STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide

Version: 1

Release: 1 Benchmark Date: 19 Jul 2019

Name | Title
SV-104693r1_rule | The Docker Enterprise Per User Limit Login Session Control in the Universal Control Plane (UCP) Admin Settings must be set to an organization-defined value for all accounts and/or account types.
SV-104695r1_rule | TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled.
SV-104697r1_rule | FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
SV-104699r1_rule | The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.
SV-104701r1_rule | The host operating system's auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set.
SV-104703r1_rule | LDAP integration in Docker Enterprise must be configured.
SV-104705r1_rule | A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.
SV-104707r1_rule | A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.
SV-104737r1_rule | Docker Enterprise sensitive host system directories must not be mounted on containers.
SV-104739r2_rule | The Docker Enterprise host's process namespace must not be shared.
SV-104741r2_rule | The Docker Enterprise host's IPC namespace must not be shared.
SV-104743r1_rule | log-opts on all Docker Engine - Enterprise nodes must be configured.
SV-104745r1_rule | Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.
SV-104747r1_rule | Docker Inc.'s official GPG key must be added to the host using the user's operating system's respective package repository management tooling.
SV-104749r1_rule | The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
SV-104751r1_rule | On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used.
SV-104753r1_rule | The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
SV-104755r1_rule | Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled.
SV-104757r1_rule | The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates.
SV-104759r1_rule | The Docker Enterprise self-signed certificates in Docker Trusted Registry (DTR) must be replaced with DoD trusted, signed certificates.
SV-104761r1_rule | The option in Universal Control Plane (UCP) allowing users and administrators to schedule containers on all nodes, including UCP managers and Docker Trusted Registry (DTR) nodes, must be disabled in Docker Enterprise.
SV-104763r1_rule | The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
SV-104765r1_rule | Periodic data usage and analytics reporting in Universal Control Plane (UCP) must be disabled in Docker Enterprise.
SV-104767r1_rule | Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.
SV-104769r1_rule | An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise.
SV-104773r1_rule | SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise.
SV-104775r1_rule | Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise.
SV-104777r1_rule | Privileged Linux containers must not be used for Docker Enterprise.
SV-104779r1_rule | SSH must not run within Linux containers for Docker Enterprise.
SV-104781r1_rule | Only required ports must be open on the containers in Docker Enterprise.
SV-104783r1_rule | The Docker Enterprise host's network namespace must not be shared.
SV-104785r1_rule | Memory usage for all containers must be limited in Docker Enterprise.
SV-104787r1_rule | Docker Enterprise CPU priority must be set appropriately on all containers.
SV-104789r1_rule | All Docker Enterprise containers' root filesystems must be mounted as read-only.
SV-104791r1_rule | Docker Enterprise host devices must not be directly exposed to containers.
SV-104793r2_rule | Mount propagation mode must not be set to shared in Docker Enterprise.
SV-104795r2_rule | The Docker Enterprise host's UTS namespace must not be shared.
SV-104797r1_rule | The Docker Enterprise default seccomp profile must not be disabled.
SV-104799r2_rule | Docker Enterprise exec commands must not be used with the privileged option.
SV-104801r2_rule | Docker Enterprise exec commands must not be used with the user option.
SV-104803r1_rule | cgroup usage must be confirmed in Docker Enterprise.
SV-104805r1_rule | All Docker Enterprise containers must be restricted from acquiring additional privileges.
SV-104807r1_rule | The Docker Enterprise host's user namespace must not be shared.
SV-104809r1_rule | The Docker Enterprise socket must not be mounted inside any containers.
SV-104811r1_rule | Docker Enterprise privileged ports must not be mapped within containers.
SV-104813r1_rule | Docker Enterprise incoming container traffic must be bound to a specific host interface.
SV-104815r1_rule | SAML integration must be enabled in Docker Enterprise.
SV-104817r1_rule | The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise.
SV-104819r1_rule | Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster.
