TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
DISA Rule
SV-235776r627455_rule
Vulnerability Number
V-235776
Group Title
SRG-APP-000014
Rule Version
DKER-EE-001050
Severity
CAT II
CCI(s)
- CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
- CCI-000381 - The organization configures the information system to provide only essential capabilities.
- CCI-000382 - The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
- CCI-001184 - The information system protects the authenticity of communications sessions.
- CCI-001762 - The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.
- CCI-002418 - The information system protects the confidentiality and/or integrity of transmitted information.
- CCI-002420 - The information system maintains the confidentiality and/or integrity of information during preparation for transmission.
- CCI-002421 - The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards.
- CCI-002422 - The information system maintains the confidentiality and/or integrity of information during reception.
Weight
10
Fix Recommendation
This fix only applies to Docker Engine - Enterprise nodes that are part of a UCP cluster.
Apply this fix to every node in the cluster.
(Linux) Execute the following command to open an override file for docker.service:
sudo systemctl edit docker.service
Remove any "-H" host daemon flags from the "ExecStart=/usr/bin/dockerd" line in the override file.
Save the file and reload the config with the following command:
sudo systemctl daemon-reload
Restart Docker with the following command:
sudo systemctl restart docker.service
Check Contents
This check only applies to the Docker Engine - Enterprise component of Docker Enterprise.
via CLI:
Linux: Verify the daemon has not been started with the "-H TCP://[host]" argument by running the following command:
ps -ef | grep dockerd
If the only "-H" argument present is "-H UNIX://[socket path]" (a local Unix socket), this is not a finding.
If the "-H TCP://[host]" argument appears in the output, this is a finding.
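The check and fix above as one runnable POSIX shell script. This is an added example, not text or tooling from the STIG or from Docker: it applies the check to a captured dockerd command line and to a daemon.json body, and produces the ExecStart line the fix calls for. It assumes that on a live node the command line is taken from ps and daemon.json from /etc/docker/daemon.json; every sample input in the block is constructed, not captured from a real node.

```shell
#!/bin/sh
# Added example for DKER-EE-001050; not part of the STIG. Audits a dockerd
# command line and a daemon.json body for TCP listeners and rewrites an
# ExecStart/command line without them. All sample inputs are constructed.
# Assumption: in a live audit the command line comes from
# `ps -eo args= -C dockerd` and the JSON from `cat /etc/docker/daemon.json`.

# Print each TCP host from a dockerd command line, one per line. Matches
# "-H tcp://...", "-H=tcp://...", "--host tcp://..." and "--host=tcp://...";
# case-insensitive so the STIG's "TCP://" spelling is covered as well.
dockerd_tcp_hosts() {
    printf '%s\n' "$1" |
        grep -oiE '(-H[ =]*|--host[ =]+)tcp://[^[:space:]]*' |
        sed -E 's/^(-H[ =]*|--host[ =]+)//'
}

# Print each TCP host listed in a daemon.json "hosts" array. A daemon that
# gets its listeners from daemon.json shows no "-H" in ps output, so the
# ps-based check alone would miss it. Plain text scan; no JSON parser needed.
daemon_json_tcp_hosts() {
    printf '%s\n' "$1" | grep -oiE '"tcp://[^"]*"' | tr -d '"'
}

# Fix helper: return the line with every TCP host flag removed. Unix-socket
# and fd:// hosts are kept; if no -H remains at all, dockerd falls back to
# unix:///var/run/docker.sock, which is also compliant with this rule.
strip_tcp_hosts() {
    printf '%s\n' "$1" |
        sed -E 's#[[:space:]]+(-H[[:space:]=]*|--host[[:space:]=]+)[Tt][Cc][Pp]://[^[:space:]]*##g'
}

# Combined verdict in the STIG's own words: "finding" if either the command
# line or daemon.json configures a TCP listener, otherwise "not a finding".
stig_verdict() {
    if [ -n "$(dockerd_tcp_hosts "$1")" ] || [ -n "$(daemon_json_tcp_hosts "$2")" ]; then
        printf 'finding\n'
    else
        printf 'not a finding\n'
    fi
}

# Constructed sample inputs (not captured from a real node).
SAMPLE_BAD='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock'
SAMPLE_GOOD='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
SAMPLE_EQ='/usr/bin/dockerd --host=tcp://127.0.0.1:2375 -H unix:///var/run/docker.sock'
SAMPLE_JSON_BAD='{ "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"] }'
SAMPLE_JSON_GOOD='{ "hosts": ["unix:///var/run/docker.sock"], "log-level": "info" }'

printf 'TCP on command line: %s\n' "$(stig_verdict "$SAMPLE_BAD" "$SAMPLE_JSON_GOOD")"
printf 'TCP in daemon.json:  %s\n' "$(stig_verdict "$SAMPLE_GOOD" "$SAMPLE_JSON_BAD")"
printf 'clean node:          %s\n' "$(stig_verdict "$SAMPLE_GOOD" "$SAMPLE_JSON_GOOD")"
printf 'fixed line:          ExecStart=%s\n' "$(strip_tcp_hosts "$SAMPLE_BAD")"
```

On a node, feed the functions `"$(ps -eo args= -C dockerd)"` rather than `ps -ef | grep dockerd`: the `-C` form lists only the daemon, while the grep form also lists the grep itself. Three caveats when applying the fix: an `-H fd://` host delegates listening to docker.socket, so its `ListenStream=` entries must not name a TCP port either; dockerd refuses to start when "hosts" is set both on the command line and in daemon.json, so correct whichever one is in use and do not add the other; and a systemd drop-in created with `systemctl edit` can only replace ExecStart after an empty `ExecStart=` line has cleared the inherited one.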
Documentable
False
Severity Override Guidance
Check Content Reference
M
Target Key
5281
Comments