Check: CNTR-MK-000110
Mirantis Kubernetes Engine STIG: CNTR-MK-000110 (in versions v2 r1 through v1 r1)
Title
Least privilege access and need to know must be required to access MKE runtime and instantiate container images. (Cat I impact)
Discussion
To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container-platform-specific services and customer services can be introduced without receiving approval and without going through proper testing. Only those individuals and roles approved by the organization may have access to the container platform runtime.
Check Content
Access to use the docker CLI must be limited to root only.

1. Log on to the host CLI and execute the following:

    stat -c %U:%G /var/run/docker.sock | grep -v root:docker

If any output is present, this is a finding.

2. Verify that the docker group has only the required users by executing:

    getent group docker

If any users listed are not required to have direct access to MCR, this is a finding.

3. Execute the following command to verify the Docker socket file has permissions of 660 or more restrictive:

    stat -c %a /var/run/docker.sock

If permissions are not set to "660", this is a finding.
Fix Text
To remove unauthorized users from the docker group, access the host CLI and run:

    gpasswd -d [username to remove] docker

To ensure that the Docker socket is owned by root with group docker, execute the following:

    chown root:docker /var/run/docker.sock

To set the file permissions of the Docker socket file to "660", execute the following:

    chmod 660 /var/run/docker.sock
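The three Check Content steps above can be scripted so the result is a pass/fail list of findings rather than output a reviewer has to interpret. This is an added example, not part of the STIG or of Mirantis' tooling; it assumes GNU stat, the default socket path /var/run/docker.sock, and an APPROVED_USERS variable holding the organization's list of users who are authorized for direct MCR access.

```sh
#!/bin/sh
# Added example for CNTR-MK-000110: automates the three Check Content steps.
# Not part of the STIG. Assumptions: socket path defaults to /var/run/docker.sock,
# APPROVED_USERS is a space-separated list of users allowed in the docker group.
SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
APPROVED_USERS="${APPROVED_USERS:-}"

# Step 1: the socket must be owned by root with group docker.
check_owner() {   # $1 = "owner:group" as printed by stat -c %U:%G
  [ "$1" = "root:docker" ]
}

# Step 3: mode must be 660 or more restrictive, i.e. no permission bit set
# outside rw-rw---- (0660 = 432 decimal). The leading 0 makes the shell parse octal,
# so a 4-digit mode with setuid/setgid/sticky bits is also reported as a finding.
check_mode() {    # $1 = octal mode as printed by stat -c %a
  case "$1" in *[!0-7]*|"") return 1 ;; esac
  [ $(( 0$1 & ~432 )) -eq 0 ]
}

# Step 2: print docker-group members that are not on the approved list.
unapproved_members() {   # $1 = getent group line, $2 = approved users (space-separated)
  for m in $(printf '%s' "$1" | cut -d: -f4 | tr ',' ' '); do
    case " $2 " in *" $m "*) ;; *) printf '%s\n' "$m" ;; esac
  done
}

# Run all three checks against the live host; print each finding, succeed only if none.
run_check() {
  findings=0
  if [ ! -S "$SOCK" ]; then echo "NOTE: $SOCK is not a socket; is MCR running?"; return 2; fi
  og=$(stat -c %U:%G "$SOCK")
  check_owner "$og" || { echo "FINDING: $SOCK is $og, expected root:docker"; findings=$((findings + 1)); }
  mode=$(stat -c %a "$SOCK")
  check_mode "$mode" || { echo "FINDING: $SOCK mode is $mode, expected 660 or more restrictive"; findings=$((findings + 1)); }
  grp=$(getent group docker) || echo "NOTE: no docker group on this host"
  for u in $(unapproved_members "$grp" "$APPROVED_USERS"); do
    echo "FINDING: $u is in the docker group but not approved"; findings=$((findings + 1))
  done
  [ "$findings" -eq 0 ]
}

# Audit the host when invoked directly, e.g.: APPROVED_USERS="alice" sh mke_sock_check.sh --run
if [ "${1:-}" = "--run" ]; then run_check; fi
```

Each FINDING line maps to one Fix Text command (gpasswd -d, chown, chmod), so the output doubles as the remediation worklist.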
Additional Identifiers
Rule ID: SV-260906r1015768_rule
Vulnerability ID: V-260906
Group Title: SRG-APP-000033-CTR-000095
Expert Comments
CCIs
Number | Definition
--- | ---
CCI-000213 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-001094 | Restrict the ability of individuals to launch organization-defined denial of service attacks against other systems.
CCI-001499 | Limit privileges to change software resident within software libraries.
CCI-001764 | Prevent program execution in accordance with organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions; rules authorizing the terms and conditions of software program usage.
CCI-001812 | The information system prohibits user installation of software without explicit privileged status.
CCI-001813 | Enforce access restrictions using organization-defined mechanisms.
CCI-002385 | Protect against or limit the effects of organization-defined types of denial-of-service events.
CCI-003980 | Allow user installation of software only with explicit privileged status.
Controls
Number | Title
--- | ---
AC-3 | Access Enforcement
CM-5(1) | Automated Access Enforcement / Auditing
CM-5(6) | Limit Library Privileges
CM-7(2) | Prevent Program Execution
CM-11(2) | Prohibit Installation Without Privileged Status
SC-5 | Denial of Service Protection
SC-5(1) | Restrict Internal Users