STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.

DISA Rule

SV-235800r627527_rule

Vulnerability Number

V-235800

Group Title

SRG-APP-000141

Rule Version

DKER-EE-001940

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise on either the Red Hat Enterprise Linux or CentOS host operating systems where SELinux is in use and should be executed on all nodes in a Docker Enterprise cluster.

Start the Docker daemon with SELinux mode enabled. Run Docker containers using appropriate security options.

via CLI:

Linux: Set the SELinux state. Set the SELinux policy. Create or import an SELinux policy template for Docker containers. Start the Docker daemon with SELinux mode enabled, either by adding the "--selinux-enabled" flag to the systemd drop-in file or by setting the "selinux-enabled" property to "true" in the "/etc/docker/daemon.json" daemon configuration file. Then restart the Docker daemon.

Check Contents

This check only applies to the use of Docker Engine - Enterprise on either the Red Hat Enterprise Linux or CentOS host operating systems where SELinux is in use and should be executed on all nodes in a Docker Enterprise cluster.

Verify that the appropriate security options are configured for all running containers:

via CLI:

Linux: Execute the following command as a trusted user on the host operating system:

docker ps --quiet --all | xargs docker inspect --format '{{ .Name }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' | grep -iv "ucp\|kube\|dtr"

If SecurityOpt=[label=disable], then this is a finding.
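Added example, not part of the STIG text or the STIGQter tool: a POSIX shell script that applies this check's decision rule (label=disable on any container outside the ucp/kube/dtr exclusion) to the output of the pipeline above, and also tests a daemon.json for the "selinux-enabled" setting the fix calls for. The pipeline output and daemon.json below are constructed samples, and the function names are the example's own.

```shell
# Constructed output of the STIG's pipeline
# (docker ps --quiet --all | xargs docker inspect --format ...); not real hosts.
SAMPLE_INSPECT='/web: SecurityOpt=[label=disable]
/db: SecurityOpt=[]
/ucp-agent: SecurityOpt=[label=disable]
/batch: SecurityOpt=[no-new-privileges label=disable]
/api: SecurityOpt=[seccomp=default.json]'

# Reads pipeline output on stdin and prints the name of every container that
# is a finding: SecurityOpt contains "label=disable" and the container is not
# one of the ucp/kube/dtr system containers the STIG check excludes.
selinux_findings() {
    grep -ivE 'ucp|kube|dtr' | grep 'label=disable' | sed 's/^\([^:]*\):.*/\1/'
}

# Returns 0 if the daemon.json given as $1 sets "selinux-enabled": true, else 1.
daemon_selinux_enabled() {
    grep -qE '"selinux-enabled"[[:space:]]*:[[:space:]]*true' "$1"
}

# Runs both checks against the constructed data; returns 1 on any finding.
run_check() {
    tmp=$(mktemp)
    # Constructed daemon.json carrying the weak (default) setting.
    printf '{\n  "selinux-enabled": false\n}\n' > "$tmp"
    if daemon_selinux_enabled "$tmp"; then
        echo "daemon.json: selinux-enabled is true"
    else
        echo "FINDING: daemon.json does not set selinux-enabled to true"
    fi
    rm -f "$tmp"
    findings=$(printf '%s\n' "$SAMPLE_INSPECT" | selinux_findings | tr '\n' ' ')
    if [ -n "$findings" ]; then
        echo "FINDING (V-235800): label=disable on: $findings"
        return 1
    fi
    echo "PASS: no container disables SELinux labeling"
}

# Demo run; a finding makes run_check return 1, so report it without aborting.
run_check || echo "exit status: finding(s) present"
```

On a real node, replace SAMPLE_INSPECT with the live pipeline output and point daemon_selinux_enabled at /etc/docker/daemon.json.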

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments