SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235800	DKER-EE-001940	SV-235800r627527_rule		Medium

Description
SELinux provides a Mandatory Access Control (MAC) system on RHEL and CentOS that greatly augments the default Discretionary Access Control (DAC) model. The user can thus add an extra layer of safety by enabling SELinux on the RHEL or CentOS host. By default, no SELinux security options are applied on containers.

STIG	Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide	2021-03-26

Details

Check Text ( C-39019r627525_chk )
This check only applies to the use of Docker Engine - Enterprise on either the Red Hat Enterprise Linux or CentOS host operating systems where SELinux is in use and should be executed on all nodes in a Docker Enterprise cluster. Verify that the appropriate security options are configured for all running containers: via CLI: Linux: Execute the following command as a trusted user on the host operating system: docker ps --quiet --all \| xargs docker inspect --format '{{ .Name }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' \| grep -iv "ucp\\|kube\\|dtr" If SecurityOpt=[label=disable], then this is a finding.

Check Text ( C-39019r627525_chk )

This check only applies to the use of Docker Engine - Enterprise on either the Red Hat Enterprise Linux or CentOS host operating systems where SELinux is in use and should be executed on all nodes in a Docker Enterprise cluster.

Verify that the appropriate security options are configured for all running containers:

via CLI:

Linux: Execute the following command as a trusted user on the host operating system:

docker ps --quiet --all | xargs docker inspect --format '{{ .Name }}: SecurityOpt={{ .HostConfig.SecurityOpt }}' | grep -iv "ucp\|kube\|dtr"

If SecurityOpt=[label=disable], then this is a finding.

Fix Text (F-38982r627526_fix)
This fix only applies to the use of Docker Engine - Enterprise on either the Red Hat Enterprise Linux or CentOS host operating systems where SELinux is in use and should be executed on all nodes in a Docker Enterprise cluster. Start the Docker daemon with SELinux mode enabled. Run Docker containers using appropriate security options. via CLI: Linux: Set the SE Linux state. Set the SELinux policy. Create or import a SELinux policy template for Docker containers. Start the Docker daemon with SELinux mode enabled by either adding the "--selinux-enabled" flag to the systemd drop-in file or by setting the "selinux-enabled" property to "true" in the "/etc/docker/daemon.json" daemon configuration file. Restart the Docker daemon.

Fix Text (F-38982r627526_fix)

This fix only applies to the use of Docker Engine - Enterprise on either the Red Hat Enterprise Linux or CentOS host operating systems where SELinux is in use and should be executed on all nodes in a Docker Enterprise cluster.

Start the Docker daemon with SELinux mode enabled. Run Docker containers using appropriate security options.

via CLI:

Linux: Set the SE Linux state. Set the SELinux policy. Create or import a SELinux policy template for Docker containers. Start the Docker daemon with SELinux mode enabled by either adding the "--selinux-enabled" flag to the systemd drop-in file or by setting the "selinux-enabled" property to "true" in the "/etc/docker/daemon.json" daemon configuration file. Restart the Docker daemon.