UCF STIG Viewer Logo

Docker Enterprise Swarm manager must be run in auto-lock mode.


Overview

Finding ID Version Rule ID IA Controls Severity
V-235823 DKER-EE-002400 SV-235823r627596_rule Medium
Description
Run Docker swarm manager in auto-lock mode. When Docker restarts, both the TLS key used to encrypt communication among swarm nodes, and the key used to encrypt and decrypt Raft logs on disk, are loaded into each manager node's memory. Protect the mutual TLS encryption key and the key used to encrypt and decrypt Raft logs at rest. This protection could be enabled by initializing swarm with --autolock flag. With --autolock enabled, when Docker restarts, unlock the swarm first, using a key encryption key generated by Docker when the swarm was initialized.
STIG Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide 2021-03-26

Details

Check Text ( C-39042r627594_chk )
Ensure swarm manager is run in auto-lock mode.

via CLI:

Linux: As a Docker EE Admin, follow the steps below using a Universal Control Plane (UCP) client bundle:

Run the below command. If it outputs the key, it means swarm was initialized with the --autolock flag.

docker swarm unlock-key

If the output is no unlock key is set, it means that swarm was NOT initialized with the --autolock flag and this is a finding.
Fix Text (F-39005r627595_fix)
If initializing swarm, use the below command.

docker swarm init --autolock
If setting --autolock on an existing swarm manager node, use the below command.

docker swarm update --autolock