Overview

DISA collaborated with Docker, the container platform, to create the Docker Enterprise 2.x Linux/UNIX STIG. The purpose of this STIG is to provide guidance for securing Docker and the supporting Linux and UNIX based operating systems.

DISA STIG_ID mapping to Prisma Cloud Compute Compliance Check ID

Eight new compliance checks have been added specifically for the DISA STIG, in addition to 49 existing checks that already align with STIG checks. The remaining 43 STIG checks are not applicable to Prisma Cloud Compute. For example, STIG ID DKER-EE-002180 requires that SAML integration be enabled in Docker Enterprise Universal Control Plane, which is a UCP setting rather than something a compliance scan of the host or container can verify.

| STIG ID | STIG Rule Title | Prisma Cloud Compute Compliance Check ID | Prisma Cloud Compute Compliance Check Description |
|---|---|---|---|
| DKER-EE-005250 | Docker Enterprise TLS certificate authority (CA) certificate file ownership must be set to root:root. | 39 | Docker TLS certificate authority (CA) certificate file ownership must be set to root:root |
| DKER-EE-005260 | Docker Enterprise TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive. | 310 | Docker TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive |
| DKER-EE-005270 | Docker Enterprise server certificate file ownership must be set to root:root. | 311 | Docker server certificate file ownership must be set to root:root |
| DKER-EE-005280 | Docker Enterprise server certificate file permissions must be set to 444 or more restrictive. | 312 | Docker server certificate file permissions must be set to 444 or more restrictive |
| DKER-EE-005290 | Docker Enterprise server certificate key file ownership must be set to root:root. | 313 | Docker server certificate key file ownership must be set to root:root |
| DKER-EE-005300 | Docker Enterprise server certificate key file permissions must be set to 400. | 314 | Docker server certificate key file permissions must be set to 400 |
| DKER-EE-001050 | TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. | 26 | Configure TLS authentication for Docker daemon |
| DKER-EE-001240 | The Docker Enterprise hosts process namespace must not be shared. | 515 | Do not share the host's process namespace |
| DKER-EE-001250 | The Docker Enterprise hosts IPC namespace must not be shared. | 516 | Do not share the host's IPC namespace |
| DKER-EE-001800 | The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. | 24 | Do not use insecure registries |
| DKER-EE-001810 | On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used. | 25 | Do not use the aufs storage driver |
| DKER-EE-001830 | The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. | 218 | Disable userland proxy |
| DKER-EE-001840 | Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. | 221 | Avoid experimental features in production |
| DKER-EE-001930 | An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise. | 51 | Verify AppArmor profile, if applicable |
| DKER-EE-001940 | SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise. | 52 | Verify SELinux security options, if applicable |
| DKER-EE-001950 | Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise. | 53 | Restrict Linux kernel capabilities within containers |
| DKER-EE-001960 | Privileged Linux containers must not be used for Docker Enterprise. | 54 | Do not use privileged containers |
| DKER-EE-001970 | SSH must not run within Linux containers for Docker Enterprise. | 56 | Do not run ssh within containers |
| DKER-EE-001990 | Only required ports must be open on the containers in Docker Enterprise. | 58 | Open only needed ports on container |
| DKER-EE-002000 | Docker Enterprise hosts network namespace must not be shared. | 59 | Do not share the host's network namespace |
| DKER-EE-002010 | Memory usage for all containers must be limited in Docker Enterprise. | 510 | Limit memory usage for container |
| DKER-EE-002020 | Docker Enterprise CPU priority must be set appropriately on all containers. | 511 | Set container CPU priority appropriately |
| DKER-EE-002030 | All Docker Enterprise containers root filesystem must be mounted as read only. | 512 | Mount container's root filesystem as read only |
| DKER-EE-002040 | Docker Enterprise host devices must not be directly exposed to containers. | 517 | Do not directly expose host devices to containers |
| DKER-EE-002050 | Mount propagation mode must not be set to shared in Docker Enterprise. | 519 | Do not set mount propagation mode to shared |
| DKER-EE-002060 | The Docker Enterprise hosts UTS namespace must not be shared. | 520 | Do not share the host's UTS namespace |
| DKER-EE-002070 | The Docker Enterprise default seccomp profile must not be disabled. | 521 | Do not disable default seccomp profile |
