STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The on-failure container restart policy must be set to 5 in Docker Enterprise.

DISA Rule

SV-235843r627656_rule

Vulnerability Number

V-235843

Group Title

SRG-APP-000435

Rule Version

DKER-EE-004030

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If a container is desired to be restarted on its own, then, for example, start the container as below:

docker run --detach --restart=on-failure:5 nginx

Check Contents

Ensure 'on-failure' container restart policy is set to 5.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: RestartPolicyName={{ .HostConfig.RestartPolicy.Name }} MaximumRetryCount={{ .HostConfig.RestartPolicy.MaximumRetryCount }}'

If RestartPolicyName="" and MaximumRetryCount=0, this is not a finding.

If RestartPolicyName=always, this is a finding.

If RestartPolicyName=on-failure, verify that the number of restart attempts is set to 5 or less by looking at MaximumRetryCount.

If RestartPolicyName=on-failure and MaximumRetryCount is > 5, this is a finding.
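As an added example (not part of the STIG text or of Docker's own tooling), the following POSIX shell script applies the check's decision rules to the one-line-per-container output of the docker inspect --format command above. The container IDs and policy values in SAMPLE_OUTPUT are constructed, and treating an explicit "no" policy the same as the empty name is an assumption.

```shell
#!/bin/sh
# Added example: apply the DKER-EE-004030 decision rules to one container.
# Usage: classify_restart_policy <RestartPolicyName> <MaximumRetryCount>
classify_restart_policy() {
    name="$1"
    count="${2:-0}"
    case "$name" in
        ""|no)
            # No restart policy configured ("no" is assumed equivalent to ""): not a finding.
            echo "not a finding"
            ;;
        always)
            # Unbounded automatic restarts: a finding regardless of retry count.
            echo "finding"
            ;;
        on-failure)
            # Bounded restarts are acceptable only up to 5 attempts.
            if [ "$count" -gt 5 ]; then
                echo "finding"
            else
                echo "not a finding"
            fi
            ;;
        *)
            # Policy not addressed by the check text (e.g. unless-stopped): review manually.
            echo "manual review"
            ;;
    esac
}

# Parse one line in the format produced by the STIG's --format string
# ("<id>: RestartPolicyName=<name> MaximumRetryCount=<n>") and classify it.
classify_inspect_line() {
    line="$1"
    id="${line%%:*}"
    name=$(printf '%s\n' "$line" | sed -n 's/.*RestartPolicyName=\([^ ]*\) .*/\1/p')
    count=$(printf '%s\n' "$line" | sed -n 's/.*MaximumRetryCount=\([0-9]*\).*/\1/p')
    printf '%s %s\n' "$id" "$(classify_restart_policy "$name" "$count")"
}

# Constructed sample output (no Docker daemon needed) exercising each branch.
SAMPLE_OUTPUT='aaaa1111: RestartPolicyName= MaximumRetryCount=0
bbbb2222: RestartPolicyName=always MaximumRetryCount=0
cccc3333: RestartPolicyName=on-failure MaximumRetryCount=5
dddd4444: RestartPolicyName=on-failure MaximumRetryCount=10'

# In a real assessment, pipe the STIG's docker inspect command in place of SAMPLE_OUTPUT.
printf '%s\n' "$SAMPLE_OUTPUT" | while IFS= read -r line; do
    classify_inspect_line "$line"
done
```

Any container reported as "finding" should have its policy changed to on-failure with a retry count of 5 or less, as in the Fix Recommendation above.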

Vulnerability Number

V-235843

Documentable

False

Rule Version

DKER-EE-004030

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments