STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date 23 Apr 2021

The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).

DISA Rule

SV-235844r627659_rule

Vulnerability Number

V-235844

Group Title

SRG-APP-000435

Rule Version

DKER-EE-004040

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Only override the default ulimit settings if needed and if so, document these settings in the SSP.

For example, to override the default nofile ulimit (the value is given as soft:hard) when starting a container:

docker run --ulimit nofile=1024:1024 --interactive --tty [image] [command]

Check Contents

This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Ensure the default ulimit is not overwritten at runtime unless approved in the SSP.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Ulimits={{ .HostConfig.Ulimits }}'

If each container instance returns Ulimits=<no value>, this is not a finding.

If a container sets a Ulimit and the setting is not approved in the SSP, this is a finding.
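The check above is a manual one: an administrator eyeballs one line per container. The following is an added example (not part of the STIG or of STIGQter) that automates the same decision over the JSON that `docker ps --quiet --all | xargs docker inspect` prints, treating a nil HostConfig.Ulimits as "no override" and flagging every override that does not match an SSP-approved allowlist exactly. The allowlist (`SSP_APPROVED`) and the three sample containers are constructed for illustration; a real SSP would supply the approved values.

```python
"""Automated evaluation of DKER-EE-004040 against `docker inspect` JSON.

Added example, not the STIG's or STIGQter's own code. Feed it the output of
`docker ps --quiet --all | xargs docker inspect` on stdin; with no stdin it
runs against a constructed sample so it can be exercised offline.
"""
import json
import sys

# Hypothetical SSP-approved overrides: limit name -> (soft, hard).
# Any container ulimit that is not listed here with the same values is a finding.
SSP_APPROVED = {
    "nofile": (65536, 65536),
}

# Constructed sample of `docker inspect` output, trimmed to the fields the check reads.
# Container "web" has no override (Ulimits is null, which the STIG's Go template
# prints as "<no value>"); "db" matches the allowlist; "batch" does not.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1" * 32, "Name": "/web", "HostConfig": {"Ulimits": None}},
    {"Id": "b2" * 32, "Name": "/db",
     "HostConfig": {"Ulimits": [{"Name": "nofile", "Soft": 65536, "Hard": 65536}]}},
    {"Id": "c3" * 32, "Name": "/batch",
     "HostConfig": {"Ulimits": [{"Name": "nofile", "Soft": 1024, "Hard": 1024},
                                {"Name": "nproc", "Soft": 4096, "Hard": 8192}]}},
])


def evaluate(inspect_json, approved=SSP_APPROVED):
    """Return (findings, reviewed).

    findings: list of (short container id, container name, "name=soft:hard")
              for every ulimit override that is not exactly in `approved`.
    reviewed: number of containers examined (running and stopped alike, since
              the STIG pipeline uses `docker ps --all`).
    """
    findings = []
    reviewed = 0
    for container in json.loads(inspect_json):
        reviewed += 1
        # A nil Ulimits means the engine default applies: not a finding.
        ulimits = container.get("HostConfig", {}).get("Ulimits") or []
        for u in ulimits:
            if approved.get(u["Name"]) != (u["Soft"], u["Hard"]):
                findings.append((
                    container["Id"][:12],
                    container.get("Name", "").lstrip("/"),   # inspect prefixes names with "/"
                    f"{u['Name']}={u['Soft']}:{u['Hard']}",
                ))
    return findings, reviewed


def main():
    data = "" if sys.stdin.isatty() else sys.stdin.read()
    if not data.strip():
        data = SAMPLE_INSPECT
    findings, reviewed = evaluate(data)
    for cid, name, limit in findings:
        print(f"FINDING {cid} ({name}): {limit} not approved in SSP")
    print(f"{reviewed} container(s) reviewed, {len(findings)} finding(s)")
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Two caveats when wiring this into the STIG's pipeline: on a host with no containers at all, `xargs` still invokes `docker inspect` with no arguments and it errors, so use GNU `xargs -r` (`--no-run-if-empty`) there; and the allowlist comparison is deliberately exact, because an override that is "close to" the documented value is still an undocumented change.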

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments