Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-235872 | DKER-EE-006240 | SV-235872r627743_rule | Medium |
| Description |
|---|
| Encrypt data exchanged between containers on different nodes on the overlay network. By default, data exchanged between containers on different nodes on the overlay network is not encrypted. This could potentially expose traffic between the container nodes. |
| STIG | Date |
|---|---|
| Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide | 2021-03-26 |
Details
| Check Text ( C-39091r627741_chk ) |
|---|
| Ensure data exchanged between containers are encrypted on different nodes on the overlay network. via CLI: Linux: As a Docker EE Admin, follow the steps below using a Universal Control Plane (UCP) client bundle: Run the below command and ensure that each overlay network has been encrypted. docker network ls --filter driver=overlay --quiet | xargs docker network inspect --format '{{.Name}} {{ .Options }}' | grep -v "dtr\|interlock map\|ingress map" If the network overlay drivers do not show [com.docker.network.driver.overlay"encrypted:" ask for evidence that encryption is being handled at the application layer, if no evidence of encryption at the network or application layer is provided, this is a finding. |
| Fix Text (F-39054r627742_fix) |
|---|
| Create overlay network with --opt encrypted flag. Example: docker network create --opt encrypted --driver overlay my-network |