FIPS mode must be enabled on all Docker Engine - Enterprise nodes.
DISA Rule
SV-235777r627458_rule
Vulnerability Number
V-235777
Group Title
SRG-APP-000015
Rule Version
DKER-EE-001070
Severity
CAT I
CCI(s)
- CCI-001453 - The information system implements cryptographic mechanisms to protect the integrity of remote access sessions.
- CCI-001941 - The information system implements replay-resistant authentication mechanisms for network access to privileged accounts.
- CCI-001967 - The information system authenticates organization-defined devices and/or types of devices before establishing a local, remote, and/or network connection using bidirectional authentication that is cryptographically based.
- CCI-001188 - The information system generates unique session identifiers for each session with organization-defined randomness requirements.
- CCI-001199 - The information system protects the confidentiality and/or integrity of organization-defined information at rest.
- CCI-000803 - The information system implements mechanisms for authentication to a cryptographic module that meet the requirements of applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication.
- CCI-000068 - The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions.
- CCI-000197 - The information system, for password-based authentication, transmits only cryptographically-protected passwords.
- CCI-002450 - The information system implements organization-defined cryptographic uses and type of cryptography required for each use in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
- CCI-002890 - The information system implements cryptographic mechanisms to protect the integrity of nonlocal maintenance and diagnostic communications.
- CCI-003123 - The information system implements cryptographic mechanisms to protect the confidentiality of nonlocal maintenance and diagnostic communications.
Weight
10
Fix Recommendation
Enable FIPS mode on the host operating system. Start the Engine after FIPS mode is enabled on the host to automatically enable FIPS mode on the Engine.
FIPS mode can also be enabled by explicitly setting the DOCKER_FIPS=1 environment variable in an active terminal session prior to the execution of any Docker commands.
Check Contents
This check only applies to Docker Engine - Enterprise.
Verify FIPS mode is enabled on the host operating system.
Execute the following command to verify that FIPS mode is enabled on the Engine:
docker info
The "Security Options" section in the response should show a "fips" label, indicating that, when configured, the remotely accessible Engine API uses FIPS-validated digital signatures in conjunction with an approved hash function to protect the integrity of remote access sessions.
If the "fips" label is not shown in the "Security Options" section, then this is a finding.
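The check procedure above as a scripted evaluation, an added example that is not part of the STIG text or of Docker's own tooling: it looks for the "fips" label under "Security Options" in a docker info transcript and reads the host kernel's FIPS flag (assumed to live at /proc/sys/crypto/fips_enabled); the two transcripts are constructed, abridged samples.

```shell
#!/bin/sh
# Added example for DKER-EE-001070, not part of the STIG or of Docker.

# Return 0 when the "Security Options" section of a docker info transcript
# (read from stdin) lists the "fips" label, 1 otherwise. Lines belong to the
# section while they are indented deeper than the section heading.
engine_fips_enabled() {
    awk '
        function indent(s) { match(s, /^ */); return RLENGTH }
        /^ *Security Options:/ { insec = 1; hdr = indent($0); next }
        insec {
            if (indent($0) <= hdr) { insec = 0; next }
            item = $0; gsub(/^ +| +$/, "", item)
            if (item == "fips" || item == "name=fips") found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Return 0 when the kernel reports FIPS mode. The optional path argument
# (assumed default: /proc/sys/crypto/fips_enabled) allows testing on a file.
host_fips_enabled() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# Evaluate the rule for a transcript on stdin and a FIPS flag file ($1):
# prints the verdict and returns 0 for compliant, 1 for a finding.
evaluate_dker_ee_001070() {
    if ! host_fips_enabled "$1"; then echo "finding: host FIPS mode is off"; return 1; fi
    if ! engine_fips_enabled; then echo "finding: no fips label in Security Options"; return 1; fi
    echo "compliant: host and Engine report FIPS mode"
}

# Constructed, abridged docker info transcripts (not captured from real hosts).
SAMPLE_FIPS=' Containers: 3
 Security Options:
  apparmor
  seccomp
   Profile: default
  fips
 Kernel Version: (sample)'
SAMPLE_NOFIPS=' Containers: 3
 Security Options:
  apparmor
  seccomp
   Profile: default
 Kernel Version: (sample)'

# Live check of the local Engine, run only when a docker client is present.
if command -v docker >/dev/null 2>&1; then
    docker info 2>/dev/null | evaluate_dker_ee_001070 || true
fi
```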
Vulnerability Number
V-235777
Documentable
False
Rule Version
DKER-EE-001070
Severity Override Guidance
This check only applies to Docker Engine - Enterprise.
Verify FIPS mode is enabled on the host operating system.
Execute the following command to verify that FIPS mode is enabled on the Engine:
docker info
The "Security Options" section in the response should show a "fips" label, indicating that, when configured, the remotely accessible Engine API uses FIPS-validated digital signatures in conjunction with an approved hash function to protect the integrity of remote access sessions.
If the "fips" label is not shown in the "Security Options" section, then this is a finding.
Check Content Reference
M
Target Key
5281
Comments