Skip to content

I - Mission Critical Public

Rules and Groups employed by this XCCDF Profile

  • SRG-APP-000454

    <GroupDescription></GroupDescription>
    Group
  • Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.

    &lt;VulnDiscussion&gt;When upgrading either the UCP or DTR components of Docker Enterprise, the newer images are pulled (or unpacked if offline) on...
    Rule Medium Severity
  • SRG-APP-000475

    <GroupDescription></GroupDescription>
    Group
  • Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.

    &lt;VulnDiscussion&gt;The Universal Control Plane (UCP) and DTR components of Docker Enterprise can be used in concert to perform an integrity chec...
    Rule Medium Severity
  • SRG-APP-000485

    <GroupDescription></GroupDescription>
    Group
  • Docker Content Trust enforcement must be enabled in Universal Control Plane (UCP).

    &lt;VulnDiscussion&gt;The UCP and Docker Trusted Registry (DTR) components of Docker Enterprise can be used in concert with built-in audit logging ...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Docker Swarm must have the minimum number of manager nodes.

    &lt;VulnDiscussion&gt;Ensure that the minimum number of required manager nodes is created in a swarm. Manager nodes within a swarm have control ov...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Docker Enterprise Swarm manager auto-lock key must be rotated periodically.

    &lt;VulnDiscussion&gt;Rotate swarm manager auto-lock key periodically. Swarm manager auto-lock key is not automatically rotated. Rotate them perio...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).

    &lt;VulnDiscussion&gt;Rotate swarm node certificates as appropriate. Docker Swarm uses mutual TLS for clustering operations amongst its nodes. Cer...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Docker Enterprise docker.service file ownership must be set to root:root.

    &lt;VulnDiscussion&gt;Verify that the docker.service file ownership and group-ownership are correctly set to root. docker.service file contains se...
    Rule High Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.

    &lt;VulnDiscussion&gt;Verify that the docker.service file permissions are correctly set to 644 or more restrictive. docker.service file contains s...
    Rule Medium Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Docker Enterprise docker.socket file ownership must be set to root:root.

    &lt;VulnDiscussion&gt;Verify that the docker.socket file ownership and group ownership is correctly set to root. docker.socket file contains sensi...
    Rule High Severity
  • SRG-APP-000516

    <GroupDescription></GroupDescription>
    Group
  • Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.

    &lt;VulnDiscussion&gt;Verify that the docker.socket file permissions are correctly set to 644 or more restrictive. docker.socket file contains sen...
    Rule Medium Severity

The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.

Capacity
Modules