A policy set using the built-in role-based access control (RBAC) capabilities in the Universal Control Plane (UCP) component of Docker Enterprise must be configured.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235781	DKER-EE-001170	SV-235781r627470_rule		Medium

Description
Both the UCP and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. eNZi provides UCP and DTR with role-based access control functionality to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. The eNZi backplane includes its own managed user database, and also allows for LDAP integration in UCP and DTR. While role-based access control mechanisms are provided regardless of whether or not LDAP integration is enabled, it is recommended to enable LDAP integration to better meet the requirements of this control. Satisfies: SRG-APP-000033, SRG-APP-000038, SRG-APP-000039, SRG-APP-000080, SRG-APP-000243, SRG-APP-000246, SRG-APP-000247, SRG-APP-000267, SRG-APP-000311, SRG-APP-000313, SRG-APP-000314, SRG-APP-000328, SRG-APP-000340, SRG-APP-000342, SRG-APP-000378, SRG-APP-000380, SRG-APP-000384

Description

Both the UCP and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. eNZi provides UCP and DTR with role-based access control functionality to enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. The eNZi backplane includes its own managed user database, and also allows for LDAP integration in UCP and DTR. While role-based access control mechanisms are provided regardless of whether or not LDAP integration is enabled, it is recommended to enable LDAP integration to better meet the requirements of this control. Satisfies: SRG-APP-000033, SRG-APP-000038, SRG-APP-000039, SRG-APP-000080, SRG-APP-000243, SRG-APP-000246, SRG-APP-000247, SRG-APP-000267, SRG-APP-000311, SRG-APP-000313, SRG-APP-000314, SRG-APP-000328, SRG-APP-000340, SRG-APP-000342, SRG-APP-000378, SRG-APP-000380, SRG-APP-000384

STIG	Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide	2021-03-26

Details

Check Text ( C-39000r627468_chk )
This check only applies to the UCP component of Docker Enterprise. Verify that the applied RBAC policy sets in UCP are configured per the requirements set forth by the System Security Plan (SSP). via UI: As a Docker EE Admin, navigate to "Access Control" \| "Grants" in the UCP web console. Verify that all grants and cluster role bindings applied to Swarm are configured per the requirements set forth by the System Security Plan (SSP). If the applied RBAC policy sets in UCP are not configured per the requirements set forth by the SSP, then this is a finding. via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console: AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login \| jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/collectionGrants?subjectType=all&expandUser=true&showPaths=true Verify that all grants applied to Swarm in the API response are configured per the requirements set forth by the System Security Plan (SSP). If the applied RBAC policy sets in UCP are not configured per the requirements set forth by the SSP, then this is a finding.

Check Text ( C-39000r627468_chk )

This check only applies to the UCP component of Docker Enterprise.

Verify that the applied RBAC policy sets in UCP are configured per the requirements set forth by the System Security Plan (SSP).

via UI:

As a Docker EE Admin, navigate to "Access Control" | "Grants" in the UCP web console. Verify that all grants and cluster role bindings applied to Swarm are configured per the requirements set forth by the System Security Plan (SSP).

If the applied RBAC policy sets in UCP are not configured per the requirements set forth by the SSP, then this is a finding.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)

curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/collectionGrants?subjectType=all&expandUser=true&showPaths=true

Verify that all grants applied to Swarm in the API response are configured per the requirements set forth by the System Security Plan (SSP).

If the applied RBAC policy sets in UCP are not configured per the requirements set forth by the SSP, then this is a finding.

Fix Text (F-38963r627469_fix)
This fix only applies to the UCP component of Docker Enterprise. Apply RBAC policy sets in UCP per the requirements set forth by the SSP. via UI: As a Docker EE Admin, navigate to "Access Control" \| "Grants" in the UCP web console. Create grants and cluster role bindings for Swarm per the requirements set forth by the SSP. via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console: AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login \| jq -r .auth_token) Create grants for Swarm for applicable subjects, objects and roles using the following command: curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X PUT https://[ucp_url]/collectionGrants/[subjectID]/[objectID]/[roleID]

Fix Text (F-38963r627469_fix)

This fix only applies to the UCP component of Docker Enterprise.

Apply RBAC policy sets in UCP per the requirements set forth by the SSP.

via UI:

As a Docker EE Admin, navigate to "Access Control" | "Grants" in the UCP web console. Create grants and cluster role bindings for Swarm per the requirements set forth by the SSP.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands on a machine that can communicate with the UCP management console:

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)

Create grants for Swarm for applicable subjects, objects and roles using the following command:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" -X PUT https://[ucp_url]/collectionGrants/[subjectID]/[objectID]/[roleID]