STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.

DISA Rule

SV-235826r627605_rule

Vulnerability Number

V-235826

Group Title

SRG-APP-000231

Rule Version

DKER-EE-002660

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For all containerized applications that leverage configuration files and/or small amounts of user-generated data, store that data in Docker Secrets.

All secrets should be created and managed using a UCP client bundle.

A reference for the use of docker secrets can be found at https://docs.docker.com/engine/swarm/secrets/.

Check Contents

Review the System Security Plan (SSP), identify the applications that leverage configuration files and/or small amounts of user-generated data, and ensure that this data is stored in Docker Secrets or Kubernetes Secrets.

Using a Universal Control Plane (UCP) client bundle, verify that secrets are in use by executing the following command:

docker secret ls

Confirm that the containerized applications identified in the SSP as using Docker secrets have a corresponding secret configured.
If the SSP requires that Docker secrets be used but the containerized application does not use Docker secrets, this is a finding.
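The comparison the check describes, as an added example that is not part of the STIG text or of STIGQter: a POSIX shell script that takes the output of docker secret ls and the list of secrets the SSP documents for an application, and reports any documented secret that has no corresponding entry in the swarm. The docker secret ls output and the SSP secret list below are constructed sample data; the secret names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the STIG or STIGQter): compare the secrets an
# SSP documents for an application against the secrets present in the swarm.

# Constructed sample output of `docker secret ls` (ID, NAME, DRIVER, CREATED, UPDATED).
SAMPLE_SECRET_LS='ID                          NAME                DRIVER    CREATED        UPDATED
kv7xq2l3m4n5o6p7q8r9s0t1u   app_db_password               2 weeks ago    2 weeks ago
a1b2c3d4e5f6g7h8i9j0k1l2m   app_tls_cert                  5 days ago     5 days ago'

# Constructed SSP requirement: hypothetical secret names the application is documented to use.
SSP_REQUIRED_SECRETS='app_db_password app_tls_cert app_api_token'

# missing_secrets LISTING REQUIRED
#   Prints, one per line, each required secret name that does not appear in
#   the NAME column of the listing.
missing_secrets() {
  listing=$1
  required=$2
  # Column 2 of every line after the header is the secret NAME; the DRIVER
  # column is usually blank, which does not shift the NAME column.
  present=$(printf '%s\n' "$listing" | awk 'NR > 1 { print $2 }')
  for name in $required; do
    if ! printf '%s\n' "$present" | grep -qx -- "$name"; then
      printf '%s\n' "$name"
    fi
  done
}

# check_secrets LISTING REQUIRED
#   Returns 0 when every required secret exists, 1 (a finding) otherwise.
check_secrets() {
  missing=$(missing_secrets "$1" "$2")
  if [ -n "$missing" ]; then
    printf 'FINDING: required secrets not configured: %s\n' \
      "$(printf '%s' "$missing" | tr '\n' ' ')"
    return 1
  fi
  printf 'OK: all required secrets are configured\n'
  return 0
}

# Live use from a UCP client bundle would pass the real listing instead:
#   check_secrets "$(docker secret ls)" "$SSP_REQUIRED_SECRETS"
# To confirm a specific service actually references a secret, the names it
# mounts can be listed with:
#   docker service inspect --format \
#     '{{range .Spec.TaskTemplate.ContainerSpec.Secrets}}{{.SecretName}} {{end}}' SERVICE
if check_secrets "$SAMPLE_SECRET_LS" "$SSP_REQUIRED_SECRETS"; then
  echo "Status: compliant"
else
  echo "Status: finding"
fi
```

With the constructed data the script reports app_api_token as missing, which is the finding condition in the check above; the service inspect command in the comments closes the second half of the check, that the application documented in the SSP really mounts the secret rather than merely that a secret of that name exists.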

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments