STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

Docker Enterprise CPU priority must be set appropriately on all containers.

DISA Rule

SV-235807r627548_rule

Vulnerability Number

V-235807

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002020

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Document container CPU requirements in the System Security Plan (SSP).

Manage the CPU shares between containers. To do so, start the container using the --cpu-shares argument.

For example, run a container as below:

docker run --interactive --tty --cpu-shares 512 [image] [command]

In the above example, the container is started with CPU shares equal to 50% of what the other containers use. So, if another container has CPU shares of 80%, this container will have CPU shares of 40%.

Note: Every new container will have 1024 shares of CPU by default. However, this value is shown as 0 if running the command mentioned in the audit section.

Alternatively,

1. Navigate to /sys/fs/cgroup/cpu/system.slice/ directory.
2. Check the container instance ID using docker ps.
3. Now, inside the above directory (in step 1), there will be a directory by name docker-<Instance ID>.scope. For example, docker-4acae729e8659c6be696ee35b2237cc1fe4edd2672e9186434c5116e1a6fbed6.scope. Navigate to this directory.
4. Find a file named cpu.shares. Execute cat cpu.shares. This will always show the CPU share value based on the system. So, even if no CPU shares are configured using the -c or --cpu-shares argument in the docker run command, this file will have a value of 1024.

By setting one container’s CPU shares to 512, it will receive half of the CPU time compared to the other container. So, take 1024 as 100% and then do quick math to derive the number to set for the respective CPU shares. For example, use 512 to set 50% and 256 to set 25%.

Check Contents

Ensure CPU shares are in place for all containers.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CpuShares={{ .HostConfig.CpuShares }}'

If the above command returns 0 or 1024, it means the CPU shares are not in place and this is a finding.
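As an added example that is not part of the STIG text, the following script applies the finding rule above to saved output of the docker inspect command (the sample lines and container IDs are constructed here), so the check can be evaluated offline on output collected from each node:

```shell
#!/usr/bin/env bash
# Added example, not from the STIG: evaluate the DKER-EE-002020 check offline.
# Input is exactly what the STIG's `docker inspect --format` command prints,
# one container per line:  <Id>: CpuShares=<n>
# A value of 0 (unset, so the 1024 default applies) or 1024 is a finding.

# Constructed sample output standing in for the live
# `docker ps --quiet --all | xargs docker inspect ...` pipeline.
SAMPLE_OUTPUT='4acae729e865: CpuShares=512
0f1e2d3c4b5a: CpuShares=0
9a8b7c6d5e4f: CpuShares=1024
1122334455aa: CpuShares=256'

# Print one line per non-compliant container; exit status 1 if any finding exists.
cpu_shares_findings() {
  # $1: captured check output text
  printf '%s\n' "$1" | awk -F'CpuShares=' '
    NF == 2 {
      id = $1; sub(/: $/, "", id)
      shares = $2 + 0
      if (shares == 0 || shares == 1024) {
        print id " CpuShares=" shares " FINDING"
        findings++
      }
    }
    END { exit (findings > 0) }'
}

# Convert a cpu.shares value to the percentage used in the STIG arithmetic (1024 = 100%).
shares_to_percent() {
  echo $(( $1 * 100 / 1024 ))
}

# Stand-alone run: report findings for the constructed sample.
cpu_shares_findings "$SAMPLE_OUTPUT" || echo "Finding: containers without CPU shares set"
```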

Check Content Reference

M

Target Key

5281

Comments