DISA STIG Docker Enterprise 2.x Linux/Unix v2r1

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

View Next Version

Audit Details

Name: DISA STIG Docker Enterprise 2.x Linux/Unix v2r1

Updated: 8/28/2024

Authority: DISA STIG

Plugin: Unix

Revision: 1.6

Estimated Item Count: 83

File Details

Filename: DISA_STIG_Docker_Enterprise_2.x_Linux_Unix_v2r1.audit

Size: 206 kB

MD5: 7cb052612338d2cc9796ff7c40ceca3f
SHA256: e4504fe75fc915d06523e7a603aef947917b0b54a1cf9f17fe39c17c3592bb99

Audit Items

DescriptionCategories
DISA_STIG_Docker_Enterprise_2.x_Linux_Unix_v2r1.audit from DISA Docker Enterprise 2.x Linux/UNIX v2r1 STIG
DKER-EE-001050 - TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.

ACCESS CONTROL, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes - docker info .SecurityOptions

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker paths

AUDIT AND ACCOUNTABILITY

DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker services

AUDIT AND ACCOUNTABILITY

DKER-EE-001190 - Docker Enterprise sensitive host system directories must not be mounted on containers.

AUDIT AND ACCOUNTABILITY

DKER-EE-001240 - The Docker Enterprise hosts process namespace must not be shared.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-001250 - The Docker Enterprise hosts IPC namespace must not be shared.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-001370 - log-opts on all Docker Engine - Enterprise nodes must be configured.
DKER-EE-001590 - Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT

DKER-EE-001770 - Docker Incs official GPG key must be added to the host using the users operating systems respective package repository management tooling.

CONFIGURATION MANAGEMENT

DKER-EE-001800 - The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

CONFIGURATION MANAGEMENT

DKER-EE-001810 - On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.

CONFIGURATION MANAGEMENT

DKER-EE-001830 - The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
DKER-EE-001840 - Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

CONFIGURATION MANAGEMENT

DKER-EE-001930 - An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.

ACCESS CONTROL

DKER-EE-001940 - SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.
DKER-EE-001950 - Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.
DKER-EE-001960 - Privileged Linux containers must not be used for Docker Enterprise.

ACCESS CONTROL

DKER-EE-001970 - SSH must not run within Linux containers for Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-001990 - Only required ports must be open on the containers in Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-002000 - Docker Enterprise hosts network namespace must not be shared.

CONFIGURATION MANAGEMENT

DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-002020 - Docker Enterprise CPU priority must be set appropriately on all containers.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-002030 - All Docker Enterprise containers root filesystem must be mounted as read only.

CONFIGURATION MANAGEMENT

DKER-EE-002040 - Docker Enterprise host devices must not be directly exposed to containers.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-002050 - Mount propagation mode must not set to shared in Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-002060 - The Docker Enterprise hosts UTS namespace must not be shared.

CONFIGURATION MANAGEMENT

DKER-EE-002070 - The Docker Enterprise default seccomp profile must not be disabled.

CONFIGURATION MANAGEMENT

DKER-EE-002080 - Docker Enterprise exec commands must not be used with privileged option.

CONFIGURATION MANAGEMENT

DKER-EE-002090 - Docker Enterprise exec commands must not be used with the user option.

CONFIGURATION MANAGEMENT

DKER-EE-002100 - cgroup usage must be confirmed in Docker Enterprise.

CONFIGURATION MANAGEMENT

DKER-EE-002110 - All Docker Enterprise containers must be restricted from acquiring additional privileges.

CONFIGURATION MANAGEMENT

DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-002130 - The Docker Enterprise socket must not be mounted inside any containers.

AUDIT AND ACCOUNTABILITY

DKER-EE-002150 - Docker Enterprise privileged ports must not be mapped within containers.

CONFIGURATION MANAGEMENT

DKER-EE-002160 - Docker Enterprise incoming container traffic must be bound to a specific host interface.

CONFIGURATION MANAGEMENT

DKER-EE-002380 - The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise.
DKER-EE-002400 - Docker Enterprise Swarm manager must be run in auto-lock mode.

IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-002410 - Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster.
DKER-EE-002660 - Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.
DKER-EE-002770 - Docker Enterprise container health must be checked at runtime.

CONFIGURATION MANAGEMENT

DKER-EE-002780 - PIDs cgroup limits must be used in Docker Enterprise.

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-003200 - Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.

ACCESS CONTROL

DKER-EE-003230 - An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR).

AUDIT AND ACCOUNTABILITY

DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-file

AUDIT AND ACCOUNTABILITY

DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-size

AUDIT AND ACCOUNTABILITY

DKER-EE-003320 - All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).

AUDIT AND ACCOUNTABILITY

DKER-EE-003330 - Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceed 75% usage.
DKER-EE-003340 - Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events.