STIGQter STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 19 Jul 2019: Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.

DISA Rule

SV-104865r1_rule

Vulnerability Number

V-95727

Group Title

SRG-APP-000475

Rule Version

DKER-EE-004260

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the DTR component of Docker Enterprise.

Store only trusted, signed images in DTR.

via CLI:

Linux: Execute the following commands as a user with access to the repository in DTR for which image signing is being enabled:

docker login [dtr_url]
docker trust signer add --key [ucp_client_bundle_cert].pem [ucp_user] [dtr_url]/[namespace]/[imageName]
docker trust key load [ucp_client_bundle_key].pem
docker tag [source_image] [dtr_url]/[namespace]/[imageName]:[tag]
export DOCKER_CONTENT_TRUST=1
docker push [dtr_url]/[namespace]/[imageName]:[tag]

Check Contents

This check only applies to the DTR component of Docker Enterprise.

Verify that all images that are stored in DTR are trusted, signed images:

via UI: As a Docker EE Admin, navigate to "Repositories" in the DTR management console. Select a repository from the list. Navigate to the "Images" tab and verify that the "Signed" checkmark is indicated for each image tag. Repeat this for all repositories stored in DTR.

If images stored in DTR are not signed, this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the DTR management console. Replace [dtr_url] with the DTR URL, [dtr_username] with the username of a Docker EE Admin and [dtr_password] with the password of a Docker EE Admin.

AUTHTOKEN=$(curl -sk -u [dtr_username]:[dtr_password] -X GET "https://[dtr_url]/auth/token" | jq -r .token)
REPOS=$(curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/repositories" | jq -r '.repositories[] | "\(.namespace)/\(.name)"')
for r in $REPOS; do curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/repositories/$r/tags?domain=[dtr_url]"; done | jq -r '.[] | [.name, .inNotary] | @csv'

Verify that "true" is output next to all tags listed.

If all images stored in DTR are not signed and trusted, this is a finding.

Vulnerability Number

V-95727

Documentable

False

Rule Version

DKER-EE-004260

Severity Override Guidance

This check only applies to the DTR component of Docker Enterprise.

Verify that all images that are stored in DTR are trusted, signed images:

via UI: As a Docker EE Admin, navigate to "Repositories" in the DTR management console. Select a repository from the list. Navigate to the "Images" tab and verify that the "Signed" checkmark is indicated for each image tag. Repeat this for all repositories stored in DTR.

If images stored in DTR are not signed, this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the DTR management console. Replace [dtr_url] with the DTR URL, [dtr_username] with the username of a Docker EE Admin and [dtr_password] with the password of a Docker EE Admin.

AUTHTOKEN=$(curl -sk -u [dtr_username]:[dtr_password] -X GET "https://[dtr_url]/auth/token" | jq -r .token)
REPOS=$(curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/repositories" | jq -r '.repositories[] | "\(.namespace)/\(.name)"')
for r in $REPOS; do curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/repositories/$r/tags?domain=[dtr_url]"; done | jq -r '.[] | [.name, .inNotary] | @csv'

Verify that "true" is output next to all tags listed.

If all images stored in DTR are not signed and trusted, this is a finding.

Check Content Reference

M

Target Key

3425

Comments