STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version: 2, Release: 1, Benchmark Date: 23 Apr 2021

An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.

DISA Rule

SV-235799r627524_rule

Vulnerability Number

V-235799

Group Title

SRG-APP-000141

Rule Version

DKER-EE-001930

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise on the Ubuntu host operating system where AppArmor is in use and should be executed on all nodes in a Docker Enterprise cluster.

Run all containers using an AppArmor profile:

via CLI:

Linux: Install AppArmor (if not already installed).

Create/import an AppArmor profile (if not using the "docker-default" profile). Put the profile in "enforce" mode. Docker does not load AppArmor profiles itself, so a custom profile must already be loaded into the kernel (for example with apparmor_parser) before a container references it; otherwise the container fails to start. Execute the following command as a trusted user on the host operating system to run the container using the customized AppArmor profile:

docker run [options] --security-opt="apparmor:[PROFILENAME]" [image] [command]

The ":" separator above is the legacy form; current Docker releases accept "--security-opt apparmor=[PROFILENAME]", the form used in the next command.

If using the "docker-default" default profile, run the container using the following command instead:

docker run [options] --security-opt apparmor=docker-default [image] [command]

On an Ubuntu host with AppArmor enabled, Docker applies "docker-default" automatically to non-privileged containers that specify no profile; privileged containers run "unconfined" unless a profile is given explicitly, so the flag is required there.

Check Contents

This check only applies to the use of Docker Engine - Enterprise on the Ubuntu host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Verify that all running containers include a valid AppArmor profile:

via CLI:

Linux: Execute the following command as a trusted user on the host operating system:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}'

Verify that all containers include a valid AppArmor profile in the output. A line showing an empty value ("AppArmorProfile=") or "unconfined" means that container runs without AppArmor confinement. If any container does not show a valid profile, then this is a finding. Note that "--all" also lists exited and created-but-never-started containers; confirm each finding against the running containers in "docker ps" before acting on it.
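The fix and check procedures above (load a profile in enforce mode, start a container under it, then audit every container on the node with the STIG's inspect command) combined in one shell script. This is an added example, not part of the STIG text or of Docker's own tooling. The profile name docker-nginx-hardened, its path under /etc/apparmor.d, the nginx:stable image, the container name and the aa-status text layout parsed by the enforce-mode check are assumptions. The classifier for the check output is exercised on a constructed sample of inspect output, so that part runs without a Docker daemon.

```sh
#!/bin/sh
# Added example, not part of the STIG text or of Docker's own tooling.
# Assumptions: a custom profile named docker-nginx-hardened installed under
# /etc/apparmor.d, an nginx image, and the aa-status text layout for parsing.
set -eu

PROFILE_NAME="${PROFILE_NAME:-docker-nginx-hardened}"   # assumed custom profile name
PROFILE_PATH="/etc/apparmor.d/${PROFILE_NAME}"           # assumed profile location
IMAGE="${IMAGE:-nginx:stable}"                           # assumed image
CONTAINER_NAME="${CONTAINER_NAME:-web-confined}"         # assumed container name

# Constructed sample of the STIG check command's output (fake IDs), used below
# to exercise the classifier without a Docker daemon.
SAMPLE_CHECK_OUTPUT='3f2a9c1d7b6e: AppArmorProfile=docker-default
a81b0c44e9f2: AppArmorProfile=docker-nginx-hardened
5c7d2e910aa3: AppArmorProfile=
9e0f1b2c3d4a: AppArmorProfile=unconfined'

# Step 1 (fix): AppArmor must be installed and enabled in the kernel.
ensure_apparmor() {
    command -v apparmor_parser >/dev/null 2>&1 \
        || sudo apt-get install -y apparmor apparmor-utils
    [ "$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null)" = "Y" ]
}

# True when NAME is listed in the enforce-mode section of aa-status. Docker
# never loads profiles itself, so this must hold before docker run references it.
profile_in_enforce_mode() {
    sudo aa-status 2>/dev/null \
        | sed -n '/profiles are in enforce mode/,/profiles are in complain mode/p' \
        | grep -qx " *$1"
}

# Step 2 (fix): load the profile and force enforce mode. apparmor_parser -r
# replaces an already loaded copy; aa-enforce flips complain mode to enforce.
load_profile_enforce() {
    sudo apparmor_parser -r "$PROFILE_PATH"
    sudo aa-enforce "$PROFILE_PATH"
    profile_in_enforce_mode "$PROFILE_NAME"
}

# Step 3 (fix): start the container confined by the profile (the STIG's form,
# using the current "=" separator).
run_confined() {
    docker run -d --name "$CONTAINER_NAME" \
        --security-opt "apparmor=$PROFILE_NAME" "$IMAGE"
}

# Classify one line of check output ("<id>: AppArmorProfile=<name>"). An empty
# value, "<no value>" or "unconfined" means no AppArmor confinement: a finding.
classify_profile_line() {
    line="$1"
    case "$line" in
        *AppArmorProfile=*) ;;
        *) printf 'FINDING\n'; return 0 ;;   # unparseable line: cannot verify
    esac
    profile="${line#*AppArmorProfile=}"
    case "$profile" in
        ""|"<no value>"|"unconfined") printf 'FINDING\n' ;;
        *)                            printf 'ok\n' ;;
    esac
}

# Read check output on stdin, print a verdict per container, and return
# non-zero if any container is unconfined.
audit_check_output() {
    findings=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        verdict=$(classify_profile_line "$line")
        printf '%s %s\n' "$verdict" "$line"
        if [ "$verdict" = "FINDING" ]; then findings=$((findings + 1)); fi
    done
    [ "$findings" -eq 0 ]
}

# Step 4 (check): the STIG command, piped through the classifier. "--all" also
# lists exited or never-started containers, so confirm each finding against
# "docker ps" before acting on it.
audit_node() {
    docker ps --quiet --all \
        | xargs docker inspect --format '{{ .Id }}: AppArmorProfile={{ .AppArmorProfile }}' \
        | audit_check_output
}

# "fix" applies steps 1-3 on this node, "audit" runs step 4, "demo" runs the
# classifier over the constructed sample. With no argument only the functions
# are defined, so the file can be sourced.
case "${1:-}" in
    fix)   ensure_apparmor && load_profile_enforce && run_confined ;;
    audit) audit_node ;;
    demo)  printf '%s\n' "$SAMPLE_CHECK_OUTPUT" | audit_check_output ;;
    *)     ;;
esac
```

Run it with "fix" on each node after placing the profile file, then with "audit"; a non-zero exit from "audit" means at least one container on that node lacks AppArmor confinement. "demo" shows the two findings in the constructed sample (the empty and the "unconfined" profile).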

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments