UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Least privilege access and need to know must be required to access MKE runtime and instantiate container images.


Overview

Finding ID Version Rule ID IA Controls Severity
V-260906 CNTR-MK-000110 SV-260906r966075_rule High
Description
To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container platform specific services and customer services can be introduced without receiving approval and going through proper testing. Only those individuals and roles approved by the organization can have access to the container platform runtime.
STIG Date
Mirantis Kubernetes Engine Security Technical Implementation Guide 2024-04-10

Details

Check Text ( C-64635r966073_chk )
Access to use the docker CLI must be limited to root only.

1. Log on to the host CLI and execute the following:

stat -c %U:%G /var/run/docker.sock | grep -v root:docker

If any output is present, this is a finding.

2. Verify that the docker group has only the required users by executing:

getent group docker

If any users listed are not required to have direct access to MCR, this is a finding.

3. Execute the following command to verify the Docker socket file has permissions of 660 or more restrictive:
stat -c %a /var/run/docker.sock

If permissions are not set to "660", this is a finding.
Fix Text (F-64543r966074_fix)
To remove unauthorized users from the docker group, access the host CLI and run:

gpasswd -d docker [username to remove]

To ensure that docker.socket is group owned, execute the following:

chown root:docker /var/run/docker.sock

Set the file permissions of the Docker socket file to "660" execute the following:

chmod 660 /var/run/docker.sock