Least privilege access and need to know must be required to access MKE runtime and instantiate container images.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-260906 | CNTR-MK-000110 | SV-260906r1015768_rule | CCI-000213 | high |

Description: To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container platform specific services and customer services can be introduced without receiving approval and going through proper testing. Only those individuals and roles approved by the organization can have access to the container platform runtime.

| STIG | Date |
|---|---|
| Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-08-27 |
Related Frameworks (4 paths across 3 frameworks)

NIST 800-53 (1 mapping)
- AC-3 (1.00)
  - DISA · V2R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
- 3.1.1 (1.00)
  - DISA · V2R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
- 3.1.2 (1.00)
  - DISA · V2R1 · disa_xccdf · related
  - DISA · 2025-01-23 · disa_cci_list · equivalent
  - NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
- CCI-000213 (1.00)
  - DISA · V2R1 · disa_xccdf · related
Details
Check Text (C-260906r1015768_chk)
Access to use the docker CLI must be limited to root only.
1. Log on to the host CLI and execute the following:
stat -c %U:%G /var/run/docker.sock | grep -v root:docker
If any output is present, this is a finding.
2. Verify that the docker group has only the required users by executing:
getent group docker
If any users listed are not required to have direct access to MCR, this is a finding.
3. Execute the following command to verify the Docker socket file has permissions of 660 or more restrictive:
stat -c %a /var/run/docker.sock
If permissions are not set to "660", this is a finding.
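The three checks above, scripted as an added audit helper (example code, not part of the STIG or of Mirantis tooling). It assumes GNU stat and getent are available, and it takes the organization's approved account list from an assumed DOCKER_ALLOWED_MEMBERS variable; the permission test treats any bit outside rw-rw---- (including setuid/setgid/sticky) as wider than 660.

```shell
#!/bin/sh
# Added audit helper for the V-260906 check (constructed example, not STIG text).
# Assumptions: GNU stat (-c), getent, and DOCKER_ALLOWED_MEMBERS holding a
# space-separated allowlist of accounts approved for direct MCR access.

SOCK_DEFAULT=/var/run/docker.sock
WANT_OWNER="root:docker"

# Step 1: ownership must be exactly root:docker.
owner_ok() { [ "$1" = "$WANT_OWNER" ]; }

# Step 3: mode must be 660 or more restrictive. Octal 07117 is every bit
# outside rw-rw---- (setuid/setgid/sticky, owner x, group x, all of other).
perms_ok() { [ $(( 0$1 & 07117 )) -eq 0 ]; }

# Step 2: print group members that are not on the allowlist, one per line.
# $1 is a getent(1) group line "docker:x:GID:user1,user2"; $2 is the allowlist.
unexpected_members() {
    members=$(printf '%s' "$1" | cut -d: -f4 | tr ',' '\n')
    for m in $members; do
        found=0
        for ok in $2; do [ "$m" = "$ok" ] && found=1; done
        [ "$found" -eq 0 ] && printf '%s\n' "$m"
    done
    return 0
}

# Run all three checks against a live socket path; return 1 on any finding.
audit_socket() {
    sock=${1:-$SOCK_DEFAULT}; findings=0
    owner=$(stat -c %U:%G "$sock") || return 1
    mode=$(stat -c %a "$sock") || return 1
    owner_ok "$owner" || { echo "FINDING: $sock owned by $owner, want $WANT_OWNER"; findings=1; }
    perms_ok "$mode"  || { echo "FINDING: $sock mode $mode is wider than 660"; findings=1; }
    line=$(getent group docker) || { echo "FINDING: docker group not found"; return 1; }
    extra=$(unexpected_members "$line" "${DOCKER_ALLOWED_MEMBERS:-}")
    [ -z "$extra" ] || { echo "FINDING: unapproved docker group members: $extra"; findings=1; }
    return $findings
}

# Only audit a live socket when a path is given, e.g.: ./audit.sh /var/run/docker.sock
if [ "$#" -gt 0 ]; then audit_socket "$@"; fi
```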
Fix Text (F-64543r966074_fix)
To remove unauthorized users from the docker group, access the host CLI and run:
gpasswd -d [username to remove] docker
To ensure that the Docker socket is owned by root and group-owned by docker, execute the following:
chown root:docker /var/run/docker.sock
To set the file permissions of the Docker socket file to "660", execute the following:
chmod 660 /var/run/docker.sock