DKER-EE-002100 - cgroup usage must be confirmed in Docker Enterprise.

Information

It is possible to attach to a particular cgroup on container run. Confirming cgroup usage would ensure that containers are running under defined cgroups.

System administrators typically define cgroups under which containers are supposed to run. Even if cgroups are not explicitly defined by the system administrators, containers run under docker cgroup by default. At run-time, it is possible to attach to a different cgroup other than the one that was expected to be used. This usage should be monitored and confirmed. By attaching to a different cgroup than the one that is expected, excess permissions and resources might be granted to the container and thus, can prove to be unsafe.

By default, containers run under docker cgroup.

Solution

This fix only applies to the use of Docker Engine - Enterprise on a Linux host operating system.

Do not use --cgroup-parent option in docker run command unless needed.
If required, document cgroup usage in the SSP.

A reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-Unix_V2R2_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7a., CAT|II, CCI|CCI-000381, Rule-ID|SV-235815r960963_rule, STIG-ID|DKER-EE-002100, STIG-Legacy|SV-104803, STIG-Legacy|V-95665, Vuln-ID|V-235815

Plugin: Unix

Control ID: 8ff0ff435f6a8c9e32461695db119ec462adb4b0cd7d51709efbcd2e2bef3f41