Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-260938 | CNTR-MK-001180 | SV-260938r1015771_rule | CCI-002233 | medium |
| Description |
| Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for the command. Using the --privileged or --user option in docker exec gives extended Linux capabilities to the command. Do not run docker exec with the --privileged or --user options, especially when running containers with dropped capabilities or with enhanced restrictions. By default, the docker exec command runs without the --privileged or --user options. |
| STIG | Date |
| Mirantis Kubernetes Engine Security Technical Implementation Guide | 2024-08-27 |
Details
Check Text (C-260938r1015771_chk)
The host OS must be locked down so that only authorized users with a client bundle can access docker commands.
To verify that no commands were run via the CLI with the --privileged or --user option:
Linux: As a trusted user on the host operating system, use the following command to find docker exec commands that used the --privileged or --user option.
sudo ausearch -k docker | grep exec | grep -E -e '--privileged|--user'
If there are any in the output, then this is a finding.
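The check above, as an added example that is not part of the STIG: it inspects only the options that belong to docker exec, so the words "privileged" or "user" appearing in the container's own command line or in an environment value do not count as a hit. It assumes raw auditd EXECVE records on stdin; the function names are hypothetical, the sample records are constructed, and it also covers -u, the short form of --user.

```shell
#!/bin/sh
# Added example. Reads raw auditd EXECVE records on stdin and prints
# "<audit event id> <offending option>" for each flagged docker exec.
flag_docker_exec() {
  awk '
    $1 == "type=EXECVE" {
      n = 0; id = $2
      sub(/^msg=audit\(/, "", id); sub(/\):$/, "", id)
      for (i = 3; i <= NF; i++)              # collect a0..aN in order
        if ($i ~ /^a[0-9]+="/) {
          v = $i; sub(/^a[0-9]+="/, "", v); sub(/"$/, "", v); arg[n++] = v
        }
      if (n < 2) next
      if (arg[0] != "docker" && arg[0] !~ /\/docker$/) next
      i = 1
      while (i < n && arg[i] != "exec") i++  # skip docker global options
      for (i++; i < n; i++) {                # options of exec only
        a = arg[i]
        if (a !~ /^-/) break                 # container name reached: stop
        if (a == "--privileged" || a ~ /^--privileged=/ ||
            a == "--user" || a ~ /^--user=/ || a ~ /^-[dit]*u/) {
          print id, a; break
        }
        # value-taking options given without "=" consume the next argument
        if (a ~ /^(-e|-w|--env|--env-file|--workdir|--detach-keys)$/) i++
      }
    }'
}

# Constructed sample records (not real audit data).
sample_records() {
  cat <<'EOF'
type=EXECVE msg=audit(1700000001.100:101): argc=5 a0="docker" a1="exec" a2="-it" a3="web" a4="sh"
type=EXECVE msg=audit(1700000002.200:102): argc=5 a0="docker" a1="exec" a2="--privileged" a3="web" a4="sh"
type=EXECVE msg=audit(1700000003.300:103): argc=6 a0="/usr/bin/docker" a1="exec" a2="-u" a3="root" a4="db" a5="id"
type=EXECVE msg=audit(1700000004.400:104): argc=7 a0="docker" a1="exec" a2="-e" a3="MODE=privileged" a4="web" a5="adduser" a6="--user"
type=EXECVE msg=audit(1700000005.500:105): argc=5 a0="docker" a1="exec" a2="--user=0" a3="web" a4="sh"
EOF
}

sample_records | flag_docker_exec
```

On a host, feed it the audit trail with `sudo ausearch -k docker --raw | flag_docker_exec`; arguments that auditd hex-encodes (for example, ones containing spaces) are not decoded by this sketch.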
Fix Text (F-64575r966170_fix)
Docker CLI commands must only be run with a client bundle and must not use the --privileged or --user option.
Refer to https://docs.mirantis.com/mke/3.7/ops/access-cluster/client-bundle/configure-client-bundle.html?highlight=client%20bundle.