Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-260938 | CNTR-MK-001180 | SV-260938r966171_rule | Medium |
Description |
---|
Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for the command. Using --privileged option or --user option in docker exec gives extended Linux capabilities to the command. Do not run docker exec with the --privileged or --user options, especially when running containers with dropped capabilities or with enhanced restrictions. By default, docker exec command runs without --privileged or --user options. |
STIG | Date |
---|---|
Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-04-10 |
Check Text ( C-64667r966169_chk ) |
---|
The host OS must be locked down so that only authorized users with a client bundle can access docker commands. To ensure that no commands with privilege or user authorizations are present via CLI: Linux: As a trusted user on the host operating system, use the below command to filter out docker exec commands that used --privileged or --user option. sudo ausearch -k docker | grep exec | grep privileged | grep user If there are any in the output, then this is a finding. |
Fix Text (F-64575r966170_fix) |
---|
Docker CLI command must only be run with a client bundle and must not use --privileged or --user option. Refer to https://docs.mirantis.com/mke/3.7/ops/access-cluster/client-bundle/configure-client-bundle.html?highlight=client%20bundle. |