II - Mission Support Sensitive
Rules and Groups employed by this XCCDF Profile
-
SRG-APP-000454
Group -
Docker Enterprise older Universal Control Plane (UCP) and Docker Trusted Registry (DTR) images must be removed from all cluster nodes upon upgrading.
When upgrading either the UCP or DTR components of Docker Enterprise, the newer images are pulled (or unpacked if offline) onto Engine nodes in a cluster. Once the upgrade is complete, one must man...Rule Medium Severity -
SRG-APP-000475
Group -
Only trusted, signed images must be stored in Docker Trusted Registry (DTR) in Docker Enterprise.
The Universal Control Plane (UCP) and DTR components of Docker Enterprise can be used in concert to perform an integrity check of organization-defined software at startup. In the context of Docker ...Rule Medium Severity -
SRG-APP-000485
Group -
Docker Content Trust enforcement must be enabled in Universal Control Plane (UCP).
The UCP and Docker Trusted Registry (DTR) components of Docker Enterprise can be used in concert with built-in audit logging capabilities to audit detected potential integrity violations per the re...Rule Medium Severity -
SRG-APP-000516
Group -
Docker Swarm must have the minimum number of manager nodes.
Ensure that the minimum number of required manager nodes is created in a swarm. Manager nodes within a swarm have control over the swarm and change its configuration modifying security parameters....Rule Medium Severity -
SRG-APP-000516
Group -
Docker Enterprise Swarm manager auto-lock key must be rotated periodically.
Rotate swarm manager auto-lock key periodically. Swarm manager auto-lock key is not automatically rotated. Rotate them periodically as a best practice. By default, keys are not rotated automatica...Rule Medium Severity -
SRG-APP-000516
Group -
Docker Enterprise node certificates must be rotated as defined in the System Security Plan (SSP).
Rotate swarm node certificates as appropriate. Docker Swarm uses mutual TLS for clustering operations amongst its nodes. Certificate rotation ensures that in an event such as compromised node or k...Rule Medium Severity -
SRG-APP-000516
Group -
Docker Enterprise docker.service file ownership must be set to root:root.
Verify that the docker.service file ownership and group-ownership are correctly set to root. docker.service file contains sensitive parameters that may alter the behavior of Docker daemon. Hence, ...Rule High Severity -
SRG-APP-000516
Group -
Docker Enterprise docker.service file permissions must be set to 644 or more restrictive.
Verify that the docker.service file permissions are correctly set to 644 or more restrictive. docker.service file contains sensitive parameters that may alter the behavior of Docker daemon. Hence,...Rule Medium Severity -
SRG-APP-000516
Group -
Docker Enterprise docker.socket file ownership must be set to root:root.
Verify that the docker.socket file ownership and group ownership is correctly set to root. docker.socket file contains sensitive parameters that may alter the behavior of Docker remote API. Hence,...Rule High Severity -
SRG-APP-000516
Group -
Docker Enterprise docker.socket file permissions must be set to 644 or more restrictive.
Verify that the docker.socket file permissions are correctly set to 644 or more restrictive. docker.socket file contains sensitive parameters that may alter the behavior of Docker remote API. Henc...Rule Medium Severity
Node 2
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.