STIGQter STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Universal Control Plane (UCP) must be integrated with a trusted certificate authority (CA) in Docker Enterprise.

DISA Rule

SV-235841r627650_rule

Vulnerability Number

V-235841

Group Title

SRG-APP-000427

Rule Version

DKER-EE-003920

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the UCP component of Docker Enterprise.

Integrate UCP with a trusted CA.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Certificates". Fill in (or click on the "Upload" links) the "CA Certificate" field with the contents of your public CA certificate. Assuming the user has generated a server certificate from that CA for UCP, also fill in the "Server Certificate" and "Private Key" fields with the contents of the public/private certificates respectively. The "Server Certificate" field must include both the UCP server certificate and any intermediate certificates. Click on the "Save" button.

If DTR was previously integrated with this UCP cluster, execute a "dtr reconfigure" command as a superuser on one of the UCP Manager nodes in the cluster to re-configure DTR with the updated UCP certificates.

via CLI:
Linux : As a superuser, execute the following commands on each UCP Manager node in the cluster and in the directory where keys and certificates are stored:

Create a container that attaches to the same volume where certificates are stored:

docker create --name replace-certs -v ucp-controller-server-certs:/data busybox

Copy keys and certificates to the container's volumes:

docker cp cert.pem replace-certs:/data/cert.pem
docker cp ca.pem replace-certs:/data/ca.pem
docker cp key.pem replace-certs:/data/key.pem

Remove the container, since it is no longer needed:

docker rm replace-certs

Restart the container, since it is no longer needed:

docker rm replace-certs

Restart the ucp-controller container:

docker restart ucp-controller

If DTR was previously integrated with this UCP cluster, execute a "dtr reconfigure" command as a superuser on one of the UCP Manager nodes in the cluster to re-configure DTR with the updated UCP certificates.

Check Contents

This check only applies to the UCP component of Docker Enterprise.

Check that UCP has been integrated with a trusted CA.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Certificates" and click on the "Download UCP Server CA Certificate" link. Verify that the contents of the downloaded "ca.pem" file match that of the trusted CA certificate.

If the certificate chain is not valid or does not match the trusted CA, this is a finding.

via CLI:

Linux: Execute the following command and verify the certificate chain in the output is valid and matches that of the trusted CA:

echo "" | openssl s_client -connect [ucp_url]:443 | openssl x509 -noout -text

If the certificate chain is not valid or does not match the trusted CA, this is a finding.

Vulnerability Number

V-235841

Documentable

False

Rule Version

DKER-EE-003920

Severity Override Guidance

This check only applies to the UCP component of Docker Enterprise.

Check that UCP has been integrated with a trusted CA.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Certificates" and click on the "Download UCP Server CA Certificate" link. Verify that the contents of the downloaded "ca.pem" file match that of the trusted CA certificate.

If the certificate chain is not valid or does not match the trusted CA, this is a finding.

via CLI:

Linux: Execute the following command and verify the certificate chain in the output is valid and matches that of the trusted CA:

echo "" | openssl s_client -connect [ucp_url]:443 | openssl x509 -noout -text

If the certificate chain is not valid or does not match the trusted CA, this is a finding.

Check Content Reference

M

Target Key

5281

Comments