DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-file

Information

By default, the UCP and DTR components of Docker Enterprise leverage the 'json-file' Engine logging driver. This driver has configurable 'max-size' and 'max-file' options which are applicable in the context of this control. The 'max-size' option defines the maximum size of the log before it is rolled. By default it is set to 'unlimited' and is never rolled. The 'max-file' option defines the maximum number of log files that can be present whereby if rolling the logs creates excess files, the oldest file is removed. This setting is only effective when 'max-size' is also set. By default, 'max-file' is set to '1'.

The Docker Engine - Enterprise audit logs are stored in default locations according to the chart on this site https://docs.docker.com/config/daemon/#read-the-logs. For the Engine's daemon logs, allocate sufficient storage for the default log locations on the underlying host operating system per the requirements set forth by the SSP.

Solution

This fix only applies to the Docker Engine - Enterprise component of Docker Enterprise.

via CLI:

Linux: Execute the following commands as a trusted user on the host operating system:

Open '/etc/docker/daemon.json' for editing. If the file doesn't exist, it must be created.

Set the 'log-opts' object and its 'max-size' and 'max-file' properties according to values defined in the SSP.

Save the file. Restart the Docker daemon.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Docker_Enterprise_2-x_Linux-Unix_V2R2_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CAT|II, CCI|CCI-001849, Rule-ID|SV-235832r961392_rule, STIG-ID|DKER-EE-003310, STIG-Legacy|SV-104835, STIG-Legacy|V-95697, Vuln-ID|V-235832

Plugin: Unix

Control ID: c75f03b89bcb0aa5bcc432e40919a75c2ac94eb7cd884a693ca9bc0b4b248005