UCF STIG Viewer Logo

Docker Enterprise exec commands must not be used with the user option.


Overview

Finding ID Version Rule ID IA Controls Severity
V-235814 DKER-EE-002090 SV-235814r627569_rule Medium
Description
Do not docker exec with --user option. Using --user option in docker exec executes the command within the container as that user. Do not run docker exec with the --user option , especially when running containers with dropped capabilities or with enhanced restrictions. For example, suppose the container is running as tomcat user (or any other non-root user), it would be possible to run a command through docker exec as rootwith --user=root option. By default, docker exec command runs without --user option.
STIG Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide 2021-03-26

Details

Check Text ( C-39033r627567_chk )
This check only applies to the use of Docker Engine - Enterprise on a Linux host operating system and should be executed on all nodes in a Docker Enterprise cluster.

Ensure docker exec commands are not used with the user option.

via CLI:

Linux: As a trusted user on the host operating system, use the below command to filter out docker exec commands that used --privileged option.

sudo ausearch -k docker | grep exec | grep user

If there are any in the output, then this is a finding.
Fix Text (F-38996r627568_fix)
This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Do not use --user option in docker exec command.

A reference for the docker exec command can be found at https://docs.docker.com/engine/reference/commandline/exec/.