Details

Run Docker swarm manager in auto-lock mode.

When Docker restarts, both the TLS key used to encrypt communication among swarm nodes, and the key used to encrypt and decrypt Raft logs on disk, are loaded into each manager node’s memory. Protect the mutual TLS encryption key and the key used to encrypt and decrypt Raft logs at rest. This protection could be enabled by initializing swarm with –autolock flag.

With –autolock enabled, when Docker restarts, unlock the swarm first, using a key encryption key generated by Docker when the swarm was initialized.

Solution

If initializing swarm, use the below command.

docker swarm init –autolock
If setting –autolock on an existing swarm manager node, use the below command.

docker swarm update –autolock

Supportive Information

The following resource is also helpful.

• https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-UNIX_V2R1_STIG.zip

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication.This control applies to the following type of system Unix.

References

• 800-53|IA-5(2)(b)
• CAT|II
• CCI|CCI-000186
• Rule-ID|SV-235823r627596_rule
• STIG-ID|DKER-EE-002400
• STIG-Legacy|SV-105141
• STIG-Legacy|V-96003
• Vuln-ID|V-235823

Source

• Tenable.com/audits