DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes. - docker info .SecurityOptions

Information

When FIPS mode is enabled on a Docker Engine - Enterprise node, it uses FIPS-validated cryptography to protect the confidentiality of remote access sessions to any bound TCP sockets with TLS enabled and configured. FIPS mode in Docker Engine - Enterprise is automatically enabled when FIPS mode is also enabled on the underlying host operating system.

This control is only configurable for the Docker Engine - Enterprise component of Docker Enterprise as only the Engine includes FIPS-validated cryptography. Neither Universal Control Plane (UCP) nor Docker Trusted Registry (DTR) include FIPS-validated cryptography at this time. However, both UCP and DTR will include FIPS-validated cryptography in a future release. Therefore, for UCP/DTR this control is applicable but not yet met.

Satisfies: SRG-APP-000015, SRG-APP-000231, SRG-APP-000014, SRG-APP-000570, SRG-APP-000395, SRG-APP-000514, SRG-APP-000416, SRG-APP-000156, SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000411, SRG-APP-000412, SRG-APP-000555, SRG-APP-000635

Solution

Enable FIPS mode on the host operating system. Start the Engine after FIPS mode is enabled on the host to automatically enable FIPS mode on the Engine.

FIPS mode can also be enabled by explicitly setting the DOCKER_FIPS=1 environment variable in an active terminal session prior to the execution of any Docker commands.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-UNIX_V1R1_STIG.zip

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-2(8), 800-53|IA-3(1), 800-53|IA-5(1), 800-53|IA-7, 800-53|MA-4(6), 800-53|SC-13, 800-53|SC-23(3), 800-53|SC-28, CAT|I, CCI|CCI-000068, CCI|CCI-000197, CCI|CCI-000803, CCI|CCI-001188, CCI|CCI-001199, CCI|CCI-001453, CCI|CCI-001941, CCI|CCI-001967, CCI|CCI-002450, CCI|CCI-002890, CCI|CCI-003123, Rule-ID|SV-104697r1_rule, STIG-ID|DKER-EE-001070, Vuln-ID|V-94867

Plugin: Unix

Control ID: b45b8975e84eb481ee9338cdb02c57922d5e7c627e3c2db8942c1123d4f778da