Rule ID
SV-260906r986161_rule
Version
V2R1
To control what is instantiated within MKE, it is important to control access to the runtime. Without this control, container platform specific services and customer services can be introduced without receiving approval and going through proper testing. Only those individuals and roles approved by the organization can have access to the container platform runtime.
Access to use the docker CLI must be limited to root only. 1. Log on to the host CLI and execute the following: stat -c %U:%G /var/run/docker.sock | grep -v root:docker If any output is present, this is a finding. 2. Verify that the docker group has only the required users by executing: getent group docker If any users listed are not required to have direct access to MCR, this is a finding. 3. Execute the following command to verify the Docker socket file has permissions of 660 or more restrictive: stat -c %a /var/run/docker.sock If permissions are not set to "660", this is a finding.
To remove unauthorized users from the docker group, access the host CLI and run: gpasswd -d docker [username to remove] To ensure that docker.socket is group owned, execute the following: chown root:docker /var/run/docker.sock Set the file permissions of the Docker socket file to "660" execute the following: chmod 660 /var/run/docker.sock