STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

Docker Enterprise container health must be checked at runtime.

DISA Rule

SV-235827r627608_rule

Vulnerability Number

V-235827

Group Title

SRG-APP-000247

Rule Version

DKER-EE-002770

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Run the container with --health-cmd (together with --health-interval, --health-timeout, --health-start-period and --health-retries as appropriate), or include a HEALTHCHECK instruction in the image's Dockerfile so that every container started from that image is checked at runtime.

Example:
docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx

Check Contents

Ensure container health is checked at runtime.

via CLI:

Linux: As a Docker EE Admin, using a Universal Control Plane (UCP) client bundle, run the following command and confirm that every running container reports a health status:

docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}'

Docker reports the status in lowercase as healthy, unhealthy or starting. A container with no HEALTHCHECK has no .State.Health object, so the template above errors out for it instead of printing a status; treat that the same as a missing health check.

If any container's Health is not "healthy" (including containers for which no status is returned), this is a finding.
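The script below is an added example and is not part of the STIG text or of Docker's own tooling. It packages the Fix Recommendation and the Check Contents above into shell functions: run_with_healthcheck starts a container with an explicit runtime health check, collect_health pulls a status line per running container, and evaluate_health turns those lines into findings. The function names, the 30s/5s/10s/3 health parameters, the curl-based default health command (which assumes the image ships curl) and the sample container IDs are all assumptions or constructed data, not values from the STIG. Unlike the STIG's one-liner, the inspect template used here tolerates containers with no HEALTHCHECK and reports them as findings rather than aborting the pipeline.

```shell
#!/bin/sh
# Added example for DKER-EE-002770: apply the fix and run the check.
# Nothing here is the STIG's or Docker's own code; names and parameters
# are assumptions.

# --- Fix: start a container with an explicit runtime health check ---------
# Equivalent Dockerfile form (for images you build yourself):
#   HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
#     CMD curl -fsS http://127.0.0.1/ || exit 1
# Usage: run_with_healthcheck IMAGE [HEALTH_CMD] [extra docker run args...]
# The default HEALTH_CMD assumes the image contains curl (assumption); the
# STIG's own example ('stat /etc/passwd || exit 1') only proves the
# filesystem is readable, so prefer a command that exercises the service.
run_with_healthcheck() {
  image=$1
  health_cmd=${2:-'curl -fsS http://127.0.0.1/ || exit 1'}
  shift 1
  if [ $# -gt 0 ]; then shift 1; fi
  docker run -d \
    --health-cmd="$health_cmd" \
    --health-interval=30s \
    --health-timeout=5s \
    --health-start-period=10s \
    --health-retries=3 \
    "$@" "$image"
}

# --- Check: report every container that is not currently "healthy" --------
# {{ .State.Health.Status }} alone errors with a nil-pointer message on a
# container that has no HEALTHCHECK; this template prints "none" for it.
HEALTH_FORMAT='{{ .Id }}: Health={{ if .State.Health }}{{ .State.Health.Status }}{{ else }}none{{ end }}'

# One status line per running container from the daemon in the current
# context (a UCP client bundle sets DOCKER_HOST and TLS variables).
# xargs -r (GNU/BusyBox) avoids calling inspect with no IDs at all.
collect_health() {
  docker ps --quiet | xargs -r docker inspect --format "$HEALTH_FORMAT"
}

# Read "ID: Health=STATUS" lines on stdin. Docker's statuses are lowercase:
# healthy, unhealthy, starting. Anything but "healthy" (including "none" and
# "starting") is printed as a finding. Returns 0 if clean, 1 otherwise.
evaluate_health() {
  awk -F'Health=' '
    /^$/ { next }
    {
      id = $1; sub(/: $/, "", id)
      status = ($2 == "") ? "(no status)" : $2
      if (status != "healthy") {
        printf "FINDING: %s reports %s\n", id, status
        findings++
      }
    }
    END { exit (findings > 0) }
  '
}

# Constructed sample inspect output with fake IDs, for offline testing.
SAMPLE_ALL_HEALTHY='c0ffee000001: Health=healthy
c0ffee000002: Health=healthy'
SAMPLE_MIXED='c0ffee000001: Health=healthy
c0ffee000002: Health=unhealthy
c0ffee000003: Health=starting
c0ffee000004: Health=none'

# Run the live check only when invoked as: sh this.sh audit
if [ "${1:-}" = "audit" ]; then
  collect_health | evaluate_health
fi
```

Against the constructed SAMPLE_MIXED input, evaluate_health reports three findings (unhealthy, starting and none) and exits 1; against SAMPLE_ALL_HEALTHY it prints nothing and exits 0, which is the pass condition for this rule.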

Documentable

False

Severity Override Guidance

Same as Check Contents above.


Check Content Reference

M

Target Key

5281

Comments