DISA STIG Docker Enterprise 2.x Linux/Unix v2r1

Audit Details

Name: DISA STIG Docker Enterprise 2.x Linux/Unix v2r1

Updated: 4/25/2022

Authority: DISA STIG

Plugin: Unix

Revision: 1.1

Estimated Item Count: 83

File Details

Filename: DISA_STIG_Docker_Enterprise_2.x_Linux_Unix_v2r1.audit

Size: 226 kB

MD5: 5424c7cec972e2d73bc2887e56baeaea
SHA256: 66414ff79aaee69fb5bd75a0b871b900680b997c36a330b8a6b6f6bfb9fa99a7

Audit Items

DescriptionCategories
DISA_STIG_Docker_Enterprise_2.x_Linux_Unix_v2r1.audit from DISA Docker Enterprise 2.x Linux/UNIX v2r1 STIG
DKER-EE-001050 - TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.

ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes - docker info .SecurityOptions

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker paths

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker services

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY

DKER-EE-001190 - Docker Enterprise sensitive host system directories must not be mounted on containers.

ACCESS CONTROL

DKER-EE-001240 - The Docker Enterprise hosts process namespace must not be shared.

ACCESS CONTROL

DKER-EE-001250 - The Docker Enterprise hosts IPC namespace must not be shared.

ACCESS CONTROL

DKER-EE-001370 - log-opts on all Docker Engine - Enterprise nodes must be configured.

AUDIT AND ACCOUNTABILITY

DKER-EE-001590 - Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

AUDIT AND ACCOUNTABILITY

DKER-EE-001770 - Docker Incs official GPG key must be added to the host using the users operating systems respective package repository management tooling.

CONFIGURATION MANAGEMENT

DKER-EE-001800 - The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

CONFIGURATION MANAGEMENT

DKER-EE-001810 - On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.

CONFIGURATION MANAGEMENT

DKER-EE-001830 - The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

CONFIGURATION MANAGEMENT

DKER-EE-001840 - Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

CONFIGURATION MANAGEMENT

DKER-EE-001930 - An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-001940 - SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-001950 - Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-001960 - Privileged Linux containers must not be used for Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-001970 - SSH must not run within Linux containers for Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-001990 - Only required ports must be open on the containers in Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-002000 - Docker Enterprise hosts network namespace must not be shared.

CONFIGURATION MANAGEMENT

DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-002020 - Docker Enterprise CPU priority must be set appropriately on all containers.

CONFIGURATION MANAGEMENT

DKER-EE-002030 - All Docker Enterprise containers root filesystem must be mounted as read only.

CONFIGURATION MANAGEMENT

DKER-EE-002040 - Docker Enterprise host devices must not be directly exposed to containers.

CONFIGURATION MANAGEMENT

DKER-EE-002050 - Mount propagation mode must not set to shared in Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-002060 - The Docker Enterprise hosts UTS namespace must not be shared.

CONFIGURATION MANAGEMENT

DKER-EE-002070 - The Docker Enterprise default seccomp profile must not be disabled.

CONFIGURATION MANAGEMENT

DKER-EE-002080 - Docker Enterprise exec commands must not be used with privileged option.

CONFIGURATION MANAGEMENT

DKER-EE-002090 - Docker Enterprise exec commands must not be used with the user option.

CONFIGURATION MANAGEMENT

DKER-EE-002100 - cgroup usage must be confirmed in Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-002110 - All Docker Enterprise containers must be restricted from acquiring additional privileges.

CONFIGURATION MANAGEMENT

DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared.

CONFIGURATION MANAGEMENT

DKER-EE-002130 - The Docker Enterprise socket must not be mounted inside any containers.

CONFIGURATION MANAGEMENT

DKER-EE-002150 - Docker Enterprise privileged ports must not be mapped within containers.

CONFIGURATION MANAGEMENT

DKER-EE-002160 - Docker Enterprise incoming container traffic must be bound to a specific host interface.

CONFIGURATION MANAGEMENT

DKER-EE-002380 - The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise.

IDENTIFICATION AND AUTHENTICATION

DKER-EE-002400 - Docker Enterprise Swarm manager must be run in auto-lock mode.

IDENTIFICATION AND AUTHENTICATION

DKER-EE-002410 - Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster.

IDENTIFICATION AND AUTHENTICATION

DKER-EE-002660 - Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-002770 - Docker Enterprise container health must be checked at runtime.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-002780 - PIDs cgroup limits must be used in Docker Enterprise.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-003200 - Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.

ACCESS CONTROL

DKER-EE-003230 - An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR).

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-file

AUDIT AND ACCOUNTABILITY

DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-size

AUDIT AND ACCOUNTABILITY

DKER-EE-003320 - All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).

AUDIT AND ACCOUNTABILITY

DKER-EE-003330 - Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceed 75% usage.

AUDIT AND ACCOUNTABILITY

DKER-EE-003340 - Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events.

AUDIT AND ACCOUNTABILITY