Check: CNTR-MK-000110
Mirantis Kubernetes Engine STIG:
CNTR-MK-000110
(in version v1 r1)
Title
Least privilege access and need to know must be required to access MKE runtime and instantiate container images. (Cat I impact)
Discussion
To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container platform specific services and customer services can be introduced without receiving approval and going through proper testing. Only those individuals and roles approved by the organization can have access to the container platform runtime.
Check Content
Access to use the docker CLI must be limited to root only. 1. Log on to the host CLI and execute the following: stat -c %U:%G /var/run/docker.sock | grep -v root:docker If any output is present, this is a finding. 2. Verify that the docker group has only the required users by executing: getent group docker If any users listed are not required to have direct access to MCR, this is a finding. 3. Execute the following command to verify the Docker socket file has permissions of 660 or more restrictive: stat -c %a /var/run/docker.sock If permissions are not set to "660", this is a finding.
Fix Text
To remove unauthorized users from the docker group, access the host CLI and run: gpasswd -d docker [username to remove] To ensure that docker.socket is group owned, execute the following: chown root:docker /var/run/docker.sock Set the file permissions of the Docker socket file to "660" execute the following: chmod 660 /var/run/docker.sock
Additional Identifiers
Rule ID: SV-260906r966075_rule
Vulnerability ID: V-260906
Group Title: SRG-APP-000033-CTR-000095
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000213 |
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |
CCI-001094 |
The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems. |
CCI-001499 |
The organization limits privileges to change software resident within software libraries. |
CCI-001764 |
The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage. |
CCI-001812 |
The information system prohibits user installation of software without explicit privileged status. |
CCI-001813 |
The information system enforces access restrictions. |
CCI-002385 |
The information system protects against or limits the effects of organization-defined types of denial of service attacks by employing organization-defined security safeguards. |
Controls
Number | Title |
---|---|
AC-3 |
Access Enforcement |
CM-5 (1) |
Automated Access Enforcement / Auditing |
CM-5 (6) |
Limit Library Privileges |
CM-7 (2) |
Prevent Program Execution |
CM-11 (2) |
Prohibit Installation Without Privileged Status |
SC-5 |
Denial Of Service Protection |
SC-5 (1) |
Restrict Internal Users |