1. Overview

Prisma Cloud supports the Docker Enterprise DISA STIG. STIGs contain technical guidance to lock down systems that might otherwise be vulnerable to attack. This STIG ensures government agencies run Docker Enterprise securely.

For an overview of the STIG, see here. To download the STIG, see here.

2. Checks

Prisma Cloud offers a compliance template for the Docker Enterprise DISA STIG. In many cases, DISA STIG checks map to checks already supported in the product. In some cases, we’ve implemented checks specficially to support the Docker Enterprise STIG. When configuring your compliance policy, simply select the DISA STIG template to enable all relevant checks.

2.1. CAT I

CAT I is a category code for any vulnerability, which when exploited, will directly and immediately result in loss of Confidentiality, Availability, or Integrity. These risks are the most severe.

The following table lists the CAT I checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks. All CAT I checks, except DKER-EE-001070, map to CIS Docker Benchmark checks. A separate check has been implemented for DKER-EE-001070 to support the Docker Enterprise STIG.

STIG ID Prisma Cloud ID Description

DKER-EE-001070

N/A

FIPS mode must be enabled on all Docker Engine - Enterprise nodes.

DKER-EE-002000

59

Docker Enterprise hosts network namespace must not be shared.

DKER-EE-002030

512

All Docker Enterprise containers root filesystem must be mounted as read only.

DKER-EE-002040

517

Docker Enterprise host devices must not be directly exposed to containers.

DKER-EE-002070

521

The Docker Enterprise default seccomp profile must not be disabled.

DKER-EE-002080

224

Docker Enterprise exec commands must not be used with privileged option.

DKER-EE-002110

525

All Docker Enterprise containers must be restricted from acquiring additional privileges.

DKER-EE-002120

530

The Docker Enterprise hosts user namespace must not be shared.

DKER-EE-002130

531

The Docker Enterprise socket must not be mounted inside any containers.

DKER-EE-002150

57

Docker Enterprise privileged ports must not be mapped within containers.

DKER-EE-005170

31

Docker Enterprise docker.service file ownership must be set to root:root.

DKER-EE-005190

33

Docker Enterprise docker.socket file ownership must be set to root:root.

DKER-EE-005210

35

Docker Enterprise /etc/docker directory ownership must be set to root:root.

DKER-EE-005230

37

Docker Enterprise registry certificate file ownership must be set to root:root.

DKER-EE-005250

39

Docker TLS certificate authority (CA) certificate file ownership must be set to root:root

DKER-EE-005270

311

Docker server certificate file ownership must be set to root:root

DKER-EE-005300

314

Docker server certificate key file permissions must be set to 400

DKER-EE-005310

315

Docker Enterprise socket file ownership must be set to root:docker.

DKER-EE-005320

316

Docker Enterprise socket file permissions must be set to 660 or more restrictive.

DKER-EE-005330

317

Docker Enterprise daemon.json file ownership must be set to root:root.

DKER-EE-005340

318

Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive.

DKER-EE-005350

319

Docker Enterprise /etc/default/docker file ownership must be set to root:root.

DKER-EE-005360

320

Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive.

2.2. CAT II

CAT II is a category code for any vulnerability, which when exploited, has a potential to result in loss of Confidentiality, Availability, or Integrity.

The following table lists the CAT 1 checks implemented in Prisma Cloud, and how they map to existing checks. Some CAT 1 checks don’t map to any existing checks, and have been implemented specifically for this DISA STIG.

STIG ID Prisma Cloud ID Description

DKER-EE-001050

26

TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.

DKER-EE-001240

515

The Docker Enterprise hosts process namespace must not be shared.

DKER-EE-001250

516

The Docker Enterprise hosts IPC namespace must not be shared.

DKER-EE-001800

24

The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

DKER-EE-001810

25

On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.

DKER-EE-001830

218

The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

DKER-EE-001840

221

Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.

DKER-EE-001930

51

An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.

DKER-EE-001940

52

SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.

DKER-EE-001950

53

Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.

DKER-EE-001960

54

Privileged Linux containers must not be used for Docker Enterprise.

DKER-EE-001970

56

SSH must not run within Linux containers for Docker Enterprise.

DKER-EE-001990

58

Only required ports must be open on the containers in Docker Enterprise.

DKER-EE-002010

510

Memory usage for all containers must be limited in Docker Enterprise.

DKER-EE-002050

519

Mount propagation mode must not set to shared in Docker Enterprise.

DKER-EE-002060

520

The Docker Enterprise hosts UTS namespace must not be shared.

DKER-EE-002100

524

cgroup usage must be confirmed in Docker Enterprise.

DKER-EE-002160

513

Docker Enterprise incoming container traffic must be bound to a specific host interface.

DKER-EE-002400

223

Docker Enterprise Swarm manager must be run in auto-lock mode.

DKER-EE-002770

406

Docker Enterprise container health must be checked at runtime.

DKER-EE-002780

528

PIDs cgroup limits must be used in Docker Enterprise.

DKER-EE-003200

41

Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.

DKER-EE-004030

514

The on-failure container restart policy must be is set to 5 in Docker Enterprise.

DKER-EE-004040

518

The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).

DKER-EE-005180

32

Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.

DKER-EE-005200

34

Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.

DKER-EE-005220

36

Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive.

DKER-EE-005240

38

Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive.

DKER-EE-005260

310

Docker TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive

DKER-EE-005280

312

Docker server certificate file permissions must be set to 444 or more restrictive

DKER-EE-005290

313

Docker server certificate key file ownership must be set to root:root

DKER-EE-006270

217

Docker Enterprise Swarm services must be bound to a specific host interface.

2.3. CAT III

CAT III is a category code for any vulnerability, which when it exists, degrades measures to protect against loss of Confidentiality, Availability, or Integrity.

The following table lists the CAT III checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks. All checks map to CIS Docker Benchmark checks.

STIG ID Prisma Cloud ID Description

DKER-EE-002020

511

Docker Enterprise CPU priority must be set appropriately on all containers.

3. Enable DISA STIG for Docker Enterprise checks

DISA STIG for Docker Enterprise checks have been grouped into a template. Checks are relevant to containers, images, and hosts.

  1. Log into Console.

  2. Enable the container checks.

    1. Go to Defend > Compliance > Containers and images > {Deployed | CI}.

    2. Click Add rule.

    3. Enter a rule name.

    4. In the Compliance template drop-down, select DISA STIG.

    5. Click Save.

      docker enterprise disa stig container template
  3. Enable host checks.

    1. Go to Defend > Compliance > Hosts > {Running hosts | VM images}.

    2. Click Add rule.

    3. Enter a rule name.

    4. In the Compliance template drop-down, select DISA STIG.

    5. Click Save.

      docker enterprise disa stig host template