Checked | Name | Title |
---|---|---|
☐ | SV-235775r627452_rule | The Docker Enterprise Per User Limit Login Session Control in the Universal Control Plane (UCP) Admin Settings must be set to an organization-defined value for all accounts and/or account types. |
☐ | SV-235776r627455_rule | TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. |
☐ | SV-235777r627458_rule | FIPS mode must be enabled on all Docker Engine - Enterprise nodes. |
☐ | SV-235778r627461_rule | The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise. |
☐ | SV-235779r627464_rule | The host operating system's auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set. |
☐ | SV-235780r627467_rule | LDAP integration in Docker Enterprise must be configured. |
☐ | SV-235781r627470_rule | A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. |
☐ | SV-235782r627473_rule | A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set. |
☐ | SV-235783r627476_rule | Docker Enterprise sensitive host system directories must not be mounted on containers. |
☐ | SV-235784r627479_rule | The Docker Enterprise host's process namespace must not be shared. |
☐ | SV-235785r627482_rule | The Docker Enterprise host's IPC namespace must not be shared. |
☐ | SV-235786r627485_rule | log-opts on all Docker Engine - Enterprise nodes must be configured. |
☐ | SV-235787r627488_rule | Docker Enterprise must alert the ISSO and SA (at a minimum) in the event of an audit processing failure. |
☐ | SV-235788r627491_rule | Docker Inc.'s official GPG key must be added to the host using the user's operating system's respective package repository management tooling. |
☐ | SV-235789r627494_rule | The insecure registry capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. |
☐ | SV-235790r627497_rule | On Linux, a non-AUFS storage driver in the Docker Engine - Enterprise component of Docker Enterprise must be used. |
☐ | SV-235791r627500_rule | The userland proxy capability in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. |
☐ | SV-235792r627503_rule | Experimental features in the Docker Engine - Enterprise component of Docker Enterprise must be disabled. |
☐ | SV-235793r627506_rule | The Docker Enterprise self-signed certificates in Universal Control Plane (UCP) must be replaced with DoD trusted, signed certificates. |
☐ | SV-235794r627509_rule | The Docker Enterprise self-signed certificates in Docker Trusted Registry (DTR) must be replaced with DoD trusted, signed certificates. |
☐ | SV-235795r627512_rule | The option in Universal Control Plane (UCP) allowing users and administrators to schedule containers on all nodes, including UCP managers and Docker Trusted Registry (DTR) nodes, must be disabled in Docker Enterprise. |
☐ | SV-235796r627515_rule | The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise. |
☐ | SV-235797r627518_rule | Periodic data usage and analytics reporting in Universal Control Plane (UCP) must be disabled in Docker Enterprise. |
☐ | SV-235798r627521_rule | Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise. |
☐ | SV-235799r627524_rule | An appropriate AppArmor profile must be enabled on Ubuntu systems for Docker Enterprise. |
☐ | SV-235800r627527_rule | SELinux security options must be set on Red Hat or CentOS systems for Docker Enterprise. |
☐ | SV-235801r627530_rule | Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise. |
☐ | SV-235802r672378_rule | Privileged Linux containers must not be used for Docker Enterprise. |
☐ | SV-235803r627536_rule | SSH must not run within Linux containers for Docker Enterprise. |
☐ | SV-235804r627539_rule | Only required ports must be open on the containers in Docker Enterprise. |
☐ | SV-235805r627542_rule | The Docker Enterprise host's network namespace must not be shared. |
☐ | SV-235806r627545_rule | Memory usage for all containers must be limited in Docker Enterprise. |
☐ | SV-235807r627548_rule | Docker Enterprise CPU priority must be set appropriately on all containers. |
☐ | SV-235808r627551_rule | All Docker Enterprise containers' root filesystem must be mounted as read only. |
☐ | SV-235809r627554_rule | Docker Enterprise host devices must not be directly exposed to containers. |
☐ | SV-235810r627557_rule | Mount propagation mode must not be set to shared in Docker Enterprise. |
☐ | SV-235811r627560_rule | The Docker Enterprise host's UTS namespace must not be shared. |
☐ | SV-235812r627563_rule | The Docker Enterprise default seccomp profile must not be disabled. |
☐ | SV-235813r627566_rule | Docker Enterprise exec commands must not be used with the privileged option. |
☐ | SV-235814r627569_rule | Docker Enterprise exec commands must not be used with the user option. |
☐ | SV-235815r627572_rule | cgroup usage must be confirmed in Docker Enterprise. |
☐ | SV-235816r672380_rule | All Docker Enterprise containers must be restricted from acquiring additional privileges. |
☐ | SV-235817r627578_rule | The Docker Enterprise host's user namespace must not be shared. |
☐ | SV-235818r627581_rule | The Docker Enterprise socket must not be mounted inside any containers. |
☐ | SV-235819r627584_rule | Docker Enterprise privileged ports must not be mapped within containers. |
☐ | SV-235820r627587_rule | Docker Enterprise incoming container traffic must be bound to a specific host interface. |
☐ | SV-235821r627590_rule | SAML integration must be enabled in Docker Enterprise. |
☐ | SV-235822r627593_rule | The certificate chain used by Universal Control Plane (UCP) client bundles must match what is defined in the System Security Plan (SSP) in Docker Enterprise. |
☐ | SV-235823r627596_rule | Docker Enterprise Swarm manager must be run in auto-lock mode. |
