Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

An XCCDF Rule

Description

<VulnDiscussion>Running docker CLI commands remotely with a client trust bundle ensures that authentication and role permissions are checked for the command. Using --privileged option or --user option in docker exec gives extended Linux capabilities to the command. Do not run docker exec with the --privileged or --user options, especially when running containers with dropped capabilities or with enhanced restrictions. By default, docker exec command runs without --privileged or --user options.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-260938r1015771_rule
Severity: Medium
References: CCI-001991 CCI-002233 CCI-004068
Updated: 23 days ago

Docker CLI command must only be run with a client bundle and must not use --privileged or --user option.

Refer to https://docs.mirantis.com/mke/3.7/ops/access-cluster/client-bundle/configure-client-bundle.html?highlight=client%20bundle.

Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

Description

Remediation - Manual Procedure