STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Docker Enterprise incoming container traffic must be bound to a specific host interface.

DISA Rule

SV-235820r627587_rule

Vulnerability Number

V-235820

Group Title

SRG-APP-000142

Rule Version

DKER-EE-002160

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Bind the container port to a specific host interface on the desired host port.

Example:
docker run --detach --publish 10.2.3.4:49153:80 nginx

In the example above, container port 80 is bound to host port 49153 on the host's 10.2.3.4 interface only, so the container accepts incoming connections on that interface and not on any other host address.

Check Contents

Ensure incoming container traffic is bound to a specific host interface.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle to list all the running instances of containers and their port mapping:

docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'

Review the list and ensure that every published container port is tied to a particular host interface and not to the wildcard address 0.0.0.0. If any published port is bound to 0.0.0.0, this is a finding.

For example, if the above command returns the output below, the container can accept connections on port 49153 of any host interface, and this is a finding.

Ports=map[443/TCP:<nil> 80/TCP:[map[HostPort:49153 HostIp:0.0.0.0]]]

However, if the exposed port is tied to a particular interface on the host as below, then this recommendation is configured as desired and is compliant.

Ports=map[443/TCP:<nil> 80/TCP:[map[HostIp:10.2.3.4 HostPort:49153]]]
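The check above is done by eye over the `docker inspect` output. The script below is an added example (not part of the STIG or of STIGQter) that parses that same `Ports=map[...]` output and lists every published port bound to a wildcard host address, so the check can be scripted across all nodes. The container ids and the sample lines are constructed for the example; the assumed input format is exactly what the check command prints. As a caveat beyond the STIG text, it also treats the IPv6 wildcard `::` and an empty HostIp as all-interface bindings, because Docker binds to every interface in both cases.

```python
import re
import sys
from typing import Dict, List, Tuple

# Host addresses that mean "every interface" to Docker. 0.0.0.0 is the case the
# STIG names; "::" (IPv6) and "" (unset HostIp) are added here as a caveat,
# since Docker also publishes on all interfaces for those values.
WILDCARD_HOST_IPS = {"0.0.0.0", "::", ""}

# One container per line: "<id>: Ports=map[...]", as printed by
# docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'
LINE_RE = re.compile(r"^(?P<id>\S+):\s*Ports=map\[(?P<body>.*)\]\s*$")
# Each exposed port is "<port>/<proto>:" followed by "<nil>" (exposed but not
# published) or a bracketed list of host bindings.
PORT_RE = re.compile(r"(?P<port>\d+/[A-Za-z]+):(?P<val><nil>|\[(?:map\[[^\]]*\]\s*)*\])")
BINDING_RE = re.compile(r"map\[(?P<kv>[^\]]*)\]")

Binding = Tuple[str, str]  # (HostIp, HostPort)

# Constructed sample output; ids are placeholders, not real 64-hex container ids.
SAMPLE_OUTPUT = """\
aaa111: Ports=map[443/TCP:<nil> 80/TCP:[map[HostPort:49153 HostIp:0.0.0.0]]]
bbb222: Ports=map[443/TCP:<nil> 80/TCP:[map[HostIp:10.2.3.4 HostPort:49153]]]
ccc333: Ports=map[53/UDP:[map[HostIp:10.2.3.4 HostPort:5353] map[HostIp::: HostPort:5353]]]
ddd444: Ports=map[]
"""


def parse_line(line: str) -> Tuple[str, Dict[str, List[Binding]]]:
    """Parse one inspect line into (container id, {container port: [(HostIp, HostPort), ...]})."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised inspect output: {line!r}")
    ports: Dict[str, List[Binding]] = {}
    for pm in PORT_RE.finditer(m.group("body")):
        bindings: List[Binding] = []
        if pm.group("val") != "<nil>":
            for bm in BINDING_RE.finditer(pm.group("val")):
                fields = {}
                for token in bm.group("kv").split():
                    # Split on the first colon only, so an IPv6 HostIp such as "::" survives.
                    key, _, value = token.partition(":")
                    fields[key] = value
                bindings.append((fields.get("HostIp", ""), fields.get("HostPort", "")))
        ports[pm.group("port")] = bindings
    return m.group("id"), ports


def find_wildcard_bindings(output: str) -> List[Tuple[str, str, str, str]]:
    """Return (container id, container port, HostIp, HostPort) for every wildcard binding."""
    findings = []
    for line in output.splitlines():
        if not line.strip():
            continue
        cid, ports = parse_line(line)
        for cport, bindings in ports.items():
            for host_ip, host_port in bindings:
                if host_ip in WILDCARD_HOST_IPS:
                    findings.append((cid, cport, host_ip, host_port))
    return findings


if __name__ == "__main__":
    # Pipe the STIG check command into this script; with no stdin, run the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    for cid, cport, host_ip, host_port in find_wildcard_bindings(data):
        print(f"FINDING {cid}: {cport} published on {host_ip or '<empty>'}:{host_port}")
```

Run it as `docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}' | python3 check_ports.py` on each node (the file name is the example's own). An empty result is the compliant state; each printed line is a finding against DKER-EE-002160.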

Severity Override Guidance

Same as Check Contents above.

Check Content Reference

M

Target Key

5281

Comments