
FIPS mode must be enabled.


Overview

Finding ID: V-260908
Version: CNTR-MK-000870
Rule ID: SV-260908r966081_rule
IA Controls: (none listed)
Severity: High
Description
During any user authentication, MKE must use FIPS-validated SHA-2 or later hashing to protect the integrity of the password authentication process. FIPS mode enforces the use of validated cryptographic algorithms and modules. This ensures a higher level of cryptographic security, reducing the risk of vulnerabilities related to cryptographic functions. FIPS-compliant cryptographic modules are designed to provide strong protection for sensitive data. Enabling FIPS mode helps safeguard cryptographic operations, securing data both at rest and in transit within containerized applications.
STIG: Mirantis Kubernetes Engine Security Technical Implementation Guide
Date: 2024-04-10

Details

Check Text (C-64637r966079_chk)
On the MKE controller, verify FIPS mode is enabled.

Execute the following command through the CLI:

docker info

The "Security Options" section of the output must show a "fips" label. This indicates that, when configured, the remotely accessible MKE UI uses FIPS-validated digital signatures together with an approved hash function to protect the integrity of remote access sessions.

If the "fips" label is not shown in the "Security Options" section, then this is a finding.
Fix Text (F-64545r966080_fix)
If the operating system has FIPS enabled, FIPS mode is enabled by default in MCR (Mirantis Container Runtime). The preferred method is to ensure FIPS mode is set on the operating system prior to installation.

If a change is required on a deployed system, create the directory if it does not exist by executing the following:

mkdir -p /etc/systemd/system/docker.service.d/

Create a file called /etc/systemd/system/docker.service.d/fips-module.conf and add the following:

[Service]
Environment="DOCKER_FIPS=1"

Reload the Docker configuration to systemd by executing the following:

sudo systemctl daemon-reload

Restart the Docker service by executing the following:

sudo systemctl restart docker
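A small POSIX shell script, added here and not part of the STIG, that automates the check above (a "fips" entry under "Security Options" in the docker info output) and the documented fix (the DOCKER_FIPS=1 drop-in, daemon-reload and restart). The indentation layout of docker info output, the function names and the sample output are assumptions.

```shell
#!/bin/sh
# Added example, not part of the STIG text: automate the CNTR-MK-000870
# check (a "fips" entry under "Security Options" in `docker info`) and the
# documented fix (DOCKER_FIPS=1 in a systemd drop-in for docker.service).
# Assumption: `docker info` indents "Security Options:" by one space and
# the entries beneath it by two or more, e.g. (constructed sample):
#    Security Options:
#     seccomp
#      Profile: builtin
#     fips
#    Kernel Version: 5.15.0
DROPIN_DIR=/etc/systemd/system/docker.service.d
DROPIN_FILE=$DROPIN_DIR/fips-module.conf

# Read `docker info` output on stdin; exit 0 if "fips" is listed under
# "Security Options", 1 otherwise. A line indented no deeper than the
# heading ends the section, so "fips" anywhere else is not counted.
fips_from_docker_info() {
    awk '
        function indent(s) { match(s, /^ */); return RLENGTH }
        /^ *Security Options:/ { in_sec = 1; hdr = indent($0); next }
        in_sec && indent($0) <= hdr { in_sec = 0 }
        in_sec && $1 == "fips" { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Run the check on this host; exit 0 when compliant, 1 on a finding.
check_fips() {
    if docker info 2>/dev/null | fips_from_docker_info; then
        echo "CNTR-MK-000870: not a finding (fips listed in Security Options)"
    else
        echo "CNTR-MK-000870: FINDING (no fips label in Security Options)"
        return 1
    fi
}

# Apply the documented fix on a deployed system (needs root): write the
# drop-in, reload systemd, restart Docker.
apply_fix() {
    mkdir -p "$DROPIN_DIR"
    printf '[Service]\nEnvironment="DOCKER_FIPS=1"\n' > "$DROPIN_FILE"
    systemctl daemon-reload
    systemctl restart docker
}

# Usage: `sh fips_check.sh check` or `sh fips_check.sh fix`
case "${1:-}" in
    check) check_fips ;;
    fix)   check_fips || { apply_fix && check_fips; } ;;
esac
```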