I
10
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.
Do not share user namespaces between host and containers.
For example, do not run a container as below:
docker run --rm -it --userns=host <image>
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.
Ensure the host user namespace is not shared with containers.
via CLI:
Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'
Ensure that it does not return any value for UsernsMode. If it returns a value of host, it means the host user namespace is shared with the containers and this is a finding.
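The check above can be evaluated mechanically. The following is an added example, not part of the STIG text: a POSIX shell function that reads lines in the format produced by the docker inspect command above and reports any container whose UsernsMode is host. The container IDs in the sample output are constructed.

```shell
#!/bin/sh
# Added example: evaluate the output of the DKER-EE-002120 check command.
# Each input line is expected in the format produced by
#   docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}'
# Returns 0 when no container shares the host user namespace, 1 otherwise.
check_userns_lines() {
    findings=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        id=${line%%:*}                 # text before the first colon
        mode=${line##*UsernsMode=}     # text after "UsernsMode=" (empty when unset)
        if [ "$mode" = "host" ]; then
            echo "FINDING: container $id shares the host user namespace (UsernsMode=host)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Live variant: runs the STIG check command on the node and pipes it in.
# Requires the Docker CLI (for example via a UCP client bundle).
check_userns_live() {
    docker ps --quiet --all \
        | xargs docker inspect --format '{{ .Id }}: UsernsMode={{ .HostConfig.UsernsMode }}' \
        | check_userns_lines
}

# Constructed sample output: two compliant containers and one finding.
SAMPLE_OUTPUT='0a1b2c3d4e5f: UsernsMode=
6f7e8d9c0b1a: UsernsMode=host
1122334455aa: UsernsMode='

# Stand-alone demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | check_userns_lines || echo "Result: finding(s) present"
```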