STIGQter STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Docker Enterprise hosts UTS namespace must not be shared.

DISA Rule

SV-235811r627560_rule

Vulnerability Number

V-235811

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002060

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Do not start a container with --uts=host argument.

For example, do not start a container as below:

docker run --rm --interactive --tty --uts=host rhel7.2

Check Contents

This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Ensure the host's UTS namespace is not shared.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'

If the above command returns host, it means the host UTS namespace is shared with the container and this is a finding.

Vulnerability Number

V-235811

Documentable

False

Rule Version

DKER-EE-002060

Severity Override Guidance

This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Ensure the host's UTS namespace is not shared.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: UTSMode={{ .HostConfig.UTSMode }}'

If the above command returns host, it means the host UTS namespace is shared with the container and this is a finding.

Check Content Reference

M

Target Key

5281

Comments