STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise.

DISA Rule

SV-235825r627602_rule

Vulnerability Number

V-235825

Group Title

SRG-APP-000190

Rule Version

DKER-EE-002490

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set the "Lifetime Minutes" and "Renewal Threshold Minutes" Login Session Controls in the UCP Admin Settings to "10" and "0" respectively.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and set the "Lifetime Minutes" and "Renewal Threshold Minutes" fields to "10" and "0" respectively.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the "ucp-config.toml" file and set the "lifetime_minutes" and "renewal_threshold_minutes" entries under the "[auth.sessions]" section to "10" and "0" respectively.

Execute the following command to upload the new configuration to UCP:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml

Check Contents

Verify that the "Lifetime Minutes" and "Renewal Threshold Minutes" Login Session Controls in the Universal Control Plane (UCP) Admin Settings are set to "10" and "0" respectively.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify that the "Lifetime Minutes" field is set to "10" and the "Renewal Threshold Minutes" field is set to "0". If they are not, then this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Look for the "lifetime_minutes" and "renewal_threshold_minutes" entries under the "[auth.sessions]" section in the output, and verify that the "lifetime_minutes" field is set to "10" and the "renewal_threshold_minutes" field is set to "0".

If they are not, then this is a finding.
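As an added example that is not part of the STIG or of Docker's own tooling, the following POSIX shell script evaluates this rule offline against a ucp-config.toml saved with the curl command above: it reads the "[auth.sessions]" section with awk and reports a finding when either value deviates. The helper names toml_get and check_session_controls are the example's own, and the two sample configurations embedded in it are constructed, not captured from a real UCP.

```shell
#!/bin/sh
# Added example, not part of the STIG: evaluate DKER-EE-002490 against a
# ucp-config.toml already downloaded with the curl commands above.

# Print the value of KEY under [SECTION] in a TOML file (empty if absent).
# Handles comments, quoted values and indentation; assumes a flat key = value layout.
toml_get() {
  file=$1 section=$2 key=$3
  awk -v sec="[$section]" -v pat="^[[:space:]]*$key[[:space:]]*=" '
    /^[[:space:]]*#/ { next }                              # comment line
    /^[[:space:]]*\[/ { sub(/#.*/, ""); gsub(/[[:space:]]/, "")
                        insec = ($0 == sec); next }        # section header
    insec && $0 ~ pat {                                    # key = value
      sub(/^[^=]*=[[:space:]]*/, "")                       # drop "key ="
      sub(/[[:space:]]*(#.*)?$/, "")                       # drop trailing comment
      gsub(/"/, ""); print; exit
    }' "$file"
}

# Return 0 when lifetime_minutes = 10 and renewal_threshold_minutes = 0;
# otherwise report each deviation and return 1 (a finding for this rule).
check_session_controls() {
  lifetime=$(toml_get "$1" auth.sessions lifetime_minutes)
  renewal=$(toml_get "$1" auth.sessions renewal_threshold_minutes)
  status=0
  [ "$lifetime" = "10" ] || { echo "FINDING: lifetime_minutes='$lifetime' (expected 10)"; status=1; }
  [ "$renewal" = "0" ]   || { echo "FINDING: renewal_threshold_minutes='$renewal' (expected 0)"; status=1; }
  return $status
}

# Constructed sample configurations (not captured from a real UCP):
COMPLIANT_CFG=$(mktemp); NONCOMPLIANT_CFG=$(mktemp)
cat > "$COMPLIANT_CFG" <<'EOF'
[auth]
  backend = "managed"
[auth.sessions]
  lifetime_minutes = 10   # DKER-EE-002490
  renewal_threshold_minutes = 0
EOF
cat > "$NONCOMPLIANT_CFG" <<'EOF'
[auth.sessions]
lifetime_minutes = 60
renewal_threshold_minutes = 20
EOF

check_session_controls "$COMPLIANT_CFG" && echo "OK: $COMPLIANT_CFG is compliant"
check_session_controls "$NONCOMPLIANT_CFG" || echo "FINDING in $NONCOMPLIANT_CFG"
```

To check a live deployment, point check_session_controls at the file produced by the "curl ... > ucp-config.toml" command from the fix procedure; the script never contacts UCP itself.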

Documentable

False


Check Content Reference

M

Target Key

5281

Comments