STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Vulnerability scanning must be enabled for all repositories in the Docker Trusted Registry (DTR) component of Docker Enterprise.

DISA Rule

SV-235840r627647_rule

Vulnerability Number

V-235840

Group Title

SRG-APP-000414

Rule Version

DKER-EE-003840

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the DTR component of Docker Enterprise.

Enable vulnerability scanning:

via UI:

As a Docker EE Admin, navigate to "System" | "Security" in the DTR management console. Click the "Enable Scanning" slider to enable this capability. Sync (online) or upload (offline) the vulnerability database.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the DTR management console (the curl -k flag disables TLS certificate verification; omit it once the client trusts the DTR certificate chain):

AUTHTOKEN=$(curl -sk -u <username>:<password> "https://[dtr_url]/auth/token" | jq -r .token)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -X POST -d '{"scanningEnabled":true}' -H 'Content-Type: application/json' "https://[dtr_url]/api/v0/meta/settings"

If DTR is offline, upload the latest vulnerability database (retrievable via Docker Enterprise subscription):

AUTHTOKEN=$(curl -sk -u <username>:<password> "https://[dtr_url]/auth/token" | jq -r .token)
UPDATE_FILE="[path_to_cve_database].tar"
curl -k -H "Authorization: Bearer $AUTHTOKEN" -H "Content-Type: multipart/form-data" -H "Accept: application/json" -X PUT -F upload=@${UPDATE_FILE} "https://[dtr_url]/api/v0/imagescan/scan/update?online=false"

Check Contents

This check only applies to the DTR component of Docker Enterprise.

Check that image vulnerability scanning is enabled for all repositories:

via UI:

As a Docker EE Admin, navigate to "System" | "Security" in the DTR management console. Verify that the "Enable Scanning" slider is turned on and that the vulnerability database has been successfully synced (online)/uploaded (offline).

If "Enable Scanning" is turned off, or if the vulnerability database has not been synced or uploaded, this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the DTR management console (the curl -k flag disables TLS certificate verification; omit it once the client trusts the DTR certificate chain):

AUTHTOKEN=$(curl -sk -u <username>:<password> "https://[dtr_url]/auth/token" | jq -r .token)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/imagescan/status"

Verify that the response is successful with HTTP status code 200, then locate the "lastDBUpdateFailed" and "lastVulnOverridesDBUpdateFailed" properties in the response body and verify that both are "false".

If the response is not 200, or if either property is not "false", this is a finding.
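The fix and check above can be scripted against the same two DTR endpoints. The following is an added example for this page, not part of the STIG and not Docker's own tooling: it obtains a bearer token from /auth/token, optionally POSTs {"scanningEnabled": true} to /api/v0/meta/settings, then evaluates /api/v0/imagescan/status exactly as the check describes (HTTP 200 and both failure flags false). It also reads /api/v0/meta/settings and expects a "scanningEnabled" field back, which is an assumption (the page only shows that field being written); the sample response bodies and the DTR_PASSWORD environment variable are constructed for illustration.

```python
"""Enable DTR image scanning and evaluate DKER-EE-003840 via the DTR REST API.

Added example; not from the STIG or from Docker. Endpoints and the two status
flags are taken from the STIG text; reading "scanningEnabled" back from
GET /api/v0/meta/settings is an assumption.
"""
import base64
import json
import ssl
import urllib.error
import urllib.request


def _request(base_url, path, method="GET", token=None, basic=None, body=None, verify_tls=True):
    """Issue one JSON request to DTR; return (http_status, parsed_body)."""
    url = base_url.rstrip("/") + path
    headers = {"Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if token:
        headers["Authorization"] = "Bearer " + token
    elif basic:
        cred = base64.b64encode(("%s:%s" % basic).encode()).decode()
        headers["Authorization"] = "Basic " + cred
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    ctx = ssl.create_default_context()
    if not verify_tls:  # same effect as curl -k; lab use only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else {})
    except urllib.error.HTTPError as err:
        return err.code, {}


def get_token(base_url, username, password, verify_tls=True):
    """Equivalent of: curl -u user:pass https://[dtr_url]/auth/token | jq -r .token"""
    status, body = _request(base_url, "/auth/token", basic=(username, password), verify_tls=verify_tls)
    if status != 200 or "token" not in body:
        raise RuntimeError("auth/token failed with HTTP %d" % status)
    return body["token"]


def enable_scanning(base_url, token, verify_tls=True):
    """The STIG fix: POST {"scanningEnabled": true} to /api/v0/meta/settings."""
    status, _ = _request(base_url, "/api/v0/meta/settings", method="POST", token=token,
                         body={"scanningEnabled": True}, verify_tls=verify_tls)
    return status


def evaluate_scan_status(http_status, body):
    """Apply the STIG check to an /api/v0/imagescan/status response.

    Returns a list of finding reasons; an empty list means compliant.
    The flags must be JSON false, so a missing key or a string "false" is a finding.
    """
    if http_status != 200:
        return ["imagescan/status returned HTTP %d, not 200" % http_status]
    findings = []
    for key in ("lastDBUpdateFailed", "lastVulnOverridesDBUpdateFailed"):
        if key not in body:
            findings.append("%s missing from response body" % key)
        elif body[key] is not False:
            findings.append("%s is %r, expected false" % (key, body[key]))
    return findings


def evaluate_settings(http_status, body):
    """Assumption: GET /api/v0/meta/settings echoes the 'scanningEnabled' field the fix POSTs."""
    if http_status != 200:
        return ["meta/settings returned HTTP %d, not 200" % http_status]
    if body.get("scanningEnabled") is not True:
        return ["scanningEnabled is not true"]
    return []


def audit(base_url, username, password, verify_tls=True, remediate=False):
    """Run the check (and optionally the fix first); return the list of findings."""
    token = get_token(base_url, username, password, verify_tls)
    if remediate:
        enable_scanning(base_url, token, verify_tls)
    findings = evaluate_settings(*_request(base_url, "/api/v0/meta/settings", token=token, verify_tls=verify_tls))
    findings += evaluate_scan_status(*_request(base_url, "/api/v0/imagescan/status", token=token, verify_tls=verify_tls))
    return findings


# Constructed sample bodies (not captured from a real DTR) showing what the check accepts and rejects.
SAMPLE_HEALTHY = {"lastDBUpdateFailed": False, "lastVulnOverridesDBUpdateFailed": False}
SAMPLE_FAILED_SYNC = {"lastDBUpdateFailed": True, "lastVulnOverridesDBUpdateFailed": False}

if __name__ == "__main__":
    import os
    import sys
    # usage: python dtr_scan_check.py https://[dtr_url] <username> [--fix]   (password in DTR_PASSWORD)
    base, user = sys.argv[1], sys.argv[2]
    result = audit(base, user, os.environ["DTR_PASSWORD"], remediate="--fix" in sys.argv)
    print("compliant" if not result else "FINDING: " + "; ".join(result))
    sys.exit(1 if result else 0)
```

Two points the curl-only check glosses over: the status flags only say the last database update did not fail, so the script also confirms scanning is actually switched on, and both flags are compared against JSON false rather than a truthy string, so a response of "false" (string) or a missing key is reported rather than silently passed.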

Documentable

False

Check Content Reference

M

Target Key

5281

Comments