STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.

DISA Rule

SV-235830r627617_rule

Vulnerability Number

V-235830

Group Title

SRG-APP-000342

Rule Version

DKER-EE-003200

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set a non-root user for all container images.

Include the following line in all Dockerfiles where username or ID refers to the user that can be found in the container base image or one that is created as part of that same Dockerfile:

USER [username/ID]

Check Contents

Verify that all containers are running as non-root users.

via CLI: As a Docker EE admin, execute the following command using a client bundle:

docker ps -q -a | xargs docker inspect --format '{{ .Id }}: User={{ .Config.User }}'

Ensure that a non-admin username or user ID is returned for all containers in the output.

If User is 0, root or undefined, this is a finding.
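The check above leaves the pass/fail decision to the reader scanning the inspect output. The following POSIX sh script is an added example (not part of the STIG or of STIGQter) that applies the rule's finding criteria to lines shaped like that command's output. The container IDs and User values in it are constructed samples, not real inspect output. It goes one step beyond the STIG text by splitting a `user:group` value on the colon and judging only the user part, since `.Config.User` may carry a group as well; that split is an assumption of this example, not something the rule states.

```sh
#!/bin/sh
# Added example: evaluate DKER-EE-003200 against lines shaped like the
# output of the STIG check command
#   docker ps -q -a | xargs docker inspect --format '{{ .Id }}: User={{ .Config.User }}'
# Each line is "<container id>: User=<value>". One line is printed per finding.

# Returns 0 (true) when the User value is a finding under the STIG:
# 0, root, or undefined (empty). Docker also accepts "user:group", so only
# the part before ":" is examined (an assumption beyond the STIG wording).
user_is_finding() {
    _u=${1%%:*}
    case "$_u" in
        ''|0|root) return 0 ;;
        *)         return 1 ;;
    esac
}

# Reads check output on stdin; echoes "FINDING <id> User=<value>" for each
# offending container and returns 1 if any were found, 0 otherwise.
check_container_users() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id=${line%%: User=*}
        user=${line#*: User=}
        if user_is_finding "$user"; then
            printf 'FINDING %s User=%s\n' "$id" "${user:-<undefined>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not real container IDs): five containers, three of
# which are findings (undefined, root, and 0).
SAMPLE='abc123: User=
def456: User=root
0a1b2c: User=0
f00ba7: User=nobody
c0ffee: User=1000:1000'

main() {
    printf '%s\n' "$SAMPLE" | check_container_users
}

main "$@"
```

On a real host, replace the constructed `SAMPLE` with the STIG command's output piped directly into `check_container_users`; a non-zero exit status then signals at least one finding, which makes the script usable from a compliance job.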

Vulnerability Number

V-235830

Documentable

False

Rule Version

DKER-EE-003200

Severity Override Guidance

Verify that all containers are running as non-root users.

via CLI: As a Docker EE admin, execute the following command using a client bundle:

docker ps -q -a | xargs docker inspect --format '{{ .Id }}: User={{ .Config.User }}'

Ensure that a non-admin username or user ID is returned for all containers in the output.

If User is 0, root or undefined, this is a finding.

Check Content Reference

M

Target Key

5281

Comments