DKER-EE-003840 - Vulnerability scanning must be enabled for all repositories in the Docker Trusted Registry (DTR) component of Docker Enterprise.

Information

DTR can scan Docker images for vulnerabilities and this capability should be enabled to meet the requirements of this control.

When enabled, for every Docker image that is pushed to DTR, a scan of each of the image layers is conducted. An analysis of all packages and compiled binaries is done for each image layer and if a package or binary is associated with a known vulnerability as identified by the MITRE CVE or NIST NVD databases, then it is flagged in DTR.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This fix only applies to the DTR component of Docker Enterprise.

Enable vulnerability scanning:

via UI:

As a Docker EE Admin, navigate to 'System' | 'Security' in the DTR management console. Click the 'Enable Scanning' slider to enable this capability. Sync (online) or upload (offline) the vulnerability database.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the DTR management console:

# The Authorization header must be double-quoted so the shell expands $AUTHTOKEN
AUTHTOKEN=$(curl -sk -u '<username>:<password>' 'https://[dtr_url]/auth/token' | jq -r .token)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -X POST -d '{"scanningEnabled":true}' -H 'Content-Type: application/json' 'https://[dtr_url]/api/v0/meta/settings'

If DTR is offline, upload the latest vulnerability database (retrievable via Docker Enterprise subscription):

# The Authorization header must be double-quoted so the shell expands $AUTHTOKEN
AUTHTOKEN=$(curl -sk -u '<username>:<password>' 'https://[dtr_url]/auth/token' | jq -r .token)
UPDATE_FILE='[path_to_cve_database].tar'
curl -k -H "Authorization: Bearer $AUTHTOKEN" -H 'Content-Type: multipart/form-data' -H 'Accept: application/json' -X PUT -F "upload=@${UPDATE_FILE}" 'https://[dtr_url]/api/v0/imagescan/scan/update?online=false'
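
Because Nessus does not perform this check, the setting has to be confirmed by hand after the fix. The following is an added example, not part of the STIG or the audit file: it reads the settings back and evaluates the scanningEnabled field. It assumes that a GET on the same /api/v0/meta/settings endpoint returns the current value of scanningEnabled; the function names and sample bodies are constructed for illustration.

```python
import json
import ssl
import urllib.request

# Constructed sample bodies, not captured from a real DTR instance.
SAMPLES = [
    '{"scanningEnabled": true}',
    '{"scanningEnabled": false}',
    '{"scanningEnabled": "true"}',
    '<html>login</html>',
]

def usable_token(token):
    """`jq -r .token` prints the literal string "null" when login failed."""
    return isinstance(token, str) and token.strip() not in ("", "null")

def evaluate_settings(body):
    """Return (compliant, reason) for a settings response body."""
    try:
        settings = json.loads(body)
    except json.JSONDecodeError:
        return False, "response is not JSON"
    if not isinstance(settings, dict) or "scanningEnabled" not in settings:
        return False, "scanningEnabled missing from response"
    value = settings["scanningEnabled"]
    # Only the JSON boolean true counts; the string "true" does not.
    if value is True:
        return True, "scanningEnabled is true"
    return False, "scanningEnabled is %r" % (value,)

def fetch_settings(dtr_host, token, cafile=None):
    """GET the settings. Assumption: the endpoint the page POSTs to also
    answers GET with the current values. TLS is verified, unlike curl -k."""
    if not usable_token(token):
        raise ValueError("no bearer token; check the credentials")
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        "https://%s/api/v0/meta/settings" % dtr_host,
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", evaluate_settings(body))
```

Pass the DTR CA certificate as cafile when the registry uses a private CA, so the check does not need certificate verification disabled.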

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-UNIX_V2R1_STIG.zip

Item Details

Category: RISK ASSESSMENT

References: 800-53|RA-5(5), CAT|II, CCI|CCI-001067, Rule-ID|SV-235840r627647_rule, STIG-ID|DKER-EE-003840, STIG-Legacy|SV-104851, STIG-Legacy|V-95713, Vuln-ID|V-235840

Plugin: Unix

Control ID: 9f79f075f2bd348288f1098f51b8427f32a6900f5e0b7b58b3e5b5d9f1d6c6c8