All Docker Enterprise containers root filesystem must be mounted as read only.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235808	DKER-EE-002030	SV-235808r627551_rule		High

Description
The container's root filesystem should be treated as a 'golden image' by using Docker run's --read-only option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure. Enabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. Enabling --read-only at container runtime may break some container OS packages if a data writing strategy is not defined. Define what the container's data should and should not persist at runtime to determine which recommendation procedure to utilize. Example: - Enable use --tmpfs for temporary file writes to /tmp - Use Docker shared data volumes for persistent data writes By default, a container will have its root filesystem writable allowing all container processes to write files owned by the container's runtime user.

Description

The container's root filesystem should be treated as a 'golden image' by using Docker run's --read-only option. This prevents any writes to the container's root filesystem at container runtime and enforces the principle of immutable infrastructure. Enabling this option forces containers at runtime to explicitly define their data writing strategy to persist or not persist their data. This also reduces security attack vectors since the container instance's filesystem cannot be tampered with or written to unless it has explicit read-write permissions on its filesystem folder and directories. Enabling --read-only at container runtime may break some container OS packages if a data writing strategy is not defined. Define what the container's data should and should not persist at runtime to determine which recommendation procedure to utilize. Example: - Enable use --tmpfs for temporary file writes to /tmp - Use Docker shared data volumes for persistent data writes By default, a container will have its root filesystem writable allowing all container processes to write files owned by the container's runtime user.

STIG	Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide	2021-03-26

Details

Check Text ( C-39027r627549_chk )
Ensure all containers' root filesystem is mounted as read only. This check should be executed on all nodes in a Docker Enterprise cluster. via CLI: Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle: docker ps --quiet --all \| xargs -L 1 docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}' If ReadonlyRootfs=false, it means the container's root filesystem is writable and this is a finding.

Check Text ( C-39027r627549_chk )

Ensure all containers' root filesystem is mounted as read only.

This check should be executed on all nodes in a Docker Enterprise cluster.

via CLI:

Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:

docker ps --quiet --all | xargs -L 1 docker inspect --format '{{ .Id }}: ReadonlyRootfs={{ .HostConfig.ReadonlyRootfs }}'

If ReadonlyRootfs=false, it means the container's root filesystem is writable and this is a finding.

Fix Text (F-38990r627550_fix)
Add a --read-only flag at a container's runtime to enforce the container's root filesystem to be mounted as read only. docker run --read-only Enabling the --read-only option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during the container's runtime. Examples of explicit storage locations during a container's runtime include, but are not limited to: 1. Use the --tmpfs option to mount a temporary file system for non-persistent data writes. Example: docker run --interactive --tty --read-only --tmpfs "/run" --tmpfs "/tmp" [image] [command] 2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem. Example: docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw [image] [command] 3. Utilizing Docker shared-storage volume plugins for Docker data volume to persist container data. docker volume create -d convoy --opt o=size=20GB my-named-volume docker run --interactive --tty --read-only -v my-named-volume:/run/app/data [image] [command]

Fix Text (F-38990r627550_fix)

Add a --read-only flag at a container's runtime to enforce the container's root filesystem to be mounted as read only.

docker run --read-only

Enabling the --read-only option at a container's runtime should be used by administrators to force a container's executable processes to only write container data to explicit storage locations during the container's runtime.

Examples of explicit storage locations during a container's runtime include, but are not limited to:

1. Use the --tmpfs option to mount a temporary file system for non-persistent data writes.

Example:
docker run --interactive --tty --read-only --tmpfs "/run" --tmpfs "/tmp" [image] [command]

2. Enabling Docker rw mounts at a container's runtime to persist container data directly on the Docker host filesystem.

Example:
docker run --interactive --tty --read-only -v /opt/app/data:/run/app/data:rw [image] [command]

3. Utilizing Docker shared-storage volume plugins for Docker data volume to persist container data.

docker volume create -d convoy --opt o=size=20GB my-named-volume

docker run --interactive --tty --read-only -v my-named-volume:/run/app/data [image] [command]