Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-235874 | DKER-EE-006280 | SV-235874r627749_rule | Medium |
Description |
---|
By default docker UCP is configured to use TLS v1.2, if this setting is misconfigured, older protocols containing security weaknesses could be utilized. TLS requires a handshake between client and server which is where the TLS version utilized in the connection is negotiated. For DoD use cases, all TLS must be at version 1.2. |
STIG | Date |
---|---|
Docker Enterprise 2.x Linux/UNIX Security Technical Implementation Guide | 2021-03-26 |
Check Text ( C-39093r627747_chk ) |
---|
This check only applies to the UCP component of Docker Enterprise. Via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml Look for the "min_TLS_version =" entry under the "[cluster_config]" section in the output, and verify that it is set to "TLSv1.2". If the "min_TLS_version" entry under the "[cluster_config]" section in the output is not set to "TLSv1.2", then this is a finding. |
Fix Text (F-39056r627748_fix) |
---|
This fix only applies to the UCP component of Docker Enterprise. via CLI: Linux (requires curl and jq): As a Docker EE Admin, execute the following commands from a machine that can communicate with the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with the password of a UCP administrator. AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token) curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml Open the "ucp-config.toml" file under the "[cluster_config]" section set "min_TLS_version = TLSv1.2". Save the file. Execute the following commands to update UCP with the new configuration: curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml |