Least privilege access and need to know must be required to access MKE runtime and instantiate container images.

An XCCDF Rule

Description

<VulnDiscussion>To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container platform specific services and customer services can be introduced without receiving approval and going through proper testing. Only those individuals and roles approved by the organization can have access to the container platform runtime.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260906r1015768_rule
Severity: High
References: CCI-000213 CCI-001094 CCI-001499 CCI-001764 CCI-001812 CCI-001813 CCI-002385 CCI-003980
Updated: 19 days ago

To remove unauthorized users from the docker group, access the host CLI and run:

gpasswd -d docker [username to remove]

To ensure that docker.socket is group owned, execute the following:
chown root:docker /var/run/docker.sock

Set the file permissions of the Docker socket file to "660" execute the following:

chmod 660 /var/run/docker.sock

Least privilege access and need to know must be required to access MKE runtime and instantiate container images.

Description

Remediation - Manual Procedure