Docker Enterprise secret management commands must be used for managing secrets in a Swarm cluster.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-235824	DKER-EE-002410	SV-235824r627599_rule		Medium

Description
Use Docker's in-built secret management commands for managing sensitive data that which can be stored in key/value pairs. Examples include API tokens, database connection strings and credentials, SSL certificates, and the like.

STIG	Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide	2021-03-26

Details

Check Text ( C-39043r627597_chk )
Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster. Refer to the System Security Plan (SSP) and verify that it includes documented processes for using Docker secrets commands to manage sensitive data that can be stored in key/value pairs. Examples include API tokens, database connection strings and credentials, SSL certificates, and the like. If the SSP does not have this documented, then this is a finding.

Check Text ( C-39043r627597_chk )

Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster.

Refer to the System Security Plan (SSP) and verify that it includes documented processes for using Docker secrets commands to manage sensitive data that can be stored in key/value pairs. Examples include API tokens, database connection strings and credentials, SSL certificates, and the like.

If the SSP does not have this documented, then this is a finding.

Fix Text (F-39006r627598_fix)
Update the SSP so that it includes documented processes for using Docker secrets commands to manage sensitive data that can be stored in key/value pairs. Examples include API tokens, database connection strings and credentials, SSL certificates, and the like. Follow docker secret documentation and use it to manage secrets effectively. This documentation can be found at https://docs.docker.com/engine/swarm/secrets/.

Fix Text (F-39006r627598_fix)

Update the SSP so that it includes documented processes for using Docker secrets commands to manage sensitive data that can be stored in key/value pairs. Examples include API tokens, database connection strings and credentials, SSL certificates, and the like. Follow docker secret documentation and use it to manage secrets effectively. This documentation can be found at https://docs.docker.com/engine/swarm/secrets/.