STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Mount propagation mode must not set to shared in Docker Enterprise.

DISA Rule

SV-235810r627557_rule

Vulnerability Number

V-235810

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002050

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

Do not mount volumes in shared mode propagation.

For example, do not start container as below:

docker run <Run arguments> --volume=/hostPath:/containerPath:shared <Container Image Name or ID> <Command>

Check Contents

Ensure mount propagation mode is not set to shared or rshared.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'

If Propagation=shared or Propagation-rshared, then this is a finding.

Vulnerability Number

V-235810

Documentable

False

Rule Version

DKER-EE-002050

Severity Override Guidance

Ensure mount propagation mode is not set to shared or rshared.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: Propagation={{range $mnt := .Mounts}} {{json $mnt.Propagation}} {{end}}'

If Propagation=shared or Propagation-rshared, then this is a finding.

Check Content Reference

M

Target Key

5281

Comments