STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide, Version 2, Release 1, Benchmark Date: 23 Apr 2021

Docker Enterprise Swarm manager must be run in auto-lock mode.

DISA Rule

SV-235823r627596_rule

Vulnerability Number

V-235823

Group Title

SRG-APP-000176

Rule Version

DKER-EE-002400

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

If initializing a new swarm, use the command below.

docker swarm init --autolock

If enabling autolock on an existing swarm (run from a manager node), use the command below.

docker swarm update --autolock

Both commands print the unlock key (it can also be retrieved later with docker swarm unlock-key). Store that key securely, outside the managers themselves: once autolock is enabled, a manager that restarts stays locked and does not rejoin the quorum until docker swarm unlock is run with the key.

Check Contents

Ensure the swarm manager is run in auto-lock mode.

via CLI:

Linux: As a Docker EE Admin, follow the steps below using a Universal Control Plane (UCP) client bundle:

Run the command below. If it outputs an unlock key, autolock is enabled (the swarm was initialized with the --autolock flag or later updated with docker swarm update --autolock).

docker swarm unlock-key

If the output is "no unlock key is set", autolock is not enabled on the swarm, and this is a finding.
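The check above is a manual read of one command's output. The script below is an added example, not part of the DISA STIG or of Docker's own tooling, that turns it into an auditable pass/fail and also wraps the fix. It assumes the docker CLI is on PATH and already points at a swarm manager (for example through a UCP client bundle); the two strings it matches are the real Docker CLI outputs: an unlock key always starts with "SWMKEY-", and a swarm without autolock answers "no unlock key is set". Anything else (daemon unreachable, node is not a manager) is reported as unknown rather than silently passed.

```shell
#!/bin/sh
# Added example (not from the STIG or from Docker): evaluate the
# DKER-EE-002400 check result and, optionally, apply the fix.
#
# Assumptions: `docker` is on PATH and targets a swarm manager (e.g. via a
# UCP client bundle). Matched strings are real Docker CLI output: unlock keys
# begin with "SWMKEY-", and a swarm without autolock says "no unlock key is set".

# assess_unlock_key_output OUTPUT
# Classifies captured `docker swarm unlock-key` output.
#   return 0 -> autolock enabled (compliant)
#   return 1 -> autolock disabled (STIG finding)
#   return 2 -> output not recognised (not a manager, daemon unreachable, ...)
assess_unlock_key_output() {
  case "$1" in
    *"no unlock key is set"*)
      echo "FINDING: swarm managers are not running in autolock mode"
      return 1 ;;
    *SWMKEY-*)
      echo "COMPLIANT: autolock is enabled; an unlock key is set"
      return 0 ;;
    *)
      echo "UNKNOWN: unexpected output from 'docker swarm unlock-key': $1"
      return 2 ;;
  esac
}

# check_docker_autolock
# Runs the STIG check against the live daemon. stderr is merged into the
# captured text because "no unlock key is set" is reported as an error.
check_docker_autolock() {
  assess_unlock_key_output "$(docker swarm unlock-key 2>&1)"
}

# enable_autolock
# Applies the STIG fix to an existing swarm and prints only the new unlock
# key (-q). Store that key offline: every manager that restarts afterwards
# stays locked until `docker swarm unlock` is given the key.
enable_autolock() {
  docker swarm update --autolock=true >/dev/null &&
  docker swarm unlock-key -q
}

# Live check is opt-in so the file can be sourced for its functions:
#   RUN_LIVE_CHECK=1 sh check_autolock.sh
if [ "${RUN_LIVE_CHECK:-0}" = "1" ]; then
  check_docker_autolock
fi
```

Exit status 1 maps to "this is a finding" in the STIG wording; exit status 2 means the check could not be performed and should be investigated, not recorded as compliant.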

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments