STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Docker Enterprise host devices must not be directly exposed to containers.

DISA Rule

SV-235809r627554_rule

Vulnerability Number

V-235809

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002040

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

Do not directly expose host devices to containers. If a host device must be exposed to a container, use the correct (minimal) set of permissions:

For example, do not start a container as below:

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rwm --device=/dev/temp_sda:/dev/temp_sda:rwm centos bash

For example, share the host device with correct permissions:

docker run --interactive --tty --device=/dev/tty0:/dev/tty0:rw --device=/dev/temp_sda:/dev/temp_sda:r centos bash

Check Contents

Ensure host devices are not directly exposed to containers. Verify that the host device needs to be accessed from within the container and the permissions required are correctly set.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: Devices={{ .HostConfig.Devices }}'

The above command lists each device with the following information:

- CgroupPermissions - the cgroup device permissions, for example rwm
- PathInContainer - device path within the container
- PathOnHost - device path on the host

If Devices=[], or Devices=<no value>, this is not a finding. If Devices are listed and the host device is not documented and approved in the System Security Plan (SSP), this is a finding.
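To apply this check across every container at once, the following added script (it is not part of the STIG or of STIGQter) parses the JSON that `docker ps --quiet --all | xargs docker inspect` emits when run without the `--format` option and compares each exposed device against a hypothetical SSP allow-list. It treats both a null Devices field (shown as `<no value>` by the template) and an empty list as clean, and reports a finding for any device that is not on the list or that carries more cgroup permissions (r = read, w = write, m = mknod) than the list approves.

```python
"""Automate the DKER-EE-002040 device-exposure check over `docker inspect` JSON output."""
import json

# Constructed sample of `docker inspect` output (not captured from a real cluster);
# only the fields the check uses are included.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Devices": None}},            # rendered as Devices=<no value>
    {"Id": "bbb222", "Name": "/worker",
     "HostConfig": {"Devices": []}},              # rendered as Devices=[]
    {"Id": "ccc333", "Name": "/serial-gw",
     "HostConfig": {"Devices": [
         {"PathOnHost": "/dev/tty0", "PathInContainer": "/dev/tty0",
          "CgroupPermissions": "rw"}]}},
    {"Id": "ddd444", "Name": "/debug",
     "HostConfig": {"Devices": [
         {"PathOnHost": "/dev/temp_sda", "PathInContainer": "/dev/temp_sda",
          "CgroupPermissions": "rwm"}]}},
])

# Hypothetical SSP allow-list: host device path -> maximum approved cgroup permissions.
SSP_APPROVED = {"/dev/tty0": "rw"}


def audit_devices(inspect_json, approved):
    """Return a list of finding strings; an empty list means 'not a finding'."""
    findings = []
    for container in json.loads(inspect_json):
        # A null Devices field and an empty list are both clean per the check text.
        devices = container.get("HostConfig", {}).get("Devices") or []
        for dev in devices:
            host_path = dev.get("PathOnHost", "")
            perms = set(dev.get("CgroupPermissions", ""))
            allowed = approved.get(host_path)
            if allowed is None:
                findings.append(f"{container['Id']}: {host_path} is not approved in the SSP")
            elif not perms <= set(allowed):
                extra = "".join(sorted(perms - set(allowed)))
                findings.append(f"{container['Id']}: {host_path} has permissions "
                                f"{dev['CgroupPermissions']} beyond approved {allowed} (extra: {extra})")
    return findings


if __name__ == "__main__":
    for finding in audit_devices(SAMPLE_INSPECT, SSP_APPROVED):
        print("FINDING:", finding)
```

On a real node, replace the constructed sample with the output of `docker ps --quiet --all | xargs docker inspect` and the allow-list with the devices documented in the SSP.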

Severity Override Guidance

Identical to the Check Contents above.

Check Content Reference

M

Target Key

5281
