SV-235783r627476_rule
V-235783
SRG-APP-000033
DKER-EE-001190
CAT II
10
This fix only applies to the use of Docker Engine - Enterprise.
Do not mount sensitive host directories into containers, especially in read-write mode.
This check only applies to the use of Docker Engine - Enterprise.
Verify that no running containers have mounted sensitive host system directories. Refer to the System Security Plan for the list of sensitive folders.
via CLI:
Execute the following command as a trusted user on the host operating system:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep -iv "ucp\|kubelet\|dtr"
Verify in the output that no containers are running with mounted RW access to sensitive host system directories. If there are containers mounted with RW access to sensitive host system directories, this is a finding.
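As an added example (not part of the STIG text), the check above can be automated with a small POSIX sh script. It assumes an inspect Go template that emits one line per mount (not the STIG's own format string) and a sample list of sensitive host paths; the authoritative list comes from the System Security Plan.

```sh
# Added example, not part of the STIG: automate the RW-sensitive-mount check.
# Input lines come from an assumed inspect template (one line per mount):
#   docker ps --quiet --all | xargs docker inspect --format \
#     '{{range .Mounts}}{{$.Id}} {{.Type}} {{.Source}} {{.Destination}} {{.RW}}{{"\n"}}{{end}}'
# SENSITIVE_DIRS is an assumed sample; take the real list from the System Security Plan.
SENSITIVE_DIRS="/ /boot /dev /etc /lib /proc /sys /usr /var/run/docker.sock"

# is_sensitive PATH: succeeds when PATH equals or lies under a sensitive directory
is_sensitive() {
    for d in $SENSITIVE_DIRS; do
        case "$1" in
            "$d"|"$d"/*) return 0 ;;
        esac
    done
    return 1
}

# flag_rw_sensitive: reads "ID TYPE SOURCE DESTINATION RW" lines on stdin and
# prints "FINDING <id> <source> -> <destination>" for each read-write bind mount
# of a sensitive host path. Platform mounts (UCP/kubelet/DTR) are skipped,
# mirroring the STIG's grep -iv filter. Paths containing spaces are not handled.
flag_rw_sensitive() {
    while read -r id mtype src dst rw; do
        printf '%s %s %s\n' "$id" "$src" "$dst" | grep -iqE 'ucp|kubelet|dtr' && continue
        [ "$mtype" = "bind" ] && [ "$rw" = "true" ] || continue
        is_sensitive "$src" && printf 'FINDING %s %s -> %s\n' "$id" "$src" "$dst"
    done
    return 0
}

# Constructed sample of the template output above (container IDs are placeholders)
SAMPLE_MOUNTS='c1a2b3 bind /etc /host-etc true
c1a2b3 volume /var/lib/docker/volumes/appdata/_data /data true
d4e5f6 bind /var/log /logs false
d4e5f6 bind /var/run/docker.sock /var/run/docker.sock true
a7b8c9 bind /var/lib/docker/ucp /ucp true
'

# check_sample: run the detector over the constructed sample; two findings expected
check_sample() {
    printf '%s' "$SAMPLE_MOUNTS" | flag_rw_sensitive
}

check_sample
```

Any FINDING line is a finding under this rule; the volume mount, the read-only bind and the UCP platform mount in the sample are correctly ignored.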