UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Only trusted, signed images must be on Universal Control Plane (UCP) in Docker Enterprise.


Overview

Finding ID Version Rule ID IA Controls Severity
V-95711 DKER-EE-003610 SV-104849r1_rule Medium
Description
The UCP and Docker Trusted Registry (DTR) components of Docker Enterprise can be used in concert to perform an integrity check of organization-defined software at startup. In the context of Docker Enterprise, software would be analogous to Docker images that have been pulled from trusted or untrusted sources. Docker Hub is the most common upstream endpoint for retrieving Docker images. However, only "Docker Certified" images on Docker Hub are considered trusted and come with SLAs and trusted signatures from their respective vendors. All other images from Docker Hub or other external registries must be carefully inspected and triaged prior to use. Docker Content Trust (DCT) provides for content integrity checking mechanisms on Docker images. DCT can be combined with LDAP, DTR and UCP to enforce image signatures from users/accounts in LDAP. Therefore, to meet the requirements of this control, it is imperative that UCP has LDAP integration enabled and that content trust enforcement is enabled and properly configured. An operational requirement of this control is that of the required use of an established continuous integration and deployment workflow that effectively dictates exactly what software is allowed to run on UCP. Satisfies: SRG-APP-000386, SRG-APP-000480, SRG-APP-000484, SRG-APP-000485, SRG-APP-000475
STIG Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide 2019-09-13

Details

Check Text ( C-94541r1_chk )
This check only applies to the UCP component of Docker Enterprise.

Verify that all images sitting on a UCP cluster are signed.

via CLI:

Linux: As a Docker EE Admin, execute the following commands using a client bundle:

docker trust inspect $(docker images | awk '{print $1 ":" $2}')

Verify that all image tags in the output have valid signatures.

If the images are not signed, this is a finding.
Fix Text (F-101379r1_fix)
This fix only applies to the UCP component of Docker Enterprise.

Pull and run only signed images on a UCP cluster.

via CLI:

Linux: When using a client bundle, set the "DOCKER_CONTENT_TRUST" environment variable to a value of "1" prior the execution of any of the following commands: docker push, docker build, docker create, docker pull and docker run.