
Periodic data usage and analytics reporting in Docker Trusted Registry (DTR) must be disabled in Docker Enterprise.


Overview

Finding ID: V-95629
Version: DKER-EE-001920
Rule ID: SV-104767r1_rule
IA Controls: (none listed)
Severity: Medium
Description
Docker Enterprise includes the following capabilities that are considered non-essential:

*NOTE: disabling these capabilities negatively affects the operation of Universal Control Plane (UCP) and DTR and should be disregarded when UCP and DTR are installed. The security capabilities provided by UCP and DTR offset any potential vulnerabilities associated with not disabling these essential capabilities the Engine provides.

(Docker Engine - Enterprise: Standalone) - The majority of these items were originally identified as part of the CIS Docker Benchmark, which as of the CIS Docker Benchmark v1.2.0, are still applicable to Docker Engine - Enterprise 18.09

- inter-container communication (icc)* (CIS Docker Benchmark Recommendation 2.1)
- insecure registry communication (CIS Docker Benchmark Recommendation 2.4)
- AUFS storage driver (applicable on Linux only) (CIS Docker Benchmark Recommendation 2.5)
- listening on the TCP Daemon socket
- userland proxy for loopback traffic* (CIS Docker Benchmark Recommendation 2.15)
- experimental features (CIS Docker Benchmark Recommendation 2.17)
- Swarm Mode (CIS Docker Benchmark Recommendation 7.1)

(Docker Engine - Enterprise: As part of a UCP cluster)

- insecure registry communication (CIS Docker Benchmark Recommendation 2.4)
- AUFS storage driver (applicable on Linux only) (CIS Docker Benchmark Recommendation 2.5)
- listening on the TCP Daemon socket
- experimental features (CIS Docker Benchmark Recommendation 2.17)

(UCP)

- Managed user database
- self-signed certificates
- periodic usage reporting and API tracking
- allow users and administrators to schedule containers on all nodes, including UCP managers and DTR nodes

(DTR)

- periodic data usage/analytics reporting
- create repository on push
- self-signed certificates
STIG: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
Date: 2019-09-13

Details

Check Text ( C-94457r1_chk )
This check only applies to the DTR component of Docker Enterprise.

Verify that usage and API analytics tracking is disabled in DTR:

via UI:

As a Docker EE Admin, navigate to "System" | "General" in the DTR management console. Verify that the "Send data" option is disabled.

via CLI:

Linux (requires curl and jq):

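# Request an API token; replace [username], [password] and [dtr_url] with your values.
AUTHTOKEN=$(curl -sk -u "[username]:[password]" "https://[dtr_url]/auth/token" | jq -r .token)
# Read the current DTR settings with that token.
curl -k -H "Authorization: Bearer $AUTHTOKEN" -X GET "https://[dtr_url]/api/v0/meta/settings"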

Look for the "reportAnalytics" field in the output and verify that it is set to "false". If it is not, then this is a finding.
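
An added example, not part of the STIG text: a small Python evaluator for the settings response, so the check can be scripted across several DTR instances. The status names, exit codes and sample bodies are constructed for illustration, and treating a response without the field as "not reviewed" rather than as a pass is an assumption of this example.

```python
import json
import sys

# Constructed sample bodies for illustration; real responses carry more fields.
SAMPLE_DISABLED = '{"reportAnalytics": false}'
SAMPLE_ENABLED = '{"reportAnalytics": true}'
SAMPLE_AUTH_ERROR = '{"errors": [{"code": "UNAUTHORIZED"}]}'  # assumed error shape

EXIT_CODES = {"not_a_finding": 0, "finding": 1, "not_reviewed": 2}


def evaluate_settings(body):
    """Classify the body returned by GET /api/v0/meta/settings.

    Returns (status, reason). Only a JSON boolean false passes; a body that
    cannot be evaluated is "not_reviewed", never a pass.
    """
    try:
        settings = json.loads(body)
    except ValueError as exc:
        return "not_reviewed", "response is not valid JSON: %s" % exc
    if not isinstance(settings, dict):
        return "not_reviewed", "response is not a JSON object"
    if "reportAnalytics" not in settings:
        # For example, an error body returned because the token request failed.
        return "not_reviewed", "reportAnalytics field is absent"
    value = settings["reportAnalytics"]
    if value is False:
        return "not_a_finding", "reportAnalytics is false"
    # Fail closed: true, null, or the string "false" all count as a finding.
    return "finding", "reportAnalytics is %s" % json.dumps(value)


if __name__ == "__main__":
    # Pipe the output of the settings curl command above into this script.
    status, reason = evaluate_settings(sys.stdin.read())
    print("%s: %s" % (status, reason))
    sys.exit(EXIT_CODES[status])
```
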
Fix Text (F-101295r1_fix)
This fix only applies to the DTR component of Docker Enterprise.

Disable usage and API analytics tracking in DTR:

via UI:

As a Docker EE Admin, navigate to "System" | "General" in the DTR management console. Click the "Send data" slider to disable this capability.

via CLI:

Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the DTR management console:

AUTHTOKEN=$(curl -sk -u "[username]:[password]" "https://[dtr_url]/auth/token" | jq -r .token)
curl -k -H "Authorization: Bearer $AUTHTOKEN" -X POST -d '{"reportAnalytics":false}' -H 'Content-Type: application/json' "https://[dtr_url]/api/v0/meta/settings"