Check: DKER-EE-001080
Docker Enterprise 2.x Linux/UNIX STIG:
DKER-EE-001080
(in versions v2 r1 through v1 r1)
Title
The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise. (Cat II impact)
Discussion
The UCP and Docker Trusted Registry (DTR) components of Docker Enterprise provide audit record generation capabilities. Audit logs capture all HTTP actions for the following endpoints: Kubernetes API, Swarm API and UCP API. The following UCP API endpoints are excluded from audit logging (where "*" designates a wildcard of exclusions): "/_ping", "/ca", "/auth", "/trustedregistryca", "/kubeauth", "/metrics", "/info", "/version*", "/debug", "/openid_keys", "/apidocs", "kubernetesdocs" and "/manage". Audit log verbosity can be set to one of the following levels: "none", "metadata", or "request". To meet the requirements of this control, the "request" verbosity level must be configured in UCP. The data captured at each level for UCP and the eNZI authentication and authorization backplane is described below: "none": audit logging is disabled "metadata": - method and API endpoint for the request - UCP user which made the request - response status (success/failure) - timestamp of the call - object ID of created/updated resource (for create/update calls) - license key - remote address "request": includes all fields from the "metadata" level, as well as the request payload DTR audits all events associated with repository activities. Events are considered as follows: create, get, delete, update, send, fail, and scan. The following types are associated with the defined audit events: repository, tag, blob, manifest, webhook, uri, promotion, push mirroring, poll mirroring, garbage collector, system. The Docker Engine - Enterprise component of Docker Enterprise relies on the underlying host operating system's auditing capabilities. By default, the host OS is not configured to audit Docker Engine - Enterprise. Satisfies: SRG-APP-000016, SRG-APP-000089, SRG-APP-000515, SRG-APP-000510, SRG-APP-000509, SRG-APP-000508, SRG-APP-000507, SRG-APP-000506, SRG-APP-000505, SRG-APP-000504, SRG-APP-000503, SRG-APP-000502, SRG-APP-000501, SRG-APP-000500, SRG-APP-000499, SRG-APP-000498, SRG-APP-000497, SRG-APP-000496, SRG-APP-000495, SRG-APP-000494, SRG-APP-000493, SRG-APP-000492, SRG-APP-000484, SRG-APP-000447, SRG-APP-000381, SRG-APP-000343, SRG-APP-000101, SRG-APP-000100, SRG-APP-000099, SRG-APP-000098, SRG-APP-000097, SRG-APP-000096, SRG-APP-000095, SRG-APP-000093, SRG-APP-000092, SRG-APP-000091
Check Content
This check only applies to the UCP component of Docker Enterprise. Verify that the audit log configuration level in UCP is set to "request": Via UI: As a Docker EE Admin, navigate to "Admin Settings" | "Audit Logs" in the UCP management console, and verify "Audit Log Level" is set to "Request". If the audit log configuration level is not set to "Request", this is a finding. via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml Look for the "level" entry under the "[audit_log_configuration]" section in the output, and verify that it is set to "request". If the "level" entry under the "[audit_log_configuration]" section in the output is not set to "request", then this is a finding.
Fix Text
This fix only applies to the UCP component of Docker Enterprise. Set the remote syslog configuration in UCP: via UI: As a Docker EE Admin, navigate to "Admin Settings" | "Audit Logs" in the UCP management console, and set the "Audit Log Level" to "Request". via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml Open the "ucp-config.toml" file under the "[audit_log_configuration]" section set "level = request". Save the file. Execute the following commands to update UCP with the new configuration: curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
Additional Identifiers
Rule ID: SV-235778r627461_rule
Vulnerability ID: V-235778
Group Title: SRG-APP-000016
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000067 |
The information system monitors remote access methods. |
CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
CCI-000131 |
The information system generates audit records containing information that establishes when an event occurred. |
CCI-000132 |
The information system generates audit records containing information that establishes where the event occurred. |
CCI-000133 |
The information system generates audit records containing information that establishes the source of the event. |
CCI-000134 |
The information system generates audit records containing information that establishes the outcome of the event. |
CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
CCI-001462 |
The information system provides the capability for authorized users to capture/record and log content related to a user session. |
CCI-001464 |
The information system initiates session audits at system start-up. |
CCI-001487 |
The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event. |
CCI-001814 |
The Information system supports auditing of the enforcement actions. |
CCI-001851 |
The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited. |
CCI-002234 |
The information system audits the execution of privileged functions. |
CCI-002723 |
The information system, upon detection of a potential integrity violation, provides the capability to audit the event. |
CCI-002754 |
The information system behaves in a predictable and documented manner that reflects organizational and system objectives when invalid inputs are received. |
Controls
Number | Title |
---|---|
AC-6 (9) |
Auditing Use Of Privileged Functions |
AC-17 (1) |
Automated Monitoring / Control |
AU-3 |
Content Of Audit Records |
AU-3 (1) |
Additional Audit Information |
AU-4 (1) |
Transfer To Alternate Storage |
AU-12 |
Audit Generation |
AU-14 (1) |
System Start-Up |
AU-14 (2) |
Capture/Record And Log Content |
CM-5 (1) |
Automated Access Enforcement / Auditing |
SI-7 (8) |
Auditing Capability For Significant Events |
SI-10 (3) |
Predictable Behavior |