Guide to the Secure Configuration of Red Hat Enterprise Linux 7
with profile C2S for Docker

This profile demonstrates compliance against the U.S. Government Commercial Cloud Services (C2S) baseline. This baseline was inspired by the Center for Internet Security (CIS) Docker Community Edition Benchmark, v1.1.0 - 07-06-2017. For the SCAP Security Guide project to remain in compliance with CIS' terms and conditions, specifically Restrictions(8), note there is no representation or claim that the C2S profile will ensure a system is in compliance or consistency with the CIS baseline.
scap-security-guide package which is developed at https://www.open-scap.org/security-policies/scap-security-guide.
Providing system administrators with such guidance informs them how to securely configure systems under their control in a variety of network roles. Policy makers and baseline creators can use this catalog of settings, with its associated references to higher-level security control catalogs, in order to assist them in security baseline creation. This guide is a catalog, not a checklist, and satisfaction of every item is not likely to be possible or sensible in many operational scenarios. However, the XCCDF format enables granular selection and adjustment of settings, and their association with OVAL and OCIL content provides an automated checking capability. Transformations of this document, and its associated automated checking content, are capable of providing baselines that meet a diverse set of policy objectives. Some example XCCDF Profiles, which are selections of items that form checklists and can be used as baselines, are available with this guide. They can be processed, in an automated fashion, with tools that support the Security Content Automation Protocol (SCAP). The DISA STIG for Red Hat Enterprise Linux 7, which provides required settings for US Department of Defense systems, is one example of a baseline created from this guidance.
Profile Title | C2S for Docker |
---|---|
Profile ID | xccdf_org.ssgproject.content_profile_C2S-docker |
Revision History
Current version: 0.1.38
- draft (as of 2018-03-05)
Platforms
- cpe:/o:redhat:enterprise_linux:7
- cpe:/o:redhat:enterprise_linux:7::client
- cpe:/o:redhat:enterprise_linux:7::computenode
Checklist
contains 1 rule
System Settings (group): Contains rules that check correct system settings.
contains 1 rule
Installing and Maintaining Software (group): The following sections contain information on security-relevant choices during the initial operating system installation process and the setup of software updates.
contains 1 rule
Updating Software (group): The
contains 1 rule
Ensure Software Patches Installed (rule)
If the system is joined to the Red Hat Network, a Red Hat Satellite Server, or a yum server, run the following command to install updates:

    $ sudo yum update

If the system is not configured to use one of these sources, updates (in the form of RPM packages) can be manually downloaded from the Red Hat Network and installed using rpm.
NOTE: U.S. Defense systems are required to be patched within 30 days or sooner as local policy dictates.
Rationale: Installing software updates is a fundamental mitigation against the exploitation of publicly-known vulnerabilities. If the most recent security patches and updates are not installed, unauthorized users may take advantage of weaknesses in the unpatched software. The lack of prompt attention to patching could result in a system compromise.
Severity: high
Identifiers: CCE-26895-3
References: RHEL-07-020260, SV-86623r3_rule