
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide


Overview

Date: 2019-09-13
Finding Count (100): CAT I (High): 23, CAT II (Med): 72, CAT III (Low): 5
STIG Description
This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.

Findings (MAC III - Administrative Sensitive)

Finding ID Severity Title
V-95651 High All Docker Enterprise containers root filesystem must be mounted as read only.
V-95653 High Docker Enterprise host devices must not be directly exposed to containers.
V-95659 High The Docker Enterprise default seccomp profile must not be disabled.
V-95645 High The Docker Enterprise host's network namespace must not be shared.
V-95747 High Docker Enterprise /etc/docker directory ownership must be set to root:root.
V-95743 High Docker Enterprise docker.socket file ownership must be set to root:root.
V-95739 High Docker Enterprise docker.service file ownership must be set to root:root.
V-95755 High Docker Enterprise TLS certificate authority (CA) certificate file ownership must be set to root:root.
V-95751 High Docker Enterprise registry certificate file ownership must be set to root:root.
V-95759 High Docker Enterprise server certificate file ownership must be set to root:root.
V-95765 High Docker Enterprise server certificate key file permissions must be set to 400.
V-95767 High Docker Enterprise socket file ownership must be set to root:docker.
V-95769 High Docker Enterprise socket file permissions must be set to 660 or more restrictive.
V-95673 High Docker Enterprise privileged ports must not be mapped within containers.
V-95671 High The Docker Enterprise socket must not be mounted inside any containers.
V-95777 High Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive.
V-95775 High Docker Enterprise /etc/default/docker file ownership must be set to root:root.
V-95773 High Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive.
V-95771 High Docker Enterprise daemon.json file ownership must be set to root:root.
V-94867 High FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
V-95667 High All Docker Enterprise containers must be restricted from acquiring additional privileges.
V-95661 High Docker Enterprise exec commands must not be used with privileged option.
V-95669 High The Docker Enterprise host's user namespace must not be shared.
V-95719 Medium Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
V-95655 Medium Mount propagation mode must not be set to shared in Docker Enterprise.
V-95657 Medium The Docker Enterprise host's UTS namespace must not be shared.
V-95711 Medium Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.
V-95713 Medium Vulnerability scanning must be enabled for all repositories in the Docker Trusted Registry (DTR) component of Docker Enterprise.
V-95715 Medium Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
V-95783 Medium Docker Enterprise Swarm services must be bound to a specific host interface.
V-95781 Medium Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network.
V-95785 Medium Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2.
V-95599 Medium Docker Enterprise sensitive host system directories must not be mounted on containers.
V-95605 Medium log-opts on all Docker Engine - Enterprise nodes must be configured.
V-95355 Medium A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
V-95647 Medium Memory usage for all containers must be limited in Docker Enterprise.
V-95643 Medium Only required ports must be open on the containers in Docker Enterprise.
V-95641 Medium SSH must not run within Linux containers for Docker Enterprise.
V-95639 Medium Privileged Linux containers must not be used for Docker Enterprise.
V-95631 Medium An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.
V-95637 Medium Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.
V-95635 Medium SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.
V-95725 Medium Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.
V-95727 Medium Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.
V-95721 Medium The on-failure container restart policy must be set to 5 in Docker Enterprise.
V-95723 Medium The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).
V-95729 Medium Docker Content Trust enforcement must be enabled in Universal Control Plane (UCP).
V-95629 Medium Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
V-95745 Medium Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.
V-95741 Medium Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.
V-95621 Medium The Docker Enterprise self-signed certificates in Docker Trusted Registry (DTR) must be replaced with DoD trusted, signed certificates.
V-95623 Medium The option in Universal Control Plane (UCP) allowing users and administrators to schedule containers on all nodes, including UCP managers and Docker Trusted Registry (DTR) nodes must be disabled in Docker Enterprise.
V-95625 Medium The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
V-95749 Medium Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive.
V-95627 Medium Periodic data usage and analytics reporting in Universal Control Plane (UCP) must be disabled in Docker Enterprise.
V-95733 Medium Docker Enterprise Swarm manager auto-lock key must be rotated periodically.
V-95731 Medium Docker Swarm must have the minimum number of manager nodes.
V-95735 Medium Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).
V-95757 Medium Docker Enterprise TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive.
V-95753 Medium Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive.
V-95761 Medium Docker Enterprise server certificate file permissions must be set to 444 or more restrictive.
V-95763 Medium Docker Enterprise server certificate key file ownership must be set to root:root.
V-95699 Medium All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).
V-95695 Medium An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR).
V-95697 Medium The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP).
V-95693 Medium Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.
V-95615 Medium The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
V-95617 Medium Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
V-95611 Medium The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
V-95613 Medium On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.
V-96003 Medium Docker Enterprise Swarm manager must be run in auto-lock mode.
V-95619 Medium The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates.
V-95677 Medium SAML integration must be enabled in Docker Enterprise.
V-95675 Medium Docker Enterprise incoming container traffic must be bound to a specific host interface.
V-95779 Medium Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA).
V-95679 Medium The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise.
V-94865 Medium TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
V-94869 Medium The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
V-95689 Medium PIDs cgroup limits must be used in Docker Enterprise.
V-95683 Medium The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise.
V-95681 Medium Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster.
V-95687 Medium Docker Enterprise container health must be checked at runtime.
V-95685 Medium Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.
V-95603 Medium The Docker Enterprise host's IPC namespace must not be shared.
V-95601 Medium The Docker Enterprise host's process namespace must not be shared.
V-95357 Medium A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
V-95113 Medium LDAP integration in Docker Enterprise must be configured.
V-95111 Medium The host operating system's auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.
V-95665 Medium cgroup usage must be confirmed in Docker Enterprise.
V-95709 Medium Content Trust enforcement must be enabled in Universal Control Plane (UCP) in Docker Enterprise.
V-95663 Medium Docker Enterprise exec commands must not be used with the user option.
V-95703 Medium Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events.
V-95701 Medium Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceeds 75% usage.
V-95707 Medium Docker Enterprise network ports on all running containers must be limited to what is needed.
V-95705 Medium The Docker Enterprise log aggregation/SIEM systems must be configured to send an alert to the ISSO/ISSM when unauthorized software is installed.
V-95649 Low Docker Enterprise CPU priority must be set appropriately on all containers.
V-95609 Low Docker Inc's official GPG key must be added to the host using the package repository management tooling of the user's operating system.
V-95691 Low The Docker Enterprise per user limit login session control must be set per the requirements in the System Security Plan (SSP).
V-94863 Low The Docker Enterprise Per User Limit Login Session Control in the Universal Control Plane (UCP) Admin Settings must be set to an organization-defined value for all accounts and/or account types.
V-95607 Low Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.