Detections
Analytics

DKER-EE-001170 - A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

Information

Both the UCP and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. eNZi provides UCP and DTR with role-based access control functionality to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. The eNZi backplane includes its own managed user database, and also allows for LDAP integration in UCP and DTR. While role-based access control mechanisms are provided regardless of whether or not LDAP integration is enabled, it is recommended to enable LDAP integration to better meet the requirements of this control.

Satisfies: SRG-APP-000033, SRG-APP-000038, SRG-APP-000039, SRG-APP-000080, SRG-APP-000243, SRG-APP-000246, SRG-APP-000247, SRG-APP-000267, SRG-APP-000311, SRG-APP-000313, SRG-APP-000314, SRG-APP-000328, SRG-APP-000340, SRG-APP-000342, SRG-APP-000378, SRG-APP-000380, SRG-APP-000384

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

This fix only applies to the UCP component of Docker Enterprise.

Apply RBAC policy sets in UCP per the requirements set forth by the SSP.

via UI:

As a Docker EE Admin, navigate to 'Access Control' | 'Grants' in the UCP web console. Create grants and cluster role bindings for Swarm per the requirements set forth by the SSP.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console:

AUTHTOKEN=$(curl -sk -d '{'username':'[ucp_username]','password':'[ucp_password]'}' https://[ucp_url]/auth/login | jq -r .auth_token)

Create grants for Swarm for applicable subjects, objects and roles using the following command:

curl -sk -H 'Authorization: Bearer $AUTHTOKEN' -X PUT https://[ucp_url]/collectionGrants/[subjectID]/[objectID]/[roleID]

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-UNIX_V2R1_STIG.zip

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-3, 800-53|AC-3(4), 800-53|AC-4, 800-53|AC-6(8), 800-53|AC-6(10), 800-53|AC-16a., 800-53|AU-10, 800-53|CM-5(1), 800-53|CM-7(2), 800-53|CM-11(2), 800-53|SC-4, 800-53|SC-5(1), 800-53|SC-5(2), 800-53|SI-11b., CAT|II, CCI|CCI-000166, CCI|CCI-000213, CCI|CCI-001090, CCI|CCI-001094, CCI|CCI-001095, CCI|CCI-001314, CCI|CCI-001368, CCI|CCI-001414, CCI|CCI-001764, CCI|CCI-001812, CCI|CCI-001813, CCI|CCI-002165, CCI|CCI-002233, CCI|CCI-002235, CCI|CCI-002262, CCI|CCI-002263, CCI|CCI-002264, Rule-ID|SV-235781r627470_rule, STIG-ID|DKER-EE-001170, STIG-Legacy|SV-104705, STIG-Legacy|V-95355, Vuln-ID|V-235781

Plugin: Unix

Control ID: 720a2cae48d0e41b94f51e42bc13e8f87615246b631057ab75cd2103003b119d