☐ | SV-235824r627599_rule | Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster. |
☐ | SV-235825r627602_rule | The Lifetime Minutes and Renewal Threshold Minutes Login Session Controls must be set to 10 and 0 respectively in Docker Enterprise. |
☐ | SV-235826r627605_rule | Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise. |
☐ | SV-235827r627608_rule | Docker Enterprise container health must be checked at runtime. |
☐ | SV-235828r627611_rule | PIDs cgroup limits must be used in Docker Enterprise. |
☐ | SV-235829r627614_rule | The Docker Enterprise per user limit login session control must be set per the requirements in the System Security Plan (SSP). |
☐ | SV-235830r627617_rule | Docker Enterprise images must be built with the USER instruction to prevent containers from running as root. |
☐ | SV-235831r627620_rule | An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR). |
☐ | SV-235832r695335_rule | The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP). |
☐ | SV-235833r627626_rule | All Docker Engine - Enterprise nodes must be configured with a log driver plugin that sends logs to a remote log aggregation system (SIEM). |
☐ | SV-235834r627629_rule | Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceeds 75% usage. |
☐ | SV-235835r627632_rule | Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events. |
☐ | SV-235836r627635_rule | The Docker Enterprise log aggregation/SIEM systems must be configured to send an alert to the ISSO/ISSM when unauthorized software is installed. |
☐ | SV-235837r627638_rule | Docker Enterprise network ports on all running containers must be limited to what is needed. |
☐ | SV-235838r627641_rule | Content Trust enforcement must be enabled in Universal Control Plane (UCP) in Docker Enterprise. |
☐ | SV-235839r627644_rule | Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise. |
☐ | SV-235840r627647_rule | Vulnerability scanning must be enabled for all repositories in the Docker Trusted Registry (DTR) component of Docker Enterprise. |
☐ | SV-235841r627650_rule | Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise. |
☐ | SV-235842r627653_rule | Docker Trusted Registry (DTR) must be integrated with a trusted certificate authority (CA) in Docker Enterprise. |
☐ | SV-235843r627656_rule | The on-failure container restart policy must be set to 5 in Docker Enterprise. |
☐ | SV-235844r627659_rule | The Docker Enterprise default ulimit must not be overwritten at runtime unless approved in the System Security Plan (SSP). |
☐ | SV-235845r627662_rule | Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading. |
☐ | SV-235846r627665_rule | Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise. |
☐ | SV-235847r627668_rule | Docker Content Trust enforcement must be enabled in Universal Control Plane (UCP). |
☐ | SV-235848r627671_rule | Docker Swarm must have the minimum number of manager nodes. |
☐ | SV-235849r627674_rule | Docker Enterprise Swarm manager auto-lock key must be rotated periodically. |
☐ | SV-235850r627677_rule | Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP). |
☐ | SV-235851r627680_rule | Docker Enterprise docker.service file ownership must be set to root:root. |
☐ | SV-235852r627683_rule | Docker Enterprise docker.service file permissions must be set to 644 or more restrictive. |
☐ | SV-235853r627686_rule | Docker Enterprise docker.socket file ownership must be set to root:root. |
☐ | SV-235854r627689_rule | Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive. |
☐ | SV-235855r627692_rule | Docker Enterprise /etc/docker directory ownership must be set to root:root. |
☐ | SV-235856r627695_rule | Docker Enterprise /etc/docker directory permissions must be set to 755 or more restrictive. |
☐ | SV-235857r627698_rule | Docker Enterprise registry certificate file ownership must be set to root:root. |
☐ | SV-235858r627701_rule | Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive. |
☐ | SV-235859r627704_rule | Docker Enterprise TLS certificate authority (CA) certificate file ownership must be set to root:root. |
☐ | SV-235860r627707_rule | Docker Enterprise TLS certificate authority (CA) certificate file permissions must be set to 444 or more restrictive. |
☐ | SV-235861r627710_rule | Docker Enterprise server certificate file ownership must be set to root:root. |
☐ | SV-235862r627713_rule | Docker Enterprise server certificate file permissions must be set to 444 or more restrictive. |
☐ | SV-235863r627716_rule | Docker Enterprise server certificate key file ownership must be set to root:root. |
☐ | SV-235864r627719_rule | Docker Enterprise server certificate key file permissions must be set to 400. |
☐ | SV-235865r627722_rule | Docker Enterprise socket file ownership must be set to root:docker. |
☐ | SV-235866r627725_rule | Docker Enterprise socket file permissions must be set to 660 or more restrictive. |
☐ | SV-235867r627728_rule | Docker Enterprise daemon.json file ownership must be set to root:root. |
☐ | SV-235868r627731_rule | Docker Enterprise daemon.json file permissions must be set to 644 or more restrictive. |
☐ | SV-235869r627734_rule | Docker Enterprise /etc/default/docker file ownership must be set to root:root. |
☐ | SV-235870r627737_rule | Docker Enterprise /etc/default/docker file permissions must be set to 644 or more restrictive. |
☐ | SV-235871r627740_rule | Docker Enterprise Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA). |
☐ | SV-235872r627743_rule | Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network. |
☐ | SV-235873r627746_rule | Docker Enterprise Swarm services must be bound to a specific host interface. |
☐ | SV-235874r627749_rule | Docker Enterprise Universal Control Plane (UCP) must be configured to use TLS 1.2. |