STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Docker Enterprise hosts network namespace must not be shared.

DISA Rule

SV-235805r627542_rule

Vulnerability Number

V-235805

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002000

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Do not pass --net=host or --network=host options when starting the container.

For example, when executing docker run, do not use the --net=host or --network=host arguments.

A more detailed reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.

Check Contents

Ensure the host's network namespace is not shared.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'

If the above command returns NetworkMode=host, this is a finding.
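The same evaluation can be automated against the raw JSON that docker inspect emits, so stopped containers (included by docker ps --all) are judged too. This is an added example, not part of the STIG text; it assumes the JSON was collected with docker ps --all --quiet | xargs docker inspect and mirrors the STIG's grep filter by skipping containers whose name matches ucp, kube or dtr. The sample data is constructed.

```python
"""Evaluate DKER-EE-002000 (host network namespace must not be shared)
from the JSON array that `docker inspect` prints for a set of containers.

Assumption (not from the STIG): input was produced by
`docker ps --all --quiet | xargs docker inspect`, and platform containers
are excluded by name, mirroring the STIG's grep -iv "ucp\|kube\|dtr".
"""
import json
import re

# Same exclusion the STIG applies with grep -iv "ucp\|kube\|dtr"
SYSTEM_CONTAINER = re.compile(r"ucp|kube|dtr", re.IGNORECASE)


def find_host_network_containers(inspect_json: str) -> list[dict]:
    """Return one record per non-system container whose HostConfig.NetworkMode is 'host'."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")  # docker inspect prefixes names with '/'
        if SYSTEM_CONTAINER.search(name):
            continue
        mode = c.get("HostConfig", {}).get("NetworkMode", "")
        if mode == "host":
            findings.append({"id": c["Id"][:12], "name": name,
                             "status": c.get("State", {}).get("Status", "unknown")})
    return findings


# Constructed sample (not from a real cluster): three containers, one of which
# is a stopped application container that would rejoin the host namespace on restart.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a" * 64, "Name": "/web", "State": {"Status": "running"},
     "HostConfig": {"NetworkMode": "bridge"}},
    {"Id": "b" * 64, "Name": "/metrics-agent", "State": {"Status": "exited"},
     "HostConfig": {"NetworkMode": "host"}},
    {"Id": "c" * 64, "Name": "/ucp-agent", "State": {"Status": "running"},
     "HostConfig": {"NetworkMode": "host"}},  # platform container, excluded like the STIG's grep
])

if __name__ == "__main__":
    findings = find_host_network_containers(SAMPLE_INSPECT)
    for f in findings:
        print(f"FINDING: {f['id']} ({f['name']}, {f['status']}) NetworkMode=host")
    raise SystemExit(1 if findings else 0)
```

Exit status 1 marks the node as a finding, which makes the script usable in a scheduled compliance job.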

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments