STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:SV-235815r627572_rule
V-235815
SRG-APP-000141
DKER-EE-002100
CAT II
10
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.
Do not use --cgroup-parent option in docker run command unless needed.
If required, document cgroup usage in the SSP.
A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.
Ensure cgroup usage is confirmed.
via CLI:
Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'
If the cgroup is blank, the container is running under default docker cgroup. If the containers are found to be running under cgroup other than the one that is documented in the System Security Plan (SSP), then this is a finding.
V-235815
False
DKER-EE-002100
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.
Ensure cgroup usage is confirmed.
via CLI:
Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:
docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}: CgroupParent={{ .HostConfig.CgroupParent }}'
If the cgroup is blank, the container is running under default docker cgroup. If the containers are found to be running under cgroup other than the one that is documented in the System Security Plan (SSP), then this is a finding.
M
5281