STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).

DISA Rule

SV-235833r627626_rule

Vulnerability Number

V-235833

Group Title

SRG-APP-000358

Rule Version

DKER-EE-003320

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

via CLI:

Linux: As a trusted user on the host operating system, open the /etc/docker/daemon.json file for editing. If the file doesn't exist, it must be created.

Set the "log-driver" property to one of the following: "syslog", "awslogs", "splunk", "gcplogs", "logentries" or "<plugin>" (where <plugin> is the name of a third-party Docker logging driver plugin). Configure the "log-opts" object as required by the selected "log-driver" so that the driver actually ships logs to the remote destination (for example, "syslog" without a "syslog-address" option writes only to the host's local syslog socket).

Save the file. Restart the docker daemon. The default set in daemon.json applies only to containers created after the restart; containers already running keep the log driver they were started with and must be recreated to pick up the new default.

Configure the selected log system to send Docker events to a log aggregation server or SIEM.

Check Contents

via CLI:

Linux: Execute the following commands as a trusted user on the host operating system:

cat /etc/docker/daemon.json

Verify that the "log-driver" property is set to one of the following: "syslog", "awslogs", "splunk", "gcplogs", "logentries" or "<plugin>" (where <plugin> is the name of a third-party Docker logging driver plugin). Note that the Docker default, "json-file", and the other built-in local drivers ("journald", "local") keep logs on the host only.

Ask the sys admin to demonstrate how the logging driver that is in use is configured to send log events to a log aggregation server or SIEM.

If "log-driver" is not set and configured to send logs to an aggregation server or SIEM, then this is a finding.
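The following is an added example covering both the Fix Recommendation and the Check Contents above; it is not part of the STIG or of STIGQter. It embeds a constructed compliant /etc/docker/daemon.json (syslog over TLS to a hypothetical SIEM host, siem.example.internal, with an assumed CA certificate path) next to two constructed non-compliant ones, and evaluates any daemon.json text the way a reviewer would read it: the Docker default or any local-only driver is a finding, a remote-capable driver whose destination cannot be confirmed from the file alone is left for the administrator to demonstrate, and only a syslog driver with an explicit remote address is cleared from the file itself. The three status labels and the classification of drivers as local-only or remote-capable are this example's own choices, not STIG text.

```python
"""Evaluate /etc/docker/daemon.json against DKER-EE-003320 (V-235833).

Added example. The STIG itself prescribes only `cat /etc/docker/daemon.json`
and an interview with the administrator; the status labels, driver classes,
SIEM host name and sample configurations below are assumptions for illustration.
"""
import json
import sys

# Drivers the STIG names as able to ship logs off the host.
REMOTE_CAPABLE = {"syslog", "awslogs", "splunk", "gcplogs", "logentries"}
# Built-in drivers that keep logs on the host only (json-file is Docker's default).
LOCAL_ONLY = {"json-file", "journald", "local", "none"}

# Constructed compliant configuration: syslog over TLS to a hypothetical SIEM.
# The host name and CA path are assumptions, not values from the STIG.
COMPLIANT_DAEMON_JSON = json.dumps({
    "log-driver": "syslog",
    "log-opts": {
        "syslog-address": "tcp+tls://siem.example.internal:6514",
        "syslog-tls-ca-cert": "/etc/docker/certs/siem-ca.pem",
        "syslog-format": "rfc5424micro",
        "tag": "{{.Name}}/{{.ID}}"
    },
    # Keeps containers running across the daemon restart the fix requires.
    "live-restore": True
}, indent=2)

# Constructed non-compliant configurations.
DEFAULT_DRIVER_JSON = json.dumps({"log-opts": {"max-size": "10m"}})   # log-driver unset
LOCAL_SYSLOG_JSON = json.dumps({"log-driver": "syslog"})              # no remote address


def evaluate(daemon_json_text):
    """Return (status, reason); status is "finding", "manual" or "not a finding".

    "manual" means the file alone cannot prove remote delivery and the admin
    must demonstrate it, as the STIG check requires.
    """
    if not daemon_json_text.strip():
        # No daemon.json means Docker's default: json-file, which is local only.
        return "finding", "daemon.json missing or empty; default log-driver json-file is local only"
    try:
        cfg = json.loads(daemon_json_text)
    except json.JSONDecodeError as exc:
        return "finding", f"daemon.json is not valid JSON ({exc}); dockerd would refuse to start"

    driver = cfg.get("log-driver", "json-file")
    opts = cfg.get("log-opts", {}) or {}

    if driver in LOCAL_ONLY:
        return "finding", f"log-driver {driver!r} keeps logs on the host"

    if driver == "syslog":
        addr = opts.get("syslog-address", "")
        if not addr or addr.startswith(("unix://", "unixgram://")):
            # Without a network syslog-address the driver writes to the local
            # syslog socket; compliant only if the host syslog forwards to the SIEM.
            return "manual", "syslog driver logs to the local syslog socket; admin must show host syslog forwards to the SIEM"
        if addr.startswith("tcp+tls://"):
            return "not a finding", f"syslog forwarded over TLS to {addr}"
        return "not a finding", f"syslog forwarded to {addr} without TLS; confirm the transport meets local policy"

    if driver in REMOTE_CAPABLE:
        return "manual", f"{driver} is remote-capable; admin must demonstrate the destination is the aggregation server or SIEM"

    # Anything else is expected to be a third-party logging driver plugin.
    return "manual", f"{driver!r} is not a built-in driver; confirm it is an installed plugin (docker plugin ls) that forwards to the SIEM"


def main(argv):
    path = argv[1] if len(argv) > 1 else "/etc/docker/daemon.json"
    try:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    except FileNotFoundError:
        text = ""
    status, reason = evaluate(text)
    print(f"{path}: {status} ({reason})")
    return 1 if status == "finding" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_dker_ee_003320.py` (or pass another path) on the host. Because daemon.json only sets the default for new containers, pair the file check with `docker info --format '{{.LoggingDriver}}'` for the daemon's effective default and `docker inspect --format '{{.HostConfig.LogConfig.Type}}' <container>` for containers that may have been started with an overriding `--log-driver` flag or before the restart.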

Documentable

False

Check Content Reference

M

Target Key

5281

Comments