STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Memory usage for all containers must be limited in Docker Enterprise.

DISA Rule

SV-235806r627545_rule

Vulnerability Number

V-235806

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Document container memory requirements in the System Security Plan (SSP).

Run the container with only as much memory as required. Always run the container using the --memory argument.

For example, run a container as below:

docker run --interactive --tty --memory 256m centos /bin/bash

In the above example, the container is started with a memory limit of 256 MB.

Note: The command below prints the limit as a raw byte count. Depending on the Docker release, that value appears either as a plain integer (268435456) or in scientific notation (2.68435456e+08); it is never shown as 256m. The field to inspect is .HostConfig.Memory, the same field the check command uses; a value of 0 means no limit is set.

docker inspect --format='{{.HostConfig.Memory}}' 7c5a2d4c7fe0

For example, if the memory limit is set to 256m (256 MiB) for the above container instance, the output of the above command is 268435456 (or 2.68435456e+08), NOT 256m. Convert this value to MiB by dividing by 1048576 (1024*1024), using a calculator or programmatic methods.

Check Contents

Ensure memory limits are in place for all containers.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}'

If any line of the output reports Memory=0, no memory limit is set for that container and this is a finding.
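The following script automates the check above. It is an added example, not part of the STIG and not Docker's own tooling. It consumes the exact "<id>: Memory=<value>" lines the check command prints, converts the value to an integer byte count (accepting both the plain integer and the scientific notation the fix text mentions), reports every container whose HostConfig.Memory is 0 as a finding, and ends with a FINDINGS count that can drive a pass/fail decision. When invoked with --live it assumes a UCP client bundle has already been sourced so that docker targets the cluster; the container IDs and values embedded in the script are constructed sample data.

```shell
#!/usr/bin/env bash
# Added example for DKER-EE-002010 (not part of the STIG or Docker).
# Assumption: with --live, a UCP client bundle is already sourced.

# Convert the value printed by `docker inspect` to an integer byte count.
# Handles plain integers (268435456) and the scientific notation
# (2.68435456e+08) that some Docker releases print.
to_bytes() {
  awk -v v="$1" 'BEGIN { printf "%d\n", v + 0 }'
}

# Read "<id>: Memory=<value>" lines on stdin (the format produced by the
# STIG's check command), print one verdict per container, and finish with
# a "FINDINGS <n>" line giving the number of containers with no limit.
assess_memory_limits() {
  local findings=0 line id raw bytes
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    id=${line%%:*}          # text before the first colon
    raw=${line##*Memory=}   # text after "Memory="
    bytes=$(to_bytes "$raw")
    if [ "$bytes" -eq 0 ]; then
      printf 'FINDING %s no memory limit (HostConfig.Memory=0)\n' "$id"
      findings=$((findings + 1))
    else
      printf 'OK      %s limit=%d MiB\n' "$id" $((bytes / 1048576))
    fi
  done
  printf 'FINDINGS %d\n' "$findings"
}

# Findings count only, for scripting: 0 means every container is limited.
count_findings() {
  assess_memory_limits | awk '/^FINDINGS/ { print $2 }'
}

# Constructed sample output, as the check command might return it on a node
# with two limited containers (one printed in scientific notation) and two
# unlimited ones. IDs are made up.
SAMPLE='7c5a2d4c7fe0e1b2: Memory=268435456
a1b2c3d4e5f6a7b8: Memory=0
0f1e2d3c4b5a6978: Memory=2.68435456e+08
9988776655443322: Memory=0'

if [ "${1:-}" = "--live" ]; then
  # Real run against the cluster: same command as the STIG check content.
  docker ps --quiet --all \
    | xargs docker inspect --format '{{ .Id }}: Memory={{ .HostConfig.Memory }}' \
    | assess_memory_limits
else
  # Offline run over the constructed sample.
  printf '%s\n' "$SAMPLE" | assess_memory_limits
fi
```

Run it on every node (or through the UCP bundle, which returns containers cluster-wide) with --live, and treat a non-zero FINDINGS count as a finding for this rule. Because the script parses the check command's own output format, it also works on saved output collected from nodes without cluster access.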

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments