
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide


Overview

Date: 2021-03-26
Finding Count (100): CAT I (High): 23, CAT II (Med): 72, CAT III (Low): 5
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-235861 High Docker Enterprise server certificate file ownership must be set to root:root.
V-235867 High Docker Enterprise daemon.json file ownership must be set to root:root.
V-235866 High Docker Enterprise socket file permissions must be set to 660 or more restrictive.
V-235865 High Docker Enterprise socket file ownership must be set to root:docker.
V-235864 High Docker Enterprise server certificate key file permissions must be set to 400.
V-235869 High Docker Enterprise /etc/default/docker file ownership must be set to root:root.
V-235868 High Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive.
V-235857 High Docker Enterprise registry certificate file ownership must be set to root:root.
V-235855 High Docker Enterprise /etc/docker directory ownership must be set to root:root.
V-235853 High Docker Enterprise docker.socket file ownership must be set to root:root.
V-235851 High Docker Enterprise docker.service file ownership must be set to root:root.
V-235859 High Docker Enterprise TLS certificate authority (CA) certificate file ownership must be set to root:root.
V-235812 High The Docker Enterprise default seccomp profile must not be disabled.
V-235813 High Docker Enterprise exec commands must not be used with privileged option.
V-235816 High All Docker Enterprise containers must be restricted from acquiring additional privileges.
V-235817 High The Docker Enterprise host's user namespace must not be shared.
V-235818 High The Docker Enterprise socket must not be mounted inside any containers.
V-235819 High Docker Enterprise privileged ports must not be mapped within containers.
V-235805 High The Docker Enterprise host's network namespace must not be shared.
V-235777 High FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
V-235809 High Docker Enterprise host devices must not be directly exposed to containers.
V-235808 High All Docker Enterprise containers root filesystem must be mounted as read only.
V-235870 High Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive.
V-235863 Medium Docker Enterprise server certificate key file ownership must be set to root:root.
V-235862 Medium Docker Enterprise server certificate file permissions must be set to 444 or more restrictive.
V-235860 Medium Docker Enterprise TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive.
V-235856 Medium Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive.
V-235854 Medium Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.
V-235852 Medium Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.
V-235850 Medium Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).
V-235858 Medium Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive.
V-235849 Medium Docker Enterprise Swarm manager auto-lock key must be rotated periodically.
V-235848 Medium Docker Swarm must have the minimum number of manager nodes.
V-235841 Medium Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
V-235840 Medium Vulnerability scanning must be enabled for all repositories in the Docker Trusted Registry (DTR) component of Docker Enterprise.
V-235843 Medium The on-failure container restart policy must be set to 5 in Docker Enterprise.
V-235842 Medium Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
V-235845 Medium Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.
V-235844 Medium The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).
V-235847 Medium Docker Content Trust enforcement must be enabled in Universal Control Plane (UCP).
V-235846 Medium Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.
V-235789 Medium The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
V-235838 Medium Content Trust enforcement must be enabled in Universal Control Plane (UCP) in Docker Enterprise.
V-235839 Medium Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.
V-235782 Medium A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be configured.
V-235783 Medium Docker Enterprise sensitive host system directories must not be mounted on containers.
V-235780 Medium LDAP integration in Docker Enterprise must be configured.
V-235781 Medium A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
V-235786 Medium log-opts on all Docker Engine - Enterprise nodes must be configured.
V-235784 Medium The Docker Enterprise host's process namespace must not be shared.
V-235785 Medium The Docker Enterprise host's IPC namespace must not be shared.
V-235827 Medium Docker Enterprise container health must be checked at runtime.
V-235826 Medium Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 KB in size) in Docker Enterprise.
V-235797 Medium Periodic data usage and analytics reporting in Universal Control Plane (UCP) must be disabled in Docker Enterprise.
V-235796 Medium The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
V-235791 Medium The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
V-235790 Medium On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.
V-235821 Medium SAML integration must be enabled in Docker Enterprise.
V-235820 Medium Docker Enterprise incoming container traffic must be bound to a specific host interface.
V-235799 Medium An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.
V-235798 Medium Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
V-235828 Medium PIDs cgroup limits must be used in Docker Enterprise.
V-235795 Medium The option in Universal Control Plane (UCP) allowing users and administrators to schedule containers on all nodes, including UCP managers and Docker Trusted Registry (DTR) nodes, must be disabled in Docker Enterprise.
V-235794 Medium The Docker Enterprise self-signed certificates in Docker Trusted Registry (DTR) must be replaced with DoD trusted, signed certificates.
V-235825 Medium The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise.
V-235824 Medium Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster.
V-235823 Medium Docker Enterprise Swarm manager must be run in auto-lock mode.
V-235822 Medium The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise.
V-235793 Medium The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates.
V-235792 Medium Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
V-235810 Medium Mount propagation mode must not be set to shared in Docker Enterprise.
V-235811 Medium The Docker Enterprise host's UTS namespace must not be shared.
V-235814 Medium Docker Enterprise exec commands must not be used with the user option.
V-235815 Medium cgroup usage must be confirmed in Docker Enterprise.
V-235834 Medium Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceed 75% usage.
V-235835 Medium Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events.
V-235836 Medium The Docker Enterprise log aggregation/SIEM systems must be configured to send an alert to the ISSO/ISSM when unauthorized software is installed.
V-235837 Medium Docker Enterprise network ports on all running containers must be limited to what is needed.
V-235830 Medium Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.
V-235831 Medium An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR).
V-235832 Medium The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP).
V-235833 Medium All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).
V-235804 Medium Only required ports must be open on the containers in Docker Enterprise.
V-235806 Medium Memory usage for all containers must be limited in Docker Enterprise.
V-235776 Medium TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
V-235802 Medium Privileged Linux containers must not be used for Docker Enterprise.
V-235779 Medium The host operating system's auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.
V-235778 Medium The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
V-235801 Medium Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.
V-235800 Medium SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.
V-235803 Medium SSH must not run within Linux containers for Docker Enterprise.
V-235871 Medium Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA).
V-235872 Medium Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network.
V-235873 Medium Docker Enterprise Swarm services must be bound to a specific host interface.
V-235874 Medium Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2.
V-235788 Low Docker Inc.'s official GPG key must be added to the host using the user's operating system's respective package repository management tooling.
V-235787 Low Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
V-235829 Low The Docker Enterprise per user limit login session control must be set per the requirements in the System Security Plan (SSP).
V-235807 Low Docker Enterprise CPU priority must be set appropriately on all containers.
V-235775 Low The Docker Enterprise Per User Limit Login Session Control in the Universal Control Plane (UCP) Admin Settings must be set to an organization-defined value for all accounts and/or account types.
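Most of the container-level findings in the list (V-235783, V-235784/785, V-235801 to V-235830 and V-235843) map directly onto fields that `docker inspect` already reports, so one pass over its JSON output covers them. The script below is an example added to this page, not part of the STIG and not Docker's or DISA's tooling. It reads the JSON array that `docker inspect <id>...` prints; the two records embedded in it are constructed samples, not captured output. The sensitive-directory list (taken from the CIS Docker Benchmark's check), the treatment of `shared`/`rshared` propagation and the choice to flag CPU shares of 0 or 1024 as "default" are this example's own assumptions.

```python
"""Audit `docker inspect` output against the container-runtime findings of the
Docker Enterprise 2.x STIG. Example code added to this page, not DISA's or
Docker's tooling. Input is the JSON array `docker inspect <id>...` prints; the
two records at the bottom are constructed samples, not captured output."""
import json
import sys

# V-235783: host paths that must not be bind-mounted writable. Assumption: the
# same top-level list the CIS Docker Benchmark uses for this check.
SENSITIVE_DIRS = {"/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr"}

def _top(path):
    """'/etc/ssl/certs' -> '/etc', '/' -> '/', anything relative -> unchanged."""
    if not path.startswith("/"):
        return path
    first = path.split("/")[1]
    return "/" + first if first else "/"

def audit_container(c):
    """Return (finding_id, message) pairs for one inspect record."""
    hc, cfg = c.get("HostConfig", {}), c.get("Config", {})
    name = c.get("Name", "?").lstrip("/")
    sec = set(hc.get("SecurityOpt") or [])
    issues = []

    def flag(fid, msg):
        issues.append((fid, f"{name}: {msg}"))

    if hc.get("Privileged"):
        flag("V-235802", "runs with --privileged")
    if not any(o.startswith("no-new-privileges") for o in sec):
        flag("V-235816", "missing --security-opt=no-new-privileges")
    if sec & {"seccomp=unconfined", "seccomp:unconfined"}:
        flag("V-235812", "default seccomp profile disabled")
    for fid, key in (("V-235805", "NetworkMode"), ("V-235784", "PidMode"),
                     ("V-235785", "IpcMode"), ("V-235811", "UTSMode"),
                     ("V-235817", "UsernsMode")):
        if hc.get(key) == "host":
            flag(fid, f"{key}=host shares a host namespace")
    if not hc.get("ReadonlyRootfs"):
        flag("V-235808", "root filesystem is writable (use --read-only)")
    if hc.get("Devices"):
        flag("V-235809", "host devices exposed: "
             + ", ".join(d.get("PathOnHost", "?") for d in hc["Devices"]))
    if hc.get("CapAdd"):
        flag("V-235801", "added capabilities: " + ", ".join(hc["CapAdd"]))
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if src.endswith("docker.sock"):
            flag("V-235818", f"Docker socket mounted from {src}")
        elif _top(src) in SENSITIVE_DIRS and m.get("RW", True):
            flag("V-235783", f"sensitive host path {src} mounted read-write")
        if m.get("Propagation") in ("shared", "rshared"):
            flag("V-235810", f"{src} uses shared mount propagation")
    for cport, bindings in (hc.get("PortBindings") or {}).items():
        for b in bindings or []:
            host_port = int(b.get("HostPort") or 0)
            if 0 < host_port < 1024:
                flag("V-235819", f"privileged host port {host_port} -> {cport}")
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                flag("V-235820", f"{cport} published on all host interfaces")
    rp = hc.get("RestartPolicy") or {}
    if not (rp.get("Name") == "on-failure" and rp.get("MaximumRetryCount") == 5):
        flag("V-235843", "restart policy is not on-failure:5")
    if not hc.get("Memory"):
        flag("V-235806", "no memory limit (--memory)")
    if hc.get("CpuShares", 0) in (0, 1024):
        flag("V-235807", "CPU shares left at the default (--cpu-shares)")
    if (hc.get("PidsLimit") or 0) <= 0:
        flag("V-235828", "no PIDs cgroup limit (--pids-limit)")
    if not cfg.get("Healthcheck"):
        flag("V-235827", "no HEALTHCHECK defined")
    if (cfg.get("User") or "root").split(":")[0] in ("root", "0"):
        flag("V-235830", "runs as root (image lacks a USER instruction)")
    return issues

def audit(inspect_json):
    """Audit every record in a `docker inspect` JSON array."""
    return [i for c in json.loads(inspect_json) for i in audit_container(c)]

# Constructed samples (not captured output): one non-compliant, one compliant.
BAD_CONTAINER = {"Name": "/legacy-web", "Config": {"User": "", "Healthcheck": None},
    "Mounts": [{"Source": "/var/run/docker.sock", "RW": True, "Propagation": "rprivate"},
               {"Source": "/etc", "RW": True, "Propagation": "shared"}],
    "HostConfig": {"Privileged": True, "SecurityOpt": ["seccomp=unconfined"],
                   "NetworkMode": "host", "ReadonlyRootfs": False,
                   "Devices": [{"PathOnHost": "/dev/sda"}], "CapAdd": ["SYS_ADMIN"],
                   "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "80"}]},
                   "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
                   "Memory": 0, "CpuShares": 0, "PidsLimit": 0}}
GOOD_CONTAINER = {"Name": "/api", "Config": {"User": "app:app",
                                             "Healthcheck": {"Test": ["CMD", "true"]}},
    "Mounts": [{"Source": "/srv/api/config", "RW": False, "Propagation": "rprivate"}],
    "HostConfig": {"Privileged": False, "SecurityOpt": ["no-new-privileges:true"],
                   "NetworkMode": "bridge", "ReadonlyRootfs": True, "Devices": [],
                   "PortBindings": {"8080/tcp": [{"HostIp": "10.0.0.5", "HostPort": "8080"}]},
                   "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
                   "Memory": 268435456, "CpuShares": 512, "PidsLimit": 200}}
SAMPLE_INSPECT = json.dumps([BAD_CONTAINER, GOOD_CONTAINER])

if __name__ == "__main__":  # pipe `docker inspect $(docker ps -q)` in, or run on the sample
    for fid, msg in audit(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT):
        print(fid, msg)
```

Each result carries the finding ID, so `docker inspect $(docker ps -q) | python3 audit.py` produces output that maps one-to-one onto the checklist above. Because the script only reads inspect output, it can be run from a UCP client bundle against every node without installing anything on the hosts.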
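The host-side findings are of two kinds: ownership and mode of the engine's files (V-235851 to V-235870) and settings in daemon.json (V-235776, V-235786, V-235789 to V-235792, V-235832, V-235833). The checker below is an example added to this page, not DISA or Docker tooling. The systemd unit paths in its table are an assumption (confirm the real location with `systemctl show -p FragmentPath docker.service`), the certificate paths for V-235857 to V-235864 come from whatever `tlscacert`/`tlscert`/`tlskey` values daemon.json names and from /etc/docker/certs.d, which the operator appends to the table, and both daemon.json documents are constructed, one weak and one hardened.

```python
"""Host-side checks for the Docker Enterprise 2.x STIG: ownership/mode of the
engine's files (V-235851 to V-235870) and daemon.json settings (V-235776,
V-235786, V-235789 to V-235792, V-235832, V-235833). Example code added to this
page, not DISA or Docker tooling; the daemon.json documents are constructed."""
import grp, json, os, pwd, stat, tempfile

# (path, owner, group, most permissive acceptable mode). Assumption: systemd
# units live in /lib/systemd/system; certificate files (V-235857 to V-235864)
# are appended from daemon.json's tlscacert/tlscert/tlskey and /etc/docker/certs.d.
STIG_FILES = [
    ("/etc/docker", "root", "root", 0o755),                         # V-235855/856
    ("/etc/docker/daemon.json", "root", "root", 0o644),             # V-235867/868
    ("/etc/default/docker", "root", "root", 0o644),                 # V-235869/870
    ("/var/run/docker.sock", "root", "docker", 0o660),              # V-235865/866
    ("/lib/systemd/system/docker.service", "root", "root", 0o644),  # V-235851/852
    ("/lib/systemd/system/docker.socket", "root", "root", 0o644),   # V-235853/854
]

def _id(name, lookup, attr):
    """Resolve a user/group name (or pass an int through); -1 if it does not exist."""
    if isinstance(name, int):
        return name
    try:
        return getattr(lookup(name), attr)
    except KeyError:  # account missing on this host: can never match
        return -1

def check_path(path, owner, group, max_mode):
    """[] when path exists, is owned by owner:group and its permission bits are
    a subset of max_mode ("max_mode or more restrictive"); else the problems."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    problems = []
    if (st.st_uid != _id(owner, pwd.getpwnam, "pw_uid")
            or st.st_gid != _id(group, grp.getgrnam, "gr_gid")):
        problems.append(f"{path}: owned by {st.st_uid}:{st.st_gid}, want {owner}:{group}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & ~max_mode:  # any bit set beyond the allowed mask is a finding
        problems.append(f"{path}: mode {mode:04o} is wider than {max_mode:04o}")
    return problems

def check_host_files(table=STIG_FILES):
    return [p for entry in table for p in check_path(*entry)]

def check_daemon_json(text):
    """Return (finding_id, message) pairs for a daemon.json document."""
    cfg = json.loads(text)
    issues = []
    if cfg.get("insecure-registries"):
        issues.append(("V-235789", "insecure-registries must be empty"))
    if cfg.get("userland-proxy", True):  # engine default is true
        issues.append(("V-235791", 'set "userland-proxy": false'))
    if cfg.get("experimental", False):
        issues.append(("V-235792", 'set "experimental": false'))
    if cfg.get("storage-driver") == "aufs":
        issues.append(("V-235790", "aufs storage driver must not be used"))
    if any(h.startswith("tcp://") for h in cfg.get("hosts") or []):
        issues.append(("V-235776", "engine must not listen on a TCP socket"))
    driver = cfg.get("log-driver", "json-file")
    opts = cfg.get("log-opts") or {}
    if not opts:
        issues.append(("V-235786", "log-opts not configured"))
    if driver == "json-file":
        issues.append(("V-235833", "logs stay local; use a remote log driver"))
        if not {"max-size", "max-file"} <= set(opts):
            issues.append(("V-235832", "json-file needs max-size and max-file"))
    return issues

WEAK_DAEMON_JSON = json.dumps({  # constructed: fails most checks above
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
    "insecure-registries": ["registry.internal:5000"],
    "storage-driver": "aufs", "experimental": True})
HARDENED_DAEMON_JSON = json.dumps({  # constructed: passes them (hostname is made up)
    "hosts": ["unix:///var/run/docker.sock"], "userland-proxy": False,
    "experimental": False, "storage-driver": "overlay2", "log-driver": "syslog",
    "log-opts": {"syslog-address": "tcp+tls://siem.example.mil:6514",
                 "tag": "{{.Name}}"}})

def demo_file_checks():
    """Exercise check_path on throwaway files owned by the current user so the
    logic is testable without root: (0600 vs 0644, 0666 vs 0660, missing file)."""
    me, mine = os.getuid(), os.getgid()
    with tempfile.TemporaryDirectory() as d:
        ok, bad = os.path.join(d, "daemon.json"), os.path.join(d, "docker.sock")
        for path, mode in ((ok, 0o600), (bad, 0o666)):
            open(path, "w").close()
            os.chmod(path, mode)
        return (check_path(ok, me, mine, 0o644), check_path(bad, me, mine, 0o660),
                check_path(os.path.join(d, "absent"), me, mine, 0o644))

if __name__ == "__main__":
    print(*check_host_files(), sep="\n")
    if os.path.exists("/etc/docker/daemon.json"):
        print(*check_daemon_json(open("/etc/docker/daemon.json").read()), sep="\n")
```

The mode test uses `mode & ~max_mode` rather than equality so that 0400 satisfies a "444 or more restrictive" entry while 0664 fails a 0644 one. The daemon.json checks read the engine's defaults the way the STIG does: an absent `userland-proxy` key counts as enabled, and an absent `log-driver` means json-file, which then needs `max-size` and `max-file` and is still flagged for not shipping logs off the node.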