End-of-Life (EoL)
Docker Enterprise DISA STIG
Prisma Cloud supports the Docker Enterprise DISA STIG.
STIGs contain technical guidance to lock down systems that might otherwise be vulnerable to attack.
This STIG ensures government agencies run Docker Enterprise securely.
Checks
Prisma Cloud offers a compliance template for the Docker Enterprise DISA STIG.
In many cases, DISA STIG checks map to checks already supported in the product.
In some cases, we’ve implemented checks specficially to support the Docker Enterprise STIG.
When configuring your compliance policy, simply select the DISA STIG template to enable all relevant checks.
CAT I
CAT I is a category code for any vulnerability, which when exploited, will directly and immediately result in loss of Confidentiality, Availability, or Integrity.
These risks are the most severe.
The following table lists the CAT I checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks.
All CAT I checks, except DKER-EE-001070, map to CIS Docker Benchmark checks.
A separate check has been implemented for DKER-EE-001070 to support the Docker Enterprise STIG.
STIG ID | Prisma Cloud ID | Description |
|---|---|---|
DKER-EE-001070 | N/A | FIPS mode must be enabled on all Docker Engine - Enterprise nodes. |
DKER-EE-002000 | 59 | Docker Enterprise hosts network namespace must not be shared. |
DKER-EE-002030 | 512 | All Docker Enterprise containers root filesystem must be mounted as read only. |
DKER-EE-002040 | 517 | Docker Enterprise host devices must not be directly exposed to containers. |
DKER-EE-002070 | 521 | The Docker Enterprise default seccomp profile must not be disabled. |
DKER-EE-002080 | 224 | Docker Enterprise exec commands must not be used with privileged option. |
DKER-EE-002110 | 525 | All Docker Enterprise containers must be restricted from acquiring additional privileges. |
DKER-EE-002120 | 530 | The Docker Enterprise hosts user namespace must not be shared. |
DKER-EE-002130 | 531 | The Docker Enterprise socket must not be mounted inside any containers. |
DKER-EE-002150 | 57 | Docker Enterprise privileged ports must not be mapped within containers. |
DKER-EE-005170 | 31 | Docker Enterprise docker.service file ownership must be set to root:root. |
DKER-EE-005190 | 33 | Docker Enterprise docker.socket file ownership must be set to root:root. |
DKER-EE-005210 | 35 | Docker Enterprise /etc/docker directory ownership must be set to root:root. |
DKER-EE-005230 | 37 | Docker Enterprise registry certificate file ownership must be set to root:root. |
DKER-EE-005250 | 39 | Docker TLS certificate authority (CA) certificate file ownership must be set to root:root |
DKER-EE-005270 | 311 | Docker server certificate file ownership must be set to root:root |
DKER-EE-005300 | 314 | Docker server certificate key file permissions must be set to 400 |
DKER-EE-005310 | 315 | Docker Enterprise socket file ownership must be set to root:docker. |
DKER-EE-005320 | 316 | Docker Enterprise socket file permissions must be set to 660 or more restrictive. |
DKER-EE-005330 | 317 | Docker Enterprise daemon.json file ownership must be set to root:root. |
DKER-EE-005340 | 318 | Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive. |
DKER-EE-005350 | 319 | Docker Enterprise /etc/default/docker file ownership must be set to root:root. |
DKER-EE-005360 | 320 | Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive. |
CAT II
CAT II is a category code for any vulnerability, which when exploited, has a potential to result in loss of Confidentiality, Availability, or Integrity.
The following table lists the CAT 1 checks implemented in Prisma Cloud, and how they map to existing checks.
Some CAT 1 checks don’t map to any existing checks, and have been implemented specifically for this DISA STIG.
STIG ID | Prisma Cloud ID | Description |
|---|---|---|
DKER-EE-001050 | 26 | TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. |
DKER-EE-001240 | 515 | The Docker Enterprise hosts process namespace must not be shared. |
DKER-EE-001250 | 516 | The Docker Enterprise hosts IPC namespace must not be shared. |
DKER-EE-001800 |