Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-235830 | DKER-EE-003200 | SV-235830r627617_rule | Medium |
| Description |
|---|
| Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane includes its own managed user database, and also allows for LDAP integration in UCP and DTR. To meet the requirements of this control, configure LDAP integration. Apply an applicable set of role-based access control (RBAC) policies using the built-in capabilities provided by UCP in order to prevent organization-defined software from executing at higher privilege levels than users executing the software. By default, Docker images that are built without the USER instruction will be run as containers as root. Therefore, it is imperative that container images include the USER instruction and that the referenced UID/GID has been defined in the base image or previous instruction set. |
| STIG | Date |
|---|---|
| Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide | 2021-03-26 |
Details
| Check Text ( C-39049r627615_chk ) |
|---|
| Verify that all containers are running as non-root users. via CLI: As a Docker EE admin, execute the following command using a client bundle: docker ps -q -a | xargs docker inspect --format '{{ .Id }}: User={{ .Config.User }}' Ensure that a non-admin username or user ID is returned for all containers in the output. If User is 0, root or undefined, this is a finding. |
| Fix Text (F-39012r627616_fix) |
|---|
| Set a non-root user for all container images. Include the following line in all Dockerfiles where username or ID refers to the user that can be found in the container base image or one that is created as part of that same Dockerfile: USER [username/ID] |