Check: CNTR-MK-001180
Mirantis Kubernetes Engine STIG (version v1 r1)
Title
Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions. (Cat II impact)
Discussion
Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for each command. Using the --privileged or --user option with docker exec gives extended Linux capabilities to the command. Do not run docker exec with the --privileged or --user options, especially when running containers with dropped capabilities or with enhanced restrictions. By default, the docker exec command runs without the --privileged or --user options.
Check Content
The host OS must be locked down so that only authorized users with a client bundle can access docker commands. To ensure that no commands with privilege or user authorizations are present via the CLI:

Linux: As a trusted user on the host operating system, use the command below to filter out docker exec commands that used the --privileged or --user option.

sudo ausearch -k docker | grep exec | grep privileged | grep user

If there are any in the output, then this is a finding.
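The filter below is an added example, not part of the STIG text. It runs the check's detection logic over constructed auditd EXECVE records, and it flags a docker exec that carries either option on its own (the Discussion treats --privileged and --user as separate problems), including the short form -u that docker exec accepts. It assumes an audit rule keyed "docker" so that `sudo ausearch -k docker` returns EXECVE records in the shape shown.

```shell
# Added example, not from the STIG: flag docker exec invocations that
# carry --privileged, --user or -u in auditd EXECVE records.
# Assumes an audit rule keyed "docker" (an assumption), so that
# `sudo ausearch -k docker` emits EXECVE records like the constructed ones below.

# Constructed sample records standing in for `sudo ausearch -k docker` output.
SAMPLE_AUDIT='type=EXECVE msg=audit(1700000000.100:201): argc=3 a0="docker" a1="exec" a2="web"
type=EXECVE msg=audit(1700000000.200:202): argc=4 a0="docker" a1="exec" a2="--privileged" a3="web"
type=EXECVE msg=audit(1700000000.300:203): argc=5 a0="/usr/bin/docker" a1="exec" a2="--user" a3="root" a4="web"
type=EXECVE msg=audit(1700000000.400:204): argc=3 a0="docker" a1="run" a2="--privileged"
type=EXECVE msg=audit(1700000000.500:205): argc=5 a0="docker" a1="exec" a2="-u" a3="0" a4="web"
'

# Print the records that represent a finding: docker (bare or by path) invoked as
# "docker exec" with --privileged, --user (also --user=NAME) or -u as any argument.
# Each option is a finding by itself; the two do not need to appear together.
flag_privileged_exec() {
    grep -E 'a0="([^"]*/)?docker" a1="exec"' \
        | grep -E 'a[0-9]+="(--privileged|--user|-u)[="]'
}

# Number of findings in the sample; "0" is the compliant state the check expects.
count_findings() {
    printf '%s' "$SAMPLE_AUDIT" | flag_privileged_exec | wc -l | tr -d ' '
}
```

On a real host replace the constructed sample with live audit data: `sudo ausearch -k docker | flag_privileged_exec`.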
Fix Text
Docker CLI commands must only be run with a client bundle and must not use the --privileged or --user option. Refer to https://docs.mirantis.com/mke/3.7/ops/access-cluster/client-bundle/configure-client-bundle.html?highlight=client%20bundle.
Additional Identifiers
Rule ID: SV-260938r966171_rule
Vulnerability ID: V-260938
Group Title: SRG-APP-000342-CTR-000775
CCIs
Number | Definition
---|---
CCI-001991 | The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network.
CCI-002233 | The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.