STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Docker Enterprise socket must not be mounted inside any containers.

DISA Rule

SV-235818r627581_rule

Vulnerability Number

V-235818

Group Title

SRG-APP-000141

Rule Version

DKER-EE-002130

Severity

CAT I

CCI(s)

Weight

10

Fix Recommendation

When using the -v/--volume flags to mount volumes to containers in a docker run command, do not use docker.sock as a volume.

A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.

Check Contents

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

As a Docker EE Admin, execute the following command using a UCP client bundle:

docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: Volumes={{ .Mounts }}' | grep -i "docker.sock\|docker_engine"

If the Docker socket is mounted inside containers, this is a finding.
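The one-line check above greps the flattened Mounts field. As an added example (not part of the STIG or of any Docker tooling), the script below applies the same rule to the JSON that `docker inspect` emits: it skips platform containers matching the check's `ucp|kube|dtr` exclusion and flags any remaining container whose mount source or destination names the socket path or the Windows `docker_engine` named pipe. The inspect output embedded here is constructed sample data, not captured from a real host.

```python
import json
import re

# Constructed sample of `docker inspect` output (not captured from a real host):
# three containers, two of which bind-mount the Docker socket.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web-frontend",
     "Mounts": [{"Type": "volume", "Name": "webdata",
                 "Source": "/var/lib/docker/volumes/webdata/_data",
                 "Destination": "/data", "RW": True}]},
    {"Id": "bbb222", "Name": "/ci-runner",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    # Platform component: excluded by the check's grep -iv "ucp\|kube\|dtr".
    {"Id": "ccc333", "Name": "/ucp-agent",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
])

# Patterns taken from the STIG check command: Linux socket path and Windows named pipe.
SOCKET_PATTERN = re.compile(r"docker\.sock|docker_engine", re.IGNORECASE)
# Containers whose name matches these are Docker Enterprise platform components.
EXEMPT_PATTERN = re.compile(r"ucp|kube|dtr", re.IGNORECASE)


def socket_mounts(container: dict) -> list:
    """Return the mounts of one container whose source or destination is the Docker socket."""
    return [m for m in container.get("Mounts", [])
            if SOCKET_PATTERN.search(m.get("Source", ""))
            or SOCKET_PATTERN.search(m.get("Destination", ""))]


def find_findings(inspect_json: str) -> list:
    """Return (id, name, mount source) for every non-exempt container that mounts the socket."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        if EXEMPT_PATTERN.search(name):
            continue  # same exclusion the STIG check applies
        for mount in socket_mounts(container):
            findings.append((container["Id"], name, mount.get("Source", "")))
    return findings


if __name__ == "__main__":
    # On a real node: docker inspect $(docker ps -aq) | python3 this_script.py
    for cid, name, src in find_findings(SAMPLE_INSPECT):
        print(f"FINDING: {cid} ({name}) mounts {src}")
```

Any line printed is a finding under this rule; an empty result for every node in the cluster means the check passes.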

Documentable

False

Severity Override Guidance


Check Content Reference

M

Target Key

5281

Comments