SV-235842r627653_rule
V-235842
SRG-APP-000427
DKER-EE-003930
CAT II
10
This fix only applies to the DTR component of Docker Enterprise.
Integrate DTR with a trusted CA.
via UI:
In the DTR web console, navigate to "System" | "General" and click on the "Show TLS Settings" link in the "Domain & Proxies" section. Fill in the "TLS Root CA" field with the contents of the trusted CA certificate. Assuming the user has generated a server certificate from that CA for DTR, also fill in the "TLS Certificate Chain" and "TLS Private Key" fields with the contents of the server certificate chain and the private key respectively. The "TLS Certificate Chain" field must include both the DTR server certificate and any intermediate certificates. Click on the "Save" button.
via CLI:
Linux: Execute the following command as a superuser on one of the UCP Manager nodes in the cluster:
docker run -it --rm docker/dtr:[dtr_version] reconfigure --dtr-ca "$(cat [ca.pem])" --dtr-cert "$(cat [dtr_cert.pem])" --dtr-key "$(cat [dtr_private_key.pem])"
This check only applies to the DTR component of Docker Enterprise.
Check that DTR has been integrated with a trusted CA.
via UI:
In the DTR web console, navigate to "System" | "General" and click on the "Show TLS settings" link in the "Domain & Proxies" section. Verify the certificate chain in "TLS Root CA" box is valid and matches that of the trusted CA.
via CLI:
Linux: Execute the following command and verify the certificate chain in the output is valid and matches that of the trusted CA:
echo "" | openssl s_client -connect [dtr_url]:443 | openssl x509 -noout -text
If the certificate chain is not valid or does not match the trusted CA, this is a finding.
False
M
5281