| DKER-EE-002080 | Docker Enterprise exec commands must not be used with privileged option. | 224 | Ensure containers are restricted from acquiring new privileges |
| DKER-EE-002100 | cgroup usage must be confirmed in Docker Enterprise. | 524 | Confirm cgroup usage |
| DKER-EE-002110 | All Docker Enterprise containers must be restricted from acquiring additional privileges. | 525 | Restrict container from acquiring additional privileges |
| DKER-EE-002120 | The Docker Enterprise hosts user namespace must not be shared. | 530 | Do not share the host's user namespaces |
| DKER-EE-002130 | The Docker Enterprise socket must not be mounted inside any containers. | 531 | Do not mount the Docker socket inside any containers |
| DKER-EE-002150 | Docker Enterprise privileged ports must not be mapped within containers. | 57 | Do not map privileged ports within containers |
| DKER-EE-002160 | Docker Enterprise incoming container traffic must be bound to a specific host interface. | 513 | Bind incoming container traffic to a specific host interface |
| DKER-EE-002770 | Docker Enterprise container health must be checked at runtime. | 406 | Add HEALTHCHECK instruction to the container image |
| DKER-EE-002780 | PIDs cgroup limits must be used in Docker Enterprise. | 528 | Use PIDs cgroup limit |
| DKER-EE-003200 | Docker Enterprise images must be built with the USER instruction to prevent containers from running as root. | 41 | Image should be created with a non-root user |
| DKER-EE-004040 | The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP). | 518 | Override default ulimit at runtime only if needed |
| DKER-EE-005170 | Docker Enterprise docker.service file ownership must be set to root:root. | 31 | Verify that docker.service file ownership is set to root:root |
| DKER-EE-005180 | Docker Enterprise docker.service file permissions must be set to 644 or more restrictive. | 32 | Verify that docker.service file permissions are set to 644 or more restrictive |
| DKER-EE-005190 | Docker Enterprise docker.socket file ownership must be set to root:root. | 33 | Verify that docker.socket file ownership is set to root:root |
| DKER-EE-005200 | Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive. | 34 | Verify that docker.socket file permissions are set to 644 or more restrictive |
| DKER-EE-005210 | Docker Enterprise /etc/docker directory ownership must be set to root:root. | 35 | Verify that /etc/docker directory ownership is set to root:root |
| DKER-EE-005220 | Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive. | 36 | Verify that /etc/docker directory permissions are set to 755 or more restrictive |
| DKER-EE-005230 | Docker Enterprise registry certificate file ownership must be set to root:root. | 37 | Verify that registry certificate file ownership is set to root:root |
| DKER-EE-005240 | Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive. | 38 | Verify that registry certificate file permissions are set to 444 or more restrictive |
| DKER-EE-005310 | Docker Enterprise socket file ownership must be set to root:docker. | 315 | Verify that Docker socket file ownership is set to root:docker |
| DKER-EE-005320 | Docker Enterprise socket file permissions must be set to 660 or more restrictive. | 316 | Verify that Docker socket file permissions are set to 660 or more restrictive |
| DKER-EE-005330 | Docker Enterprise daemon.json file ownership must be set to root:root. | 317 | Verify that daemon.json file ownership is set to root:root |
| DKER-EE-005340 | Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive. | 318 | Verify that daemon.json file permissions are set to 644 or more restrictive |
| DKER-EE-005350 | Docker Enterprise /etc/default/docker file ownership must be set to root:root. | 319 | Verify that /etc/default/docker file ownership is set to root:root |
| DKER-EE-005360 | Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive. | 320 | Verify that /etc/default/docker file permissions are set to 644 or more restrictive |
| DKER-EE-006270 | Docker Enterprise Swarm services must be bound to a specific host interface. | 217 | Bind swarm services to a specific host interface |
| DKER-EE-002400 | Docker Enterprise Swarm manager must be run in auto-lock mode. | 223 | Run swarm manager in auto-lock mode |
| DKER-EE-004030 | The on-failure container restart policy must be set to 5 in Docker Enterprise. | 514 | Do not set the 'on-failure' container restart policy to always |
| DKER-EE-001070 | FIPS mode must be enabled on all Docker Engine - Enterprise nodes. | 701070 | FIPS mode must be enabled on all Docker Engine - Enterprise nodes |
| DKER-EE-001190 | Docker Enterprise sensitive host system directories must not be mounted on containers. | 55 | Do not mount sensitive host system directories on containers |