| DISA_STIG_Docker_Enterprise_2.x_Linux_Unix_v2r1.audit from DISA Docker Enterprise 2.x Linux/UNIX v2r1 STIG | |
| DKER-EE-001050 - TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. | ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes - docker info .SecurityOptions | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker paths | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker services | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| DKER-EE-001190 - Docker Enterprise sensitive host system directories must not be mounted on containers. | ACCESS CONTROL |
| DKER-EE-001240 - The Docker Enterprise hosts process namespace must not be shared. | ACCESS CONTROL |
| DKER-EE-001250 - The Docker Enterprise hosts IPC namespace must not be shared. | ACCESS CONTROL |
| DKER-EE-001370 - log-opts on all Docker Engine - Enterprise nodes must be configured. | AUDIT AND ACCOUNTABILITY |
| DKER-EE-001590 - Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. | AUDIT AND ACCOUNTABILITY |
| DKER-EE-001770 - Docker Incs official GPG key must be added to the host using the users operating systems respective package repository management tooling. | CONFIGURATION MANAGEMENT |
| DKER-EE-001800 - The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. | CONFIGURATION MANAGEMENT |
| DKER-EE-001810 - On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used. | CONFIGURATION MANAGEMENT |
| DKER-EE-001830 - The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. | CONFIGURATION MANAGEMENT |
| DKER-EE-001840 - Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. | CONFIGURATION MANAGEMENT |
| DKER-EE-001930 - An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-001940 - SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-001950 - Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-001960 - Privileged Linux containers must not be used for Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-001970 - SSH must not run within Linux containers for Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-001990 - Only required ports must be open on the containers in Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-002000 - Docker Enterprise hosts network namespace must not be shared. | CONFIGURATION MANAGEMENT |
| DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-002020 - Docker Enterprise CPU priority must be set appropriately on all containers. | CONFIGURATION MANAGEMENT |
| DKER-EE-002030 - All Docker Enterprise containers root filesystem must be mounted as read only. | CONFIGURATION MANAGEMENT |
| DKER-EE-002040 - Docker Enterprise host devices must not be directly exposed to containers. | CONFIGURATION MANAGEMENT |
| DKER-EE-002050 - Mount propagation mode must not set to shared in Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-002060 - The Docker Enterprise hosts UTS namespace must not be shared. | CONFIGURATION MANAGEMENT |
| DKER-EE-002070 - The Docker Enterprise default seccomp profile must not be disabled. | CONFIGURATION MANAGEMENT |
| DKER-EE-002080 - Docker Enterprise exec commands must not be used with privileged option. | CONFIGURATION MANAGEMENT |
| DKER-EE-002090 - Docker Enterprise exec commands must not be used with the user option. | CONFIGURATION MANAGEMENT |
| DKER-EE-002100 - cgroup usage must be confirmed in Docker Enterprise. | CONFIGURATION MANAGEMENT |
| DKER-EE-002110 - All Docker Enterprise containers must be restricted from acquiring additional privileges. | CONFIGURATION MANAGEMENT |
| DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared. | CONFIGURATION MANAGEMENT |
| DKER-EE-002130 - The Docker Enterprise socket must not be mounted inside any containers. | CONFIGURATION MANAGEMENT |
| DKER-EE-002150 - Docker Enterprise privileged ports must not be mapped within containers. | CONFIGURATION MANAGEMENT |
| DKER-EE-002160 - Docker Enterprise incoming container traffic must be bound to a specific host interface. | CONFIGURATION MANAGEMENT |
| DKER-EE-002380 - The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise. | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-002400 - Docker Enterprise Swarm manager must be run in auto-lock mode. | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-002410 - Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster. | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-002660 - Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise. | SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-002770 - Docker Enterprise container health must be checked at runtime. | SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-002780 - PIDs cgroup limits must be used in Docker Enterprise. | SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-003200 - Docker Enterprise images must be built with the USER instruction to prevent containers from running as root. | ACCESS CONTROL |
| DKER-EE-003230 - An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR). | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
| DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-file | AUDIT AND ACCOUNTABILITY |
| DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-size | AUDIT AND ACCOUNTABILITY |
| DKER-EE-003320 - All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM). | AUDIT AND ACCOUNTABILITY |
| DKER-EE-003330 - Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceed 75% usage. | AUDIT AND ACCOUNTABILITY |
| DKER-EE-003340 - Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events. | AUDIT AND ACCOUNTABILITY |
