Docker Enterprise container health must be checked at runtime.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-235827 | DKER-EE-002770 | SV-235827r627608_rule | Medium |
| Description |
|---|
| If the container image does not have an HEALTHCHECK instruction defined, use --health-cmd parameter at container runtime for checking container health. One of the important security triads is availability. If the container image being used does not have a pre-defined HEALTHCHECK instruction, use the --health-cmd parameter to check container health at runtime. Based on the reported health status, take necessary actions. By default, health checks are not done at container runtime. |
| STIG | Date |
|---|---|
| Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide | 2021-03-26 |
Details
| Check Text ( C-39046r627606_chk ) |
|---|
| Ensure container health is checked at runtime. via CLI: Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle: Run the below command and ensure that all the containers are reporting health status: docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' If Health does not = "Healthy", this is a finding. |
| Fix Text (F-39009r627607_fix) |
|---|
| Run the container using --health-cmd and the other parameters, or include the HEALTHCHECK instruction in the Dockerfiles. Example: docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx |