STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

PIDs cgroup limits must be used in Docker Enterprise.

DISA Rule

SV-235828r627611_rule

Vulnerability Number

V-235828

Group Title

SRG-APP-000247

Rule Version

DKER-EE-002780

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Use --pids-limit flag while launching the container with an appropriate value.

Example:
docker run -it --pids-limit 100 <Image_ID>
In the above example, the number of processes allowed to run at any given time is set to 100. Once 100 concurrently running processes are reached, Docker refuses any further process creation inside the container.

Check Contents

This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Ensure PIDs cgroup limit is used.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}'

Ensure that PidsLimit is not set to 0 or -1. A PidsLimit of 0 or -1 means that any number of processes can be forked inside the container concurrently. If the PidsLimit is set to either 0 or -1 then this is a finding.
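The following script is an added example, not part of the STIG or of STIGQter: it evaluates output in the format produced by the check command above ("<Id>: PidsLimit=<n>") and reports each container whose limit is 0 or -1 as a finding. The container IDs in the sample output are constructed.

```shell
#!/bin/sh
# Added example (not from the STIG or STIGQter): evaluate the output of the
# check command for findings. Each input line is expected in the format the
# check's --format template produces: "<container id>: PidsLimit=<n>".

# Reads "<id>: PidsLimit=<n>" lines on stdin, prints "FINDING <line>" for
# each container whose limit is 0 or -1 (and "OK <line>" otherwise), and
# exits 1 if at least one finding was seen.
check_pids_limits() {
  awk -F'PidsLimit=' '
    NF == 2 {
      # awk converts the value to a number; a non-numeric value such as
      # "<nil>" (an unset limit on newer Docker API versions) becomes 0
      # and is therefore treated as unlimited, the conservative result.
      limit = $2 + 0
      if (limit == 0 || limit == -1) { print "FINDING " $0; found = 1 }
      else { print "OK " $0 }
    }
    END { if (found) exit 1; exit 0 }'
}

# Runs the STIG check command against the live daemon (requires a UCP
# client bundle or local docker access) and pipes it through the evaluator.
audit_containers() {
  docker ps --quiet --all \
    | xargs docker inspect --format '{{ .Id }}: PidsLimit={{ .HostConfig.PidsLimit }}' \
    | check_pids_limits
}

# Constructed sample output standing in for the inspect command (IDs are fake).
SAMPLE_OUTPUT='0a1b2c3d4e5f: PidsLimit=100
1b2c3d4e5f6a: PidsLimit=0
2c3d4e5f6a7b: PidsLimit=-1
3d4e5f6a7b8c: PidsLimit=<nil>'

# Evaluates the constructed sample; exits 1 because three lines are findings.
demo() {
  printf '%s\n' "$SAMPLE_OUTPUT" | check_pids_limits
}

# Run the demo only when asked, so sourcing the file has no side effects.
[ "${1:-}" = "--demo" ] && demo
```

Run with `--demo` to see the sample evaluation, or call `audit_containers` from a session that already has the UCP client bundle loaded; a non-zero exit status means at least one container is a finding.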

Vulnerability Number

V-235828

Documentable

False

Rule Version

DKER-EE-002780

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments