DKER-EE-002180 – SAML integration must be enabled in Docker Enterprise.

Details

Both the Universal Control Plane (UCP) and Docker Trusted Registry (DTR) components of Docker Enterprise use the same authentication and authorization backplane, known as eNZi. The eNZi backplane includes its own managed user database and also supports LDAP and SAML integration in UCP and DTR. To meet the requirements of this control, enable and configure SAML integration; LDAP integration is configured through the same backplane and can be used alongside it.

Satisfies: SRG-APP-000149, SRG-APP-000150, SRG-APP-000151, SRG-APP-000152, SRG-APP-000153, SRG-APP-000391, SRG-APP-000392, SRG-APP-000402, SRG-APP-000403, SRG-APP-000404, SRG-APP-000405

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Enable and configure SAML integration in the UCP Admin Settings.

via UI:

In the UCP web console, navigate to 'Admin Settings' | 'Authentication & Authorization', set 'SAML Enabled' to 'Yes' and properly configure the SAML settings.

via CLI:

Linux (requires curl and jq): As a Docker EE administrator, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with the UCP URL, [ucp_username] with the username of a UCP administrator and [ucp_password] with that administrator's password. The JSON body uses double-quoted field names, and the Authorization header must be in double quotes so that the shell expands $AUTHTOKEN. Note that -k disables TLS certificate verification; replace it with --cacert and the UCP CA bundle where that is available.

AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml

Open the 'ucp-config.toml' file. Set the 'samlEnabled' entry under the '[auth]' section to 'true'. Set the 'idpMetadataURL' and 'spHost' entries under the '[auth.saml]' section to appropriate values per the UCP configuration options as documented at https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/#authsaml-optional. Save the file.

Execute the following commands to update UCP with the new configuration:

curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
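The CLI procedure above as a single script, added here as an example and not taken from the STIG or from Docker's documentation. It keeps the same API calls but fixes the shell quoting, edits the [auth] and [auth.saml] keys in the downloaded TOML in place, and then re-reads the live configuration to confirm that samlEnabled is true, which is the condition a manual audit of this control would check. The IdP metadata URL, SP host and the UCP config excerpt used for the offline dry run are constructed placeholders, and the TOML editing assumes the one-key-per-line layout that UCP emits.

```shell
#!/bin/sh
# Added example (not part of the STIG text or Docker's documentation): scripts the
# CLI remediation end to end, then re-reads the config to check samlEnabled = true.
# Assumes the one-key-per-line TOML layout UCP emits; IdP URL and SP host are placeholders.
set -e

# set_toml_key FILE SECTION KEY VALUE: set KEY under [SECTION], appending it if absent.
# VALUE is inserted verbatim, so pass TOML strings with their quotes: '"https://..."'.
set_toml_key() {
  awk -v sec="$2" -v key="$3" -v val="$4" '
    function emit_missing() { if (insec && !done) { print "  " key " = " val; done = 1 } }
    /^[[:space:]]*\[/ {                      # section header: finish the previous section
      emit_missing(); s = $0
      sub(/^[[:space:]]*\[/, "", s); sub(/[]][[:space:]]*$/, "", s)
      insec = (s == sec); done = 0
      print; next
    }
    insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {   # existing key: rewrite in place
      match($0, /^[[:space:]]*/)
      print substr($0, 1, RLENGTH) key " = " val; done = 1; next
    }
    { print }
    END { emit_missing() }
  ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# get_toml_key FILE SECTION KEY: print the value of KEY under [SECTION], quotes stripped.
get_toml_key() {
  awk -v sec="$2" -v key="$3" '
    /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/[]][[:space:]]*$/, "", s); insec = (s == sec); next }
    insec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
      sub(/^[^=]*=[[:space:]]*/, ""); gsub(/^"|"$/, ""); print; exit
    }
  ' "$1"
}

# apply_remediation UCP_URL ADMIN_USER ADMIN_PASS IDP_METADATA_URL SP_HOST
# Same endpoints as the STIG procedure; the JSON body is built by jq and the Authorization
# header is double-quoted so $token expands. -k skips TLS verification as in the STIG text;
# prefer --cacert with the UCP CA bundle once it is available.
apply_remediation() {
  token=$(jq -cn --arg u "$2" --arg p "$3" '{username: $u, password: $p}' \
          | curl -sk -d @- "https://$1/auth/login" | jq -r .auth_token)
  curl -sk -H "Authorization: Bearer $token" "https://$1/api/ucp/config-toml" > ucp-config.toml
  set_toml_key ucp-config.toml auth samlEnabled true
  set_toml_key ucp-config.toml auth.saml idpMetadataURL "\"$4\""
  set_toml_key ucp-config.toml auth.saml spHost "\"$5\""
  curl -sk -H "Authorization: Bearer $token" --upload-file ucp-config.toml "https://$1/api/ucp/config-toml"
  # Audit step: re-read the live configuration instead of trusting the upload.
  curl -sk -H "Authorization: Bearer $token" "https://$1/api/ucp/config-toml" > ucp-config.live.toml
  [ "$(get_toml_key ucp-config.live.toml auth samlEnabled)" = "true" ]
}

# Constructed excerpt of a UCP config file (not captured from a real cluster) for an offline dry run.
make_sample_config() {
  cat > "$1" <<'EOF'
[auth]
  backend = "managed"
  default_new_user_role = "restricted-control"
  samlEnabled = false
  [auth.sessions]
    lifetime_minutes = 60
  [auth.saml]
    idpMetadataURL = ""
    spHost = ""
EOF
}

# dry_run: edit the constructed file exactly as apply_remediation would and print samlEnabled.
dry_run() {
  f=$(mktemp)
  make_sample_config "$f"
  set_toml_key "$f" auth samlEnabled true
  set_toml_key "$f" auth.saml idpMetadataURL '"https://idp.example.com/metadata"'  # placeholder IdP
  set_toml_key "$f" auth.saml spHost '"ucp.example.com"'                            # placeholder UCP host
  get_toml_key "$f" auth samlEnabled
  rm -f "$f"
}

dry_run   # prints "true"; call apply_remediation with real arguments against a cluster
```

Against a real cluster, call apply_remediation with the UCP URL, an administrator's credentials, the IdP metadata URL and the UCP hostname; its exit status is the audit result, since it only succeeds when the configuration read back from UCP has samlEnabled set to true. Keep the downloaded ucp-config.toml out of version control and shared storage, as it contains the rest of the cluster's authentication settings.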

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Identification and Authentication. This control applies to the following type of system: Unix.

Updated on July 16, 2022