STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-260938

CAT II (Medium)

Docker CLI commands must be run with an MKE client trust bundle and without unnecessary permissions.

Rule ID

SV-260938r986163_rule

STIG

Mirantis Kubernetes Engine Security Technical Implementation Guide

Version

V2R1

CCIs

CCI-002233, CCI-004068

Discussion

Running Docker CLI commands remotely through an MKE client trust bundle ensures that the caller is authenticated and that MKE role-based permissions are checked for every command. The --privileged option of docker exec gives the executed process extended Linux capabilities, and the --user option runs it as a different user (including root) from the one the container was started with; either one bypasses the restrictions the container was deployed with. Do not run docker exec with the --privileged or --user options, especially on containers running with dropped capabilities or other hardening. By default, docker exec runs without --privileged or --user.

Check Content

The host OS must be locked down so that only authorized users holding an MKE client bundle can run Docker CLI commands.

To verify that no docker exec commands have been run with the --privileged or --user options:

Linux: As a trusted user on the host operating system, use the command below to search the audit log for docker exec invocations that used --privileged or --user (including the short form -u). This relies on an auditd rule keyed "docker" that covers the Docker CLI binary (for example, -w /usr/bin/docker -p rwxa -k docker); if no such rule is loaded, ausearch reports no matches regardless of what was run.

sudo ausearch -k docker | grep exec | grep -E -- '--privileged|--user|"-u"'

If any docker exec records appear in the output, this is a finding. Note that chaining separate greps for "privileged" and "user" would report only commands that used both options at once and would miss a command that used either one alone.
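Both halves of the check above, as an added example (this script is not DISA, STIGhub or Mirantis code): a function that confirms the Docker CLI is pointed at MKE through a client bundle, and a filter over auditd EXECVE records that reports docker exec invocations using --privileged, --user or -u. It assumes the bundle's env.sh exports DOCKER_TLS_VERIFY, DOCKER_HOST and DOCKER_CERT_PATH (the usual contents of an MKE client bundle) and that the audit records come from ausearch -k docker, which needs an auditd rule keyed "docker" on the Docker CLI binary; the audit lines embedded in the script are constructed samples, not real audit output. The literal three-grep pipeline is kept beside the corrected filter so the difference is visible on the same data.

```shell
#!/usr/bin/env bash
# Added example for V-260938; not DISA, STIGhub or Mirantis code.
# Assumptions (not from the STIG text): the MKE client bundle's env.sh
# exports DOCKER_TLS_VERIFY, DOCKER_HOST and DOCKER_CERT_PATH, and the
# audit input comes from "sudo ausearch -k docker". Sample audit lines
# below are constructed for the example.

# 1. Client bundle check: the CLI must talk TLS to the MKE endpoint with
#    the bundle's certificates, never to a bare local daemon socket.
check_client_bundle_env() {
    [ "${DOCKER_TLS_VERIFY:-}" = "1" ] || { echo "DOCKER_TLS_VERIFY is not 1"; return 1; }
    case "${DOCKER_HOST:-}" in
        tcp://*) ;;
        *) echo "DOCKER_HOST is not a tcp:// MKE endpoint: '${DOCKER_HOST:-unset}'"; return 1 ;;
    esac
    local f
    for f in ca.pem cert.pem key.pem; do
        [ -f "${DOCKER_CERT_PATH:-}/$f" ] || { echo "missing $f in DOCKER_CERT_PATH"; return 1; }
    done
    echo "client bundle in use: ${DOCKER_HOST} (${DOCKER_CERT_PATH})"
}

# 2. Audit search. Constructed ausearch-style EXECVE records (sample data):
#    101 plain exec, 102 --privileged, 103 --user root, 104 a "docker run"
#    (not exec), 105 short form -u 0, 106 a path that merely contains "user".
SAMPLE_AUDIT_LOG='type=EXECVE msg=audit(1700000000.100:101): argc=4 a0="docker" a1="exec" a2="-it" a3="web"
type=EXECVE msg=audit(1700000000.200:102): argc=5 a0="docker" a1="exec" a2="--privileged" a3="web" a4="sh"
type=EXECVE msg=audit(1700000000.300:103): argc=6 a0="docker" a1="exec" a2="--user" a3="root" a4="web" a5="sh"
type=EXECVE msg=audit(1700000000.400:104): argc=4 a0="docker" a1="run" a2="--privileged" a3="busybox"
type=EXECVE msg=audit(1700000000.500:105): argc=5 a0="docker" a1="exec" a2="-u" a3="0" a4="web"
type=EXECVE msg=audit(1700000000.600:106): argc=4 a0="docker" a1="exec" a2="web" a3="/home/user/run.sh"'

# The STIG's literal pipeline: every grep must match the same line, so only
# a command that used BOTH --privileged and --user would be reported.
naive_chain() {
    grep exec | grep privileged | grep user
}

# Corrected filter: a docker invocation whose argv contains "exec" and, as a
# whole argument, --privileged, --user, --user=<name> or the short form -u.
# Matching whole quoted arguments avoids hits on paths like /home/user.
find_priv_exec() {
    grep -E 'a0="[^"]*docker"' \
      | grep -E 'a[0-9]+="exec"' \
      | grep -E 'a[0-9]+="(--privileged(=true)?|--user(=[^"]*)?|-u)"'
}

# Number of offending records on stdin (always prints a number, even 0).
count_findings() {
    find_priv_exec | awk 'END { print NR }'
}

# Stand-alone run over the sample data.
printf 'STIG pipeline finds: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | naive_chain | awk 'END { print NR }')"
printf 'corrected filter finds: %s\n' "$(printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_findings)"
printf '%s\n' "$SAMPLE_AUDIT_LOG" | find_priv_exec
```

On a real host, replace the sample with sudo ausearch -k docker | find_priv_exec. The a0 filter assumes the CLI was invoked by a path ending in "docker"; if the audit rule is keyed on the binary itself, that first grep can be dropped, since every record returned by -k docker already came from that binary.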

Fix Text

Docker CLI commands must only be run with an MKE client bundle, and docker exec must not be run with the --privileged or --user option.

Refer to https://docs.mirantis.com/mke/3.7/ops/access-cluster/client-bundle/configure-client-bundle.html?highlight=client%20bundle.