SV-235816r672380_rule
V-235816
SRG-APP-000141
DKER-EE-002110
CAT I
10
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.
Start the containers as below:
docker run --rm -it --security-opt=no-new-privileges <image>
A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.
Ensure all containers are restricted from acquiring additional privileges.
via CLI:
Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:
docker ps --quiet --all | xargs -L 1 docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'
The above command returns the security options currently configured for each container; if the 'SecurityOpt=' value does not include the 'no-new-privileges' flag, this is a finding.
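A POSIX shell helper, added here and not part of the STIG text, that applies the finding rule to the output of the check command above: it parses each '<id>: SecurityOpt=[...]' line and reports every container whose SecurityOpt lacks no-new-privileges (or explicitly disables it). The sample lines are constructed, and the function name and the treatment of 'no-new-privileges:false' are assumptions.

```shell
#!/bin/sh
# Reads lines of the form "<container id>: SecurityOpt=[opt1 opt2 ...]"
# on stdin (the exact shape the STIG check command prints) and echoes
# one "FINDING" line per container that is not restricted from
# acquiring additional privileges. Returns 0 for no findings, 1 otherwise.
audit_no_new_privileges() {
    findings=0
    while IFS= read -r line; do
        case "$line" in
            *": SecurityOpt="*) ;;   # expected format, handle below
            *) continue ;;           # ignore anything else (blank lines, noise)
        esac
        id=${line%%: SecurityOpt=*}
        opts=${line#*: SecurityOpt=}
        case "$opts" in
            # Assumption: an explicit false (colon or equals form) is a finding.
            *no-new-privileges:false*|*no-new-privileges=false*)
                echo "FINDING $id SecurityOpt=$opts"; findings=1 ;;
            *no-new-privileges*) ;;  # flag present: compliant
            *) echo "FINDING $id SecurityOpt=$opts"; findings=1 ;;
        esac
    done
    return $findings
}

# Constructed sample output (not captured from a real host). The IDs are
# placeholders; the bracketed values mirror what docker inspect prints.
SAMPLE='c0ffee01: SecurityOpt=[no-new-privileges]
c0ffee02: SecurityOpt=[]
c0ffee03: SecurityOpt=[seccomp=unconfined]
c0ffee04: SecurityOpt=[label=disable no-new-privileges:true]
c0ffee05: SecurityOpt=[no-new-privileges:false]'

# Number of findings in the constructed sample (expected: 3).
count_sample_findings() {
    printf '%s\n' "$SAMPLE" | audit_no_new_privileges | wc -l | tr -d ' '
}

# On a real node, pipe the STIG check command into the function instead:
#   docker ps --quiet --all \
#     | xargs -L 1 docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' \
#     | audit_no_new_privileges
```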
V-235816
False
DKER-EE-002110
M
5281