Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-95677 | DKER-EE-002180 | SV-104815r1_rule | Medium |
Description |
---|
Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise leverage the same authentication and authorization backplane known as eNZi. The eNZi backplane includes its own managed user database, and also allows for LDAP and SAML integration in UCP and DTR. To meet the requirements of this control, configure LDAP and SAML integration. Satisfies: SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405 |
STIG | Date |
---|---|
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide | 2019-09-13 |
Check Text ( C-94505r1_chk ) |
---|
Verify that SAML integration is enabled and properly configured in the UCP Admin Settings. via UI: In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and verify "SAML Enabled" is set to "Yes" and that it is properly configured. If SAML authentication is not enabled, this is a finding. via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml Verify that the "samlEnabled" entry under the "[auth]" section is set to "true". If the "samlEnabled" entry under the "[auth]" section is not set to "true", then this is a finding. |
Fix Text (F-101343r1_fix) |
---|
Enable and configure SAML integration in the UCP Admin Settings. via UI: In the UCP web console, navigate to "Admin Settings" | "Authentication & Authorization" and set "SAML Enabled" to "Yes" and properly configure the SAML settings. via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml Open the "ucp-config.toml" file. Set the "samlEnabled" entry under the "[auth]" section to "true". Set the "idpMetadataURL" and "spHost" entries under the "[auth.saml]" to appropriate values per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authsaml-optional. Save the file. Execute the following commands to update UCP with the new configuration: curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml |