Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-95663 | DKER-EE-002090 | SV-104801r2_rule | Medium |
Description |
---|
Do not docker exec with --user option. Using --user option in docker exec executes the command within the container as that user. Do not run docker exec with the --user option , especially when running containers with dropped capabilities or with enhanced restrictions. For example, suppose the container is running as tomcat user (or any other non-root user), it would be possible to run a command through docker exec as rootwith --user=root option. By default, docker exec command runs without --user option. |
STIG | Date |
---|---|
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide | 2019-09-13 |
Check Text ( C-94491r1_chk ) |
---|
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster. Ensure docker exec commands are not used with the user option. via CLI: Linux: As a trusted user on the host operating system, use the below command to filter out docker exec commands that used --privileged option. sudo ausearch -k docker | grep exec | grep user If there are any in the output, then this is a finding. |
Fix Text (F-101329r1_fix) |
---|
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system. Do not use --user option in docker exec command. A reference for the docker exec command can be found at https://docs.docker.com/engine/reference/commandline/exec/. |