Docker Enterprise container health must be checked at runtime.
An XCCDF Rule
Description
If the container image being used does not have a HEALTHCHECK instruction defined, use the --health-cmd parameter at container runtime to check container health. Availability is one of the three elements of the security triad, and an unmonitored container can silently stop serving its function. Based on the reported health status, take the necessary actions. By default, health checks are not done at container runtime.
- ID
- SV-235827r627608_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Run the container using --health-cmd and the related health-check parameters, or include the HEALTHCHECK instruction in the Dockerfile.
Example:
docker run -d --health-cmd='stat /etc/passwd || exit 1' nginx
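The following script is an added example, not part of the STIG text or of Docker's own tooling. It does two things the remediation describes: it builds the full `docker run` argument list with `--health-cmd` and the accompanying `--health-interval`, `--health-timeout`, `--health-retries` and `--health-start-period` flags (all real `docker run` options), and it audits the JSON that `docker inspect` returns for running containers, flagging any container that carries no usable health check (`Config.Healthcheck` absent, or `Test` set to `["NONE"]`, which is what a Dockerfile `HEALTHCHECK NONE` produces) and any container whose `State.Health.Status` is `unhealthy`. The sample inspect output embedded below is constructed for illustration, not captured from a real host; the `docker` calls in `inspect_running_containers` assume a reachable Docker daemon.

```python
import json
import subprocess
from typing import Dict, List

# Constructed sample of `docker inspect` output, trimmed to the fields the audit
# reads. Container "web" was started with --health-cmd and is failing the check,
# "cache" has no health check at all, and "api" was built with HEALTHCHECK NONE.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111",
        "Name": "/web",
        "Config": {"Healthcheck": {"Test": ["CMD-SHELL", "stat /etc/passwd || exit 1"],
                                   "Interval": 30000000000, "Retries": 3}},
        "State": {"Status": "running",
                  "Health": {"Status": "unhealthy", "FailingStreak": 3,
                             "Log": [{"ExitCode": 1,
                                      "Output": "stat: cannot stat '/etc/passwd'"}]}},
    },
    {"Id": "bbb222", "Name": "/cache", "Config": {"Healthcheck": None},
     "State": {"Status": "running"}},
    {"Id": "ccc333", "Name": "/api", "Config": {"Healthcheck": {"Test": ["NONE"]}},
     "State": {"Status": "running"}},
])


def build_run_args(image: str, health_cmd: str, interval: str = "30s",
                   timeout: str = "10s", retries: int = 3,
                   start_period: str = "5s") -> List[str]:
    """Return the `docker run` argv that enables a runtime health check for an
    image lacking a HEALTHCHECK instruction. The values are sample defaults."""
    return ["docker", "run", "-d",
            "--health-cmd", health_cmd,
            "--health-interval", interval,
            "--health-timeout", timeout,
            "--health-retries", str(retries),
            "--health-start-period", start_period,
            image]


def has_healthcheck(container: Dict) -> bool:
    """True when the container has a usable health check, whether it came from
    the image's HEALTHCHECK instruction or from --health-cmd at run time."""
    hc = (container.get("Config") or {}).get("Healthcheck")
    if not hc:
        return False
    test = hc.get("Test") or []
    return bool(test) and test[0] != "NONE"


def health_status(container: Dict) -> str:
    """Docker reports 'starting', 'healthy' or 'unhealthy'; 'none' when no
    health check is configured for the container."""
    health = (container.get("State") or {}).get("Health")
    return health.get("Status", "unknown") if health else "none"


def audit(inspect_json: str) -> List[Dict]:
    """Evaluate `docker inspect` output and list containers needing action."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        if not has_healthcheck(c):
            findings.append({"container": name, "finding": "no-healthcheck",
                             "action": "restart with --health-cmd or add HEALTHCHECK"})
        elif health_status(c) == "unhealthy":
            log = c["State"]["Health"].get("Log") or [{}]
            findings.append({"container": name, "finding": "unhealthy",
                             "action": "investigate and restart or replace",
                             "last_output": log[-1].get("Output", "")})
    return findings


def inspect_running_containers() -> str:
    """Collect `docker inspect` JSON for every running container (needs a daemon)."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return "[]"
    return subprocess.run(["docker", "inspect", *ids], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # inspect_running_containers() to audit a live host.
    print(" ".join(build_run_args("nginx", "stat /etc/passwd || exit 1")))
    for f in audit(SAMPLE_INSPECT):
        print(f)
```

Each finding maps to the two actions the rule allows: containers without a check are re-run with the argument list from `build_run_args` (or rebuilt from a Dockerfile that has a HEALTHCHECK), while containers reporting `unhealthy` are acted on using the last probe output Docker recorded.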