Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

An XCCDF Rule

Description

Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for the command. Using --privileged option or --user option in docker exec gives extended Linux capabilities to the command. Do not run docker exec with the --privileged or --user options, especially when running containers with dropped capabilities or with enhanced restrictions. By default, docker exec command runs without --privileged or --user options.

ID: SV-260938r1015771_rule
Version: CNTR-MK-001180
Severity: Medium
References: CCI-001991 CCI-002233 CCI-004068
Updated: 26 days ago

Remediation Templates

Docker CLI command must only be run with a client bundle and must not use --privileged or --user option.

Refer to https://docs.mirantis.com/mke/3.7/ops/access-cluster/client-bundle/configure-client-bundle.html?highlight=client%20bundle.

Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

Description

Remediation Templates

A Manual Procedure