STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:SV-235829r627614_rule
V-235829
SRG-APP-000295
DKER-EE-002970
CAT III
10
Set the "Per User Limit" Login Session Control in the UCP Admin Settings per the requirements set forth by the SSP but not "0".
via UI:
In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and set the "Per User Limit" field according to the SSP.
via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml
Open the "ucp-config.toml" file, set the "per_user_limit" entry under the "[auth.sessions]" section according to the SSP but not 0. Save the file.
Execute the following commands to update UCP with the new configuration:
curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
Check that the "Per User Limit" Login Session Control in the UCP Admin Settings are set according to the System Security Plan but not set to "0".
via UI:
In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify the "Per User Limit" field is set according to the settings described in the SSP. If the per user limit setting is not set to the value defined in the SSP or is set to "0", this is a finding.
via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml
Look for the "per_user_limit" entry under the "[auth.sessions]" section in the output, and verify that it is set according to the requirements of this control.
If the "per_user_limit" entry under the "[auth.sessions]" section in the output is not set according to the value defined in the SSP, or if the per user limit is set to "0", then this is a finding.
V-235829
False
DKER-EE-002970
Check that the "Per User Limit" Login Session Control in the UCP Admin Settings are set according to the System Security Plan but not set to "0".
via UI:
In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify the "Per User Limit" field is set according to the settings described in the SSP. If the per user limit setting is not set to the value defined in the SSP or is set to "0", this is a finding.
via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml
Look for the "per_user_limit" entry under the "[auth.sessions]" section in the output, and verify that it is set according to the requirements of this control.
If the "per_user_limit" entry under the "[auth.sessions]" section in the output is not set according to the value defined in the SSP, or if the per user limit is set to "0", then this is a finding.
M
5281