
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide

Version

V2R2

Benchmark ID

Docker_Enterprise_2-x_Linux-UNIX_STIG

Total Checks

101

Tags

linux, container

Severity breakdown: CAT I: 24 | CAT II: 72 | CAT III: 5

This Security Technical Implementation Guide is published as a tool to improve the security of Department of Defense (DOD) information systems. The requirements are derived from the National Institute of Standards and Technology (NIST) 800-53 and related documents. Comments or proposed revisions to this document should be sent via email to the following address: disa.stig_spt@mail.mil.


Checks (101)

  • V-235775 (LOW): The Docker Enterprise Per User Limit Login Session Control in the Universal Control Plane (UCP) Admin Settings must be set to an organization-defined value for all accounts and/or account types.
  • V-235776 (MEDIUM): TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
  • V-235777 (HIGH): FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
  • V-235778 (MEDIUM): The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
  • V-235779 (MEDIUM): The host operating system's auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.
  • V-235780 (MEDIUM): LDAP integration in Docker Enterprise must be configured.
  • V-235781 (MEDIUM): A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
  • V-235782 (MEDIUM): A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
  • V-235783 (MEDIUM): Docker Enterprise sensitive host system directories must not be mounted on containers.
  • V-235784 (MEDIUM): The Docker Enterprise host's process namespace must not be shared.
  • V-235785 (MEDIUM): The Docker Enterprise host's IPC namespace must not be shared.
  • V-235786 (MEDIUM): log-opts on all Docker Engine - Enterprise nodes must be configured.
  • V-235787 (LOW): Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
  • V-235788 (LOW): Docker Inc's official GPG key must be added to the host using the user's operating system's respective package repository management tooling.
  • V-235789 (MEDIUM): The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
  • V-235790 (MEDIUM): On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.
  • V-235791 (MEDIUM): The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
  • V-235792 (MEDIUM): Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
  • V-235793 (MEDIUM): The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates.
  • V-235794 (MEDIUM): The Docker Enterprise self-signed certificates in Docker Trusted Registry (DTR) must be replaced with DoD trusted, signed certificates.
  • V-235795 (MEDIUM): The option in Universal Control Plane (UCP) allowing users and administrators to schedule containers on all nodes, including UCP managers and Docker Trusted Registry (DTR) nodes, must be disabled in Docker Enterprise.
  • V-235796 (MEDIUM): The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
  • V-235797 (MEDIUM): Periodic data usage and analytics reporting in Universal Control Plane (UCP) must be disabled in Docker Enterprise.
  • V-235798 (MEDIUM): Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
  • V-235799 (MEDIUM): An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.
  • V-235800 (MEDIUM): SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.
  • V-235801 (MEDIUM): Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.
  • V-235802 (MEDIUM): Privileged Linux containers must not be used for Docker Enterprise.
  • V-235803 (MEDIUM): SSH must not run within Linux containers for Docker Enterprise.
  • V-235804 (MEDIUM): Only required ports must be open on the containers in Docker Enterprise.
  • V-235805 (HIGH): The Docker Enterprise host's network namespace must not be shared.
  • V-235806 (MEDIUM): Memory usage for all containers must be limited in Docker Enterprise.
  • V-235807 (LOW): Docker Enterprise CPU priority must be set appropriately on all containers.
  • V-235808 (HIGH): All Docker Enterprise containers' root filesystems must be mounted as read only.
  • V-235809 (HIGH): Docker Enterprise host devices must not be directly exposed to containers.
  • V-235810 (MEDIUM): Mount propagation mode must not be set to shared in Docker Enterprise.
  • V-235811 (MEDIUM): The Docker Enterprise host's UTS namespace must not be shared.
  • V-235812 (HIGH): The Docker Enterprise default seccomp profile must not be disabled.
  • V-235813 (HIGH): Docker Enterprise exec commands must not be used with the privileged option.
  • V-235814 (MEDIUM): Docker Enterprise exec commands must not be used with the user option.
  • V-235815 (MEDIUM): cgroup usage must be confirmed in Docker Enterprise.
  • V-235816 (HIGH): All Docker Enterprise containers must be restricted from acquiring additional privileges.
  • V-235817 (HIGH): The Docker Enterprise host's user namespace must not be shared.
  • V-235818 (HIGH): The Docker Enterprise socket must not be mounted inside any containers.
  • V-235819 (HIGH): Docker Enterprise privileged ports must not be mapped within containers.
  • V-235820 (MEDIUM): Docker Enterprise incoming container traffic must be bound to a specific host interface.
