
Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise.


Overview

Finding ID: V-235826
Version: DKER-EE-002660
Rule ID: SV-235826r627605_rule
IA Controls: (none listed)
Severity: Medium
Description
By leveraging Docker Secrets or Kubernetes secrets to store configuration files and small amounts of user-generated data (up to 500 kb in size), the data is encrypted at rest by the Engine's FIPS-validated cryptography.
STIG: Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide
Date: 2021-03-26

Details

Check Text ( C-39045r627603_chk )
Review the System Security Plan (SSP) and identify applications that leverage configuration files and/or small amounts of user-generated data. Ensure that this data is stored in Docker Secrets or Kubernetes Secrets.

Using a Universal Control Plane (UCP) client bundle, verify that secrets are in use by executing the following command:

docker secret ls

Confirm containerized applications identified in SSP as utilizing Docker secrets have a corresponding secret configured.
If the SSP requires Docker secrets be used but the containerized application does not use Docker secrets, this is a finding.
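The check above compares what the SSP requires against what `docker secret ls` reports. The following POSIX shell helper, an added example that is not part of the STIG or Docker's own tooling, automates that comparison; it assumes the SSP-required secret names are supplied one per line and that the observed names come from `docker secret ls --format '{{.Name}}'` run through a UCP client bundle. The sample data in the block is constructed.

```shell
#!/bin/sh
# Added helper for DKER-EE-002660 (not from the STIG or Docker).
# Assumptions: required secret names come from the SSP, one per line;
# observed names come from: docker secret ls --format '{{.Name}}'

# Print every SSP-required secret that is absent from the observed list.
# Returns 0 when nothing is missing, 1 when at least one is missing
# (which is a finding under this rule).
missing_secrets() {
    required="$1"   # newline-separated names taken from the SSP
    observed="$2"   # newline-separated output of docker secret ls
    status=0
    for name in $required; do
        # -x: whole-line match, so "app1_db" does not satisfy "app1_db_password"
        if ! printf '%s\n' "$observed" | grep -qx -- "$name"; then
            echo "$name"
            status=1
        fi
    done
    return $status
}

# Constructed sample data standing in for the SSP list and the live output.
SSP_SECRETS="app1_db_password
app1_tls_cert
app2_api_key"
OBSERVED_SECRETS="app1_db_password
app1_tls_cert
unrelated_secret"

if missing=$(missing_secrets "$SSP_SECRETS" "$OBSERVED_SECRETS"); then
    echo "No finding: every SSP-required secret exists in the cluster"
else
    echo "FINDING: secrets required by the SSP but not present:"
    echo "$missing"
fi
```

For a live check, replace `OBSERVED_SECRETS` with the output of `docker secret ls --format '{{.Name}}'` under the UCP client bundle; a missing secret is created with `docker secret create <name> <file>` and attached to a service with `docker service create --secret <name> ...`.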
Fix Text (F-39008r627604_fix)
For all containerized applications that leverage configuration files and/or small amounts of user-generated data, store that data in Docker Secrets.

All secrets should be created and managed using a UCP client bundle.

A reference for the use of Docker secrets can be found at https://docs.docker.com/engine/swarm/secrets/.