STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

DISA Rule

SV-235781r627470_rule

Vulnerability Number

V-235781

Group Title

SRG-APP-000033

Rule Version

DKER-EE-001170

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the UCP component of Docker Enterprise.

Apply RBAC policy sets in UCP per the requirements set forth by the SSP.

via UI:

As a Docker EE Admin, navigate to "Access Control" | "Grants" in the UCP web console. Create grants and cluster role bindings for Swarm per the requirements set forth by the SSP.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)

Create grants for Swarm for applicable subjects, objects and roles using the following command:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X PUT https://[ucp_url]/collectionGrants/[subjectID]/[objectID]/[roleID]

Check Contents

This check only applies to the UCP component of Docker Enterprise.

Verify that the applied RBAC policy sets in UCP are configured per the requirements set forth by the System Security Plan (SSP).

via UI:

As a Docker EE Admin, navigate to "Access Control" | "Grants" in the UCP web console. Verify that all grants and cluster role bindings applied to Swarm are configured per the requirements set forth by the System Security Plan (SSP).

If the applied RBAC policy sets in UCP are not configured per the requirements set forth by the SSP, then this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)

curl -sk -H "Authorization: Bearer $AUTHTOKEN" "https://[ucp_url]/collectionGrants?subjectType=all&expandUser=true&showPaths=true"

Verify that all grants applied to Swarm in the API response are configured per the requirements set forth by the System Security Plan (SSP).

If the applied RBAC policy sets in UCP are not configured per the requirements set forth by the SSP, then this is a finding.
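The CLI check above leaves the comparison against the SSP to the reviewer. The following script is an added example (not part of the STIG text or of Docker's tooling) of how that comparison can be automated for both the check and the fix: it parses the grants returned by the collectionGrants call, diffs them against the SSP's approved (subject, object, role) triples, reports unexpected grants as findings, and renders the STIG's PUT call for each approved grant that is missing. The JSON response shape (a top-level "grants" list whose entries carry "subjectID", "objectID" and "roleID") and all IDs are assumptions constructed for the example; confirm the field names against your UCP version's API before relying on them. Note that the STIG's curl invocations pass -k, which disables TLS certificate verification; on a hardened admin host, pass the UCP CA bundle with --cacert instead.

```python
"""Audit UCP collection grants against the SSP's approved grant list.

Added example, not part of the STIG or of Docker Enterprise. The response
shape below ("grants" list with subjectID/objectID/roleID) is an assumption;
verify it against the actual /collectionGrants output of your UCP version.
"""
import json

# Constructed sample standing in for the body returned by the check's curl call.
SAMPLE_RESPONSE = json.dumps({
    "grants": [
        {"subjectID": "user-alice", "objectID": "collection-prod", "roleID": "viewonly"},
        {"subjectID": "org-devs", "objectID": "collection-dev", "roleID": "restrictedcontrol"},
        # Constructed: a full-control grant on the root collection the SSP never approved.
        {"subjectID": "user-bob", "objectID": "collection-root", "roleID": "fullcontrol"},
        # Constructed: a malformed entry with no roleID, to show it is not silently dropped.
        {"subjectID": "user-eve", "objectID": "collection-dev"},
    ]
})

# Constructed approved grants as the SSP would list them: (subjectID, objectID, roleID).
SSP_APPROVED = {
    ("user-alice", "collection-prod", "viewonly"),
    ("org-devs", "collection-dev", "restrictedcontrol"),
    ("org-ops", "collection-prod", "fullcontrol"),
}

REQUIRED_KEYS = ("subjectID", "objectID", "roleID")


def parse_grants(response_text):
    """Return (grants, malformed): grants as a set of triples, malformed as the raw
    entries lacking one of the required keys, so nothing disappears from the audit."""
    data = json.loads(response_text)
    grants, malformed = set(), []
    for entry in data.get("grants", []):
        if all(k in entry for k in REQUIRED_KEYS):
            grants.add(tuple(entry[k] for k in REQUIRED_KEYS))
        else:
            malformed.append(entry)
    return grants, malformed


def audit(actual, approved):
    """Return (unexpected, missing): grants present but not approved, and approved
    grants that are absent. Either list being non-empty means the policy set
    does not match the SSP."""
    return sorted(actual - approved), sorted(approved - actual)


def is_finding(actual, approved, malformed=()):
    """True when the applied grants deviate from the SSP (or could not be parsed)."""
    unexpected, missing = audit(actual, approved)
    return bool(unexpected or missing or malformed)


def fix_commands(missing, ucp_url="[ucp_url]"):
    """Render the STIG's PUT call for each approved grant that is absent.
    Placeholders are kept verbatim; AUTHTOKEN comes from the /auth/login step."""
    return [
        f'curl -s --cacert ucp-ca.pem -H "Authorization: Bearer $AUTHTOKEN" -X PUT '
        f'"https://{ucp_url}/collectionGrants/{subject}/{obj}/{role}"'
        for subject, obj, role in missing
    ]


def report(response_text, approved):
    """Build a human-readable review summary; returns the lines so callers can log them."""
    actual, malformed = parse_grants(response_text)
    unexpected, missing = audit(actual, approved)
    lines = [f"FINDING: unexpected grant {g}" for g in unexpected]
    lines += [f"FINDING: approved grant missing {g}" for g in missing]
    lines += [f"FINDING: malformed grant entry {e}" for e in malformed]
    lines += ["Fix (missing grants):"] + fix_commands(missing) if missing else []
    if not lines:
        lines.append("No deviation from SSP-approved grants.")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_RESPONSE, SSP_APPROVED)))
```

In practice the response text comes from the STIG's curl call (`curl ... "https://[ucp_url]/collectionGrants?subjectType=all&expandUser=true&showPaths=true" > grants.json`) and SSP_APPROVED is loaded from the SSP's grant table; the "unexpected" list is what the check calls a finding, and the rendered PUT calls correspond to the fix step.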

Vulnerability Number

V-235781

Documentable

False

Rule Version

DKER-EE-001170

Severity Override Guidance


Check Content Reference

M

Target Key

5281

Comments