Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
Rules, Groups, and Values defined within the XCCDF Benchmark
Docker Enterprise sensitive host system directories must not be mounted on containers.
Rule severity: Medium
Sensitive host system directories such as the following should not be allowed to be mounted as container volumes, especially in read-write mode. Linux: / /boot /dev /etc /lib /proc /sys /usr Windows: %w...
log-opts on all Docker Engine - Enterprise nodes must be configured.
Rule severity: Medium
The Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise provide audit record generation capabilities. Audit logs capture all HTTP actions for the followi...
Docker Inc.'s official GPG key must be added to the host using the user's operating system's respective package repository management tooling.
Rule severity: Low
All packaged components of Docker Enterprise are digitally signed using GPG keys maintained by Docker, Inc. The Docker Engine - Enterprise daemon itself is digitally signed. Furthermore, all Dock...
The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates.
Rule severity: Medium
Docker Enterprise includes the following capabilities that are considered non-essential: *NOTE: disabling these capabilities negatively affects the operation of Docker Trusted Registry (DTR) and s...
Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
Rule severity: Medium
Docker Enterprise includes the following capabilities that are considered non-essential: *NOTE: disabling these capabilities negatively affects the operation of Universal Control Plane (UCP) and D...
SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.
Rule severity: Medium
SELinux provides a Mandatory Access Control (MAC) system on RHEL and CentOS that greatly augments the default Discretionary Access Control (DAC) model. The user can thus add an extra layer of safet...
SSH must not run within Linux containers for Docker Enterprise.
Rule severity: Medium
An SSH server should not be running within the container. The user should instead use Universal Control Plane (UCP) to console into running containers. Running SSH within the container increases the...
Only required ports must be open on the containers in Docker Enterprise.
Rule severity: Medium
The Dockerfile for a container image defines the ports to be opened by default on a container instance. The list of ports may or may not be relevant to the application running within the container. A ...
Docker Enterprise CPU priority must be set appropriately on all containers.
Rule severity: Low
By default, all containers on a Docker host share the resources equally. By using the resource management capabilities of the Docker host, such as CPU shares, the user controls the host CPU resources th...
The Docker Enterprise host's UTS namespace must not be shared.
Rule severity: Medium
UTS namespaces provide isolation of two system identifiers: the hostname and the NIS domain name. The UTS namespace is used for setting the hostname and the domain that is visible to running processes in that nam...