UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Docker Enterprise data exchanged between Linux containers on different nodes must be encrypted on the overlay network.


Overview

Finding ID Version Rule ID IA Controls Severity
V-235872 DKER-EE-006240 SV-235872r627743_rule Medium
Description
Encrypt data exchanged between containers on different nodes on the overlay network. By default, data exchanged between containers on different nodes on the overlay network is not encrypted. This could potentially expose traffic between the container nodes.
STIG Date
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide 2021-03-26

Details

Check Text ( C-39091r627741_chk )
Ensure data exchanged between containers are encrypted on different nodes on the overlay network.

via CLI:

Linux: As a Docker EE Admin, follow the steps below using a Universal Control Plane (UCP) client bundle:

Run the below command and ensure that each overlay network has been encrypted.

docker network ls --filter driver=overlay --quiet | xargs docker network inspect --format '{{.Name}} {{ .Options }}' | grep -v "dtr\|interlock map\|ingress map"

If the network overlay drivers do not show [com.docker.network.driver.overlay"encrypted:" ask for evidence that encryption is being handled at the application layer, if no evidence of encryption at the network or application layer is provided, this is a finding.
Fix Text (F-39054r627742_fix)
Create overlay network with --opt encrypted flag.

Example:
docker network create --opt encrypted --driver overlay my-network