STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Docker Enterprise network ports on all running containers must be limited to what is needed.

DISA Rule

SV-235837r627638_rule

Vulnerability Number

V-235837

Group Title

SRG-APP-000383

Rule Version

DKER-EE-003560

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Publish only needed ports for all container images and running containers per the requirements set forth by the SSP.

Update Dockerfiles and set or remove any EXPOSE lines accordingly.

To ignore exposed ports as defined by a Dockerfile during container start, do not pass the "-P/--publish-all" flag to the Docker commands.

When publishing needed ports at container start, use the "-p/--publish" flag to explicitly define the ports that are needed.

Check Contents

Verify that only needed ports are open on all running containers.

via CLI: As a Docker EE admin, execute the following command using a client bundle:

docker ps -q | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'

Review the list and ensure that the ports mapped are the ones really needed for the containers per the requirements set forth by the SSP.

If ports are not documented and approved in the SSP, this is a finding.
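The check above leaves the comparison against the SSP to the reviewer. The following added helper (not part of the STIG or of Docker Enterprise) automates it: it uses a Go template over the same inspect data to list only published ports (EXPOSEd-but-unpublished ports have a nil binding and are skipped), then flags any mapping that is absent from a hypothetical allowlist file holding one approved "<container-id> <port/proto>" pair per line.

```shell
#!/bin/sh
# Added audit helper, not STIG or Docker code. Compares published ports on
# running containers against an SSP-approved allowlist.
# Usage: collect_published_ports | audit_ports allowlist.txt

# Emit one line per running container: "<container-id> <port/proto> ...".
# Only ports with a host binding are listed; ports merely EXPOSEd in the
# Dockerfile appear in .NetworkSettings.Ports with a nil value and are skipped.
collect_published_ports() {
    docker ps -q | xargs docker inspect --format \
        '{{ .Id }}{{ range $port, $bind := .NetworkSettings.Ports }}{{ if $bind }} {{ $port }}{{ end }}{{ end }}'
}

# audit_ports ALLOWLIST
# Reads collector output on stdin. ALLOWLIST is a hypothetical file with one
# approved mapping per line: "<container-id> <port/proto>". Prints a FINDING
# line for every published port not in the allowlist; returns 1 if any were
# found (a finding under this rule), 0 otherwise.
audit_ports() {
    allowlist="$1"
    status=0
    while read -r cid ports; do
        for p in $ports; do
            # -F: literal match, -x: whole line must match
            if ! grep -qxF "$cid $p" "$allowlist"; then
                echo "FINDING: container $cid publishes $p, not approved in SSP"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample (not real inspect output) that exercises the audit
# offline: container abc123 publishes an approved and an unapproved port,
# container def456 publishes nothing.
demo() {
    allow=$(mktemp)
    printf '%s\n' 'abc123 80/tcp' > "$allow"
    printf '%s\n' 'abc123 80/tcp 2375/tcp' 'def456' | audit_ports "$allow"
    rm -f "$allow"
}
```

Run `demo` to see the one expected FINDING for 2375/tcp; in production, replace the constructed input with `collect_published_ports` piped into `audit_ports`.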

Documentable

False

Check Content Reference

M

Target Key

5281

Comments