STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

A policy set using the built-in role-based access control (RBAC) capabilities in the Docker Trusted Registry (DTR) component of Docker Enterprise must be set.

DISA Rule

SV-235782r627473_rule

Vulnerability Number

V-235782

Group Title

SRG-APP-000033

Rule Version

DKER-EE-001180

Severity

CAT II

CCI(s)

• CCI-000166 - The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed organization-defined actions to be covered by non-repudiation.
• CCI-000213 - The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
• CCI-001414 - The information system enforces approved authorizations for controlling the flow of information between interconnected systems based on organization-defined information flow control policies.
• CCI-001314 - The information system reveals error messages only to organization-defined personnel or roles.
• CCI-001368 - The information system enforces approved authorizations for controlling the flow of information within the system based on organization-defined information flow control policies.
• CCI-001095 - The information system manages excess capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial of service attacks.
• CCI-001090 - The information system prevents unauthorized and unintended information transfer via shared system resources.
• CCI-001094 - The information system restricts the ability of individuals to launch organization-defined denial of service attacks against other information systems.
• CCI-001764 - The information system prevents program execution in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
• CCI-001812 - The information system prohibits user installation of software without explicit privileged status.
• CCI-001813 - The information system enforces access restrictions.
• CCI-002263 - The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in process.
• CCI-002264 - The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in transmission.
• CCI-002235 - The information system prevents non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures.
• CCI-002262 - The organization provides the means to associate organization-defined types of security attributes having organization-defined security attribute values with information in storage.
• CCI-002233 - The information system prevents organization-defined software from executing at higher privilege levels than users executing the software.
• CCI-002165 - The information system enforces organization-defined discretionary access control policies over defined subjects and objects.

Weight

10

Fix Recommendation

This fix only applies to the DTR component of Docker Enterprise.

Verify that the applied organization, team and user permissions in DTR are configured per the SSP.

via UI:

As a Docker EE Admin, navigate to "Organizations" and setup the list of organizations and teams within those organizations per the requirements set forth by the SSP. Navigate to "Users" and assign users to appropriate organizations, teams and repositories per the SSP.

via CLI:

Linux (requires curl and jq): As a Docker EE admin, execute the following commands on a machine that can communicate with the DTR management console:

AUTHTOKEN=$(curl -kLsS -u <username>:<password> "https://[dtr_url]/auth/token" | jq -r .token)

Execute the following command to give teams in an organization access to the appropriate repositories per the System Security Plan:

curl -k -H "Authorization: Bearer $AUTHTOKEN" -X PUT "https://[dtr_url]/api/v0/repositories/[namespace]/[reponame]/teamAccess/[teamname]"

Execute the following commands on a machine that can communicate with the UCP management console to add/remove members to/from the team with access to these repositories as appropriate per the SSP:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)

Add: curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X PUT https://[ucp_url]/accounts/[orgNameOrID]/teams/[teamNameOrID]/members/[memberNameOrID]
Remove: curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X DELETE https://[ucp_url]/accounts/[orgNameOrID]/teams/[teamNameOrID]/members/[memberNameOrID]

Check Contents

This check only applies to the DTR component of Docker Enterprise.

Verify that the organization, team and user permissions in DTR are configured per the System Security Plan (SSP). Obtain and review SSP. Identify organization roles, teams and users.

via UI:

As a Docker EE Admin, navigate to "Organizations" and verify the list of organizations and teams within those organizations are setup per the SSP. Navigate to "Users" and verify that the list of users are assigned to appropriate organizations, teams and repositories per the SSP.

If the organization, team and user permissions in DTR are not configured per the SSP, this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE admin, execute the following commands on a machine that can communicate with the DTR management console:

AUTHTOKEN=$(curl -kLsS -u <username>:<password> "https://[dtr_url]/auth/token" | jq -r .token)

Execute the following command to verify that the teams associated with an organization have access to the appropriate repositories per the System Security Plan:

curl -k -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/accounts/[org_name]/teams/[team_name]/repositoryAccess"

Execute the following commands on a machine that can communicate with the UCP management console to verify that the members of the team with access to these repositories is appropriate per the SSP:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/accounts/[orgNameOrID]/teams/[teamNameOrID]/members

If the organization, team and user permissions in DTR are not configured per the SSP, this is a finding.

Vulnerability Number

V-235782

Documentable

False

Rule Version

DKER-EE-001180

Severity Override Guidance

This check only applies to the DTR component of Docker Enterprise.

Verify that the organization, team and user permissions in DTR are configured per the System Security Plan (SSP). Obtain and review SSP. Identify organization roles, teams and users.

via UI:

As a Docker EE Admin, navigate to "Organizations" and verify the list of organizations and teams within those organizations are setup per the SSP. Navigate to "Users" and verify that the list of users are assigned to appropriate organizations, teams and repositories per the SSP.

If the organization, team and user permissions in DTR are not configured per the SSP, this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE admin, execute the following commands on a machine that can communicate with the DTR management console:

AUTHTOKEN=$(curl -kLsS -u <username>:<password> "https://[dtr_url]/auth/token" | jq -r .token)

Execute the following command to verify that the teams associated with an organization have access to the appropriate repositories per the System Security Plan:

curl -k -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/accounts/[org_name]/teams/[team_name]/repositoryAccess"

Execute the following commands on a machine that can communicate with the UCP management console to verify that the members of the team with access to these repositories is appropriate per the SSP:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/accounts/[orgNameOrID]/teams/[teamNameOrID]/members

If the organization, team and user permissions in DTR are not configured per the SSP, this is a finding.

Check Content Reference

M

Target Key

5281

Comments