STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021

The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.

DISA Rule

SV-235778r627461_rule

Vulnerability Number

V-235778

Group Title

SRG-APP-000016

Rule Version

DKER-EE-001080

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the UCP component of Docker Enterprise.

Set the remote syslog configuration in UCP:

via UI:

As a Docker EE Admin, navigate to "Admin Settings" | "Audit Logs" in the UCP management console, and set the "Audit Log Level" to "Request".

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the "ucp-config.toml" file and, under the "[audit_log_configuration]" section, set "level = request".
Save the file.

Execute the following command to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml

Check Contents

This check only applies to the UCP component of Docker Enterprise.

Verify that the audit log configuration level in UCP is set to "request":

Via UI:

As a Docker EE Admin, navigate to "Admin Settings" | "Audit Logs" in the UCP management console, and verify "Audit Log Level" is set to "Request". If the audit log configuration level is not set to "Request", this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Look for the "level" entry under the "[audit_log_configuration]" section in the output, and verify that it is set to "request".

If the "level" entry under the "[audit_log_configuration]" section in the output is not set to "request", then this is a finding.
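
The CLI check above can be scripted so that only the "level" key inside "[audit_log_configuration]" is evaluated. The following is an added example, not part of the STIG or of Docker's tooling; the function names, the "[other_table]" table and the sample TOML are constructed for illustration.

```shell
#!/bin/sh
# Added example: scripted form of the manual "level" check above.
# Reads UCP config TOML on stdin; prints the "level" value found inside
# [audit_log_configuration] only, since other tables can carry a "level" key.
audit_level_from_toml() {
    awk '
        /^[ \t]*\[/ {                        # any table header
            hdr = $0
            sub(/#.*/, "", hdr)              # drop trailing comment
            gsub(/[ \t]/, "", hdr)
            in_section = (hdr == "[audit_log_configuration]")
            next
        }
        in_section && /^[ \t]*level[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)    # drop "level ="
            sub(/[ \t]*#.*$/, "", val)       # drop trailing comment
            gsub(/"/, "", val)               # drop double quotes
            sub(/[ \t]+$/, "", val)
            print val
            exit
        }
    '
}

# Returns 0 when compliant, 1 when the check would record a finding
# (wrong value, missing key, or missing section).
check_audit_level() {
    level=$(audit_level_from_toml)
    if [ "$level" = "request" ]; then
        echo "PASS: audit log level is \"request\""
        return 0
    fi
    echo "FINDING: audit log level is \"${level:-<not set>}\", expected \"request\""
    return 1
}

# Constructed sample input, not output from a real UCP instance.
# [other_table] is a hypothetical table that also has a "level" key.
SAMPLE_BAD='[other_table]
  level = "request"
[audit_log_configuration]
  level = "metadata"'

SAMPLE_GOOD='[audit_log_configuration]
  level = "request"   # constructed comment'
```

Pipe the output of the config-toml request shown above into check_audit_level; a non-zero exit status corresponds to a finding.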

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281
