DKER-EE-001100 - LDAP integration in Docker Enterprise must be configured.

Information

Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane provides automated mechanisms for supporting account management functions and allows for LDAP integration in UCP and DTR. While eNZi includes its own managed user database, it is recommended that LDAP integration be configured to more completely satisfy the requirements of this control.

Satisfies: SRG-APP-000023, SRG-APP-000405, SRG-APP-000404, SRG-APP-000403, SRG-APP-000401, SRG-APP-000397, SRG-APP-000392, SRG-APP-000148, SRG-APP-000141, SRG-APP-000391

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enable and configure LDAP integration in the UCP Admin Settings.

via UI:

In the UCP web console, navigate to 'Admin Settings' | 'Authentication & Authorization' and set 'LDAP Enabled' to 'Yes' and properly configure the LDAP/AD settings as per the appropriate OS STIG.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on either a UCP Manager node or using a UCP client bundle. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. Note that the login body must be valid JSON (double-quoted keys and values), and that the Authorization header must be double-quoted so the shell expands $AUTHTOKEN. Also be aware that '-k' disables TLS certificate verification and that a password typed on the command line ends up in shell history and process listings; where practical, use '--cacert' with the UCP CA (ca.pem from the client bundle) and supply the password interactively.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the 'ucp-config.toml' file, set the 'backend' entry under the '[auth]' section to 'ldap', and add an '[auth.ldap]' sub-section per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authldap-optional. Save the file.

Execute the following commands to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
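The following script is an added example and is not part of the STIG text or the Tenable check. It carries the CLI procedure above through end to end with correct quoting, a prompted password and TLS verification, and it goes beyond the text in two ways: the TOML edit (set 'backend' to 'ldap' under '[auth]' and add an '[auth.ldap]' section if missing) is done programmatically instead of by hand, and a pre-upload check confirms the edit before the file is sent back. The endpoints (/auth/login, /api/ucp/config-toml) are the ones named in the Solution; the '[auth.ldap]' key names follow the linked UCP configuration-file reference and should be confirmed against the docs for your UCP version; every LDAP value written (server, bind DN, base DN, attributes) is a placeholder to replace; the CA file argument is assumed to be ca.pem from a UCP client bundle.

```shell
#!/bin/sh
# Added example, not part of the STIG or the Tenable check: the UCP LDAP-enable
# procedure as a script with correct quoting, a prompted password and TLS
# verification.  Endpoints (/auth/login, /api/ucp/config-toml) are the ones
# named in the Solution; the [auth.ldap] keys follow the linked UCP
# configuration-file reference, and every LDAP value written is a placeholder.
set -eu

# Obtain a UCP bearer token.  $1 = UCP URL, $2 = admin user, $3 = UCP CA file
# (ca.pem from a client bundle).  The password is prompted for rather than put
# on the command line, so it reaches neither shell history nor `ps`.
ucp_login() {
  printf 'UCP password for %s: ' "$2" >&2
  stty -echo; read -r pass; stty echo; printf '\n' >&2
  # Build the JSON body with jq: JSON requires double quotes, and jq also
  # escapes any quote or backslash inside the credentials.
  jq -cn --arg u "$2" --arg p "$pass" '{username:$u,password:$p}' \
    | curl -sS --cacert "$3" -H 'Content-Type: application/json' \
        --data-binary @- "$1/auth/login" | jq -r .auth_token
}

# Download / upload the cluster config.  $1 = URL, $2 = token, $3 = CA, $4 = file.
# The Authorization header is double-quoted so that $2 actually expands.
ucp_get_config() { curl -sS --cacert "$3" -H "Authorization: Bearer $2" -o "$4" "$1/api/ucp/config-toml"; }
ucp_put_config() { curl -sS --cacert "$3" -H "Authorization: Bearer $2" --upload-file "$4" "$1/api/ucp/config-toml"; }

# Edit the TOML: force backend = "ldap" inside [auth] (creating the section if
# absent) and append a template [auth.ldap] section if none exists.
# $1 = input file, $2 = output file.  Running it twice changes nothing.
set_ldap_backend() {
  awk '
    /^\[/ {                       # any table header ends the current section
      if (in_auth && !set) { print "backend = \"ldap\""; set = 1 }
      in_auth = ($0 ~ /^\[auth\]/)
      if (in_auth) seen_auth = 1
      if ($0 ~ /^\[auth\.ldap\]/) have_ldap = 1
    }
    in_auth && /^[[:space:]]*backend[[:space:]]*=/ { print "backend = \"ldap\""; set = 1; next }
    { print }
    END {
      if (!seen_auth) { print ""; print "[auth]" }
      if (!set)       { print "backend = \"ldap\"" }
      if (!have_ldap) {
        print ""
        print "[auth.ldap]"
        print "server_url = \"ldaps://ldap.example.org:636\"   # placeholder: your directory"
        print "start_tls = false"
        print "tls_skip_verify = false                       # keep false: verify the LDAP cert"
        print "reader_dn = \"cn=ucp-reader,ou=svc,dc=example,dc=org\"   # placeholder"
        print "reader_password = \"CHANGE-ME\"                # placeholder: bind password"
        print "jit_user_provisioning = true"
        print ""
        print "[[auth.ldap.user_search_configs]]"
        print "base_dn = \"ou=people,dc=example,dc=org\"      # placeholder"
        print "scope_subtree = true"
        print "username_attr = \"uid\""
        print "full_name_attr = \"cn\""
        print "filter = \"(objectClass=person)\""
      }
    }' "$1" > "$2"
}

# Check run before uploading: succeeds only if [auth] carries backend = "ldap".
check_ldap_backend() {
  awk '
    /^\[/ { in_auth = ($0 ~ /^\[auth\]/) }
    in_auth && /^[[:space:]]*backend[[:space:]]*=[[:space:]]*"ldap"/ { ok = 1 }
    END { exit !ok }' "$1"
}

# End to end: fetch, edit, verify, upload.  $1 = URL, $2 = admin, $3 = CA file.
# Fill in the placeholders in ucp-config.ldap.toml before the upload step.
enable_ucp_ldap() {
  token=$(ucp_login "$1" "$2" "$3")
  ucp_get_config "$1" "$token" "$3" ucp-config.toml
  set_ldap_backend ucp-config.toml ucp-config.ldap.toml
  check_ldap_backend ucp-config.ldap.toml
  ucp_put_config "$1" "$token" "$3" ucp-config.ldap.toml
}
```

Usage: source the file and run 'enable_ucp_ldap https://ucp.example.org admin ./ca.pem', stopping after set_ldap_backend to replace the placeholder values. The awk rewrite is deliberately conservative: it only touches the 'backend' key inside '[auth]' and never removes other keys, so a config that already has a tuned '[auth.ldap]' section passes through unchanged.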

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-UNIX_V2R1_STIG.zip

Item Details

Category: ACCESS CONTROL, CONFIGURATION MANAGEMENT, IDENTIFICATION AND AUTHENTICATION

References: 800-53|AC-2(1), 800-53|CM-7a., 800-53|IA-2, 800-53|IA-2(12), 800-53|IA-5(1)(f), 800-53|IA-5(2)(d), 800-53|IA-8(1), 800-53|IA-8(2), 800-53|IA-8(4), CAT|II, CCI|CCI-000015, CCI|CCI-000381, CCI|CCI-000764, CCI|CCI-001953, CCI|CCI-001954, CCI|CCI-001991, CCI|CCI-002010, CCI|CCI-002011, CCI|CCI-002014, CCI|CCI-002041, Rule-ID|SV-235780r627467_rule, STIG-ID|DKER-EE-001100, STIG-Legacy|SV-104703, STIG-Legacy|V-95113, Vuln-ID|V-235780

Plugin: Unix

Control ID: a31a72362886feb42ffad2f96a42a9a622d0388c473ef3e8d026082e168698fb