Check: DKER-EE-001170
Docker Enterprise 2.x Linux/UNIX STIG:
DKER-EE-001170
(in versions v2 r1 through v1 r1)
Title
A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured. (Cat II impact)
Discussion
Both the UCP and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane, known as eNZi. eNZi provides UCP and DTR with role-based access control functionality to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. The eNZi backplane includes its own managed user database and also allows for LDAP integration in UCP and DTR. While role-based access control mechanisms are provided regardless of whether LDAP integration is enabled, it is recommended to enable LDAP integration to better meet the requirements of this control.
Satisfies: SRG-APP-000033, SRG-APP-000038, SRG-APP-000039, SRG-APP-000080, SRG-APP-000243, SRG-APP-000246, SRG-APP-000247, SRG-APP-000267, SRG-APP-000311, SRG-APP-000313, SRG-APP-000314, SRG-APP-000328, SRG-APP-000340, SRG-APP-000342, SRG-APP-000378, SRG-APP-000380, SRG-APP-000384
Check Content
This check only applies to the UCP component of Docker Enterprise. Verify that the applied RBAC policy sets in UCP are configured per the requirements set forth by the System Security Plan (SSP).
via UI: As a Docker EE Admin, navigate to "Access Control" | "Grants" in the UCP web console. Verify that all grants and cluster role bindings applied to Swarm are configured per the requirements set forth by the SSP. If the applied RBAC policy sets in UCP are not configured per the SSP, then this is a finding.
via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console:
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" "https://[ucp_url]/collectionGrants?subjectType=all&expandUser=true&showPaths=true"
The second URL must be quoted: left bare, the shell treats each "&" as a command separator and sends a truncated request in the background. Note also that "-k" disables TLS certificate verification; where the UCP CA certificate is available, prefer "--cacert [ucp_ca.pem]" so the token is not sent to an impersonating endpoint.
Verify that all grants applied to Swarm in the API response are configured per the requirements set forth by the SSP. If the applied RBAC policy sets in UCP are not configured per the SSP, then this is a finding.
Fix Text
This fix only applies to the UCP component of Docker Enterprise. Apply RBAC policy sets in UCP per the requirements set forth by the SSP.
via UI: As a Docker EE Admin, navigate to "Access Control" | "Grants" in the UCP web console. Create grants and cluster role bindings for Swarm per the requirements set forth by the SSP.
via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console:
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
Create grants for Swarm for applicable subjects, objects and roles using the following command:
curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X PUT https://[ucp_url]/collectionGrants/[subjectID]/[objectID]/[roleID]
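The check and fix above leave the actual comparison against the SSP to the reader. The following Python script is an added example (it is not part of the STIG and not Docker's own tooling): it mirrors the two curl calls from the Check Content (POST /auth/login, GET /collectionGrants) and the PUT from the Fix Text, then diffs the live (subjectID, objectID, roleID) triples against an SSP allowlist and applies only the grants that are missing. Assumptions, not confirmed by the page: the grants response is a JSON object with a "grants" list whose items carry "subjectID", "objectID" and "roleID" (field names taken from the PUT path); the sample response and baseline IDs are constructed.

```python
"""Audit UCP RBAC grants against an SSP-approved baseline (added example).

Network functions reproduce the STIG's curl commands; audit_grants() and
is_finding() encode the "deviation from the SSP is a finding" logic.
ASSUMPTION: GET /collectionGrants returns {"grants": [{"subjectID", "objectID",
"roleID", ...}, ...]}. All IDs below are constructed placeholders.
"""
import json
import ssl
import urllib.parse
import urllib.request

# Constructed sample of a /collectionGrants response (schema assumed, see above).
SAMPLE_RESPONSE = {
    "grants": [
        {"subjectID": "team-dev", "objectID": "/Shared/dev", "roleID": "restrictedcontrol"},
        {"subjectID": "team-ops", "objectID": "/", "roleID": "fullcontrol"},
        {"subjectID": "svc-ci", "objectID": "/Shared/dev", "roleID": "scheduler"},
    ]
}

# Constructed allowlist standing in for the grants the SSP authorises.
SSP_BASELINE = [
    ("team-dev", "/Shared/dev", "restrictedcontrol"),
    ("team-ops", "/", "fullcontrol"),
    ("svc-ci", "/Shared/ci", "scheduler"),
]


def _tls_context(cafile=None):
    # Verify the UCP certificate against a CA bundle instead of curl's -k.
    return ssl.create_default_context(cafile=cafile)


def ucp_login(ucp_url, username, password, cafile=None):
    """POST /auth/login and return the bearer token (network call)."""
    req = urllib.request.Request(
        f"https://{ucp_url}/auth/login",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=_tls_context(cafile)) as resp:
        return json.load(resp)["auth_token"]


def fetch_grants(ucp_url, token, cafile=None):
    """GET all grants with the same query string as the STIG's curl (network call)."""
    url = (f"https://{ucp_url}/collectionGrants"
           "?subjectType=all&expandUser=true&showPaths=true")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=_tls_context(cafile)) as resp:
        return json.load(resp)


def create_grant(ucp_url, token, subject_id, object_id, role_id, cafile=None):
    """PUT /collectionGrants/{subject}/{object}/{role}, as in the Fix Text (network call)."""
    path = "/".join(urllib.parse.quote(p, safe="") for p in (subject_id, object_id, role_id))
    req = urllib.request.Request(
        f"https://{ucp_url}/collectionGrants/{path}",
        headers={"Authorization": f"Bearer {token}"},
        method="PUT",
    )
    with urllib.request.urlopen(req, context=_tls_context(cafile)) as resp:
        return resp.status


def grant_triples(response):
    """Reduce the API response to a set of (subjectID, objectID, roleID) triples."""
    return {(g["subjectID"], g["objectID"], g["roleID"]) for g in response["grants"]}


def audit_grants(response, baseline):
    """Return (unexpected, missing): grants present but not in the SSP, and vice versa."""
    actual = grant_triples(response)
    expected = set(baseline)
    return sorted(actual - expected), sorted(expected - actual)


def is_finding(response, baseline):
    """STIG logic: any deviation from the SSP-approved grant set is a finding."""
    unexpected, missing = audit_grants(response, baseline)
    return bool(unexpected or missing)


def remediate_missing(ucp_url, token, response, baseline, cafile=None):
    """Apply the Fix Text for absent grants only. Grants not in the SSP are returned
    for human review rather than removed, since the page documents no removal step."""
    unexpected, missing = audit_grants(response, baseline)
    for subject_id, object_id, role_id in missing:
        create_grant(ucp_url, token, subject_id, object_id, role_id, cafile)
    return unexpected


if __name__ == "__main__":
    unexpected, missing = audit_grants(SAMPLE_RESPONSE, SSP_BASELINE)
    print("finding:", is_finding(SAMPLE_RESPONSE, SSP_BASELINE))
    print("granted but not in SSP:", unexpected)
    print("required by SSP but absent:", missing)
```

Run offline, the sample shows one grant the SSP does not authorise (svc-ci on /Shared/dev) and one it requires that is absent (svc-ci on /Shared/ci), so is_finding() is True. Against a live cluster, pass ucp_login() output to fetch_grants() and feed the result to the same functions.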
Additional Identifiers
Rule ID: SV-235781r627470_rule
Vulnerability ID: V-235781
Group Title: SRG-APP-000033
CCIs
Number | Definition
---|---
CCI-000166 | The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
CCI-000213 | The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
CCI-001090 | The information system prevents unauthorized and unintended information transfer via shared system resources.
CCI-001094 | The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.
CCI-001095 | The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
CCI-001314 | The information system reveals error messages only to organization-defined personnel or roles.
CCI-001368 | The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
CCI-001414 | The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
CCI-001764 | The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
CCI-001812 | The information system prohibits user installation of software without explicit privileged status.
CCI-001813 | The information system enforces access restrictions.
CCI-002165 | The information system enforces organization-defined discretionary access control policies over defined subjects and objects.
CCI-002233 | The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.
CCI-002235 | The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
CCI-002262 | The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
CCI-002263 | The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
CCI-002264 | The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.
Controls
Number | Title
---|---
AC-3 | Access Enforcement
AC-3 (4) | Discretionary Access Control
AC-4 | Information Flow Enforcement
AC-6 (8) | Privilege Levels For Code Execution
AC-6 (10) | Prohibit Non-Privileged Users From Executing Privileged Functions
AC-16 | Security Attributes
AU-10 | Non-Repudiation
CM-5 (1) | Automated Access Enforcement / Auditing
CM-7 (2) | Prevent Program Execution
CM-11 (2) | Prohibit Installation Without Privileged Status
SC-4 | Information In Shared Resources
SC-5 (1) | Restrict Internal Users
SC-5 (2) | Excess Capacity / Bandwidth / Redundancy
SI-11 | Error Handling