STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.

DISA Rule

SV-235845r627662_rule

Vulnerability Number

V-235845

Group Title

SRG-APP-000454

Rule Version

DKER-EE-004130

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Remove all outdated UCP and DTR container images from all nodes in the cluster:

via CLI: As a Docker EE admin, execute the following commands using a client bundle:

docker rmi -f $(docker images --filter reference='docker/ucp*:[outdated_tags]' -q)
docker rmi -f $(docker images --filter reference='docker/dtr*:[outdated_tags]' -q)

Replace [outdated_tags] with the specific outdated tag (or a glob covering the outdated tags) before running either command; the reference filter is matched as a shell-style glob, so a literal square-bracket placeholder would be read as a character class rather than as the intended tag. Run the inner listing (docker images ... -q) on its own first and confirm it returns only the image IDs you intend to delete: -f removes an image even if a stopped container still references it, and if the filter matches nothing, docker rmi is invoked with no arguments and fails. Repeat on, or against, every node in the cluster; an image left on a single node is still a finding.

Check Contents

Verify that all outdated UCP and DTR container images have been removed from all nodes in the cluster.

via CLI: As a Docker EE admin, execute the following command using a client bundle:

docker images --filter reference='docker/[ucp|dtr]*'

Note that the reference filter is a shell-style glob, not a regular expression: [ucp|dtr] is a character class matching a single letter, so this pattern lists every docker/ repository whose name begins with u, c, p, d, t or r. That covers docker/ucp* and docker/dtr*, but it may also list unrelated docker/ images starting with those letters; ignore those when reviewing the output.

Verify that no tag listed for a UCP or DTR image is a release older than the currently installed versions of UCP and DTR. The comparison is on the version in the TAG column, not on the CREATED date of the image.

If any of the tags listed are older than the currently installed versions of UCP and DTR, then this is a finding.
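The fix and check above leave the version comparison to the reviewer. The following POSIX sh script is an added example, not code from DISA, Docker or STIGQter: it reads "repository:tag" lines (the shape produced by docker images --format '{{.Repository}}:{{.Tag}}'), restricts them to the docker/ucp and docker/dtr repository families, and prints every tag that is a lower version than the installed UCP or DTR release. The function names, the sample image list and the two installed versions are constructed for the example; on a real cluster the admin supplies the installed versions and pipes in the output of docker images run through a client bundle.

```shell
#!/bin/sh
# Added example; not DISA's or Docker's code. Flags UCP/DTR image tags that are
# older than the installed versions, from "repository:tag" lines such as those
# produced by:  docker images --format '{{.Repository}}:{{.Tag}}'
# Function names and the sample image list below are constructed for this example.

# ver_lt A B: succeed (exit 0) when dotted version A is older than B.
# Pre-release suffixes such as "-tp1" are stripped; missing components count as 0.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/-.*/, "", a); sub(/-.*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1      # equal versions are not "older"
    }'
}

# outdated_images PREFIX CURRENT: read "repository:tag" lines on stdin and print
# those whose repository starts with PREFIX and whose tag is older than CURRENT.
# Non-version tags (e.g. <none>) are skipped rather than mis-compared.
outdated_images() {
    prefix="$1"; current="$2"
    while IFS= read -r line; do
        repo="${line%:*}"; tag="${line##*:}"
        case "$repo" in
            "$prefix"*) ;;
            *) continue ;;
        esac
        case "$tag" in
            [0-9]*) ;;
            *) continue ;;
        esac
        if ver_lt "$tag" "$current"; then
            printf '%s\n' "$line"
        fi
    done
    return 0
}

# check_cluster IMAGES UCP_VERSION DTR_VERSION: print every finding, one per line.
# IMAGES is the newline-separated "repository:tag" list; the two versions are the
# currently installed UCP and DTR releases (assumed to be known to the admin).
check_cluster() {
    printf '%s\n' "$1" | outdated_images docker/ucp "$2"
    printf '%s\n' "$1" | outdated_images docker/dtr "$3"
    return 0
}

# Constructed sample of what docker images might list on a cluster after an
# upgrade to UCP 3.3.5 and DTR 2.8.3, with leftovers from the previous releases.
SAMPLE_IMAGES='docker/ucp-agent:3.3.5
docker/ucp-agent:3.2.8
docker/ucp:3.3.5
docker/dtr-registry:2.8.3
docker/dtr-registry:2.7.6
docker/dtr-nginx:2.8.3
docker/ucp-agent:<none>
nginx:1.19'

# Stand-alone run: any line printed is an outdated image, i.e. a STIG finding.
findings=$(check_cluster "$SAMPLE_IMAGES" 3.3.5 2.8.3)
if [ -n "$findings" ]; then
    printf 'Finding: outdated UCP/DTR images present:\n%s\n' "$findings"
else
    echo "No outdated UCP/DTR images found."
fi
```

Against the sample list the script reports docker/ucp-agent:3.2.8 and docker/dtr-registry:2.7.6 and ignores the <none> tag and the unrelated nginx image. To scope a live listing to exactly the two repository families instead of the broad character-class pattern in the check, pass two filters: docker images --filter reference='docker/ucp*' --filter reference='docker/dtr*' --format '{{.Repository}}:{{.Tag}}'. The script flags tags; the fix step removes by image ID, which also drops any other tags that point at the same ID, so review the -q output before forcing removal.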

Documentable

False

Check Content Reference

M

Target Key

5281

Comments