
Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.


Overview

Finding ID: V-235826
Version: DKER-EE-002660
Rule ID: SV-235826r627605_rule
IA Controls: none listed
Severity: Medium
Description
By leveraging Docker Secrets or Kubernetes secrets to store configuration files and small amounts of user-generated data (up to 500 kb in size), the data is encrypted at rest by the Engine's FIPS-validated cryptography.
STIG: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
Date: 2021-03-26

Details

Check Text (C-39045r627603_chk)
Review the System Security Plan (SSP), identify the applications that leverage configuration files and/or small amounts of user-generated data, and ensure that data is stored in Docker Secrets or Kubernetes Secrets.

Using a Universal Control Plane (UCP) client bundle, list the secrets that exist in the cluster by executing the following command:

docker secret ls

Confirm that each containerized application identified in the SSP as utilizing Docker Secrets has a corresponding secret configured. A listed secret only shows that it exists in the swarm; the application's service must also reference it, otherwise the secret is never delivered to the container.
If the SSP requires Docker Secrets be used but the containerized application does not use Docker Secrets, this is a finding.
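The following script is an added example and is not part of the STIG or of Docker's documentation. It automates the check above for Swarm services: every service/secret pair in a hypothetical SSP list must appear in docker secret ls, and the service must reference the secret (read from Spec.TaskTemplate.ContainerSpec.Secrets via docker service inspect), because a secret that is created but never attached to a service is not mounted into any container. Without --live it runs against constructed sample output so it can be tried offline; the service names, secret names and the SSP list are assumptions.

```shell
#!/bin/sh
# Audit Docker Swarm secrets against the SSP's required list.
# Added example for DKER-EE-002660; not part of the STIG or of Docker.
# Usage: ./check_secrets.sh --live   (from a shell with a UCP client bundle loaded)
#        ./check_secrets.sh          (runs against the constructed sample data below)

# Hypothetical SSP requirements: "service secret" pairs, one per line (an assumption).
SSP_REQUIRED='web db_password
web tls_key
api api_token'

# Live data sources. Each prints one secret name per line.
list_secrets_live() { docker secret ls --format '{{.Name}}'; }
service_secrets_live() {
  docker service inspect --format \
    '{{range .Spec.TaskTemplate.ContainerSpec.Secrets}}{{.SecretName}}{{"\n"}}{{end}}' "$1"
}

# Constructed sample data standing in for the two live commands.
list_secrets_sample() { printf 'db_password\ntls_key\n'; }
service_secrets_sample() {
  case "$1" in
    web) printf 'db_password\n' ;;  # tls_key exists but web never mounts it
    *)   : ;;                       # api references no secrets at all
  esac
}

# has_line NAME LIST: succeeds when NAME is a whole line of LIST (fixed-string match).
has_line() { printf '%s\n' "$2" | grep -qxF -- "$1"; }

# audit LIST_FN SVC_FN: one line per SSP pair, "OK svc/secret" or "FINDING svc/secret: reason".
audit() {
  list_fn=$1; svc_fn=$2
  all_secrets=$("$list_fn")
  printf '%s\n' "$SSP_REQUIRED" | while read -r svc secret; do
    [ -n "$svc" ] || continue
    if ! has_line "$secret" "$all_secrets"; then
      printf 'FINDING %s/%s: secret not created\n' "$svc" "$secret"
    elif ! has_line "$secret" "$("$svc_fn" "$svc")"; then
      printf 'FINDING %s/%s: service does not reference the secret\n' "$svc" "$secret"
    else
      printf 'OK %s/%s\n' "$svc" "$secret"
    fi
  done
}

# finding_count LIST_FN SVC_FN: number of FINDING lines produced by audit.
finding_count() { audit "$1" "$2" | awk '/^FINDING/ { n++ } END { print n + 0 }'; }

case "${1:-}" in
  --live) LIST=list_secrets_live; SVC=service_secrets_live ;;
  *)      LIST=list_secrets_sample; SVC=service_secrets_sample ;;
esac
audit "$LIST" "$SVC"
printf 'findings: %s\n' "$(finding_count "$LIST" "$SVC")"
```

On the sample data the script reports two findings: tls_key exists but the web service does not reference it, and api_token was never created. In live mode the reference check relies on the Secrets list that docker service create --secret populates; a referenced secret is delivered to the task on a tmpfs under /run/secrets/ rather than written to the container's filesystem. Kubernetes Secrets are outside this script and must be checked separately.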
Fix Text (F-39008r627604_fix)
For all containerized applications that leverage configuration files and/or small amounts of user-generated data, store that data in Docker Secrets.

All secrets should be created and managed using a UCP client bundle.

A reference for the use of docker secrets can be found at https://docs.docker.com/engine/swarm/secrets/.