Guide to the Secure Configuration of Red Hat Enterprise Linux 7
with profile Standard Docker Host Security Profile
This profile contains rules to ensure a standard security baseline for a Red Hat Enterprise Linux 7 system running the docker daemon.
This discussion is currently being held on open-scap-list@redhat.com and scap-security-guide@lists.fedorahosted.org.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
| Profile Title | Standard Docker Host Security Profile |
|---|---|
| Profile ID | xccdf_org.ssgproject.content_profile_docker-host |
Revision History
Current version: 0.1.31
- draft (as of 2017-02-12)
Platforms
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
Table of Contents
Checklist
contains 6 rules
System Settings [ref] (group)
Contains rules that check correct system settings.
contains 4 rules
SELinux [ref] (group)
SELinux is a feature of the Linux kernel which can be used to guard against misconfigured or compromised programs. SELinux enforces the idea that programs should be limited in what files they can access and what actions they can take.
contains 4 rules
Ensure SELinux Not Disabled in /etc/default/grub [ref] (rule)
SELinux can be disabled at boot time by an argument in /etc/default/grub.
Rationale: Disabling a major host protection feature, such as SELinux, at boot time prevents it from confining system services at boot time. Further, it increases the chances that it will remain off during system operation.
Identifiers: CCE-26961-3
References: AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), 22, 32, 1.4.1
Ensure SELinux State is Enforcing [ref] (rule)
The SELinux state should be set to enforcing: SELINUX=enforcing
Rationale: Setting the SELinux state to enforcing ensures SELinux is able to confine potentially compromised processes to the security policy, which is designed to prevent them from causing damage to the system or further elevating their privileges.
Identifiers: CCE-27334-2
References: AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), 2165, 2696, 1.4.2, SRG-OS-000445-GPOS-00199, RHEL-07-020210
Configure SELinux Policy [ref] (rule)
The SELinux policy should be configured with SELINUXTYPE=targeted
Other policies, such as mls, provide additional security labeling and greater confinement but are not compatible with many general-purpose use cases.
Rationale: Setting the SELinux policy to
Identifiers: CCE-27279-9
References: AC-3, AC-3(3), AC-3(4), AC-4, AC-6, AU-9, SI-6(a), 2696, 1.4.3, SRG-OS-000445-GPOS-00199, RHEL-07-020211
Ensure SELinux support is enabled in Docker [ref] (rule)
To enable SELinux for the Docker service, the Docker service must be configured to run the Docker daemon with OPTIONS='--selinux-enabled'
Rationale: If SELinux is not explicitly enabled in the Docker daemon configuration, Docker does not use SELinux, which means Docker runs unconfined and SELinux will not provide security separation for Docker container processes. Enabling SELinux for the Docker service prevents an attacker or rogue container from attacking other container processes and content, and prevents taking over the host operating system.
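The four SELinux rules above each come down to one line in a configuration file. The shell script below is an added example, not part of the SCAP Security Guide or its OVAL checks: it audits all four rules against files passed as arguments, so it runs here against constructed sample files and, on a live host, against /etc/default/grub, /etc/selinux/config and /etc/sysconfig/docker. The last two paths and the kernel parameters selinux=0 and enforcing=0 are assumptions taken from the standard RHEL 7 layout and kernel documentation, not values quoted on this page.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide code): audit the four SELinux rules of
# the docker-host profile against configuration files given as arguments.
# Live-host paths (assumed, not from the guide text):
#   /etc/default/grub  /etc/selinux/config  /etc/sysconfig/docker

# Value of KEY=value from a sysconfig-style file: last definition wins,
# comments are ignored, surrounding quotes are stripped.
cfg_get() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- \
        | tr -d "\"'"
}

# Rule 1: SELinux must not be switched off on the kernel command line.
# selinux=0 and enforcing=0 are the kernel parameters that do so (kernel
# documentation, not quoted on the page); GRUB_CMDLINE_LINUX_DEFAULT is
# matched as well by the prefix.
check_grub_selinux() {
    grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX' "$1" 2>/dev/null \
        | grep -qE '(selinux|enforcing)=0' && return 1
    return 0
}

# Rule 2: SELINUX=enforcing in the SELinux config file.
check_selinux_state() {
    [ "$(cfg_get "$1" SELINUX)" = "enforcing" ]
}

# Rule 3: SELINUXTYPE=targeted, the value this profile configures.
check_selinux_policy() {
    [ "$(cfg_get "$1" SELINUXTYPE)" = "targeted" ]
}

# Rule 4: the daemon's OPTIONS must carry --selinux-enabled.
check_docker_selinux() {
    cfg_get "$1" OPTIONS | grep -q -- '--selinux-enabled'
}

# Run all checks for one host; arguments: grub file, selinux file, docker file.
audit_selinux() {
    rc=0
    if check_grub_selinux "$1"; then echo "PASS  SELinux not disabled at boot in $1"
    else echo "FAIL  SELinux disabled on kernel command line in $1"; rc=1; fi
    if check_selinux_state "$2"; then echo "PASS  SELINUX=enforcing in $2"
    else echo "FAIL  SELINUX is not enforcing in $2"; rc=1; fi
    if check_selinux_policy "$2"; then echo "PASS  SELINUXTYPE=targeted in $2"
    else echo "FAIL  SELINUXTYPE is not targeted in $2"; rc=1; fi
    if check_docker_selinux "$3"; then echo "PASS  --selinux-enabled in OPTIONS of $3"
    else echo "FAIL  --selinux-enabled missing from OPTIONS in $3"; rc=1; fi
    return $rc
}

# Constructed sample files (not from a real host) so the script runs offline.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/grub.bad" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet selinux=0"
EOF
cat > "$work/grub.good" <<'EOF'
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX="crashkernel=auto rhgb quiet"
EOF
cat > "$work/selinux.bad" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
SELINUXTYPE=minimum
EOF
cat > "$work/selinux.good" <<'EOF'
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$work/docker.bad" <<'EOF'
OPTIONS='--log-driver=journald'
EOF
cat > "$work/docker.good" <<'EOF'
OPTIONS='--selinux-enabled --log-driver=journald'
EOF

audit_selinux "$work/grub.bad" "$work/selinux.bad" "$work/docker.bad" || echo "sample host A: non-compliant"
audit_selinux "$work/grub.good" "$work/selinux.good" "$work/docker.good" && echo "sample host B: compliant"
```

These are configuration checks, so they describe the next boot rather than the running kernel; pair them with `getenforce` on a live host, since a system can be enforcing on disk and permissive in memory (or the reverse) until it reboots.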
Services [ref] (group)
The best protection against vulnerable software is running less software. This section describes how to review the software which Red Hat Enterprise Linux 7 installs on a system and disable software which is not needed. It then enumerates the software packages installed on a default Red Hat Enterprise Linux 7 system and provides guidance about which ones can be safely disabled.
contains 2 rules
Docker Service [ref] (group)
The docker service is necessary to create containers, which are self-sufficient and self-contained applications using the resource isolation features of the kernel.
contains 2 rules
Enable the Docker service [ref] (rule)
The docker service is commonly needed to create containers. The service can be enabled with:
$ sudo systemctl enable docker.service
Rationale: To be able to find any problems with misconfiguration of the docker daemon and running containers, the docker service has to be enabled.
Use direct-lvm with the Device Mapper Storage Driver [ref] (rule)
To use Docker in production with the device mapper storage driver, the Docker daemon should be configured to use direct-lvm instead of a loopback device as storage. For setting up LVM and configuring Docker, see the Docker Device Mapper Storage Documentation.
Rationale: For using Docker in production, the device mapper storage driver with loopback devices is discouraged. The suggested way of configuring the device mapper storage driver is direct-lvm. Choosing the right storage driver and backing filesystem is crucial to stability and performance.
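The rule says what to avoid (loopback files) and what to use (direct-lvm) but not how to tell the two apart on a running host. The script below is an added example, not code from the SCAP Security Guide or from Docker: it checks the daemon's storage options file and saved `docker info` output for a devicemapper driver still backed by loopback files, with the loopback configuration beside the direct-lvm one. The path /etc/sysconfig/docker-storage, the DOCKER_STORAGE_OPTIONS variable, the dm.thinpooldev storage option and the "loop file" fields of `docker info` are assumptions about the RHEL 7 docker package and the devicemapper driver, not values quoted on this page; the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide or Docker code): detect a devicemapper
# Docker daemon backed by loopback files instead of direct-lvm.

# (1) Storage options file (assumed /etc/sysconfig/docker-storage on RHEL 7):
# direct-lvm points the daemon at an LVM thin pool with
# --storage-opt dm.thinpooldev=/dev/mapper/<pool>; an empty or missing option
# leaves the driver on loopback files.
check_storage_config() {
    grep -E '^[[:space:]]*DOCKER_STORAGE_OPTIONS=' "$1" 2>/dev/null \
        | grep -q 'dm\.thinpooldev=/dev/mapper/'
}

# (2) Saved `docker info` text: with loopback, the devicemapper driver reports
# "Data loop file:" and "Metadata loop file:" lines; with direct-lvm those
# lines are absent. Other storage drivers are outside this rule and pass.
check_docker_info() {
    grep -q '^Storage Driver: devicemapper' "$1" || return 0
    if grep -q 'loop file:' "$1"; then return 1; fi
    return 0
}

# Report on one (storage config, docker info) pair; returns 1 on any failure.
audit_docker_storage() {
    rc=0
    if check_storage_config "$1"; then echo "PASS  dm.thinpooldev set in $1"
    else echo "FAIL  no LVM thin pool in DOCKER_STORAGE_OPTIONS ($1)"; rc=1; fi
    if check_docker_info "$2"; then echo "PASS  no loopback files reported in $2"
    else echo "FAIL  devicemapper backed by loopback files ($2)"; rc=1; fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/docker-storage.loopback" <<'EOF'
# package default: no thin pool configured, so the daemon uses loopback files
DOCKER_STORAGE_OPTIONS=
EOF
cat > "$work/docker-storage.directlvm" <<'EOF'
DOCKER_STORAGE_OPTIONS="--storage-driver devicemapper --storage-opt dm.thinpooldev=/dev/mapper/docker-thinpool"
EOF
cat > "$work/info.loopback" <<'EOF'
Server Version: 1.12.6
Storage Driver: devicemapper
 Pool Name: docker-253:0-1050520-pool
 Data file: /dev/loop0
 Metadata file: /dev/loop1
 Data loop file: /var/lib/docker/devicemapper/devicemapper/data
 Metadata loop file: /var/lib/docker/devicemapper/devicemapper/metadata
EOF
cat > "$work/info.directlvm" <<'EOF'
Server Version: 1.12.6
Storage Driver: devicemapper
 Pool Name: docker-thinpool
 Data file:
 Metadata file:
EOF

audit_docker_storage "$work/docker-storage.loopback" "$work/info.loopback" || echo "sample host A: non-compliant"
audit_docker_storage "$work/docker-storage.directlvm" "$work/info.directlvm" && echo "sample host B: compliant"
```

On a live host, save the daemon's view with `docker info > /tmp/docker-info.txt` and run `audit_docker_storage /etc/sysconfig/docker-storage /tmp/docker-info.txt`; checking both the file and the running daemon catches the case where the thin pool was configured but the daemon has not been restarted since.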