Check: DKER-EE-001100
Docker Enterprise 2.x Linux/UNIX STIG:
DKER-EE-001100
(in versions v2 r1 through v1 r1)
Title
LDAP integration in Docker Enterprise must be configured. (Cat II impact)
Discussion
Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane provides automated mechanisms for supporting account management functions and allows for LDAP integration in UCP and DTR. While eNZi includes its own managed user database, it is recommended that LDAP integration be configured to more completely satisfy the requirements of this control.

Satisfies: SRG-APP-000023, SRG-APP-000405, SRG-APP-000404, SRG-APP-000403, SRG-APP-000401, SRG-APP-000397, SRG-APP-000392, SRG-APP-000148, SRG-APP-000141, SRG-APP-000391
Check Content
Verify that LDAP integration is enabled and properly configured in the UCP Admin Settings, and verify that the LDAP/AD server is configured per the requirements set forth in the appropriate OS STIG.

via UI:
In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify that "LDAP Enabled" is set to "Yes" and that it is properly configured. If it is not set to "Yes" and the LDAP server is not configured, then this is a finding.

via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Look for the "backend" entry under the "[auth]" section in the output, and verify that it is set to "ldap".

*NOTE: For security reasons, the "[auth.ldap]" section is not stored in the config file and can only be viewed from the UCP Admin Settings UI.

If the "backend =" entry under the "[auth]" section in the output is not set to "ldap", then this is a finding.
Fix Text
Enable and configure LDAP integration in the UCP Admin Settings.

via UI:
In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization", set "LDAP Enabled" to "Yes", and properly configure the LDAP/AD settings as per the appropriate OS STIG.

via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on either a UCP Manager node or using a UCP client bundle. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the "ucp-config.toml" file, set the "backend" entry under the "[auth]" section to "ldap", and add an "[auth.ldap]" sub-section per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authldap-optional. Save the file.

Execute the following command to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
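An added example, not part of the STIG text or of Docker's own tooling: a POSIX sh script that automates the CLI check above and the post-fix verification by parsing the exported config TOML section by section, so that a "backend" key outside "[auth]" or a commented-out line is not mistaken for the setting. UCP_URL, UCP_USERNAME and UCP_PASSWORD are assumed environment variables standing in for the [ucp_*] placeholders, and the embedded sample configs are constructed for offline use.

```shell
#!/bin/sh
# Added example, not part of the STIG text: automates the DKER-EE-001100
# check by testing whether "backend" under "[auth]" in the UCP config TOML
# is "ldap". "[auth.ldap]" is not exported, so review it in the UI.

# Reads TOML on stdin; exit 0 when [auth] backend = "ldap", 1 otherwise.
# Section-aware: "backend" in another section or commented out does not count.
auth_backend_is_ldap() {
    awk '
        /^[[:space:]]*\[/ { section = $0; gsub(/[[:space:]]/, "", section) }
        section == "[auth]" && /^[[:space:]]*backend[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)   # keep the right-hand side
            sub(/[[:space:]]*#.*$/, "", val)      # drop a trailing comment
            gsub(/"/, "", val)                    # strip quotes
            if (val == "ldap") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Prints the verdict in STIG terms; returns 0 (not a finding) or 1 (finding).
check_dker_ee_001100() {
    if auth_backend_is_ldap; then
        echo 'DKER-EE-001100: not a finding ([auth] backend is "ldap")'
        return 0
    fi
    echo 'DKER-EE-001100: FINDING ([auth] backend is not "ldap")'
    return 1
}

# Live retrieval as in the STIG check; UCP_URL, UCP_USERNAME and UCP_PASSWORD
# are assumed environment variables replacing the [ucp_*] placeholders.
fetch_ucp_config() {
    token=$(curl -sk -d "{\"username\":\"$UCP_USERNAME\",\"password\":\"$UCP_PASSWORD\"}" \
        "https://$UCP_URL/auth/login" | jq -r .auth_token)
    curl -sk -H "Authorization: Bearer $token" "https://$UCP_URL/api/ucp/config-toml"
}
# Constructed samples for offline use; [decoy] is not a real UCP section.
SAMPLE_PASS='[auth]
backend = "ldap"   # [auth.ldap] is deliberately absent from the export'
SAMPLE_FAIL='[auth]
# backend = "ldap"
backend = "managed"
[decoy]
backend = "ldap"'

printf '%s\n' "$SAMPLE_PASS" | check_dker_ee_001100
printf '%s\n' "$SAMPLE_FAIL" | check_dker_ee_001100 || true
```

Against a live cluster, run `fetch_ucp_config | check_dker_ee_001100` with the three environment variables set.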
Additional Identifiers
Rule ID: SV-235780r627467_rule
Vulnerability ID: V-235780
Group Title: SRG-APP-000023
CCIs
Number | Definition |
---|---|
CCI-000015 | The organization employs automated mechanisms to support the information system account management functions. |
CCI-000381 | The organization configures the information system to provide only essential capabilities. |
CCI-000764 | The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users). |
CCI-001953 | The information system accepts Personal Identity Verification (PIV) credentials. |
CCI-001954 | The information system electronically verifies Personal Identity Verification (PIV) credentials. |
CCI-001991 | The information system, for PKI-based authentication, implements a local cache of revocation data to support path discovery and validation in case of inability to access revocation information via the network. |
CCI-002010 | The information system electronically verifies Personal Identity Verification (PIV) credentials from other federal agencies. |
CCI-002011 | The information system accepts FICAM-approved third-party credentials. |
CCI-002014 | The information system conforms to FICAM-issued profiles. |
CCI-002041 | The information system allows the use of a temporary password for system logons with an immediate change to a permanent password. |
Controls
Number | Title |
---|---|
AC-2 (1) | Automated System Account Management |
CM-7 | Least Functionality |
IA-2 | Identification And Authentication (Organizational Users) |
IA-2 (12) | Acceptance Of PIV Credentials |
IA-5 (1) | Password-Based Authentication |
IA-5 (2) | PKI-Based Authentication |
IA-8 (1) | Acceptance Of PIV Credentials From Other Agencies |
IA-8 (2) | Acceptance Of Third-Party Credentials |
IA-8 (4) | Use Of FICAM-Issued Profiles |