Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
Docker Enterprise container health must be checked at runtime.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-235827 | DKER-EE-002770 | SV-235827r627608_rule | Medium |
| Description |
|---|
| If the container image does not have an HEALTHCHECK instruction defined, use --health-cmd parameter at container runtime for checking container health. One of the important security triads is availability. If the container image being used does not have a pre-defined HEALTHCHECK instruction, use the --health-cmd parameter to check container health at runtime. Based on the reported health status, take necessary actions. By default, health checks are not done at container runtime. |
| STIG | Date |
|---|---|
| Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide | 2021-03-26 |
Details
| Check Text ( C-39046r627606_chk ) |
|---|
| Ensure container health is checked at runtime. via CLI: Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle: Run the below command and ensure that all the containers are reporting health status: docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Health={{ .State.Health.Status }}' If Health does not = "Healthy", this is a finding. |
| Fix Text (F-39009r627607_fix) |
|---|
| Run the container using --health-cmd and the other parameters, or include the HEALTHCHECK instruction in the Dockerfiles. Example: docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx |