Check: CNTR-MK-000600
Mirantis Kubernetes Engine STIG: CNTR-MK-000600 (in version v1 r1)
Title
MKE must use a non-AUFS storage driver. (Cat II impact)
Discussion
The aufs storage driver is an old driver based on a Linux kernel patch set that is unlikely to be merged into the mainline Linux kernel. The aufs driver is also known to cause serious kernel crashes, and Docker provides only legacy support for it. Most importantly, aufs is not a supported driver in many Linux distributions that use the latest Linux kernels.
Check Content
The default storage driver for MCR is overlay2. To confirm this has not been changed via CLI, as a trusted user on the underlying host operating system, execute the following command:

docker info | grep -e "Storage Driver:"

If the Storage Driver setting contains *aufs or *btrfs, then this is a finding.

If the above command returns no values, this is not a finding.
Fix Text
Modify the Storage Driver setting via CLI as a trusted user on the underlying host operating system.

If the daemon.json file does not exist, it must be created: "/etc/docker/daemon.json"

Edit the "/etc/docker/daemon.json" file and set the "storage-driver" property to a value that is not "aufs" or "btrfs":

{ "storage-driver": "overlay2" }

Restart the Docker daemon by executing the following:

sudo systemctl restart docker
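The check and fix above, as an added shell example that is not part of the STIG text or of Mirantis' tooling. The function names, the two sample `docker info` outputs (constructed for offline use) and the use of a caller-supplied path for daemon.json are assumptions of this example; the live usage at the end is the only part that touches the host.

```shell
#!/bin/sh
# Added example for CNTR-MK-000600: evaluate the Storage Driver line of
# `docker info` and render the daemon.json fix. Not part of the STIG.

# Constructed sample outputs (not captured from a real host) so the logic
# can be exercised without Docker installed.
SAMPLE_COMPLIANT='Client:
 Version: 24.0.7
Server:
 Storage Driver: overlay2
  Backing Filesystem: extfs'

SAMPLE_FINDING='Server:
 Storage Driver: aufs
  Root Dir: /var/lib/docker/aufs'

# storage_driver_status TEXT
#   TEXT is the output of `docker info`. Prints a verdict and returns 0 when
#   this is not a finding (driver is neither aufs nor btrfs, or no Storage
#   Driver line is present), 1 when it is a finding.
storage_driver_status() {
    driver=$(printf '%s\n' "$1" | sed -n 's/^ *Storage Driver: *//p')
    case "$driver" in
        *aufs*|*btrfs*)
            printf 'FINDING: storage driver is "%s"\n' "$driver"
            return 1 ;;
        "")
            printf 'NOT A FINDING: docker info returned no Storage Driver line\n'
            return 0 ;;
        *)
            printf 'NOT A FINDING: storage driver is "%s"\n' "$driver"
            return 0 ;;
    esac
}

# write_daemon_json PATH
#   Creates PATH with the STIG's recommended content when it does not exist.
#   If PATH already exists it is left untouched (other daemon settings would be
#   lost by overwriting), and 2 is returned so the operator merges the key
#   by hand. The STIG path is /etc/docker/daemon.json; tests use a temp path.
write_daemon_json() {
    path=$1
    if [ -e "$path" ]; then
        printf '%s exists: add "storage-driver": "overlay2" to it instead of overwriting\n' "$path"
        return 2
    fi
    mkdir -p "$(dirname "$path")"
    printf '{\n  "storage-driver": "overlay2"\n}\n' > "$path"
    printf 'wrote %s\n' "$path"
    return 0
}

# Offline demonstration on the constructed samples.
storage_driver_status "$SAMPLE_COMPLIANT"
storage_driver_status "$SAMPLE_FINDING" || true

# Live usage on a host (trusted user, Docker installed), as described by the STIG:
#   storage_driver_status "$(docker info 2>/dev/null)" \
#       || write_daemon_json /etc/docker/daemon.json
#   sudo systemctl restart docker
```

Note that the check function reads the daemon's effective driver, so run it again after the restart: the daemon.json edit only takes effect once Docker has been restarted, and an existing file with a conflicting "storage-driver" key would still need to be merged rather than overwritten.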
Additional Identifiers
Rule ID: SV-260926r966135_rule
Vulnerability ID: V-260926
Group Title: SRG-APP-000141-CTR-000315
Expert Comments
CCIs
Number | Definition
---|---
CCI-000382 | The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services.
Controls
Number | Title
---|---
CM-7 | Least Functionality