STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.

DISA Rule

SV-235839r627644_rule

Vulnerability Number

V-235839

Group Title

SRG-APP-000386

Rule Version

DKER-EE-003610

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the UCP component of Docker Enterprise.

Pull and run only signed images on a UCP cluster.

via CLI:

Linux: When using a client bundle, set the "DOCKER_CONTENT_TRUST" environment variable to a value of "1" prior to the execution of any of the following commands: docker push, docker build, docker create, docker pull and docker run.

Check Contents

This check only applies to the UCP component of Docker Enterprise.

Verify that all images sitting on a UCP cluster are signed.

via CLI:

Linux: As a Docker EE Admin, execute the following commands using a client bundle:

docker trust inspect $(docker images --format '{{.Repository}}:{{.Tag}}')

Verify that all image tags in the output have valid signatures.

If the images are not signed, this is a finding.
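Evaluating the `docker trust inspect` output by hand gets error-prone on a cluster with many images. The following is an added example (not part of the STIG or of Docker's own tooling) that parses the JSON `docker trust inspect` prints and lists the references that would be a finding; it assumes the Docker CLI field names Name, SignedTags, SignedTag and Digest, and the sample output is constructed, not captured from a real cluster.

```python
import json
from typing import Dict, List

# Constructed sample of `docker trust inspect` JSON (two references): the first tag is
# signed; the second repository has trust data, but not for the tag that was inspected.
SAMPLE_TRUST_OUTPUT = json.dumps([
    {"Name": "registry.example.test/app/api:1.4.2",
     "SignedTags": [{"SignedTag": "1.4.2", "Digest": "0" * 64, "Signers": ["release-team"]}],
     "Signers": [{"Name": "release-team", "Keys": [{"ID": "a1b2c3"}]}],
     "AdministrativeKeys": [{"Name": "Root", "Keys": [{"ID": "d4e5f6"}]}]},
    {"Name": "registry.example.test/app/worker:2.0.0",
     "SignedTags": [{"SignedTag": "1.9.9", "Digest": "1" * 64, "Signers": ["release-team"]}],
     "Signers": [], "AdministrativeKeys": []},
])


def split_tag(ref: str):
    """Return (repository, tag) for an image reference; tag is None when absent.
    A ':' counts as the tag separator only after the last '/'; before it, it is a
    registry port (e.g. localhost:5000/app)."""
    colon = ref.rfind(":")
    return (ref[:colon], ref[colon + 1:]) if colon > ref.rfind("/") else (ref, None)


def evaluate_trust_output(trust_json: str) -> Dict[str, bool]:
    """Map each inspected reference to True (signed) or False (finding, DKER-EE-003610)."""
    result = {}
    for entry in json.loads(trust_json):
        name = entry["Name"]
        _, tag = split_tag(name)
        # Only SignedTags entries that carry a digest are signatures in the trust data.
        signed = {t["SignedTag"] for t in entry.get("SignedTags", []) if t.get("Digest")}
        # A repository-level query (no tag) passes if any tag is signed; a tagged query
        # passes only if that exact tag is among the signed tags.
        result[name] = bool(signed) if tag is None else tag in signed
    return result


def findings(trust_json: str) -> List[str]:
    """Return the unsigned references, sorted for stable reporting."""
    return sorted(n for n, ok in evaluate_trust_output(trust_json).items() if not ok)


if __name__ == "__main__":
    for ref in findings(SAMPLE_TRUST_OUTPUT):
        print(f"FINDING: {ref} has no valid signature")
```

References for which `docker trust inspect` prints "No signatures or cannot access" on stderr do not appear in the JSON at all, so treat a non-zero exit status or any such message as a finding as well.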

Vulnerability Number

V-235839

Documentable

False

Rule Version

DKER-EE-003610

Severity Override Guidance

This check only applies to the UCP component of Docker Enterprise.

Verify that all images sitting on a UCP cluster are signed.

via CLI:

Linux: As a Docker EE Admin, execute the following commands using a client bundle:

docker trust inspect $(docker images --format '{{.Repository}}:{{.Tag}}')

Verify that all image tags in the output have valid signatures.

If the images are not signed, this is a finding.

Check Content Reference

M

Target Key

5281

Comments