Check: DKER-EE-001050
Docker Enterprise 2.x Linux/UNIX STIG:
DKER-EE-001050
(in versions v2 r1 through v1 r1)
Title
TCP socket binding for all Docker Engine - Enterprise nodes in a Universal Control Plane (UCP) cluster must be disabled. (Cat II impact)
Discussion
The UCP component of Docker Enterprise configures and leverages Swarm Mode for node-to-node cluster communication. Swarm Mode is built into Docker Engine - Enterprise and uses TLS 1.2 at a minimum for encrypting communications. Under the hood, Swarm Mode includes an embedded public key infrastructure (PKI) system. When a UCP cluster is initialized, the first node in the cluster designates itself as a manager node. That node subsequently generates a new root Certificate Authority (CA) along with a key pair, which are used to secure communications with other UCP nodes that join the swarm. One can also specify an externally-generated root CA upon initialization of a UCP cluster. The manager node also generates two tokens to use when joining additional nodes to the cluster: one worker token and one manager token. Each token includes the digest of the root CA's certificate and a randomly generated secret. When a node joins the cluster, the joining node uses the digest to validate the root CA certificate from the remote manager. The remote manager uses the secret to ensure the joining node is an approved node. Each time a new node joins the cluster, the manager issues a certificate to the node. The certificate contains a randomly generated node ID to identify the node under the certificate common name (CN) and the role under the organizational unit (OU). The node ID serves as the cryptographically secure node identity for the lifetime of the node in the current swarm. In this mutual TLS architecture, all nodes encrypt communications using a minimum of TLS 1.2, thereby satisfying the requirements of this control. This information can also be referenced at https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/ and https://docs.docker.com/ee/ucp/ucp-architecture/.
By itself, Docker Engine - Enterprise is configured by default to listen for API requests via a UNIX domain socket (or IPC socket) created at /var/run/docker.sock on supported Linux distributions and via a named pipe at npipe:////./pipe/docker_engine on Windows Server 2016 and newer. Docker Engine - Enterprise can also be configured to listen for API requests via additional socket types, including both TCP and FD (only on supported systemd-based Linux distributions). If configured to listen for API requests via the TCP socket type over TCP port 2376 and with the TLS daemon flags and certificates, then, at a minimum, TLS 1.2 is used for encryption; therefore this control is applicable and is inherently met in this configuration. If configured to listen for API requests via the TCP socket type, but without TLS verification and certificates, then the instance remains vulnerable and is not properly configured to meet the requirements of this control. If configured to listen for API requests via the FD socket type, then this control is not applicable. More information can be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-socket-option. The TCP socket binding should be disabled when running Engine as part of a UCP cluster.

Satisfies: SRG-APP-000014, SRG-APP-000141, SRG-APP-000219, SRG-APP-000383, SRG-APP-000439, SRG-APP-000440, SRG-APP-000441, SRG-APP-000442, SRG-APP-000142
Check Content
This check only applies to the Docker Engine - Enterprise component of Docker Enterprise.

Via CLI (Linux): Verify the daemon has not been started with the "-H TCP://[host]" argument by running the following command:

ps -ef | grep dockerd

If the daemon was started with "-H UNIX://", this is not a finding.
If the "-H TCP://[host]" argument appears in the output, then this is a finding.
Fix Text
This fix only applies to Docker Engine - Enterprise nodes that are part of a UCP cluster. Apply this fix to every node in the cluster.

(Linux) Execute the following command to open an override file for docker.service:

sudo systemctl edit docker.service

Remove any "-H" host daemon flags from the "ExecStart=/usr/bin/dockerd" line in the override file. Save the file and reload the config with the following command:

sudo systemctl daemon-reload

Restart Docker with the following command:

sudo systemctl restart docker.service
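The check above relies on reading the dockerd command line by eye. The following script is an added example (it is not part of the STIG or of Docker's own tooling) that automates the same decision for both the running process and a systemd override file: it walks every -H/--host argument and reports "finding" as soon as one of them binds a tcp:// socket, matching the STIG's "TCP://[host]" spelling case-insensitively. It assumes dockerd is started directly on the ExecStart= line (which is what `systemctl edit docker.service` produces) and that --host is the long form of -H, which it is for dockerd. The audit function names, the sample command lines and the temporary file in the usage are all constructed for this example.

```shell
#!/bin/sh
# Added example for DKER-EE-001050 (not STIG or Docker code).
# Classify a dockerd command line: prints "finding" if any -H/--host
# argument binds a TCP socket, otherwise "not_a_finding".

dkr_ee_001050_classify() (
    # Run in a subshell so `set -f` (no globbing of tokens like "*")
    # and the working variables do not leak into the caller.
    set -f
    cmdline=$1
    finding=0
    expect_value=0
    for tok in $cmdline; do
        # Previous token was a bare -H / --host: this token is its value.
        if [ "$expect_value" -eq 1 ]; then
            expect_value=0
            case "$tok" in
                [Tt][Cc][Pp]://*) finding=1 ;;
            esac
            continue
        fi
        case "$tok" in
            -H|--host) expect_value=1 ;;              # -H tcp://...
            -H=*|--host=*)                             # -H=tcp://... / --host=tcp://...
                val=${tok#*=}
                case "$val" in
                    [Tt][Cc][Pp]://*) finding=1 ;;
                esac
                ;;
            -H[Tt][Cc][Pp]://*) finding=1 ;;           # -Htcp://... (no separator)
        esac
    done
    if [ "$finding" -eq 1 ]; then echo finding; else echo not_a_finding; fi
)

dkr_ee_001050_check_unit_file() {
    # $1: a systemd unit or drop-in file, e.g. the override written by
    # `systemctl edit docker.service`. Every ExecStart= line that launches
    # dockerd is classified; an empty "ExecStart=" (the idiom that clears
    # the vendor value before re-setting it) is ignored.
    grep '^ExecStart=.*dockerd' "$1" | while IFS= read -r line; do
        dkr_ee_001050_classify "${line#ExecStart=}"
    done
}

dkr_ee_001050_audit_running() {
    # Mirrors the STIG's `ps -ef | grep dockerd`, but excludes the grep
    # itself via the [d] trick and prints a verdict next to each process.
    ps -eo args 2>/dev/null | grep '[d]ockerd' | while IFS= read -r line; do
        printf '%s\t%s\n' "$(dkr_ee_001050_classify "$line")" "$line"
    done
}

# Usage on constructed input (no real daemon is consulted):
#   dkr_ee_001050_classify '/usr/bin/dockerd -H unix:///var/run/docker.sock'
#   dkr_ee_001050_classify '/usr/bin/dockerd -H fd:// -H TCP://0.0.0.0:2376 --tlsverify'
#   dkr_ee_001050_check_unit_file /etc/systemd/system/docker.service.d/override.conf
#   dkr_ee_001050_audit_running
```

Note that a TCP binding with --tlsverify still counts as a finding here, exactly as in the STIG: on a UCP node the requirement is that the TCP socket is disabled, not merely encrypted. Also, the same binding can be configured through the `hosts` key in /etc/docker/daemon.json; neither the STIG's ps-based check nor this script reads that file, so a complete audit should inspect it as well.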
Additional Identifiers
Rule ID: SV-235776r627455_rule
Vulnerability ID: V-235776
Group Title: SRG-APP-000014
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 | The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000381 | The organization configures the information system to provide only essential capabilities. |
CCI-000382 | The organization configures the information system to prohibit or restrict the use of organization-defined functions, ports, protocols, and/or services. |
CCI-001184 | The information system protects the authenticity of communications sessions. |
CCI-001762 | The organization disables organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure. |
CCI-002418 | The information system protects the confidentiality and/or integrity of transmitted information. |
CCI-002420 | The information system maintains the confidentiality and/or integrity of information during preparation for transmission. |
CCI-002421 | The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detect changes to information during transmission unless otherwise protected by organization-defined alternative physical safeguards. |
CCI-002422 | The information system maintains the confidentiality and/or integrity of information during reception. |
Controls
Number | Title |
---|---|
AC-17 (2) | Protection Of Confidentiality / Integrity Using Encryption |
CM-7 | Least Functionality |
CM-7 (1) | Periodic Review |
SC-8 | Transmission Confidentiality And Integrity |
SC-8 (1) | Cryptographic Or Alternate Physical Protection |
SC-8 (2) | Pre / Post Transmission Handling |
SC-23 | Session Authenticity |