SV-235802r672378_rule
V-235802
SRG-APP-000141
DKER-EE-001960
CAT II
10
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.
Do not run containers with the --privileged flag. Where a workload needs a specific privilege, grant only the individual Linux capability it requires (for example with --cap-add) and record that capability in the SSP.
For example, do not start a container as below:
docker run --interactive --tty --privileged centos /bin/bash
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.
Verify that no containers are running with the --privileged flag. The --privileged flag grants the container every Linux capability, lifts the device cgroup restrictions so it can reach host devices, and disables the default seccomp and AppArmor confinement; a process in such a container is effectively root on the host. Any capabilities a container needs must be specified individually in the System Security Plan (SSP) rather than allowing full privileges.
via CLI:
Linux: Execute the following command as a trusted user on the host operating system:
docker ps --all --format '{{.ID}} {{.Names}}' | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs -r docker inspect --format '{{ .Id }}: Privileged={{ .HostConfig.Privileged }}'
The grep excludes the UCP, Kubernetes and DTR platform containers by name, which is why the command prints the container name alongside the ID rather than using --quiet (with IDs alone the name filter would never match). Because --all is used, stopped containers are listed as well; a stopped container with Privileged=true becomes privileged as soon as it is started, so treat it the same way.
Verify in the output that no containers are running with the --privileged flag (Privileged=true). If there are, then this is a finding.
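As an added example (not part of the STIG text or of Docker's own tooling), the following Python script performs the same audit against the JSON that `docker inspect` returns, so the logic can be exercised offline on the constructed sample records embedded in it. It applies the same UCP/Kubernetes/DTR name exclusions as the command above, and also records each flagged container's running state and any explicitly added capabilities, since those are what the SSP must account for. The container names, IDs and the `audit_privileged` / `inspect_all_containers` function names are assumptions made for this example.

```python
"""Audit Docker containers for --privileged (DKER-EE-001960 style check).

Added example, not DISA's or Docker's code. It works on `docker inspect`
JSON, reports every non-platform container whose HostConfig.Privileged is
true, and exits non-zero when there is a finding.
"""
import json
import subprocess
from typing import Dict, Iterable, List

# Same exclusions as the STIG's grep: UCP, Kubernetes and DTR platform containers.
PLATFORM_NAME_PATTERNS = ("ucp", "kube", "dtr")


def is_platform_container(name: str) -> bool:
    """True for UCP/Kubernetes/DTR infrastructure containers, which the check skips."""
    lowered = name.lower()
    return any(pattern in lowered for pattern in PLATFORM_NAME_PATTERNS)


def audit_privileged(inspect_docs: Iterable[Dict]) -> List[Dict]:
    """Return one finding per non-platform container with Privileged=true.

    Each finding records the ID, name, running state and any explicitly added
    capabilities. Stopped containers are included on purpose: they become
    privileged the moment they are started.
    """
    findings = []
    for doc in inspect_docs:
        name = doc.get("Name", "").lstrip("/")
        if is_platform_container(name):
            continue
        host_config = doc.get("HostConfig", {})
        if host_config.get("Privileged") is True:
            findings.append({
                "id": doc.get("Id", ""),
                "name": name,
                "running": bool(doc.get("State", {}).get("Running", False)),
                "cap_add": host_config.get("CapAdd") or [],
            })
    return findings


def inspect_all_containers() -> List[Dict]:
    """Collect `docker inspect` JSON for every container (running or stopped) on this node."""
    ids = subprocess.run(
        ["docker", "ps", "--all", "--quiet"],
        check=True, capture_output=True, text=True,
    ).stdout.split()
    if not ids:
        return []
    raw = subprocess.run(
        ["docker", "inspect"] + ids,
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(raw)


# Constructed sample records (not captured from a real host): one hardened
# container, one privileged stopped container, one privileged platform container.
SAMPLE_INSPECT = [
    {"Id": "a1", "Name": "/web", "State": {"Running": True},
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"]}},
    {"Id": "b2", "Name": "/debug-shell", "State": {"Running": False},
     "HostConfig": {"Privileged": True, "CapAdd": None}},
    {"Id": "c3", "Name": "/ucp-agent", "State": {"Running": True},
     "HostConfig": {"Privileged": True, "CapAdd": None}},
]


def main() -> int:
    try:
        docs = inspect_all_containers()
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        # No usable Docker daemon here; fall back to the constructed sample.
        print(f"docker not available ({exc}); auditing constructed sample instead")
        docs = SAMPLE_INSPECT
    findings = audit_privileged(docs)
    for f in findings:
        state = "running" if f["running"] else "stopped"
        print(f"FINDING {f['id']} {f['name']} ({state}): Privileged=true CapAdd={f['cap_add']}")
    if not findings:
        print("no privileged containers outside the platform exclusions")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as a trusted user on each node; a non-zero exit means at least one finding. On the constructed sample only `debug-shell` is reported: `web` is not privileged, and `ucp-agent` is excluded by the platform name filter even though it is privileged.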