  • V-235821 (MEDIUM): SAML integration must be enabled in Docker Enterprise.
  • V-235822 (MEDIUM): The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise.
  • V-235823 (MEDIUM): Docker Enterprise Swarm manager must be run in auto-lock mode.
  • V-235824 (MEDIUM): Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster.
  • V-235825 (MEDIUM): The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise.
  • V-235826 (MEDIUM): Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.
  • V-235827 (MEDIUM): Docker Enterprise container health must be checked at runtime.
  • V-235828 (MEDIUM): PIDs cgroup limits must be used in Docker Enterprise.
  • V-235829 (LOW): The Docker Enterprise per user limit login session control must be set per the requirements in the System Security Plan (SSP).
  • V-235830 (MEDIUM): Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.
  • V-235831 (MEDIUM): An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR).
  • V-235832 (MEDIUM): The Docker Enterprise max-size and max-file json-file driver logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP).
  • V-235833 (MEDIUM): All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).
  • V-235834 (MEDIUM): Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceeds 75% usage.
  • V-235835 (MEDIUM): Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events.
  • V-235836 (MEDIUM): The Docker Enterprise log aggregation/SIEM systems must be configured to send an alert to the ISSO/ISSM when unauthorized software is installed.
  • V-235837 (MEDIUM): Docker Enterprise network ports on all running containers must be limited to what is needed.
  • V-235838 (MEDIUM): Content Trust enforcement must be enabled in Universal Control Plane (UCP) in Docker Enterprise.
  • V-235839 (MEDIUM): Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.
  • V-235840 (MEDIUM): Vulnerability scanning must be enabled for all repositories in the Docker Trusted Registry (DTR) component of Docker Enterprise.
  • V-235841 (MEDIUM): Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
  • V-235842 (MEDIUM): Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
  • V-235843 (MEDIUM): The on-failure container restart policy must be set to 5 in Docker Enterprise.
  • V-235844 (MEDIUM): The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).
  • V-235845 (MEDIUM): Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.
  • V-235846 (MEDIUM): Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.
  • V-235847 (MEDIUM): Docker Content Trust enforcement must be enabled in Universal Control Plane (UCP).
  • V-235848 (MEDIUM): Docker Swarm must have the minimum number of manager nodes.
  • V-235849 (MEDIUM): Docker Enterprise Swarm manager auto-lock key must be rotated periodically.
  • V-235850 (MEDIUM): Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).
  • V-235851 (HIGH): Docker Enterprise docker.service file ownership must be set to root:root.
  • V-235852 (MEDIUM): Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.
  • V-235853 (HIGH): Docker Enterprise docker.socket file ownership must be set to root:root.
  • V-235854 (MEDIUM): Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.
  • V-235855 (HIGH): Docker Enterprise /etc/docker directory ownership must be set to root:root.
  • V-235856 (MEDIUM): Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive.
  • V-235857 (HIGH): Docker Enterprise registry certificate file ownership must be set to root:root.
  • V-235858 (MEDIUM): Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive.
  • V-235859 (HIGH): Docker Enterprise TLS certificate authority (CA) certificate file ownership must be set to root:root.
  • V-235860 (MEDIUM): Docker Enterprise TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive.
  • V-235861 (HIGH): Docker Enterprise server certificate file ownership must be set to root:root.
  • V-235862 (MEDIUM): Docker Enterprise server certificate file permissions must be set to 444 or more restrictive.
  • V-235863 (MEDIUM): Docker Enterprise server certificate key file ownership must be set to root:root.
  • V-235864 (HIGH): Docker Enterprise server certificate key file permissions must be set to 400.
  • V-235865 (HIGH): Docker Enterprise socket file ownership must be set to root:docker.
  • V-235866 (HIGH): Docker Enterprise socket file permissions must be set to 660 or more restrictive.
  • V-235867 (HIGH): Docker Enterprise daemon.json file ownership must be set to root:root.
  • V-235868 (HIGH): Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive.
  • V-235869 (HIGH): Docker Enterprise /etc/default/docker file ownership must be set to root:root.
  • V-235870 (HIGH): Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive.
  • V-235871 (MEDIUM): Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA).
  • V-235872 (MEDIUM): Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network.
  • V-235873 (MEDIUM): Docker Enterprise Swarm services must be bound to a specific host interface.
  • V-235874 (MEDIUM): Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2.
  • V-265885 (HIGH): The version of Docker Enterprise Edition running on the system must be a supported version.