SV-104821r1_rule | The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise.
SV-104823r1_rule | Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.
SV-104825r1_rule | Docker Enterprise container health must be checked at runtime.
SV-104827r1_rule | PIDs cgroup limits must be used in Docker Enterprise.
SV-104829r1_rule | The Docker Enterprise per user limit login session control must be set per the requirements in the System Security Plan (SSP).
SV-104831r1_rule | Docker Enterprise images must be built with the USER instruction to prevent containers from running as root.
SV-104833r1_rule | An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR).
SV-104835r1_rule | The Docker Enterprise max-size and max-file json-file driver logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP).
SV-104837r1_rule | All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM).
SV-104839r1_rule | Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceeds 75% usage.
SV-104841r1_rule | Log aggregation/SIEM systems must be configured to notify the SA and ISSO on Docker Engine - Enterprise audit failure events.
SV-104843r1_rule | The Docker Enterprise log aggregation/SIEM systems must be configured to send an alert to the ISSO/ISSM when unauthorized software is installed.
SV-104845r1_rule | Docker Enterprise network ports on all running containers must be limited to what is needed.
SV-104847r1_rule | Content Trust enforcement must be enabled in Universal Control Plane (UCP) in Docker Enterprise.
SV-104849r1_rule | Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.
SV-104851r1_rule | Vulnerability scanning must be enabled for all repositories in the Docker Trusted Registry (DTR) component of Docker Enterprise.
SV-104853r1_rule | Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
SV-104857r1_rule | Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.
SV-104859r1_rule | The on-failure container restart policy must be set to 5 in Docker Enterprise.
SV-104861r1_rule | The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP).
SV-104863r1_rule | Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.
SV-104865r1_rule | Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.
SV-104867r1_rule | Docker Content Trust enforcement must be enabled in Universal Control Plane (UCP).
SV-104869r1_rule | Docker Swarm must have the minimum number of manager nodes.
SV-104871r1_rule | The Docker Enterprise Swarm manager auto-lock key must be rotated periodically.
SV-104873r1_rule | Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).
SV-104877r1_rule | Docker Enterprise docker.service file ownership must be set to root:root.
SV-104879r1_rule | Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.
SV-104881r1_rule | Docker Enterprise docker.socket file ownership must be set to root:root.
SV-104883r1_rule | Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.
SV-104885r1_rule | Docker Enterprise /etc/docker directory ownership must be set to root:root.
SV-104887r1_rule | Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive.
SV-104889r1_rule | Docker Enterprise registry certificate file ownership must be set to root:root.
SV-104891r1_rule | Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive.
SV-104893r1_rule | Docker Enterprise TLS certificate authority (CA) certificate file ownership must be set to root:root.
SV-104895r1_rule | Docker Enterprise TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive.
SV-104897r1_rule | Docker Enterprise server certificate file ownership must be set to root:root.
SV-104899r1_rule | Docker Enterprise server certificate file permissions must be set to 444 or more restrictive.
SV-104901r1_rule | Docker Enterprise server certificate key file ownership must be set to root:root.
SV-104903r1_rule | Docker Enterprise server certificate key file permissions must be set to 400.
SV-104905r1_rule | Docker Enterprise socket file ownership must be set to root:docker.
SV-104907r1_rule | Docker Enterprise socket file permissions must be set to 660 or more restrictive.
SV-104909r1_rule | Docker Enterprise daemon.json file ownership must be set to root:root.
SV-104911r1_rule | Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive.
SV-104913r1_rule | Docker Enterprise /etc/default/docker file ownership must be set to root:root.
SV-104915r1_rule | Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive.
SV-104917r1_rule | Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA).
SV-104919r1_rule | Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network.
SV-104921r1_rule | Docker Enterprise Swarm services must be bound to a specific host interface.
SV-104923r1_rule | Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2.
SV-105141r1_rule | The Docker Enterprise Swarm manager must be run in auto-lock mode.