STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The option in Universal Control Plane (UCP) allowing users and administrators to schedule containers on all nodes, including UCP managers and Docker Trusted Registry (DTR) nodes must be disabled in Docker Enterprise.

DISA Rule

SV-235795r627512_rule

Vulnerability Number

V-235795

Group Title

SRG-APP-000141

Rule Version

DKER-EE-001890

Severity

CAT II

CCI(s)

• CCI-000381 - The organization configures the information system to provide only essential capabilities.

Weight

10

Fix Recommendation

This fix only applies to the UCP component of Docker Enterprise.

Prevent admins and users from being able to schedule containers on manager nodes and DTR nodes.

via UI:

As a Docker EE Admin, navigate to "Admin Settings" | "Scheduler" in the UCP management console. Uncheck both the "Allow administrators to deploy containers on UCP managers or nodes running DTR" and "Allow users to schedule on all nodes, including UCP managers and DTR nodes" options. Click "Save".

via CLI:

Linux: As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the "ucp-config.toml" file, set the "enable_admin_ucp_scheduling" entry under the "[scheduling_configuration]" section to "false". Save the file.

Execute the following commands to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml

Delete the Grant for the "Scheduler" role against the "/" collection for the "docker-datacenter" organization by executing the following command:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X DELETE https://[ucp_url]/collectionGrants/[subjectID]/[objectID]/[roleID]

Check Contents

Verify that admins and users are not allowed to schedule containers on manager nodes and DTR nodes.

via UI:

As a Docker EE Admin, navigate to "Admin Settings" | "Scheduler" in the UCP management console. Verify that the "Allow administrators to deploy containers on UCP managers or nodes running DTR" and "Allow users to schedule on all nodes, including UCP managers and DTR nodes" options are both unchecked.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Look for the "enable_admin_ucp_scheduling" entry under the "[scheduling_configuration]" section in the output, and verify that it is set to "false".
If "enable_admin_ucp_scheduling" is not set to "false", this is a finding.

Execute the following command:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/collectionGrants?subjectType=all&expandUser=true&showPaths=true

Ensure a Grant for the "Scheduler" role against the "/" collection for the "docker-datacenter" organization does not exist in the output. If it does, then this is a finding.

Vulnerability Number

V-235795

Documentable

False

Rule Version

DKER-EE-001890

Severity Override Guidance

Verify that admins and users are not allowed to schedule containers on manager nodes and DTR nodes.

via UI:

As a Docker EE Admin, navigate to "Admin Settings" | "Scheduler" in the UCP management console. Verify that the "Allow administrators to deploy containers on UCP managers or nodes running DTR" and "Allow users to schedule on all nodes, including UCP managers and DTR nodes" options are both unchecked.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Look for the "enable_admin_ucp_scheduling" entry under the "[scheduling_configuration]" section in the output, and verify that it is set to "false".
If "enable_admin_ucp_scheduling" is not set to "false", this is a finding.

Execute the following command:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/collectionGrants?subjectType=all&expandUser=true&showPaths=true

Ensure a Grant for the "Scheduler" role against the "/" collection for the "docker-datacenter" organization does not exist in the output. If it does, then this is a finding.

Check Content Reference

M

Target Key

5281

Comments