Check: DKER-EE-001070
Docker Enterprise 2.x Linux/UNIX STIG:
DKER-EE-001070
(in versions v2 r1 through v1 r1)
Title
FIPS mode must be enabled on all Docker Engine - Enterprise nodes. (Cat I impact)
Discussion
When FIPS mode is enabled on a Docker Engine - Enterprise node, it uses FIPS-validated cryptography to protect the confidentiality of remote access sessions to any bound TCP sockets with TLS enabled and configured. FIPS mode in Docker Engine - Enterprise is automatically enabled when FIPS mode is also enabled on the underlying host operating system. This control is only configurable for the Docker Engine - Enterprise component of Docker Enterprise as only the Engine includes FIPS-validated cryptography. Neither Universal Control Plane (UCP) nor Docker Trusted Registry (DTR) include FIPS-validated cryptography at this time. However, both UCP and DTR will include FIPS-validated cryptography in a future release. Therefore, for UCP/DTR this control is applicable but not yet met. Satisfies: SRG-APP-000015, SRG-APP-000231, SRG-APP-000014, SRG-APP-000570, SRG-APP-000395, SRG-APP-000514, SRG-APP-000416, SRG-APP-000156, SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000411, SRG-APP-000412, SRG-APP-000555, SRG-APP-000635
Check Content
This check only applies to Docker Engine - Enterprise. Verify FIPS mode is enabled on the host operating system. Execute the following command to verify that FIPS mode is enabled on the Engine: docker info The "Security Options" section in the response should show a "fips" label, indicating that, when configured, the remotely accessible Engine API uses FIPS-validated digital signatures in conjunction with an approved hash function to protect the integrity of remote access sessions. If the "fips" label is not shown in the "Security Options" section, then this is a finding.
Fix Text
Enable FIPS mode on the host operating system. Start the Engine after FIPS mode is enabled on the host to automatically enable FIPS mode on the Engine. FIPS mode can also be enabled by explicitly setting the DOCKER_FIPS=1 environment variable in an active terminal session prior to the execution of any Docker commands.
Additional Identifiers
Rule ID: SV-235777r627458_rule
Vulnerability ID: V-235777
Group Title: SRG-APP-000015
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
CCI-000197 |
The information system, for password-based authentication, transmits only cryptographically-protected passwords. |
CCI-000803 |
The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. |
CCI-001188 |
The information system generates unique session identifiers for each session with organization-defined randomness requirements. |
CCI-001199 |
The information system protects the confidentiality and/or integrity of organization-defined information at rest. |
CCI-001453 |
The information system implements cryptographic mechanisms to protect the integrity of remote access sessions. |
CCI-001941 |
The information system implements replay-resistant authentication mechanisms for network access to privileged accounts. |
CCI-001967 |
The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based. |
CCI-002450 |
The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. |
CCI-002890 |
The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications. |
CCI-003123 |
The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications. |
Controls
Number | Title |
---|---|
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |
IA-2 (8) |
Network Access To Privileged Accounts - Replay Resistant |
IA-3 (1) |
Cryptographic Bidirectional Authentication |
IA-5 (1) |
Password-Based Authentication |
IA-7 |
Cryptographic Module Authentication |
MA-4 (6) |
Cryptographic Protection |
SC-13 |
Cryptographic Protection |
SC-23 (3) |
Unique Session Identifiers With Randomization |
SC-28 |
Protection Of Information At Rest |