UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.


Overview

Finding ID Version Rule ID IA Controls Severity
V-260938 CNTR-MK-001180 SV-260938r966171_rule Medium
Description
Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for the command. Using --privileged option or --user option in docker exec gives extended Linux capabilities to the command. Do not run docker exec with the --privileged or --user options, especially when running containers with dropped capabilities or with enhanced restrictions. By default, docker exec command runs without --privileged or --user options.
STIG Date
Mirantis Kubernetes Engine Security Technical Implementation Guide 2024-04-10

Details

Check Text ( C-64667r966169_chk )
The host OS must be locked down so that only authorized users with a client bundle can access docker commands.

To ensure that no commands with privilege or user authorizations are present via CLI:

Linux: As a trusted user on the host operating system, use the below command to filter out docker exec commands that used --privileged or --user option.

sudo ausearch -k docker | grep exec | grep privileged | grep user

If there are any in the output, then this is a finding.
Fix Text (F-64575r966170_fix)
Docker CLI command must only be run with a client bundle and must not use --privileged or --user option.

Refer to https://docs.mirantis.com/mke/3.7/ops/access-cluster/client-bundle/configure-client-bundle.html?highlight=client%20bundle.