
All Docker Enterprise containers must be restricted from acquiring additional privileges.


Overview

Finding ID: V-95667
Version: DKER-EE-002110
Rule ID: SV-104805r1_rule
IA Controls: (none listed)
Severity: High
Description
Restrict the container from acquiring additional privileges via suid or sgid bits. A process can set the no_new_priv bit in the kernel; it persists across fork, clone, and execve. The no_new_priv bit ensures that neither the process nor its child processes gain additional privileges via suid or sgid bits, so many otherwise dangerous operations become far less dangerous because privileged binaries cannot be subverted. no_new_priv also prevents LSMs such as SELinux from transitioning to process labels that have access not allowed to the current process. By default, new privileges are not restricted.
STIG: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
Date: 2019-09-13

Details

Check Text ( C-94495r1_chk )
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Ensure all containers are restricted from acquiring additional privileges.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs -L 1 docker inspect --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}'

The above command returns the security options currently configured for each container; no-new-privileges should be one of them. If no-new-privileges is missing from a container's security options, this is a finding.
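As an added example that is not part of the STIG text, the following POSIX shell script evaluates the output of the check command above line by line and flags every container whose SecurityOpt list lacks no-new-privileges; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not part of the STIG): evaluate the output of the STIG
# check command and report each container that lacks no-new-privileges.
#
# Input lines have the shape produced by the check command's --format:
#   <container id>: SecurityOpt=[no-new-privileges seccomp=unconfined]
#   <container id>: SecurityOpt=[]

# Return 0 when the line shows no-new-privileges set, 1 when it is a finding.
nnp_line_compliant() {
  opts=${1#*SecurityOpt=}            # keep only the option list
  opts=${opts#\[}; opts=${opts%\]}   # drop the Go slice brackets
  for opt in $opts; do
    case "$opt" in
      # Docker accepts the bare flag as well as the :true / =true spellings
      no-new-privileges|no-new-privileges:true|no-new-privileges=true) return 0 ;;
    esac
  done
  return 1
}

# Read check-command output on stdin, print one OK/FINDING line per container
# and a summary; return 1 if at least one finding was seen, 0 otherwise.
report_findings() {
  findings=0
  while IFS= read -r line; do
    id=${line%%:*}
    if nnp_line_compliant "$line"; then
      printf 'OK       %s\n' "$id"
    else
      printf 'FINDING  %s: no-new-privileges not set\n' "$id"
      findings=$((findings + 1))
    fi
  done
  printf '%d finding(s)\n' "$findings"
  [ "$findings" -eq 0 ]
}

# Live use on a UCP node (the same command the STIG check uses):
#   docker ps --quiet --all \
#     | xargs -L 1 docker inspect \
#         --format '{{ .Id }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' \
#     | report_findings
```

A daemon-wide no-new-privileges setting in dockerd is not reflected in a container's HostConfig.SecurityOpt, so hosts configured that way will still be reported as findings by this per-container check and should be confirmed separately.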
Fix Text (F-101333r1_fix)
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Start the containers as below:

docker run --rm -it --security-opt=no-new-privileges <image>

A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.