STIGQter STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

LDAP integration in Docker Enterprise must be configured.

DISA Rule

SV-235780r627467_rule

Vulnerability Number

V-235780

Group Title

SRG-APP-000023

Rule Version

DKER-EE-001100

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Enable and configure LDAP integration in the UCP Admin Settings.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and set "LDAP Enabled" to "Yes" and properly configure the LDAP/AD settings as per the appropriate OS STIG.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on either a UCP Manager node or using a UCP client bundle. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the "ucp-config.toml" file, set the "backend" entry under the "[auth]" section to "ldap", and add an "[auth.ldap]" sub-section per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authldap-optional. Save the file.

Execute the following commands to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml

Check Contents

Verify that LDAP integration is enabled and properly configured in the UCP Admin Settings and verify that the LDAP/AD server is configured per the requirements set forth
in the appropriate OS STIG.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify "LDAP Enabled" is set to "Yes" and that it is properly configured.

If it is not set to yes and if the LDAP server is not configured then this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Look for the "backend" entry under the "[auth]" section in the output, and verify that it is set to "ldap". *NOTE: For security reasons, the "[auth.ldap]" section is not stored in the config file and can only be viewed from the UCP Admin Settings UI.

If the "backend =" entry under the "[auth]" section in the output is not set to "ldap", then this is a finding.

Vulnerability Number

V-235780

Documentable

False

Rule Version

DKER-EE-001100

Severity Override Guidance

Verify that LDAP integration is enabled and properly configured in the UCP Admin Settings and verify that the LDAP/AD server is configured per the requirements set forth
in the appropriate OS STIG.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify "LDAP Enabled" is set to "Yes" and that it is properly configured.

If it is not set to yes and if the LDAP server is not configured then this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Look for the "backend" entry under the "[auth]" section in the output, and verify that it is set to "ldap". *NOTE: For security reasons, the "[auth.ldap]" section is not stored in the config file and can only be viewed from the UCP Admin Settings UI.

If the "backend =" entry under the "[auth]" section in the output is not set to "ldap", then this is a finding.

Check Content Reference

M

Target Key

5281

Comments