If MKE is deployed on a Red Hat or CentOS system, SELinux security must be enabled.

Overview

Finding ID: V-260921
Version: CNTR-MK-000530
Rule ID: SV-260921r966120_rule
IA Controls: CCI-000381
Severity: medium
Description
SELinux provides a Mandatory Access Control (MAC) system on RHEL and CentOS that greatly augments the default Discretionary Access Control (DAC) model. The user can thus add an extra layer of safety by enabling SELinux on the RHEL or CentOS host. When applied to containers, SELinux helps isolate and restrict the actions that containerized processes can perform, reducing the risk of container escapes and unauthorized access. By default, no SELinux security options are applied on containers.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-08-27

Related Frameworks

3 paths across 3 frameworks
NIST 800-53 (1 mapping)
CM-7 · 1.00
  • DISA · V2R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-171 (1 mapping)
3.4.6 · 1.00
  • DISA · V2R1 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI (1 mapping)
CCI-000381 · 1.00
  • DISA · V2R1 · disa_xccdf · related

Details

Check Text (C-260921r966120_chk)

If using MKE on operating systems other than Red Hat Enterprise Linux or CentOS host operating systems where SELinux is in use, this check is Not Applicable.

Execute on all nodes in a cluster. Verify that the appropriate security options are configured for all running containers.

Via CLI (Linux): Execute the following command as a user on the host operating system:

  docker info --format '{{.SecurityOptions}}'

Expected output:

  [name=seccomp, profile=default name=selinux name=fips]

If there is no output, or no entry in the output reads name=selinux, this is a finding.

Fix Text (F-64558r966119_fix)

If using MKE on operating systems other than Red Hat Enterprise Linux or CentOS host operating systems where SELinux is in use, this check is Not Applicable.

Execute on all nodes in a cluster. Start MKE with SELinux mode enabled and run containers using appropriate security options.

Via CLI (Linux):
  • Set the SELinux state and policy.
  • Create or import a SELinux policy template for MKE.
  • Start MKE with SELinux mode enabled by setting the "selinux-enabled" property to "true" in the "/etc/docker/daemon.json" daemon configuration file.
  • Restart MKE.
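The following is an added helper script, not part of the STIG text or of Mirantis' tooling, that turns the check and fix above into something an auditor can run per node: it parses the output of docker info --format '{{.SecurityOptions}}' for a name=selinux entry, decides PASS / FINDING / NOT_APPLICABLE, and verifies the "selinux-enabled": true key in /etc/docker/daemon.json. It assumes the host's /etc/os-release ID value is rhel or centos for applicable hosts, and its daemon.json test is a regex on that single key rather than a full JSON parse. The sample outputs in the script are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the STIG): node-level audit helper for CNTR-MK-000530.
# Parses `docker info --format '{{.SecurityOptions}}'` and the "selinux-enabled"
# key in /etc/docker/daemon.json. Sample strings below are constructed.

# Return 0 when the SecurityOptions string lists SELinux as an enabled option.
# Docker prints a Go slice, e.g. [name=seccomp,profile=default name=selinux name=fips]
# (the STIG's expected output shows a space after the comma; both forms are handled).
has_selinux_option() {
    opts=$(printf '%s' "$1" | sed 's/^\[//; s/\]$//')
    for tok in $opts; do
        case "$tok" in
            name=selinux|name=selinux,*) return 0 ;;
        esac
    done
    return 1
}

# Return 0 when a daemon.json file sets "selinux-enabled": true.
# Assumption: a regex on this flat key is sufficient; the rest of the JSON
# is not validated here.
daemon_json_enables_selinux() {
    [ -r "$1" ] || return 1
    grep -Eq '"selinux-enabled"[[:space:]]*:[[:space:]]*true' "$1"
}

# Print the STIG result for one node: NOT_APPLICABLE on hosts that are not
# RHEL/CentOS, PASS when name=selinux is present, otherwise FINDING.
# os_id is the ID= value from /etc/os-release (rhel, centos, ubuntu, ...).
stig_result() {
    os_id=$1
    opts=$2
    case "$os_id" in
        rhel|centos) ;;
        *) echo NOT_APPLICABLE; return 0 ;;
    esac
    if has_selinux_option "$opts"; then
        echo PASS
    else
        echo FINDING
    fi
}

# Live audit of the host this runs on (needs docker and /etc/os-release).
audit_this_node() {
    os_id=$( { . /etc/os-release 2>/dev/null && printf '%s' "$ID"; } || printf unknown)
    opts=$(docker info --format '{{.SecurityOptions}}' 2>/dev/null || true)
    stig_result "$os_id" "$opts"
}

# Constructed sample outputs for a dry run on a machine without Docker.
SAMPLE_OK='[name=seccomp,profile=default name=selinux name=fips]'
SAMPLE_NO_SELINUX='[name=seccomp,profile=default]'
SAMPLE_EMPTY=''

echo "rhel, selinux listed:   $(stig_result rhel "$SAMPLE_OK")"           # PASS
echo "centos, selinux absent: $(stig_result centos "$SAMPLE_NO_SELINUX")" # FINDING
echo "rhel, no output:        $(stig_result rhel "$SAMPLE_EMPTY")"        # FINDING
echo "ubuntu:                 $(stig_result ubuntu "$SAMPLE_OK")"         # NOT_APPLICABLE
```

On a real node, call audit_this_node instead of the dry-run lines; run it on every node in the cluster, since the STIG requires the check on all of them. After applying the fix, daemon_json_enables_selinux /etc/docker/daemon.json confirms the configuration file, and a fresh audit_this_node after the restart confirms the daemon actually picked it up, which is the condition the check text scores.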