STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

The Create repository on push option in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.

DISA Rule

SV-235796r627515_rule

Vulnerability Number

V-235796

Group Title

SRG-APP-000141

Rule Version

DKER-EE-001900

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the DTR component of Docker Enterprise.

Disable the "Create repository on push" option in DTR:

via UI:

As a Docker EE Admin, navigate to "System" | "General" in the DTR management console. Click the "Create repository on push" slider to disable this capability.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the DTR management console:

AUTHTOKEN=$(curl -sk -u <username>:<password> "https://[dtr_url]/auth/token" | jq -r .token)
# "createRepositoryOnPush" must be posted as false to disable the option (posting true re-enables it)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -X POST -d '{"createRepositoryOnPush":false}' -H 'Content-Type: application/json' "https://[dtr_url]/api/v0/meta/settings"

Check Contents

This check only applies to the DTR component of Docker Enterprise.

Verify that the "Create repository on push" option is disabled in DTR:

via UI:

As a Docker EE Admin, navigate to "System" | "General" in the DTR management console. Verify that the "Create repository on push" slider is turned off.

via CLI:

Linux (requires curl and jq):

AUTHTOKEN=$(curl -sk -u <username>:<password> "https://[dtr_url]/auth/token" | jq -r .token)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/meta/settings"

Look for the "createRepositoryOnPush" field in the output and verify that it is set to "false". If it is not, then this is a finding.
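The fix and check above both drive the same DTR settings endpoint. The following script is an added example, not part of the STIG text or of Docker Enterprise: it obtains a bearer token from /auth/token, reads /api/v0/meta/settings (both paths taken from the check), and reports whether DKER-EE-001900 is a finding. The function and environment variable names (DTR_URL, DTR_USER, DTR_PASSWORD, DTR_CA_BUNDLE) and the embedded sample responses are assumptions. Unlike the curl -k commands in the check, it verifies the DTR certificate against a supplied CA bundle, and it treats a missing field as a finding because the check requires the value to be explicitly false.

```python
"""Assess DKER-EE-001900 ("Create repository on push" disabled in DTR).

Added example, not STIG or Docker code. Endpoint paths come from the STIG
check; function names, environment variables and sample JSON are assumed.
"""
import json
import os
import ssl
import sys
import urllib.request
from base64 import b64encode

TOKEN_PATH = "/auth/token"              # from the STIG check
SETTINGS_PATH = "/api/v0/meta/settings"  # from the STIG check
FIELD = "createRepositoryOnPush"         # field name from the STIG check


def evaluate_settings(settings):
    """Return (is_finding, message) for a parsed settings document.

    Only an explicit JSON false is compliant; a missing field or any other
    value (true, a string, null) is reported as a finding.
    """
    if FIELD not in settings:
        return True, f"{FIELD} missing from settings: finding"
    value = settings[FIELD]
    if value is False:
        return False, f"{FIELD}=false: not a finding"
    return True, f"{FIELD}={json.dumps(value)}: finding"


def evaluate_settings_json(text):
    """Parse the raw response body (as curl would print it) and evaluate it."""
    return evaluate_settings(json.loads(text))


def get_token(dtr_url, username, password, ctx):
    """Exchange basic credentials for a bearer token (mirrors the curl -u step)."""
    req = urllib.request.Request(dtr_url.rstrip("/") + TOKEN_PATH)
    cred = b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)["token"]


def fetch_settings(dtr_url, token, ctx):
    """GET the DTR settings document with the bearer token."""
    req = urllib.request.Request(dtr_url.rstrip("/") + SETTINGS_PATH)
    req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


# Constructed sample responses (not captured from a real DTR) so the
# evaluation logic can be exercised without network access.
SAMPLE_COMPLIANT = '{"dtrHost": "dtr.example.invalid", "createRepositoryOnPush": false}'
SAMPLE_FINDING = '{"dtrHost": "dtr.example.invalid", "createRepositoryOnPush": true}'
SAMPLE_MISSING = '{"dtrHost": "dtr.example.invalid"}'


def main():
    # Assumed environment variables; DTR_CA_BUNDLE points at the CA that signed
    # the DTR certificate so TLS is verified instead of skipped as with curl -k.
    dtr_url = os.environ["DTR_URL"]
    ctx = ssl.create_default_context(cafile=os.environ.get("DTR_CA_BUNDLE"))
    token = get_token(dtr_url, os.environ["DTR_USER"], os.environ["DTR_PASSWORD"], ctx)
    finding, message = evaluate_settings(fetch_settings(dtr_url, token, ctx))
    print(("FINDING: " if finding else "OK: ") + message)
    return 1 if finding else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it with DTR_URL, DTR_USER, DTR_PASSWORD and DTR_CA_BUNDLE set; a non-zero exit status marks the finding so the script can be dropped into a scheduled compliance job. The same evaluate_settings function can be pointed at the output of the curl command in the check if the API call has already been captured.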

Vulnerability Number

V-235796

Documentable

False

Rule Version

DKER-EE-001900

Severity Override Guidance


Check Content Reference

M

Target Key

5281

Comments