STIGQter: STIG Summary: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide Version: 2 Release: 1 Benchmark Date: 23 Apr 2021:

Docker Content Trust enforcement must be enabled in Universal Control Plane (UCP).

DISA Rule

SV-235847r627668_rule

Vulnerability Number

V-235847

Group Title

SRG-APP-000485

Rule Version

DKER-EE-004370

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

This fix only applies to the UCP component of Docker Enterprise.

Enable Content Trust enforcement in UCP.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Docker Content Trust" and check the box next to "Run only signed images". In the dropdown that follows, set the Orgs and Teams that images must be signed by to match the organizational policies.

via CLI:

Linux: As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the "ucp-config.toml" file and set the "require_content_trust" entry under the "[trust_configuration]" section to "true". Save the file.

Execute the following command to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml

Check Contents

This check only applies to the UCP component of Docker Enterprise.

Check that UCP is configured to run only images signed by the applicable Orgs and Teams.

via UI:

In the UCP web console, navigate to "Admin Settings" | "Docker Content Trust" and verify that "Run only signed images" is checked. Verify that the Orgs and Teams that images must be signed by in the dropdown that follows match those required by the organizational policies.

If "Run only signed images" is not checked, this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml

Look for the "require_content_trust" entry under the "[trust_configuration]" section in the output, and verify that it is set to "true".

If require_content_trust is not set to true, this is a finding.
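The following script is added here as a worked example; it is not part of the STIG text and not Docker's own tooling. It automates both the Fix Recommendation above (log in, download config-toml, set require_content_trust, upload) and the Check Contents (download and verify). UCP_URL, UCP_USERNAME, UCP_PASSWORD and UCP_CA_BUNDLE are assumed environment variables, the endpoint paths are the ones the STIG commands use, and the function names are the example's own. Two differences from the one-liners above are deliberate: the JSON login body is built with jq --arg so a password containing quotes cannot break or alter the request, and the TLS connection is verified against the UCP CA certificate (UCP_CA_BUNDLE) instead of being made with curl -k. The check and fix functions are section-aware, so a require_content_trust key in some other TOML section is neither counted nor edited.

```shell
#!/bin/sh
# Added example for DKER-EE-004370 (not from the STIG or from Docker).
# Assumed environment: UCP_URL (host[:port]), UCP_USERNAME, UCP_PASSWORD,
# UCP_CA_BUNDLE (PEM file with the UCP CA, so TLS is verified instead of -k).
# Requires curl, jq and awk, as the STIG's own commands do.

# Log in to UCP and print a bearer token; fails if no token comes back.
ucp_login() {
    body=$(jq -n --arg u "${UCP_USERNAME:?}" --arg p "${UCP_PASSWORD:?}" \
        '{username: $u, password: $p}')
    token=$(curl -sf --cacert "${UCP_CA_BUNDLE:?}" -d "$body" \
        "https://${UCP_URL:?}/auth/login" | jq -r '.auth_token // empty')
    [ -n "$token" ] || { echo "UCP login failed" >&2; return 1; }
    printf '%s\n' "$token"
}

# Download the current UCP config ($1 = token, $2 = output file).
ucp_get_config() {
    curl -sf --cacert "${UCP_CA_BUNDLE:?}" -H "Authorization: Bearer $1" \
        -o "$2" "https://${UCP_URL:?}/api/ucp/config-toml"
}

# Upload an edited config ($1 = token, $2 = file), as the Fix does.
ucp_put_config() {
    curl -sf --cacert "${UCP_CA_BUNDLE:?}" -H "Authorization: Bearer $1" \
        --upload-file "$2" "https://${UCP_URL:?}/api/ucp/config-toml"
}

# Check: return 0 only if require_content_trust = true appears inside the
# [trust_configuration] section of the TOML file $1 (the same key in any
# other section does not count).
check_require_content_trust() {
    awk '
        /^[ \t]*\[/ { in_trust = ($0 ~ /^[ \t]*\[trust_configuration\][ \t]*$/) }
        in_trust && /^[ \t]*require_content_trust[ \t]*=[ \t]*true[ \t]*(#.*)?$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Fix: rewrite TOML file $1 in place so [trust_configuration] contains
# require_content_trust = true. An existing value is replaced; a missing key
# or a missing section is added; every other line is kept unchanged.
set_require_content_trust() {
    awk '
        /^[ \t]*\[/ {
            if (in_trust && !done) { print "require_content_trust = true"; done = 1 }
            in_trust = ($0 ~ /^[ \t]*\[trust_configuration\][ \t]*$/)
        }
        in_trust && /^[ \t]*require_content_trust[ \t]*=/ {
            print "require_content_trust = true"; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!in_trust) print "\n[trust_configuration]"
                print "require_content_trust = true"
            }
        }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Driver: "check" reports the finding status, "fix" applies and uploads the
# setting and then re-checks. With no argument only the functions are defined.
case "${1:-}" in
    check|fix)
        token=$(ucp_login) || exit 1
        ucp_get_config "$token" ucp-config.toml || exit 1
        if [ "$1" = fix ]; then
            set_require_content_trust ucp-config.toml
            ucp_put_config "$token" ucp-config.toml || exit 1
        fi
        if check_require_content_trust ucp-config.toml; then
            echo "DKER-EE-004370: require_content_trust = true (not a finding)"
        else
            echo "DKER-EE-004370: require_content_trust is not true (finding)"; exit 1
        fi ;;
esac
```

Usage (constructed): UCP_URL=ucp.example.internal UCP_USERNAME=admin UCP_PASSWORD='...' UCP_CA_BUNDLE=ucp-ca.pem sh dker-ee-004370.sh check, or the same with fix. The edit is line-based rather than a TOML round-trip on purpose: config-toml carries every other UCP setting, and rewriting only the one key keeps comments and unrelated sections byte-for-byte intact, which makes the before/after diff easy to review before the upload.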

Vulnerability Number

V-235847

Documentable

False

Rule Version

DKER-EE-004370

Severity Override Guidance

Check Content Reference

M

Target Key

5281

Comments