Skip to content
Log In

Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide

Rules, Groups, and Values defined within the XCCDF Benchmark

  • SRG-APP-000141

    Group
    Show

  • An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.

    AppArmor protects the Ubuntu OS and applications from various threats by enforcing security policy which is also known as AppArmor profile. The user can create their own AppArmor profile for contai...
    Rule Medium Severity
    Show

  • SRG-APP-000141

    Group
    Show

  • SRG-APP-000141

    Group
    Show

  • Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.

    By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. It means that any process may be granted the required capabilities instead of root access. Using Linux Kerne...
    Rule Medium Severity
    Show

  • SRG-APP-000141

    Group
    Show

  • Privileged Linux containers must not be used for Docker Enterprise.

    Using the --privileged flag gives all Linux Kernel Capabilities to the container thus overwriting the --cap-add and --cap-drop flags. Ensure that it is not used. The --privileged flag gives all cap...
    Rule Medium Severity
    Show

  • SRG-APP-000141

    Group
    Show

  • SRG-APP-000141

    Group
    Show

  • SRG-APP-000141

    Group
    Show

  • Docker Enterprise hosts network namespace must not be shared.

    The networking mode on a container when set to --net=host, skips placing the container inside separate network stack. In essence, this choice tells Docker to not containerize the container's networ...
    Rule High Severity
    Show

  • SRG-APP-000141

    Group
    Show

  • Memory usage for all containers must be limited in Docker Enterprise.

    By default, all containers on a Docker host share the resources equally. By using the resource management capabilities of Docker host, such as memory limit, the amount of memory that a container ma...
    Rule Medium Severity
    Show

  • SRG-APP-000141

    Group
    Show

  • SRG-APP-000516

    Group
    Show

  • SRG-APP-000141

    Group
    Show

  • All Docker Enterprise containers root filesystem must be mounted as read only.

    The container's root filesystem should be treated as a 'golden image' by using Docker run's --read-only option. This prevents any writes to the container's root filesystem at container runtime and ...
    Rule High Severity
    Show

  • SRG-APP-000141

    Group
    Show

  • Docker Enterprise host devices must not be directly exposed to containers.

    Host devices can be directly exposed to containers at runtime. Do not directly expose host devices to containers especially for containers that are not trusted. The --device option exposes the hos...
    Rule High Severity
    Show

  • SRG-APP-000141

    Group
    Show

Node 2

siemur/test-space

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules