Docker Enterprise DISA STIG

Prisma Cloud supports the Docker Enterprise DISA STIG. STIGs contain technical guidance to lock down systems that might otherwise be vulnerable to attack. This STIG ensures government agencies run Docker Enterprise securely.
For an overview of the STIG, see here. To download the STIG, see here.

Checks

Prisma Cloud offers a compliance template for the Docker Enterprise DISA STIG. In many cases, DISA STIG checks map to checks already supported in the product. In some cases, we’ve implemented checks specifically to support the Docker Enterprise STIG. When configuring your compliance policy, select the DISA STIG template to enable all relevant checks.

CAT I

CAT I is a category code for any vulnerability that, when exploited, will directly and immediately result in loss of Confidentiality, Availability, or Integrity. These risks are the most severe.
The following table lists the CAT I checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks. All CAT I checks, except DKER-EE-001070, map to CIS Docker Benchmark checks. A separate check has been implemented for DKER-EE-001070 to support the Docker Enterprise STIG.
| STIG ID | Prisma Cloud ID | Description |
|---|---|---|
| DKER-EE-001070 | N/A | FIPS mode must be enabled on all Docker Engine - Enterprise nodes. |
| DKER-EE-002000 | 59 | Docker Enterprise hosts network namespace must not be shared. |
| DKER-EE-002030 | 512 | All Docker Enterprise containers root filesystem must be mounted as read only. |
| DKER-EE-002040 | 517 | Docker Enterprise host devices must not be directly exposed to containers. |
| DKER-EE-002070 | 521 | The Docker Enterprise default seccomp profile must not be disabled. |
| DKER-EE-002080 | 224 | Docker Enterprise exec commands must not be used with privileged option. |
| DKER-EE-002110 | 525 | All Docker Enterprise containers must be restricted from acquiring additional privileges. |
| DKER-EE-002120 | 530 | The Docker Enterprise hosts user namespace must not be shared. |
| DKER-EE-002130 | 531 | The Docker Enterprise socket must not be mounted inside any containers. |
| DKER-EE-002150 | 57 | Docker Enterprise privileged ports must not be mapped within containers. |
| DKER-EE-005170 | 31 | Docker Enterprise docker.service file ownership must be set to root:root. |
| DKER-EE-005190 | 33 | Docker Enterprise docker.socket file ownership must be set to root:root. |
| DKER-EE-005210 | 35 | Docker Enterprise /etc/docker directory ownership must be set to root:root. |
| DKER-EE-005230 | 37 | Docker Enterprise registry certificate file ownership must be set to root:root. |
| DKER-EE-005250 | 39 | Docker TLS certificate authority (CA) certificate file ownership must be set to root:root. |
| DKER-EE-005270 | 311 | Docker server certificate file ownership must be set to root:root. |
| DKER-EE-005300 | 314 | Docker server certificate key file permissions must be set to 400. |
| DKER-EE-005310 | 315 | Docker Enterprise socket file ownership must be set to root:docker. |
| DKER-EE-005320 | 316 | Docker Enterprise socket file permissions must be set to 660 or more restrictive. |
| DKER-EE-005330 | 317 | Docker Enterprise daemon.json file ownership must be set to root:root. |
| DKER-EE-005340 | 318 | Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive. |
| DKER-EE-005350 | 319 | Docker Enterprise /etc/default/docker file ownership must be set to root:root. |
| DKER-EE-005360 | 320 | Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive. |
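To spot-check containers by hand against the eight CAT I rows that concern container runtime settings, the sketch below evaluates `docker inspect` records. It is an added example, not Prisma Cloud's implementation: the mapping from each STIG ID to an inspect field is this example's assumption, and the sample records are constructed.

```python
# Constructed `docker inspect` records (sample data for this example only).
SAMPLE = [
    {"Name": "/legacy-agent",
     "HostConfig": {"NetworkMode": "host", "UsernsMode": "host", "ReadonlyRootfs": True,
                    "Devices": [], "SecurityOpt": ["seccomp=unconfined", "no-new-privileges"]},
     "Mounts": [], "NetworkSettings": {"Ports": {}}},
    {"Name": "/web",
     "HostConfig": {"NetworkMode": "bridge", "UsernsMode": "", "ReadonlyRootfs": False,
                    "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda"}],
                    "SecurityOpt": None},
     "Mounts": [{"Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"}],
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
                                   "9000/tcp": None}}},
    {"Name": "/api",
     "HostConfig": {"NetworkMode": "bridge", "UsernsMode": "", "ReadonlyRootfs": True,
                    "Devices": [], "SecurityOpt": ["no-new-privileges:true"]},
     "Mounts": [],
     "NetworkSettings": {"Ports": {"8443/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8443"}]}}},
]


def cat1_findings(container):
    """Return the CAT I STIG IDs that one inspect record violates, sorted."""
    hc = container.get("HostConfig") or {}
    # SecurityOpt entries appear as "key=value" or legacy "key:value"; normalise to "=".
    opts = [o.replace(":", "=", 1) for o in (hc.get("SecurityOpt") or [])]
    ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
    # Exposed-but-unpublished ports have a null binding list and are skipped.
    host_ports = [int(b["HostPort"]) for binds in ports.values()
                  for b in (binds or []) if b.get("HostPort")]
    failed = {
        "DKER-EE-002000": hc.get("NetworkMode") == "host",
        "DKER-EE-002030": not hc.get("ReadonlyRootfs"),
        "DKER-EE-002040": bool(hc.get("Devices")),
        "DKER-EE-002070": "seccomp=unconfined" in opts,
        "DKER-EE-002110": not any(o in ("no-new-privileges", "no-new-privileges=true")
                                  for o in opts),
        "DKER-EE-002120": hc.get("UsernsMode") == "host",
        "DKER-EE-002130": any((m.get("Source") or "").endswith("/docker.sock")
                              for m in container.get("Mounts") or []),
        "DKER-EE-002150": any(p < 1024 for p in host_ports),
    }
    return sorted(stig for stig, bad in failed.items() if bad)


def audit(records):
    """Map container name -> list of violated STIG IDs (empty list = no finding)."""
    return {r["Name"].lstrip("/"): cat1_findings(r) for r in records}
```

DKER-EE-001070, DKER-EE-002080 and the file ownership and permission rows cannot be read from a container's inspect record and are outside this sketch.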

CAT II

CAT II is a category code for any vulnerability that, when exploited, has a potential to result in loss of Confidentiality, Availability, or Integrity.
The following table lists the CAT II checks implemented in Prisma Cloud, and how they map to existing checks. Some CAT II checks don’t map to any existing checks, and have been implemented specifically for this DISA STIG.
| STIG ID | Prisma Cloud ID | Description |
|---|---|---|
| DKER-EE-001050 | 26 | TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. |
| DKER-EE-001240 | 515 | The Docker Enterprise hosts process namespace must not be shared. |
| DKER-EE-001250 | 516 | The Docker Enterprise hosts IPC namespace must not be shared. |
| DKER-EE-001800 | 24 | The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. |
| DKER-EE-001810 | 25 | On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used. |
| DKER-EE-001830 | 218 | The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. |
| DKER-EE-001840 | 221 | Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. |
| DKER-EE-001930 | 51 | An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise. |
| DKER-EE-001940 | 52 | SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise. |
| DKER-EE-001950 | 53 | Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise. |
| DKER-EE-001960 | 54 | Privileged Linux containers must not be used for Docker Enterprise. |
| DKER-EE-001970 | 56 | SSH must not run within Linux containers for Docker Enterprise. |
| DKER-EE-001990 | 58 | Only required ports must be open on the containers in Docker Enterprise. |
| DKER-EE-002010 | 510 | Memory usage for all containers must be limited in Docker Enterprise. |
| DKER-EE-002050 | 519 | Mount propagation mode must not be set to shared in Docker Enterprise. |
| DKER-EE-002060 | 520 | The Docker Enterprise hosts UTS namespace must not be shared. |
| DKER-EE-002100 | 524 | cgroup usage must be confirmed in Docker Enterprise. |
| DKER-EE-002160 | 513 | Docker Enterprise incoming container traffic must be bound to a specific host interface. |
| DKER-EE-002400 | 223 | Docker Enterprise Swarm manager must be run in auto-lock mode. |
| DKER-EE-002770 | 406 | Docker Enterprise container health must be checked at runtime. |
| DKER-EE-002780 | 528 | PIDs cgroup limits must be used in Docker Enterprise. |
| DKER-EE-003200 | 41 | Docker Enterprise images must be built with the USER instruction to prevent containers from running as root. |
| DKER-EE-004030 | 514 | The on-failure container restart policy must be set to 5 in Docker Enterprise. |
| DKER-EE-004040 | 518 | The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP). |
| DKER-EE-005180 | 32 | Docker Enterprise docker.service file permissions must be set to 644 or more restrictive. |
| DKER-EE-005200 | 34 | Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive. |
| DKER-EE-005220 | 36 | Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive. |
| DKER-EE-005240 | 38 | Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive. |
| DKER-EE-005260 | 310 | Docker TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive. |
| DKER-EE-005280 | 312 | Docker server certificate file permissions must be set to 444 or more restrictive. |
| DKER-EE-005290 | 313 | Docker server certificate key file ownership must be set to root:root. |
| DKER-EE-006270 | 217 | Docker Enterprise Swarm services must be bound to a specific host interface. |
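The file ownership and "N or more restrictive" permission rows in the CAT I and CAT II tables can be verified by hand as sketched below. This is an added example, not Prisma Cloud's implementation; the helper names are hypothetical and the demo files are constructed temp files. It compares permission bits rather than the octal numbers, since a mode can be numerically smaller than the ceiling and still grant more.

```python
import os
import stat
import tempfile


def no_looser_than(mode, ceiling):
    """True when `mode` grants no permission bit beyond `ceiling`.

    Bitwise, not numeric: 0o470 < 0o644 as a number, yet it adds group write/execute.
    Setuid/setgid/sticky bits also count as excess.
    """
    return (stat.S_IMODE(mode) & ~ceiling) == 0


def check_path(path, ceiling, uid=0, gid=0):
    """Return findings for one path: unexpected owner and/or excess mode bits.

    Defaults expect root:root; pass the docker group's gid for the root:docker socket row.
    """
    st = os.stat(path)  # follows symlinks, so the target is what gets audited
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(f"owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    if not no_looser_than(mode, ceiling):
        findings.append(f"mode {mode:o} exceeds {ceiling:o} by {mode & ~ceiling:o}")
    return findings


def demo():
    """Constructed sample: temp files standing in for daemon.json and a server key."""
    out = {}
    cases = [("daemon.json", 0o664, 0o644), ("server-key.pem", 0o400, 0o400)]
    with tempfile.TemporaryDirectory() as d:
        for name, mode, ceiling in cases:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("{}")
            os.chmod(p, mode)
            st = os.stat(p)
            # A real audit expects uid/gid 0; the file's own owner is used here
            # so the demo runs unprivileged and isolates the mode check.
            out[name] = check_path(p, ceiling, st.st_uid, st.st_gid)
    return out


if __name__ == "__main__":
    print(demo())
```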

CAT III

CAT III is a category code for any vulnerability that, when it exists, degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
The following table lists the CAT III checks implemented in Prisma Cloud, and how they map to existing Prisma Cloud checks. All checks map to CIS Docker Benchmark checks.
| STIG ID | Prisma Cloud ID | Description |
|---|---|---|
| DKER-EE-002020 | 511 | Docker Enterprise CPU priority must be set appropriately on all containers. |

Enable DISA STIG for Docker Enterprise checks

DISA STIG for Docker Enterprise checks have been grouped into a template. Checks are relevant to containers, images, and hosts.
  1. Log into Console.
  2. Enable the container checks.
    1. Go to Defend > Compliance > Containers and images > {Deployed | CI}.
    2. Click Add rule.
    3. Enter a rule name.
    4. In the Compliance template drop-down, select DISA STIG.
    5. Click Save.
  3. Enable host checks.
    1. Go to Defend > Compliance > Hosts > {Running hosts | VM images}.
    2. Click Add rule.
    3. Enter a rule name.
    4. In the Compliance template drop-down, select DISA STIG.
    5. Click Save.
