STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:SV-235821r627590_rule
V-235821
SRG-APP-000149
DKER-EE-002180
CAT II
10
Enable and configure SAML integration in the UCP Admin Settings.
via UI:
In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and set "SAML Enabled" to "Yes" and properly configure the SAML settings.
via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml
Open the "ucp-config.toml" file. Set the "samlEnabled" entry under the "[auth]" section to "true". Set the "idpMetadataURL" and "spHost" entries under the "[auth.saml]" to appropriate values per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authsaml-optional. Save the file.
Execute the following commands to update UCP with the new configuration:
curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
Verify that SAML integration is enabled and properly configured in the UCP Admin Settings.
via UI:
In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify "SAML Enabled" is set to "Yes" and that it is properly configured. If SAML authentication is not enabled, this is a finding.
via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml
Verify that the "samlEnabled" entry under the "[auth]" section is set to "true".
If the "samlEnabled" entry under the "[auth]" section is not set to "true", then this is a finding.
V-235821
False
DKER-EE-002180
Verify that SAML integration is enabled and properly configured in the UCP Admin Settings.
via UI:
In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify "SAML Enabled" is set to "Yes" and that it is properly configured. If SAML authentication is not enabled, this is a finding.
via CLI:
Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.
AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml
Verify that the "samlEnabled" entry under the "[auth]" section is set to "true".
If the "samlEnabled" entry under the "[auth]" section is not set to "true", then this is a finding.
M
5281