diff --git a/.gitignore b/.gitignore
index 9be03bd..c6f5093 100644
--- a/.gitignore
+++ b/.gitignore
@@ -208,4 +208,168 @@ jspm_packages
*.tgz
# Yarn Integrity file
-.yarn-integrity
\ No newline at end of file
+.yarn-integrity
+
+### Ruby ###
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+# Used by dotenv library to load environment variables.
+# .env
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+### RubyMine ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# CMake
+cmake-build-debug/
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### RubyMine+all ###
+# Covers JetBrains IDEs: IntelliJ, RubyMine, PhpStorm, AppCode, PyCharm, CLion, Android Studio and Webstorm
+# Reference: https://intellij-support.jetbrains.com/hc/en-us/articles/206544839
+
+# User-specific stuff:
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/dictionaries
+
+# Sensitive or high-churn files:
+.idea/**/dataSources/
+.idea/**/dataSources.ids
+.idea/**/dataSources.xml
+.idea/**/dataSources.local.xml
+.idea/**/sqlDataSources.xml
+.idea/**/dynamic.xml
+.idea/**/uiDesigner.xml
+
+# Gradle:
+.idea/**/gradle.xml
+.idea/**/libraries
+
+# CMake
+cmake-build-debug/
+
+# Mongo Explorer plugin:
+.idea/**/mongoSettings.xml
+
+## File-based project format:
+*.iws
+
+## Plugin-specific files:
+
+# IntelliJ
+/out/
+
+# mpeltonen/sbt-idea plugin
+.idea_modules/
+
+# JIRA plugin
+atlassian-ide-plugin.xml
+
+# Cursive Clojure plugin
+.idea/replstate.xml
+
+# Crashlytics plugin (for Android Studio and IntelliJ)
+com_crashlytics_export_strings.xml
+crashlytics.properties
+crashlytics-build.properties
+fabric.properties
+
+### RubyMine+all Patch ###
+# Ignores the whole idea folder
+# See https://github.com/joeblau/gitignore.io/issues/186 and https://github.com/joeblau/gitignore.io/issues/360
+
+.idea/
+
+
+profile-attribute.yml
+ucp-bundle*
\ No newline at end of file
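Review bot: the `### RubyMine ###` block and the `### RubyMine+all ###` block are byte-for-byte duplicates, and the `.idea/` entry added under `### RubyMine+all Patch ###` already covers every `.idea/**` pattern above it, so both blocks can be collapsed to that single `.idea/` line. The two repo-specific entries at the end, `profile-attribute.yml` and `ucp-bundle*`, are the only patterns in the file without a section comment; every other group carries one, so add a short header stating what these files are and why they must stay out of the repository. Also `# .env` stays commented out while the dotenv comment above it suggests it is handled, so environment files are not actually ignored; make that decision explicit rather than leaving it ambiguous.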
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 87bc267..9b3335a 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -4,10 +4,10 @@ By licensing this project under the CC0 Public Domain, we've made it easy to mak
## Reporting issues
-Much of this content is based on the existing documentation provided at https://docs.docker.com/. Bear in mind that this repository is not meant to house issues specific to the Docker docs site. Please refer to the public source repo at https://github.com/docker/docker.github.io for any issues related to those docs.
+Much of this content is based on the existing documentation provided at https://docs.docker.com/. Bear in mind that this repository is not meant to house issues specific to the Docker docs site. Please refer to the public source repo at https://github.com/docker/docker.github.io for any issues related to those docs. We do, however, maintain a subset of compliance documentation for docs.docker.com in the [`docs/`](https://github.com/docker/compliance/tree/17.06/docs/compliance) directory. Issues related to those docs can be submitted in this repository.
-Instead, this project should be used to report issues specific to wording in the narratives, typos, bugs in the nlp tool, and/or content/feature requests.
+This project should be used to report issues specific to wording in the narratives, typos, bugs in any of the tooling, and/or content/feature requests.
## Submitting pull requests
-To keep things simple, we're encouraging folks to adopt the forking workflow. Pull requests should be submitted on a separate branch from your own fork of the repository. Any updates and commentary should be clear and concise. If you're looking to make changes to the `component.yaml` files, please try to limit each narrative's text block line length to 80 characters. There are various tools and editor extensions that can help automate this.
\ No newline at end of file
+To keep things simple, we're encouraging folks to adopt the forking workflow. Pull requests should be submitted on a separate branch from your own fork of the repository. Any updates and commentary should be clear and concise. If you're looking to make changes to the `component.yaml` files, please try to limit each narrative's text block line length to 80 characters. There are various tools and editor extensions that can help automate this.
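Review bot: in the first added paragraph the link text reads [`docs/`] but the target is `tree/17.06/docs/compliance`, so text and path disagree, and the URL is pinned to the `17.06` branch while the README in this same change moves to relative links; use a relative link such as [`docs/compliance/`](docs/compliance) so it follows whichever branch the reader has checked out. The last hunk line only restores the missing trailing newline, which is fine.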
diff --git a/README.md b/README.md
index ebb8cb8..ebf85a0 100644
--- a/README.md
+++ b/README.md
@@ -1,59 +1,111 @@
# Docker Enterprise Edition Compliance Controls [![CircleCI](https://circleci.com/gh/docker/compliance/tree/master.svg?style=svg&circle-token=daeaf5acd7ac08000ea727cbf8ec9baa8ded8da4)](https://circleci.com/gh/docker/compliance/tree/master) [![codecov](https://codecov.io/gh/docker/compliance/branch/master/graph/badge.svg?token=WiRPQcno3c)](https://codecov.io/gh/docker/compliance)
-****Updates for the 17.06 release (UCP 2.2/DTR 2.3) are being developed in the [`17.06`](https://github.com/docker/compliance/tree/17.06) branch**
+This repository contains compliance information and complementary tooling for [Docker Enterprise Edition (EE)](https://www.docker.com/enterprise-edition) as it pertains to [NIST 800-53](https://nvd.nist.gov/800-53) Rev. 4 security controls at the [FedRAMP](https://www.fedramp.gov/) Moderate and High baselines. This data adheres to the [OpenControl](http://open-control.org/) schema for building compliance documentation and can be used to support your own authority to operate (ATO) review process. The system security plan (SSP) documentation that can be generated from this content can be used to assist your organization in authorizing Docker Enterprise Edition on both on-premises/private cloud infrastructures and in public cloud providers.
-This repository contains compliance information for [Docker Enterprise Edition (EE)](https://www.docker.com/enterprise-edition) at the Basic, Standard and Advanced tiers as it pertains to NIST-800-53 Rev 4 security controls at the [FedRAMP](https://www.fedramp.gov/) Moderate and High baselines. This data adheres to the [OpenControl](http://open-control.org/) schema for building compliance documentation and can be used to support your own authority to operate (ATO) review process. The documentation generated from this content can be used to assist your organization in authorizing Docker Enterprise Edition in both on-premises/private cloud infrastructure and in public cloud providers.
+> **DISCLAIMER:** This content is provided for informational purposes only and has not been vetted by any third-party security assessors. You are solely responsible for developing, implementing, and managing your applications and/or subscriptions running on your own platform in compliance with applicable laws, regulations, and contractual obligations. The documentation is provided "as-is" and without any warranty of any kind, whether express, implied or statutory, and Docker, Inc. expressly disclaims all warranties for non-infringement, merchantability or fitness for a particular purpose.
-> This content is provided for informational purposes only and has not been vetted by any third-party security assessors. You are solely responsible for developing, implementing, and managing your applications and/or subscriptions running on your own platform in compliance with applicable laws, regulations, and contractual obligations. The documentation is provided "as-is" and without any warranty of any kind, whether express, implied or statutory, and Docker, Inc. expressly disclaims all warranties for non-infringement, merchantability or fitness for a particular purpose.
+## Overview
-Docker also provides pre-built System Security Plan (SSP) templates for authorizing Docker Enterprise Edition on various FedRAMP P-ATO'd IaaS providers, as indicated in the table below. These can be obtained by contacting [compliance@docker.com](mailto:compliance@docker.com). These templates are **not** the official cloud providers' SSP templates but rather show both the controls inherited from that IaaS provider's P-ATO and the controls applicable to Docker Enterprise Edition. When conducting an ATO, it is still your responsibility to request the provider's official SSP package as appropriate and conduct your own security analysis.
+In order to satisfy the entirety of applicable security controls included in this repository, you must have installed all of the components of Docker Enterprise Edition Advanced. This includes Docker EE Engine, Docker Trusted Registry and Universal Control Plane. Each component is associated with a single `component.yaml` text file which contains the pre-written security narratives. These components, and the versions at which the security narratives are currently based, are listed in the table below:
-|Provider|Format|Baselines|Status|
-|--------|------|---------|------|
-|[Microsoft Azure Government](https://azure.microsoft.com/en-us/overview/clouds/government/)|[Azure Blueprint](https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-plan-compliance) (.docx)|Moderate
High
DoD L4
DoD L5|Available
Coming Soon
Coming Soon
Coming Soon|
-|[AWS GovCloud](https://aws.amazon.com/govcloud-us/)|TBD|Moderate|Coming soon|
+|Component Name|Folder|Version|
+|--------------|------|-------|
+|Docker EE Engine|[`opencontrol/components/Engine-EE/`](opencontrol/components/Engine-EE)|17.06-ee|
+|Docker Trusted Registry (DTR)|[`opencontrol/components/DTR/`](opencontrol/components/DTR)|2.3|
+|Docker Security Scanning (DSS)|[`opencontrol/components/DSS/`](opencontrol/components/DSS)|2.3|
+|Universal Control Plane (UCP)|[`opencontrol/components/UCP/`](opencontrol/components/UCP)|2.2|
+|Authentication and Authorization Service (eNZi)|[`opencontrol/components/eNZi/`](opencontrol/components/eNZi)|2.2|
-Note that even if a pre-built template for Docker EE is not available for your chosen cloud provider, you can still use the OpenControl-formatted content in this repository to generate your own SSP templates. Much of the content in this repository is identical to that which is provided in the pre-built templates.
+> **NOTE:** Both the UCP and DTR components leverage the eNZi service component for authentication and authorization across an entire Docker Enterprise Edition Advanced cluster.
-## Usage
+You can download this security content for previously released versions of Docker EE, UCP and DTR on our [Releases](https://github.com/docker/compliance/releases) page.
-In order to generate the documentation appropriate to your system, you can either download and install the [Compliance Masonry](https://github.com/opencontrol/compliance-masonry/) command-line tool on to your local workstation or run the official [Compliance Masonry Docker image](https://store.docker.com/community/images/opencontrolorg/compliance-masonry) at the root of the `examples/opencontrol/DockerEE-Moderate-ATO` directory as follows:
+### Roles and responsibilities matrix
-```sh
-docker run --rm -v "$PWD":/opencontrol -w /opencontrol opencontrolorg/compliance-masonry get
-docker run --rm -v "$PWD":/opencontrol -w /opencontrol opencontrolorg/compliance-masonry docs gitbook FedRAMP-moderate
-```
+One or more control originations have been denoted for each component security control. These roles have been defined as follows:
- Refer to the Compliance Masonry [usage instructions](https://github.com/opencontrol/compliance-masonry/blob/master/docs/usage.md) for more info on the various CLI options. The [`examples/DockerEE-Moderate-ATO`](https://github.com/docker/compliance/tree/master/examples/opencontrol/DockerEE-Moderate-ATO) directory contains an example use of this tooling.
+|Control Origination|Definition|Example|
+|-------------------|----------|-------|
+|Service provider corporate|A control that originates from agency's corporate network|DNS from the corporate network provides address resolution services for the information system and the service offering|
+|Docker EE system|A control specific to Docker EE|Docker EE LDAP configuration|
+|Service provider hybrid|A control that makes use of both corporate controls and additional controls specific to Docker EE|There are scans of the corporate network infrastructure; scans of Docker images via DTR would be included|
+|Configured by customer|A control where the Docker EE end-user's application needs to apply a configuration in order to meet the control requirement|User profiles, policy/audit configurations, enable/disabling key switches (e.g., enable/disable http or https, etc), entering an IP range specific to the end-user's organization are configurable by the customer|
+|Provided by customer|A control where the Docker EE end-user's application needs to provide additional hardware or software in order to meet the control requirement|The customer provides a SAML SSO solution to implement two-factor authentication|
+|Shared|A control that is managed and implemented partially by the Docker EE system and partially by the Docker EE end-user|Security awareness training must be conducted by both the Docker EE operators and end-users|
+|Inherited from pre-existing Provisional Authorization|A control that is inherited from another CSP system that has already received a Provisional Authorization|Docker EE inherites PE controls from an IaaS provider|
-In order to meet all of the applicable security controls included in this repository, you must have Docker Enterprise Edition at the Advanced tier and at the versions specified in the table below. The control guidance is separated in to the following components:
+## Generating SSP docs for Docker EE
-|Component Name|Folder|Version|
-|--------------|------|-------|
-|Docker EE Engine|[`opencontrol/components/Engine-EE/`](https://github.com/docker/compliance/tree/master/opencontrol/components/Engine-EE)|17.03.0-ee|
-|Docker Trusted Registry (DTR)|[`opencontrol/components/DTR/`](https://github.com/docker/compliance/tree/master/opencontrol/components/DTR)|2.2|
-|Docker Security Scanning (DSS)|[`opencontrol/components/DSS/`](https://github.com/docker/compliance/tree/master/opencontrol/components/DSS)|2.2|
-|Universal Control Plane (UCP)|[`opencontrol/components/UCP/`](https://github.com/docker/compliance/tree/master/opencontrol/components/UCP)|2.1|
-|Authentication and Authorization Service (eNZi)|[`opencontrol/components/eNZi/`](https://github.com/docker/compliance/tree/master/opencontrol/components/eNZi)|2.1|
+The [Compliance Masonry](https://github.com/opencontrol/compliance-masonry/) command-line tool is required to generate SSP documentation based on the pre-written Docker EE narratives in this repository. You can either download and run the Compliance Masonry tool directly from your local workstation or run it with Docker.
+
+The [`examples/opencontrol/DockerEE-Moderate-ATO`](examples/opencontrol/DockerEE-Moderate-ATO) folder contains an example that you can use as a starting point for generating an SSP at the FedRAMP Moderate baseline. It also includes additional placeholder `component.yaml` files that can be used to document your organization's adherence to the appropriate controls and that which aren't satisfied by the functionality of Docker Enterprise Edition. These have been organized in to separate directories representing each control family (e.g. `AC_Policy/`, `MA_POLICY/`, etc).
+
+### Download and run Compliance Masonry
+
+You can download the [Compliance Masonry](https://github.com/opencontrol/compliance-masonry/) command-line tool for your specific OS from the releases page [here](https://github.com/opencontrol/compliance-masonry/releases).
+
+After you've cloned or downloaded the contents of this repository to your machine, you can generate your SSP docs based on the [DockerEE-Moderate-ATO](examples/opencontrol/DockerEE-Moderate-ATO) example as follows:
+
+1. Navigate to directory containing the example
+
+ ```sh
+ cd examples/opencontrol/DockerEE-Moderate-ATO
+ ```
+
+2. Get Compliance Masonry dependencies
+
+ ```sh
+ compliance-masonry get
+ ```
+
+ or with Docker:
+
+ ```sh
+ docker run --rm -v "$PWD":/opencontrol -w /opencontrol opencontrolorg/compliance-masonry get
+ ```
+
+3. Generate SSP as a GitBook at the FedRAMP Moderate baseline
+
+ ```sh
+ compliance-masonry docs gitbook FedRAMP-moderate
+ ```
+
+ or with Docker:
+
+ ```sh
+ docker run --rm -v "$PWD":/opencontrol -w /opencontrol opencontrolorg/compliance-masonry docs gitbook FedRAMP-moderate
+ ```
+
+If you prefer to generate a Word doc based on the official FedRAMP SSP template, you can follow the instructions at https://github.com/opencontrol/fedramp-templater.
+
+## Precompiled SSP templates for Docker EE
+
+Docker also provides precompiled System Security Plan (SSP) templates for authorizing Docker Enterprise Edition on various FedRAMP P-ATO'd IaaS providers, as indicated in the table below. These can be obtained by contacting [compliance@docker.com](mailto:compliance@docker.com). These templates are **not** the official cloud providers' SSP templates but rather highlight both the controls inherited from that IaaS provider's P-ATO and the controls applicable to Docker Enterprise Edition Advanced. When conducting an ATO, it is still your responsibility to request the provider's official SSP package as appropriate and conduct your own security analysis and audit.
+
+|Provider|Format|Baselines|Status|Last Updated|
+|--------|------|---------|------|------------|
+|[Microsoft Azure Government](https://azure.microsoft.com/en-us/overview/clouds/government/)|[Azure Blueprint](https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-plan-compliance) (.docx)|Moderate
High
DoD L4
DoD L5|Available
Coming Soon
Coming Soon
Coming Soon|December 2016|
+
+Note that even if a precompiled template for Docker EE is not available for your chosen cloud provider, you can still use the OpenControl-formatted content in this repository to generate your own SSP templates. Much of the content in this repository is identical to that which is provided in the pre-built templates. This repository also contains the most up-to-date information on Docker EE and that which may not be reflected in the last update to the pre-built SSP templates.
-> Both the UCP and DTR components leverage the eNZi authentication and authorization service component for authentication and authorization across an entire Docker Enterprise Edition cluster at the Standard and Advanced tiers.
+## InSpec profiles for Docker EE
-Each component is associated with a single `component.yaml` file which contain the actual security narratives.
+The [`validation/inspec/`](validation/inspec/) directory contains [InSpec](https://inspec.io) audit profiles for Docker EE. These can be used to continuously audit a running Docker EE cluster and validate its configuration against applicable controls at both the FedRAMP Moderate and High baselines.
-Bear in mind that you'll also need to include your own `component.yaml` files that reflect your organization's adherence to the appropriate controls and that which aren't covered by the functionality of Docker Enterprise Edition. Typically these are organized in separate component directories for each control familiy (e.g. `AC_Policy/`, `MA_POLICY/`, etc). Refer to the [`examples/opencontrol/DockerEE-Moderate-ATO`](https://github.com/docker/compliance/tree/master/examples/opencontrol/DockerEE-Moderate-ATO) directory for an example of this.
+Instructions for using these profiles can be found in the [`validation/inspec/`](validation/inspec) directory.
-## Developing
+## Contributing to Docker compliance resources
-Refer to the [Contributing Guide](https://github.com/docker/compliance/blob/master/CONTRIBUTING.md) for instructions on contributing to this project.
+Refer to the [Contributing Guide](CONTRIBUTING.md) for instructions on contributing to this project.
-### Component Validation
+### Component validation
The OpenControl schema is defined by the [Kwalify](http://www.kuwata-lab.com/kwalify/) schema validator and YAML parser. Each component definition in the Docker Enterprise Edition Advanced tier is tested against this schema using the [PyKwalify](https://github.com/Grokzen/pykwalify) Python port of the Kwalify specification. The Dockerfile in the root of this repository is used only by CircleCI for running the component tests within a container.
-### Natural Language Processing [Experimental]
+### Natural language processing [experimental]
Thorough documentation of the relevant security controls for each of the Docker EE components is a critical aspect of this project. It's imperative that not only is each control satisfied, but that the contents of the actual narratives match that which is defined by NIST 800-53. As such, we've started to experiment with natural language processing tooling. We've included a set of utilities in the project backed by [Microsoft Cognitive Services](https://www.microsoft.com/cognitive-services) that demonstrate ways that the security assessment process can be enhanced with artificial intelligence.
-The [`nlp/`](https://github.com/docker/compliance/tree/master/nlp) directory contains a few utilities that we've developed. Contributions welcome!
+The [`nlp/`](nlp) directory contains a few utilities that we've developed. Contributions welcome!
The potential use cases for natural language processing in documentation efforts are pretty wide-ranging. As such, our goal with this example is to open the door to new and exciting ways to build security and compliance documentation.
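Review bot: the Precompiled SSP templates table carries over the raw line breaks inside the Baselines and Status cells (`Moderate` / `High` / `DoD L4` / `DoD L5` on separate lines), which Markdown will not render as a single table row; join them with `<br>` in one cell, e.g. `|Moderate<br>High<br>DoD L4<br>DoD L5|Available<br>Coming Soon<br>Coming Soon<br>Coming Soon|December 2016|`. The same fix was needed in the old table being removed, so this is a good moment to do it. Typos in the added lines: "inherites" in the roles matrix should be "inherits", "organized in to" should be "organized into", and step 1 should read "Navigate to the directory". Separately, the unchanged title line embeds `circle-token=` and `token=` query parameters in the CircleCI and Codecov badge URLs; please confirm these are badge-scoped status tokens only, since anything in this README is public.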
diff --git a/docs/compliance/reference/800-53/ac.md b/docs/compliance/reference/800-53/ac.md
index 62f0830..dc79261 100644
--- a/docs/compliance/reference/800-53/ac.md
+++ b/docs/compliance/reference/800-53/ac.md
@@ -37,31 +37,29 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
-To assist the organization in meeting the requirements of
-this control, one can control which users and teams are allowed to
-create and manipulate Docker Enterprise Edition resources. By default, no one
+
+To assist the organization in meeting the requirements of this
+control, one can control which users and teams are allowed to create
+and manipulate Docker Enterprise Edition resources. By default, no one
can make changes to the cluster. Permissions can be granted and
managed to enforce fine-grained access control. Supporting
documentation can found at the following resources:
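Review bot: the eNZi origination changes to `service provider hybrid`, but the narrative under Implementation Details describes only Docker EE's own user and team permissions, which matches the README roles matrix definition of `Docker EE system` ("A control specific to Docker EE"); `service provider hybrid` is defined there as combining corporate controls with Docker EE ones, and nothing in this narrative names a corporate control. The same "control which users and teams can create and manipulate ... resources" narrative is labelled `Docker EE system` later in this file, so the two should carry one label. The `-`/`+` blank-line pairs appear to be whitespace-only (trailing space) changes, and the unchanged context line "documentation can found" is missing "be".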
@@ -111,18 +109,18 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
To assist the organization in meeting the requirements of this
control, an external identity management system (such as Microsoft's
Active Directory or an LDAP endpoint) can be configured as mandated by
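Review bot: dropping `configured by customer` removes the origination the narrative itself supports: the control is met only once "an external identity management system ... can be configured as mandated by" the organization, which is the README's `Configured by customer` definition (the end user must apply a configuration to meet the requirement). If a single label is wanted, `service provider hybrid` should be paired with a sentence stating which part Docker EE provides and which part the customer configures.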
@@ -131,7 +129,7 @@ Supporting documentation can be found at the following resources:
@@ -156,54 +154,54 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
To assist the organization in meeting the requirements of this
control, supporting documentation for managing users and teams can
found at the following resources:
-
+
To assist the organization in meeting the requirements of this
control, supporting documentation for managing users and teams can
found at the following resources:
-
+
To assist the organization in meeting the requirements of this
control, an external identity management system (such as Microsoft's
Active Directory or an LDAP endpoint) can be configured as mandated by
@@ -212,7 +210,7 @@ Supporting documentation can be found at the following resources:
@@ -236,19 +234,19 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
-none
|
-configured by customer service provider system specific
|
+complete
|
+service provider hybrid
|
#### Implementation Details
-
+
Using Docker Enterprise Edition's LDAP integration capabilities, one
can disable and/or remove temporary and emergency accounts in a
connected directory service (such as Active Directory) after an
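Review bot: the eNZi implementation status moves from `none` to `complete`, yet the narrative says temporary and emergency accounts are disabled or removed "in a connected directory service (such as Active Directory)", i.e. the enforcement lives in the customer's directory, not in eNZi. Either state what eNZi itself does once the directory disables or removes the account, so that `complete` is defensible for the Docker component, or keep a status such as `partial` with the directory-side dependency called out; an assessor will read `complete` as a claim about the Docker component alone.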
@@ -258,7 +256,7 @@ Supporting documentation can be found at the following resources:
@@ -282,19 +280,19 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
-none
|
-configured by customer service provider system specific
|
+complete
|
+service provider hybrid
|
#### Implementation Details
-
+
Using Docker Enterprise Edition's LDAP integration capabilities, one
can automatically disable inactive accounts in a connected directory
service (such as Active Directory). When a user is removed from LDAP,
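Review bot: same status question as in the temporary/emergency accounts hunk: `none` becomes `complete` while the narrative places the automatic disabling of inactive accounts in the connected directory service. The text then continues "When a user is removed from LDAP," but disabling an inactive account and removing a user are different events; say which one Docker EE reacts to and what it does, so the `complete` status is tied to behaviour of the component.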
@@ -303,7 +301,7 @@ Supporting documentation can be found at the following resources:
@@ -328,18 +326,18 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
Docker Enterprise Edition logs various authentication and
authorization events to standard log files. One can configure Docker
Enterprise Edition to direct these event logs to a remote logging
@@ -352,9 +350,10 @@ resources:
@@ -379,18 +378,18 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
To assist the organization in meeting the requirements of this
control, Docker Enterprise Edition can be configured to enforce automated
session termination of users after an organization-defined time period
@@ -435,52 +434,52 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
To assist the organization in meeting the requirements of this
control, supporting documentation can be found at the following
resources:
-
+
To assist the organization in meeting the requirements of this
control, supporting documentation can be found at the following
resources:
-
+
To assist the organization in meeting the requirements of this
control, Docker Enterprise Edition supports various levels of user
permissions and role-based access control enforcements. Administrator
@@ -490,13 +489,12 @@ manage the Universal Control Plane and underlying Docker Swarm Mode
cluster. Supporting documentation can be found at the following
resources:
-UCP:
@@ -532,18 +530,18 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
To assist the organization in meeting the requirements of this
control, users and/or groups synchronized to Docker Enterprise Edition
via LDAP can be configured at the directory service.
@@ -569,20 +567,21 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
Users and/or groups synchronized to Docker Enterprise Edition via
-LDAP can be configured at the directory service.
+LDAP can be configured at the directory service to ensure shared/group
+account credentials are terminated when members leave the group.
@@ -605,18 +604,18 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
Information system accounts synchronized to Docker Enterprise Edition
via LDAP can be configured at the directory service to meet this
requirement as necessary.
@@ -646,48 +645,48 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
To assist the organization in meeting the requirements of this
control, supporting documentation can be found at the following
resources:
-
+
To assist the organization in meeting the requirements of this
control, Docker Enterprise Edition can be configured to aggregate
container and daemon events via a number of logging drivers.
@@ -701,7 +700,7 @@ Supporting documentation can be found at the following resources:
-
+
To assist the organization in meeting the requirements of this
control, Universal Control Plane can be configured to send system
account log data to a remote logging service such as an Elasticsearch,
@@ -710,13 +709,17 @@ at the following resources:
-
+
To assist the organization in meeting the requirements of this
control, when Docker Enterprise Edition is configured for LDAP
integration, one can refer to the directory service's existing
@@ -743,21 +746,22 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
To assist the organization in meeting the requirements of this
control, users and/or groups synchronized to Docker Enterprise Edition
-via LDAP can be managed at the directory service.
+via LDAP can be managed at the directory service and disabled if
+posing a significant risk.
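Review bot: "disabled if posing a significant risk" leaves two things unstated that a reader of this control needs: who decides that a user poses a significant risk (the organization's policy, not the directory) and when a directory-side disable takes effect in Docker EE. The accounts are described a few hunks earlier as "synchronized to Docker Enterprise Edition via LDAP", so say whether the disable is honoured immediately or only on the next LDAP synchronization, since that interval bounds how long a disabled account remains usable. Suggested wording: "via LDAP can be disabled at the directory service when the organization determines that a user poses a significant risk; state the synchronization delay before the change is reflected in Docker EE."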
@@ -780,30 +784,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
One can control which users and teams can create and manipulate
Docker Trusted Registry resources. By default, no one can make changes
to the cluster. Permissions can be granted and managed to enforce
@@ -812,13 +816,13 @@ the following resources:
-
+
One can control which users and teams can create and manipulate
Universal Control Plane resources. By default, no one can make changes
to the cluster. Permissions can be granted and managed to enforce
@@ -827,19 +831,32 @@ the following resources:
-
+
One can control which users and teams can create and manipulate
Docker Enterprise Edition resources. By default, no one can make
changes to the cluster. Permissions can be granted and managed to
enforce fine-grained access control. The eNZi component facilitates
-authorizations as dictated by the system's administrators.
+authorizations as dictated by the system's administrators. Supporting
+documentation can be found at the following resources:
+
+
+
+
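Review bot: the sentence added to the end of the eNZi paragraph, "Supporting documentation can be found at the following resources:", is followed only by four empty added lines, so the promised links are missing; either add the resource list in this hunk or do not add the sentence.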
@@ -966,46 +983,46 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Docker Enterprise Edition Engine |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Supporting documentation to configure Docker Trusted Registry to meet
the requirements of this control can be found at the following
resources:
-
-Docker Enterprise Edition can be configured to control the flow of information
-that originates from applications running in containers. Supporting
-documentation can be found at the following resources:
+
+Docker Enterprise Edition can be configured to control the flow of
+information that originates from applications running in containers.
+Supporting documentation can be found at the following resources:
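Review bot: the control origins in this table are inconsistent with the text beneath them: DTR and UCP are changed to "Docker EE system" while the Engine row becomes "service provider hybrid", yet all three Implementation Details paragraphs describe customer-side configuration ("Supporting documentation to configure Docker Trusted Registry...", "Docker Enterprise Edition can be configured to control the flow of information..."). If the Engine is hybrid because the customer must configure it, the same reasoning applies to the DTR and UCP rows; pick one origin for all three or explain in the text why the Engine differs. The DTR paragraph also ends in "the following resources:" and runs straight into the Engine paragraph without a link list.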
@@ -1014,17 +1031,17 @@ documentation can be found at the following resources:
-
+
Supporting documentation to configure Universal Control Plane to meet
the requirements of this control can be found at the following
resources:
-- https://docs.docker.com/datacenter/ucp/2.1/guides/architecture/
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/install/system-requirements/#/ports-used
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/use-domain-names-to-access-services/
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#ports-used
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking
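Review bot: version and anchor drift in this link list: the system-requirements URL is corrected to "#ports-used" here, but the two later hunks in this patch that carry the same four links keep the old "#/ports-used" form, and the three unchanged success.docker.com links still point at "Universal_Control_Plane_2.0" while the docs.docker.com links are bumped to 2.2. Verify the anchor form against the 2.2 page and apply it identically in all copies of this list, and either update the 2.0 reference architecture links or state that they are intentionally kept.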
@@ -1122,43 +1139,43 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-configured by customer service provider system specific
|
+shared
|
Docker Enterprise Edition Engine |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-configured by customer service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Supporting documentation to configure Docker Trusted Registry to meet
the requirements of this control can be found at the following
resources:
-
+
Docker Enterprise Edition can be configured to control the flow of
information that originates from applications running in containers
per organization-defined security policy filters. Supporting
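Review bot: "Docker EE system shared" in the UCP row reads as two Control Origin values run together into one cell, and "shared" on the DTR row is not a value used anywhere else in this table; the header is "Control Origin(s)", so if more than one origin applies, separate the values with a delimiter so the rendered table does not show a single invented origin. The same concatenation pattern ("service provider hybrid shared", "configured by customer service provider hybrid", "complete partial") appears in later hunks of this patch and should be fixed consistently.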
@@ -1171,17 +1188,17 @@ documentation can be found at the following resources:
-
+
Supporting documentation to configure Universal Control Plane to meet
the requirements of this control can be found at the following
resources:
-- https://docs.docker.com/datacenter/ucp/2.1/guides/architecture/
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/install/system-requirements/#/ports-used
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/use-domain-names-to-access-services/
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking
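Review bot: the system-requirements link keeps the "#/ports-used" anchor while the earlier hunk with the identical list changed it to "#ports-used"; make the four 2.2 links identical everywhere the list appears. Since this list is repeated verbatim across several controls in this file, consider keeping it in one place and referencing it, so future version bumps do not have to be made three times.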
@@ -1319,43 +1336,43 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-configured by customer service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-configured by customer service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Supporting documentation to configure Docker Trusted Registry to meet
the requirements of this control can be found at the following
resources:
-
+
Docker Enterprise Edition can be configured to separate the flow of
information that originates from applications running in containers.
Supporting documentation can be found at the following resources:
@@ -1367,17 +1384,17 @@ Supporting documentation can be found at the following resources:
-
+
Supporting documentation to configure Universal Control Plane to meet
the requirements of this control can be found at the following
resources:
-- https://docs.docker.com/datacenter/ucp/2.1/guides/architecture/
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/install/system-requirements/#/ports-used
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/use-domain-names-to-access-services/
-- https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/restrict-services-to-worker-nodes/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/architecture/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/install/system-requirements/#/ports-used
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/use-domain-names-to-access-services/
+- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/restrict-services-to-worker-nodes/
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Universal_Control_Plane_2.0_Service_Discovery_and_Load_Balancing
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations
- https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Networking
@@ -1420,24 +1437,24 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
To assist the organization in meeting the requirements of this
control, one can control which users and teams can create and
manipulate Docker Trusted Registry resources. By default, no one can
@@ -1447,13 +1464,13 @@ found at the following resources:
-
+
To assist the organization in meeting the requirements of this
control, one can control which users and teams can create and
manipulate Universal Control Plane resources. By default, no one can
@@ -1463,8 +1480,8 @@ found at the following resources:
@@ -1480,7 +1497,47 @@ The organization employs the principle of least privilege, allowing only authori
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To assist the organization in meeting the requirements of this
+control, one can control which users and teams can create and
+manipulate Universal Control Plane resources and employ principles of
+least privilege. By default, no one can make changes to the cluster.
+Permissions can be granted and managed to enforce fine-grained access
+control. Supporting documentation can be found at the following
+resources:
+
+
+
+
+
+
### AC-6 (1) Authorize Access To Security Functions
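Review bot: status and origin do not match the Implementation Details in the new AC-6 table: the UCP row is "complete" with origin "service provider hybrid", but the paragraph says only that "one can control which users and teams can create and manipulate Universal Control Plane resources" and that "By default, no one can make changes to the cluster", i.e. least privilege is realized only after the customer grants roles. Either state what UCP enforces without customer action (the deny-by-default behaviour is a good candidate) as the basis for "complete", or mark the implementation as customer-configured. "Supporting documentation can be found at the following resources:" is again followed only by empty added lines.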
@@ -1490,7 +1547,47 @@ The organization explicitly authorizes access to [Assignment: organization-defin
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To assist the organization in meeting the requirements of this
+control, one can control which users and teams can create and
+manipulate Universal Control Plane resources and explicitly authorize
+access as necessary. By default, no one can make changes to the
+cluster. Permissions can be granted and managed to enforce
+fine-grained access control. Supporting documentation can be found at
+the following resources:
+
+
+
+
+
+
### AC-6 (2) Non-Privileged Access For Nonsecurity Functions
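Review bot: the AC-6 (1) paragraph is the generic role text reused from AC-6 with "explicitly authorize access as necessary" appended; it does not identify which UCP functions count as security functions for this enhancement (admin settings, role and grant management) nor how access to them is explicitly authorized rather than simply granted. Name the functions and the grant mechanism, and fill in the links after "the following resources:", which is followed by blank lines only.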
@@ -1500,7 +1597,46 @@ The organization requires that users of information system accounts, or roles, w
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To assist the organization in meeting the requirements of this
+control, one can control which users and teams can create and
+manipulate Universal Control Plane resources. By default, no one can
+make changes to the cluster. Permissions can be granted and managed to
+enforce fine-grained access control. Supporting documentation can be
+found at the following resources:
+
+
+
+
+
+
### AC-6 (3) Network Access To Privileged Commands
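Review bot: AC-6 (2) requires privileged users to use non-privileged accounts or roles when performing nonsecurity functions, but the added paragraph only repeats that permissions can be granted and managed; it should say whether UCP supports that separation (for example a second, non-administrative account or role for the same person) and how the organization is expected to use it, or the control should stay organization-implemented instead of switching "Responsible role(s)" to "Docker system".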
@@ -1510,7 +1646,48 @@ The organization authorizes network access to [Assignment: organization-defined
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To assist the organization in meeting the requirements of this
+control, one can control which users and teams can create and
+manipulate Universal Control Plane resources, including Docker
+networking components. By default, no one can make changes to the
+cluster. Permissions can be granted and managed to enforce
+fine-grained access control. Supporting documentation can be found at
+the following resources:
+
+
+
+
+
+
### AC-6 (4) Separate Processing Domains
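Review bot: the added text answers a different question than the control asks: AC-6 (3) concerns authorizing network access to privileged commands, while the paragraph talks about controlling who can manipulate "Docker networking components". Replace it with how remote or network access to privileged UCP operations is authorized; the AC-17 (4) hunk later in this patch ("authorize certain privileged functions via remote access") covers the same ground and could be cross-referenced, and the empty "following resources:" list needs links.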
@@ -1530,7 +1707,47 @@ The organization restricts privileged accounts on the information system to [Ass
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To assist the organization in meeting the requirements of this
+control, one can restrict privileged accounts within Universal Control
+Plane to custom-defined roles. By default, no one can make changes to
+the cluster. Permissions can be granted and managed to enforce
+fine-grained access control. Supporting documentation can be found at
+the following resources:
+
+
+
+
+
+
### AC-6 (6) Privileged Access By Non-Organizational Users
@@ -1554,7 +1771,46 @@ The organization:
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To assist the organization in meeting the requirements of this
+control, one can review all implemented grants, accounts and roles
+within Universal Control Plane and reassign/revoke privileges as
+necessary. Supporting documentation can be found at the following
+resources:
+
+
+
+
+
+
### AC-6 (8) Privilege Levels For Code Execution
@@ -1575,18 +1831,18 @@ Responsible role(s) - Docker system
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Universal Control Plane users can be assigned to one of a number of
different permission levels. The permission level assigned to a
specific user determines that user's ability to execute certain
@@ -1596,13 +1852,18 @@ restrictions. Users mapped to either the "View Only" or "No Access
roles cannot execute any Docker commands. Users assigned to the
"Restricted Control" role can only run Docker commands under their own
purview and cannot see other users UCP resources nor run commands that
-required privileged access to the host. Additional documentation
-regarding the various permission levels within UCP can be found at the
-following resource:
+required privileged access to the host. Furthermore, custom roles can
+be created for fine-grained access to specific UCP resources and
+functionality. Additional documentation regarding the various
+permission levels within UCP can be found at the following resource:
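Review bot: grammar on the rewrapped lines: "commands that required privileged access to the host" should read "commands that require privileged access to the host", and the unchanged context line "cannot see other users UCP resources" needs "users'". The hunk header context also shows an unbalanced quote: "No Access on one line and "roles" on the next with no closing quote. Since the paragraph is being rewritten to add custom roles, fix these in the same change, and say whether a custom role can itself grant the host-level privileges that "Restricted Control" withholds, because that is the point a reader of AC-6 (8) will look for.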
@@ -1627,18 +1888,18 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Docker Enterprise Edition logs privileged user events to standard log
files. One can configure Docker Enterprise Edition to direct these
event logs to a remote logging service such as an Elasticsearch,
@@ -1650,8 +1911,8 @@ logging and monitoring can be found at the following resources:
@@ -1674,31 +1935,53 @@ Responsible role(s) - Docker system
Control Origin(s) |
-Authentication and Authorization Service (eNZi) |
+Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
+
+
+Universal Control Plane (UCP) |
+complete
|
+Docker EE system
|
#### Implementation Details
-
+
One can control which users and teams can create and manipulate
-Docker Enterprise Edition resources. By default, no one can make changes to
-the cluster. Permissions can be granted and managed to enforce
-fine-grained access control. Supporting documentation for the configuration of this functionality can be found at the following resources:
+Docker Trusted Registry resources and prevent non-privileged users
+from executing privileged functions per the requirements of this
+control. By default, no one can make changes to the cluster.
+Permissions can be granted and managed to enforce fine-grained access
+control. Supporting documentation for the configuration of this
+functionality can be found at the following resources:
+
+
+
+One can control which users and teams can create and manipulate
+Universal Control Plane resources and prevent non-privileged users
+from executing privileged functions per the requirements of this
+control. By default, no one can make changes to the cluster.
+Permissions can be granted and managed to enforce fine-grained access
+control. Supporting documentation for the configuration of this
+functionality can be found at the following resources:
+
+
+
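Review bot: the eNZi row is removed from this table and replaced by DTR and UCP, but an earlier hunk in this patch states "The eNZi component facilitates authorizations as dictated by the system's administrators"; if eNZi is the enforcement point that prevents non-privileged users from executing privileged functions, it should remain listed, with DTR and UCP as the components that rely on it. The two new paragraphs differ only in the component name and both end in "the following resources:" followed by blank lines; one paragraph naming both components plus the link list would avoid the two copies drifting apart.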
@@ -1727,21 +2010,21 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
-When Docker Enterprise Edition is integrated to a directory service via LDAP,
-one can reference the functionality of the directory service to
-configure the enforcement of a limit to the number of conesecutive
+
+When Docker Enterprise Edition is integrated to a directory service
+via LDAP, one can reference the functionality of the directory service
+to configure the enforcement of a limit to the number of conesecutive
invalid logon attempts by a user during a specified time period.When Docker Enterprise Edition is integrated to a directory service
via LDAP, one can reference the functionality of the directory service
to configure he ability to automatically lock/disable an account for a
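Review bot: the rewrapped line keeps the typo "conesecutive" (should be "consecutive"), and "integrated to a directory service" should be "integrated with a directory service". The unchanged context lines also show two paragraphs run together ("time period.When Docker Enterprise Edition") and "configure he ability" for "the ability"; since this block is being reflowed anyway, fix them in the same hunk.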
@@ -1786,7 +2069,38 @@ The information system:
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Authentication and Authorization Service (eNZi) |
+planned
|
+Docker EE system
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+The feature required to satisfy the requirements of this control has
+not yet been built in to Docker EE but is planned for a future
+release.The feature required to satisfy the requirements of this control has
+not yet been built in to Docker EE but is planned for a future
+release.The feature required to satisfy control has
+not yet been built in to Docker EE but is planned for a future
+release.
+
+
## AC-9 Previous Logon (Access) Notification
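Review bot: the Implementation Details added for this control are garbled: the sentence "The feature required to satisfy the requirements of this control has not yet been built in to Docker EE but is planned for a future release." appears three times run together without spacing, and the third copy is truncated to "satisfy control has". Keep one sentence ("built into", not "built in to"). Switching "Responsible role(s)" from Organization to "Docker system" for a feature that does not exist yet is also worth a second look, since the organization still has to satisfy the control in the meantime.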
@@ -1857,22 +2171,22 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Docker Enterprise Edition can be configured to limit the number of
concurrent sessions for each account. These options can be found
-within the Universal Control Plane Admin Settings under the "Auth"
-section.
+within the Universal Control Plane Admin Settings under the
+"Authentication & Authorization" section.
@@ -1899,24 +2213,25 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
-Per the requirements of AC-2 (5), Docker Enterprise Edition
-can be configured to enforce user session lifetime limits and renewal
+
+Per the requirements of AC-2 (5), Docker Enterprise Edition can be
+configured to enforce user session lifetime limits and renewal
thresholds. These options can be found within the Universal Control
-Plane Admin Settings under the "Auth" section. Configurable options
-include the initial lifetime (in hours) of a user's session and the
-renewal threshold of a session (in hours).
+Plane Admin Settings under the "Authentication & Authorization"
+section. Configurable options include the initial lifetime (in hours)
+of a user's session and the renewal threshold of a session (in
+hours).
@@ -1939,26 +2254,27 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
-Per the requirements of AC-2 (5), Docker Enterprise Edition
-can be configured to enforce user session lifetime limits and renewal
+
+Per the requirements of AC-2 (5), Docker Enterprise Edition can be
+configured to enforce user session lifetime limits and renewal
thresholds. These options can be found within the Universal Control
-Plane Admin Settings under the "Auth" section. Configurable options
-include the initial lifetime (in hours) of a user's session and the
-renewal threshold of a session (in hours). Upon the expiration of the
-configured session thresholds, a user will be locked out of his/her
-session.
+Plane Admin Settings under the "Authentication & Authorization"
+section. Configurable options include the initial lifetime (in hours)
+of a user's session and the renewal threshold of a session (in
+hours). Upon the expiration of the configured session thresholds, a
+user will be locked out of his/her session per the requirements of
+this controls.
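Review bot: "per the requirements of this controls" on the last added line should be "this control". The paragraph is otherwise identical to the one in the following hunk, which ends without that clause; either share one sentence between the two controls or drop the clause here as well.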
@@ -1981,26 +2297,26 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
-Per the requirements of AC-2 (5), Docker Enterprise Edition
-can be configured to enforce user session lifetime limits and renewal
+
+Per the requirements of AC-2 (5), Docker Enterprise Edition can be
+configured to enforce user session lifetime limits and renewal
thresholds. These options can be found within the Universal Control
-Plane Admin Settings under the "Auth" section. Configurable options
-include the initial lifetime (in hours) of a user's session and the
-renewal threshold of a session (in hours). Upon the expiration of the
-configured session thresholds, a user will be locked out of his/her
-session.
+Plane Admin Settings under the "Authentication & Authorization"
+section. Configurable options include the initial lifetime (in hours)
+of a user's session and the renewal threshold of a session (in
+hours). Upon the expiration of the configured session thresholds, a
+user will be locked out of his/her session.
@@ -2027,18 +2343,18 @@ Responsible role(s) - Docker system
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Universal Control Plane includes a logout capability that allows a
user to terminate his/her current session.
@@ -2056,7 +2372,58 @@ The organization:
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Docker Trusted Registry (DTR) |
+complete
|
+Docker EE system
|
+
+
+Docker Enterprise Edition Engine |
+complete
|
+Docker EE system
|
+
+
+Universal Control Plane (UCP) |
+complete
|
+Docker EE system
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To help the organization meet the requirements of this control, a
+review of actions allowed by unauthenticated users can be performed
+within Docker Trusted Registry.
+
+
+To help the organization meet the requirements of this control, one
+can restrict membership to the 'docker' group on underlying Linux
+hosts or the local "Administrators" group (and any other groups
+defined within 'daemon.json') on underlying Windows Server 2016 hosts
+to only authorized users.
+
+
+To help the organization meet the requirements of this control, a
+review of actions allowed by unauthenticated users can be performed
+within Universal Control Plane.
+
+
## AC-16 Security Attributes
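Review bot: the Engine paragraph says membership in the 'docker' group (Linux) or the local "Administrators" group and the groups in 'daemon.json' (Windows Server 2016) can be restricted, but it never states what the control asks for: which actions, if any, are permitted without identification. Say explicitly that no Engine actions are permitted to a user outside those groups, and use one quoting style on that line (it mixes 'docker' and "Administrators"). The DTR and UCP paragraphs say "a review of actions allowed by unauthenticated users can be performed" without saying what the default unauthenticated actions are, which is exactly what an assessor of this control needs. With all rows marked "complete" and "Docker EE system" while the described action is customer-side group administration, the origin looks wrong.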
@@ -2186,7 +2553,56 @@ The organization:
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Docker Trusted Registry (DTR) |
+complete
|
+service provider hybrid
|
+
+
+Docker Enterprise Edition Engine |
+complete
|
+service provider hybrid
|
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To help the organization meet the requirements of this control,
+Docker Trusted Registry can be configured to allow/prohibit remote
+access.
+
+
+To help the organization meet the requirements of this control,
+Docker Enterprise Edition can be configured to allow/prohibit remote
+access to the Engine.
+
+
+To help the organization meet the requirements of this control,
+Universal Control Plane can be configured to allow/prohibit remote
+access.
+
+
### AC-17 (1) Automated Monitoring / Control
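Review bot: "can be configured to allow/prohibit remote access" is stated identically for DTR, Engine and UCP without naming the mechanism or linking documentation, unlike the other controls in this file; at minimum say what setting or network control makes the allow/prohibit decision for each component (the AC-17 (3) hunk later in this patch mentions managed load balancers, firewalls and access control lists). The three rows are "complete" with origin "service provider hybrid", which implies customer configuration, so "Responsible role(s) - Docker system" alone is misleading.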
@@ -2205,35 +2621,56 @@ Responsible role(s) - Docker system
Control Origin(s) |
+Docker Trusted Registry (DTR) |
+complete
|
+Docker EE system
|
+
+
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system
|
+
+
+Universal Control Plane (UCP) |
+complete
|
+Docker EE system
|
Authentication and Authorization Service (eNZi) |
complete
|
-configured by customer
|
+Docker EE system
|
#### Implementation Details
-
+
+Docker Trusted Registry logs and controls all local and remote
+access events. In addition, auditing can be configured on the
+underlying operating system to meet this control.
+
+
Docker Enterprise Edition logs and controls all local and remote
access events. In addition, auditing can be configured on the
underlying operating system to meet this control.
-
-
-Docker Enterprise Edition logs and controls all local and remote access
-events. In addition, auditing can be configured on the underlying
-operating system to meet this control.
+
+Universal Control Plane logs and controls all local and remote
+access events. In addition, auditing can be configured on the
+underlying operating system to meet this control.
+
+
+Docker Enterprise Edition logs and controls all local and remote
+access events. In addition, auditing can be configured on the
+underlying operating system to meet this control.
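Review bot: duplicated paragraph: the "-" lines remove the second copy of "Docker Enterprise Edition logs and controls all local and remote access events..." but the same paragraph is added back at the end of the hunk, so the Engine text still appears twice. The table now lists four components (DTR, Engine, UCP, eNZi), so the final paragraph was presumably meant to describe eNZi; rename it or delete it. All four paragraphs are otherwise identical apart from the component name and say nothing about what "controls ... access events" means for each component or where the logs go, which the AC-2 and AC-6 (9) hunks in this patch do describe (logging drivers, remote logging service); reference that here.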
@@ -2256,30 +2693,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
All remote access sessions to Docker Trusted Registry are protected
with Transport Layer Security (TLS) 1.2. This is included at both the
HTTPS application layer for access to the DTR user interface and for
@@ -2287,14 +2724,13 @@ command-line based connections to the registry. In addition to this,
all communication to DTR is enforced by way of two-way mutual TLS
authentication.
-
+
All remote access sessions to Docker Enterprise Edition are protected
with Transport Layer Security (TLS) 1.2. In addition to this, all
communication to Docker Enterprise Edition is enforced by way of
two-way mutual TLS authentication.
-
-
+
All remote access sessions to Universal Control Plane are protected
with Transport Layer Security (TLS) 1.2. This is included at both the
HTTPS application layer for access to the UCP user interface and for
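Review bot: the DTR paragraph claims TLS 1.2 at "the HTTPS application layer for access to the DTR user interface" and then that "all communication to DTR is enforced by way of two-way mutual TLS authentication"; browser sessions to a web UI do not normally present a client certificate, so either restrict the mutual-TLS statement to the command-line and component-to-component connections it actually covers, or state how UI users are client-authenticated. The Engine and UCP paragraphs make the same blanket claim and should be qualified the same way.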
@@ -2323,43 +2759,42 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
A combination of managed load balancers, firewalls and access control
lists, and virtual networking resources can be used to ensure traffic
destined for Docker Trusted Registry replicas is routed through
managed network access control points.
-
+
A combination of managed load balancers, firewalls and access control
lists, and virtual networking resources can be used to ensure traffic
-destined for Docker Enterprise Edition is routed through managed network access
-control points.
-
+destined for Docker Enterprise Edition is routed through managed
+network access control points.
-
+
A combination of managed load balancers, firewalls and access control
lists, and virtual networking resources can be used to ensure traffic
destined for Universal Control Plane managers and worker nodes is
@@ -2379,7 +2814,34 @@ The organization:
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To help the organization meet the requirements of this control,
+Universal Control Plane can be configured to authorize certain
+privileged functions via remote access.
+
+
### AC-17 (6) Protection Of Information
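Review bot: "can be configured to authorize certain privileged functions via remote access" does not say which privileged functions, what authorizes them for remote access, or where the rationale the control requires is recorded; name the functions (the node pause/drain and role and grant operations described elsewhere in this patch are candidates) and the setting or role that authorizes them. As with the other new tables, "complete" plus "service provider hybrid" needs a sentence saying what the customer must configure.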
@@ -2410,47 +2872,46 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-configured by customer
|
+configured by customer service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-configured by customer
|
+configured by customer service provider hybrid
|
Universal Control Plane (UCP) |
-complete
|
-configured by customer
|
+complete partial
|
+configured by customer service provider hybrid
|
#### Implementation Details
-
+
Built-in firewall technology in Docker Trusted Registry's underlying
operating system can be used to force the disconnection of remote
connections to the host. In addition, UCP slave nodes running Docker
Trusted Registry replicas can be paused or drained, which subsequently
stops sessions to the DTR replica.
-
-Built-in firewall technology in Docker Enterprise Edition's underlying
-operating system can be used to force the disconnection of remote
-connections to the host. In addition, Docker Enterprise Edition provides the
-option to pause or drain a node in the cluster, which subsequently
-stops and/or removes sessions to the node. Individual services and/or
-applications running on Docker Enterprise Edition can also be stopped and/or
-removed.
-
+
+Built-in firewall technology in Docker Enterprise Edition's
+underlying operating system can be used to force the disconnection of
+remote connections to the host. In addition, Docker Enterprise Edition
+provides the option to pause or drain a node in the cluster, which
+subsequently stops and/or removes sessions to the node. Individual
+services and/or applications running on Docker Enterprise Edition can
+also be stopped and/or removed.
-
+
Built-in firewall technology in Universal Control Plane's underlying
operating system can be used to force the disconnection of remote
connections to the host. In addition, UCP provides the option to pause
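Review bot: the UCP row now reads "complete partial" for Implementation Status(es) and all three rows read "configured by customer service provider hybrid" for Control Origin(s); these are pairs of values pasted into one cell and need a delimiter. If UCP really is only partially implemented here, the Implementation Details should say which part is missing. The unchanged DTR paragraph also calls worker nodes "UCP slave nodes" while the AC-17 (3) hunk says "managers and worker nodes"; use "worker nodes" consistently.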
@@ -2572,7 +3033,44 @@ The organization establishes terms and conditions, consistent with any trust rel
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Docker Trusted Registry (DTR) |
+complete
|
+service provider hybrid
|
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To help the organization meet the requirements of this control, one
+can control which external systems can access Docker Trusted Registry.
+
+
+To help the organization meet the requirements of this control, one
+can control which external systems can access Universal Control
+Plane.
+
+
### AC-20 (1) Limits On Authorized Use
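Review bot: the responsible role moves from Organization to Docker system and both components are marked `complete`, but the implementation detail only says one "can control which external systems can access Docker Trusted Registry", naming neither the mechanism nor any documentation, unlike the au.md sections that close with "Additional information can be found at the following resources:". State what actually enforces the restriction (the host firewall and node pause/drain described in the AC-17 text just above, or the access controls in UCP and DTR) and add the resource links, or do not mark the control complete.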
@@ -2586,7 +3084,44 @@ The organization permits authorized individuals to use an external information s
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Docker Trusted Registry (DTR) |
+complete
|
+service provider hybrid
|
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To help the organization meet the requirements of this control, one
+can control which external systems can access Docker Trusted Registry.
+
+
+To help the organization meet the requirements of this control, one
+can control which external systems can access Universal Control
+Plane.
+
+
### AC-20 (2) Portable Storage Devices
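Review bot: the implementation detail added for AC-20 (1) is a verbatim copy of the AC-20 text, yet per the hunk header this enhancement is about permitting authorized individuals to use an external information system, which is a different question from which external systems may reach DTR and UCP. Either describe how the products support that (what an administrator can verify about an external system before access is granted) or leave the enhancement with the organization rather than marking it complete.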
@@ -2630,7 +3165,45 @@ The organization:
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Docker Trusted Registry (DTR) |
+complete
|
+service provider hybrid shared
|
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid shared
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To help the organization meet the requirements of this control, one
+can validate the assigned roles and access levels within Docker
+Trusted Registry to control information sharing.
+
+
+To help the organization meet the requirements of this control, one
+can validate the assigned roles and access levels within Universal
+Control Plane to control information sharing.
+
+
### AC-21 (1) Automated Decision Support
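Review bot: "validate the assigned roles and access levels within Docker Trusted Registry to control information sharing" describes an organizational review activity, which sits oddly with the responsible role changing from Organization to Docker system; and the origin cell "service provider hybrid shared" runs two values together without a separator, so it is unclear whether it is one origin or two. Name the product feature the sentence relies on (the role and access-level assignment in DTR and UCP) and separate the origin values.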
diff --git a/docs/compliance/reference/800-53/au.md b/docs/compliance/reference/800-53/au.md
index 25dd9c4..3a020f4 100644
--- a/docs/compliance/reference/800-53/au.md
+++ b/docs/compliance/reference/800-53/au.md
@@ -53,42 +53,45 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system service provider corporate service provider hybrid shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
+
All of the event types indicated by this control are logged by a
combination of the backend ucp-controller service within Universal
Control Plane and the backend services that make up Docker Trusted
-Registry. Additional documentation can be found at the following resource:
+Registry. Additional documentation can be found at the following
+resource:
-
+
Both Universal Control Plane and Docker Trusted Registry backend
service containers, all of which reside on Docker Enterprise Edition,
log all of the event types indicated by this control (as explained by
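Review bot: the DTR origin cell now reads "Docker EE system service provider corporate service provider hybrid shared", four origin values concatenated without separators, while Engine and UCP in the same table get "service provider hybrid shared". If DTR is meant to differ, a short reason belongs in the commit message; either way, separate the values (one per line or comma-separated) so the table can be read and parsed.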
@@ -103,7 +106,7 @@ logging drivers can be found at the following resource:
-
+
All of the event types indicated by this control are logged by the
backend ucp-controller service within Universal Control Plane. In
addition, each container created on a Universal Control Plane cluster
@@ -112,7 +115,7 @@ can be referenced at the following resources:
@@ -147,36 +150,36 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Docker Trusted Registry generates all of the audit record information
indicated by this control. A sample audit event has been provided
below:
@@ -186,7 +189,7 @@ based auth
suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth
ok","username":"dockeruser"}
-
+
Both Universal Control Plane and Docker Trusted Registry are
pre-configured to take advantage of Docker Enterprise Edition's
built-in logging mechanisms. A sample audit event recorded by Docker
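Review bot: the sample audit event in this hunk's context spells the message as "suceeded" and carries a 192.168.33.1 address. If that is literal ucp-controller output the spelling must stay as the product emits it (a reader matching on this string in a log rule needs the real text), but since the surrounding prose is being edited anyway it is worth confirming that and stating that the sample is illustrative.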
@@ -205,7 +208,7 @@ Additional documentation can be referenced at the following resource:
-
+
Universal Control Plane generates all of the audit record information
indicated by this control. A sample audit event has been provided
below:
@@ -215,7 +218,7 @@ based auth
suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth
ok","username":"dockeruser"}
-
+
Docker Enterprise Edition generates all of the audit record
information indicated by this control. A sample audit event has been
provided below:
@@ -246,30 +249,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Universal Control Plane can be configured to log data to a remote
logging stack, which in turn, sends the Docker Trusted Registry
backend container audit records to the remote logging stack. The
@@ -279,11 +282,11 @@ information can be found at the following resource:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. The logging
stack can subsequently be used to interpolate the information defined
@@ -296,7 +299,7 @@ documentation can be found at the following resource:
-
+
Universal Control Plane can be configured to log data to a remote
logging stack. The logging stack can subsequently be used to
interpolate the information defined by this control from the logged
@@ -305,7 +308,7 @@ resource:
@@ -330,30 +333,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Universal Control Plane can be configured to log data to a remote
logging stack, which in turn, sends the Docker Trusted Registry
backend container audit records to the remote logging stack. The
@@ -363,11 +366,11 @@ information can be found at the following resource:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. The logging
stack can subsequently be used to interpolate the information defined
@@ -380,7 +383,7 @@ documentation can be found at the following resource:
-
+
Universal Control Plane can be configured to log data to a remote
logging stack. The logging stack can subsequently be used to
interpolate the information defined by this control from the logged
@@ -389,7 +392,7 @@ resource:
@@ -438,12 +441,12 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
@@ -455,13 +458,13 @@ Responsible role(s) - Docker system
#### Implementation Details
-
+
Universal Control Plane can be configured to log data to a remote
logging stack, which in turn, sends the Docker Trusted Registry
backend container audit records to the remote logging stack. The
@@ -471,11 +474,11 @@ found at the following resources:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. The logging
stack can be used to interpolate the information defined by this
@@ -489,7 +492,7 @@ resources:
-
+
Universal Control Plane can be configured to log data to a remote
logging stack. The logging stack can subsequently be configured to
alert individuals in the event of log processing failures. Additional
@@ -497,7 +500,7 @@ information can be found at the following resources:
@@ -522,30 +525,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Universal Control Plane can be configured to log data to a remote
logging stack, which in turn, sends the Docker Trusted Registry
backend container audit records to the remote logging stack. The
@@ -555,11 +558,11 @@ found at the following resources:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. The logging
stack can subsequently be configured to warn the organization when the
@@ -572,7 +575,7 @@ the following resources:
-
+
Universal Control Plane can be configured to log data to a remote
logging stack. The logging stack can subsequently be configured to
warn the organization when the allocated log storage is full.
@@ -580,7 +583,7 @@ Additional information can be found at the following resources:
@@ -605,30 +608,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Universal Control Plane can be configured to log data to a remote
logging stack, which in turn, sends the Docker Trusted Registry
backend container audit records to the remote logging stack. The
@@ -638,11 +641,11 @@ the following resources:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. The
logging stack can subsequently be configured to warn the organization
@@ -655,7 +658,7 @@ the following resources:
-
+
Universal Control Plane can be configured to log data to a remote
logging stack. The logging stack can subsequently be configured to
warn the organization when audit log failures occur. Additional
@@ -663,7 +666,7 @@ information can be found at the following resources:
@@ -742,30 +745,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Universal Control Plane can be configured to log data to a remote
logging stack, which in turn, sends the Docker Trusted Registry
backend container audit records to the remote logging stack. The
@@ -775,11 +778,11 @@ following resources:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. The
organization can subsequently centrally review and analyze all of the
@@ -792,7 +795,7 @@ following resources:
-
+
Universal Control Plane can be configured to log data to a remote
logging stack. The organization can subsequently centrally review and
analyze all of the Docker EE audit records. Additional information can
@@ -800,7 +803,7 @@ be found at the following resources:
@@ -888,31 +891,31 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
-complete
|
-service provider system specific
|
+ |
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Universal Control Plane can be configured to log data to a remote
logging stack, which in turn, sends the Docker Trusted Registry
backend container audit records to the remote logging stack. The
@@ -924,11 +927,11 @@ The underlying operating system chosen to support Docker Trusted
Registry should be certified to ensure that logs are not altered
during generation and transmission to a remote logging stack.
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. The logging
stack can subsequently be used to facilitate the audit reduction and
@@ -938,13 +941,12 @@ can be found at the following resources:
The underlying operating system chosen to support Docker Enterprise
Edition should be certified to ensure that logs are not altered during
generation and transmission to a remote logging stack.
-
-
+
Universal Control Plane can be configured to log data to a remote
logging stack. The logging stack can subsequently be used to
facilitate the audit reduction and report generation requirements of
@@ -955,7 +957,7 @@ The underlying operating system chosen to support Universal Control
Plane should be certified to ensure that logs are not altered during
generation and transmission to a remote logging stack.
@@ -980,30 +982,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Universal Control Plane can be configured to log data to a remote
logging stack, which in turn, sends the Docker Trusted Registry
backend container audit records to the remote logging stack. The
@@ -1013,11 +1015,11 @@ at the following resources:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. The logging
stack can subsequently be configured to parse information by
@@ -1030,7 +1032,7 @@ at the following resources:
-
+
Universal Control Plane can be configured to log data to a remote
logging stack. The logging stack can subsequently be configured to
parse information by organization-defined audit fields. Additional
@@ -1038,7 +1040,7 @@ information can be found at the following resources:
@@ -1077,46 +1079,44 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-configured by customer
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-configured by customer
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-configured by customer
|
+service provider hybrid
|
#### Implementation Details
-
+
Docker Trusted Registry uses the system clock of the underlying
operating system on which it runs. This behavior cannot be modified.The underlying operating system on which Docker Trusted Registry runs
should be configured such that its system clock uses Coordinated
Universal Time (UTC) as indicated by this control. Refer to the
operating system's instructions for doing so.
-
+
Docker Enterprise Edition uses the system clock of the underlying
-operating system on which it runs. This behavior cannot be modified.
-The underlying operating system on which Docker Enterprise Edition
+operating system on which it runs. This behavior cannot be modified.The underlying operating system on which Docker Enterprise Edition
runs should be configured such that its system clock uses Coordinated
Universal Time (UTC) as indicated by this control. Refer to the
operating system's instructions for doing so.
-
-
+
Universal Control Plane uses the system clock of the underlying
operating system on which it runs. This behavior cannot be modified.The underlying operating system on which Universal Control Plane runs
should be configured such that its system clock uses Coordinated
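Review bot: the edit that joins "This behavior cannot be modified." and "The underlying operating system ..." onto one line drops the space between the sentences ("modified.The underlying"), copying a defect already present in the DTR and UCP paragraphs of this section. Restore the sentence break in all three paragraphs rather than propagating it to the Engine paragraph.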
@@ -1148,30 +1148,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The underlying operating system on which Docker Trusted Registry runs
should be configured such that its system clock compares itself with
an authoritative time source as indicated by this control. This can be
@@ -1184,22 +1184,20 @@ time period. This can be accomplished by utilizing the Network Time
Protocol (NTP). Refer to the operating system's instructions for doing
so.
-
+
The underlying operating system on which Docker Enterprise Edition runs should
be configured such that its system clock compares itself with an
authoritative time source as indicated by this control. This can be
accomplished by utilizing the Network Time Protocol (NTP). Refer to
-the operating system's instructions for doing so.
-The underlying operating system on which Docker Enterprise Edition
+the operating system's instructions for doing so.The underlying operating system on which Docker Enterprise Edition
runs should be configured such that its system clock synchronizes
itself to an authoritative time source as defined by part (a) of this
control any time the time difference exceeds that of the
organization-defined time period. This can be accomplished by
utilizing the Network Time Protocol (NTP). Refer to the operating
system's instructions for doing so.
-
-
+
The underlying operating system on which Universal Control Plane runs
should be configured such that its system clock compares itself with
an authoritative time source as indicated by this control. This can be
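Review bot: same sentence-joining defect as in AU-8: "doing so.The underlying operating system" loses the space after the period in the Docker Enterprise Edition paragraph. Keep the original two lines, or join them with a space.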
@@ -1243,30 +1241,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
By default, Docker Trusted Registry is configured to use the
underlying logging capabilities of Docker Enterprise Edition. As such,
on the underlying Linux operating system, only root and sudo users and
@@ -1278,7 +1276,7 @@ logging stack. In this case, the organization is responsible for
configuring the remote logging stack per the provisions of this
control.
-
+
On the underlying Linux operating system supporting Docker Enterprise
Edition, only root and sudo users and users that have been added to
the "docker" group have the ability to access the logs generated by
@@ -1286,8 +1284,12 @@ UCP backend service containers. Should the organization decide to
configure Docker Enterprise Edition to use a logging driver other than
the default json-file driver, the organization is subsequently
responsible for configuring the chosen logging stack per the
-provisions of this control. Additional information can be found at the
-following resources:
+provisions of this control. In addition, for Linux operating systems
+supporting Docker Enterprise Edition that use the systemd daemon, it
+is imperative that the Journal is secured per the requirements of this
+control. The same applies for Linux operating systems supporting
+Docker Enterprise Edition that instead use upstart. Additional
+information can be found at the following resources:
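Review bot: the new sentence says it "is imperative that the Journal is secured per the requirements of this control" but gives no indication of what that means in practice, and "The same applies for ... upstart" is unclear because upstart has no journal; it writes job logs to plain files. Name the concrete expectation for each init system (restricting who can read the journal files and the upstart log files, the way the preceding sentences do for the docker group and the json-file driver), or add a resource link for it alongside the logging links.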
@@ -1295,7 +1297,7 @@ following resources:
-
+
By default, Universal Control Plane is configured to use the
underlying logging capabilities of Docker Enterprise Edition. As such,
on the underlying Linux operating system, only root and sudo users and
@@ -1338,42 +1340,43 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
Docker Trusted Registry resides as an Application on a Universal
-Control Plane cluster, acan be configured to send logs to a remote
-logging stack. Additional information can be found at the following
-resources:
+Control Plane cluster, and can be configured to send logs to a remote
+logging stack. The logging stack can subsequently be configured to
+back up audit records per the schedule defined by this control.
+Additional information can be found at the following resources:
-
+
Docker Enterprise Edition can be configured to use a logging driver
that can subsequently meet the backup requirements of this control.
Additional information can be found at the following resources:
@@ -1384,14 +1387,15 @@ Additional information can be found at the following resources:
-
+
Universal Control Plane can be configured to send logs to a remote
-logging stack. Additional information can be found at the following
-resources:
+logging stack. The logging stack can subsequently be configured to
+back up audit records per the schedule defined by this control.
+Additional information can be found at the following resources:
@@ -1416,36 +1420,43 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
+
+
+Universal Control Plane (UCP) |
+complete
|
+service provider hybrid
|
#### Implementation Details
-
+
Docker Trusted Registry resides as an Application on a Universal
-Control Plane cluster, acan be configured to send logs to a remote
-logging stack. Additional information can be found at the following
-resources:
+Control Plane cluster, and can be configured to send logs to a remote
+logging stack. The logging stack can subsequently be configured to
+meet the encryption mechanisms required by this control. Additional
+information can be found at the following resources:
-
+
Docker Enterprise Edition can be configured to use a logging driver
that can subsequently meet the encryption mechanisms required by this
control. Additional information can be found at the following
@@ -1456,6 +1467,18 @@ resources:
- https://docs.docker.com/engine/admin/logging/overview/
+
+
+Universal Control Plane can be configured to send logs to a remote
+logging stack. The logging stack can subsequently be configured to
+meet the encryption mechanisms required by this control. Additional
+information can be found at the following resources:
+
+
+
+
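Review bot: the added UCP paragraph ends with "Additional information can be found at the following resources:" but the lines that follow it in the hunk are empty; either the resource links were dropped when the paragraph was added or the sentence should go. The Engine paragraph above closes with the docker logging overview link, so the UCP paragraph presumably needs the same. Also worth noting: deferring encryption entirely to the logging stack leaves the transport from the logging driver to that stack unaddressed, which the Engine paragraph could cover by pointing at the driver's TLS options (the syslog driver accepts a `tcp+tls://` address and TLS certificate options).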
@@ -1508,18 +1531,18 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Docker Enterprise Edition includes functionality known as Docker
Content Trust which allows one to cryptographically sign Docker
images. It enforces client-side signing and verification of image tags
@@ -1612,44 +1635,45 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system service provider corporate service provider hybrid shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
+
The organization will be responsible for meeting the requirements of
this control. To assist with these requirements, Docker Trusted
Registry resides as an Application on a Universal Control Plane
cluster, and as such, can be configured to send logs to a remote
-logging stack. Additional information can be found at the following
-resources:
+logging stack. This logging stack can subsequently be configured to
+retain logs for the duration required by this control. Additional
+information can be found at the following resources:
-
+
The organization will be responsible for meeting the requirements of
this control. To assist with these requirements, Docker Enterprise
Edition can be configured to use a logging driver that stores data in
@@ -1662,15 +1686,17 @@ information can be found at the following resources:
-
+
The organization will be responsible for meeting the requirements of
this control. To assist with these requirements, Universal Control
-Plane can be configured to send logs to a remote logging stack.
-Additional information can be found at the following resources:
+Plane can be configured to send logs to a remote logging stack. This
+logging stack can subsequently be configured retain logs for the
+duration required by this control. Additional information can be found
+at the following resources:
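Review bot: "This logging stack can subsequently be configured retain logs" is missing "to" ("configured to retain logs"); the DTR paragraph earlier in this section has the correct wording.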
@@ -1710,74 +1736,84 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
All of the event types indicated by AU-2 a. are logged by a
combination of the backend services within Universal Control Plane and
-Docker Trusted Registry. Additional information can be found at the
-following resources:
+Docker Trusted Registry. The underlying Linux operating system
+supporting DTR can be configured to audit Docker-specific events with
+the auditd daemon. Refer to the specific Linux distribution in use for
+instructions on configuring this service. Additional information can
+be found at the following resources:
Using auditd on the Linux operating system supporting DTR, the
organization can configure audit rules to select which Docker-specific
events are to be audited. Refer to the specific Linux distribution in
use for instructions on configuring this service.
-
+
Both Universal Control Plane and Docker Trusted Registry backend
service containers, all of which reside on Docker Enterprise Edition,
log all of the event types indicated by this AU-2 a. These and other
application containers that reside on Docker Enterprise Edition can be
-configured to log data via an appropriate Docker logging driver.
-Additional information can be found at the following resources:
+configured to log data via an appropriate Docker logging driver. The
+underlying Linux operating system supporting Docker Enterprise Edition
+can be configured to audit Docker-specific events with the auditd
+daemon. Refer to the specific Linux distribution in use for
+instructions on configuring this service. Additional information can
+be found at the following resources:
Using auditd on the Linux operating system supporting CS Docker
Engine, the organization can configure audit rules to select which
Docker-specific events are to be audited. Refer to the specific Linux
distribution in use for instructions on configuring this service.
-
-
+
All of the event types indicated by AU-2 a. are logged by the backend
ucp-controller service within Universal Control Plane. In addition,
each container created on a Universal Control Plane cluster logs event
-data. Additional information can be found at the following resources:
+data. The underlying Linux operating system supporting UCP can be
+configured to audit Docker-specific events with the auditd daemon.
+Refer to the specific Linux distribution in use for instructions on
+configuring this service. Additional information can be found at the
+following resources:
Using auditd on the Linux operating system supporting UCP, the
organization can configure audit rules to select which Docker-specific
events are to be audited. Refer to the specific Linux distribution in
use for instructions on configuring this service.
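Review bot: the three added sentences about auditing Docker-specific events with the auditd daemon duplicate the unchanged paragraphs that immediately follow them ("Using auditd on the Linux operating system supporting DTR, the organization can configure audit rules ..."), so each component now says the same thing twice; keep one of the two. The Engine paragraph's context still says "CS Docker Engine" while the added text says "Docker Enterprise Edition", so pick one name. The unchanged line "log all of the event types indicated by this AU-2 a." also has a stray "this".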
@@ -1802,42 +1838,44 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
+
Docker Trusted Registry resides as an Application on a Universal
Control Plane cluster, and as such, can be configured to send logs to
-a remote logging stack. Additional information can be found at the
-following resources:
+a remote logging stack. This logging stack can subsequently be used to
+compile audit records in to a system-wide audit trail that is
+time-correlated per the requirements of this control. Additional
+information can be found at the following resources:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. This
logging stack can subsequently be used to compile audit records in to
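Review bot: "compile audit records in to a system-wide audit trail" should read "into" in the DTR paragraph, and the same wording appears on the unchanged Engine context line that closes this hunk.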
@@ -1851,14 +1889,16 @@ resources:
-
+
Universal Control Plane can be configured to send logs to a remote
-logging stack. Additional information can be found at the following
-resources:
+logging stack. This logging stack can subsequently be used to compile
+audit records in to a system-wide audit trail that is time-correlated
+per the requirements of this control. Additional information can be
+found at the following resources:
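Review bot: "compile audit records in to a system-wide audit trail" should read "into" here as well, matching the fix needed in the DTR and Engine paragraphs of this section.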
@@ -1893,42 +1933,43 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
+
Docker Trusted Registry resides as an Application on a Universal
Control Plane cluster, and as such, can be configured to send logs to
-a remote logging stack. Additional information can be found at the
-following resources:
+a remote logging stack. This logging stack can subsequently be used to
+meet the requirements of this control. Additional information can be
+found at the following resources:
-
+
Docker Enterprise Edition can be configured with various logging
drivers to send audit events to an external logging stack. This
logging stack can subsequently be used to meet the requirements of
@@ -1941,14 +1982,15 @@ resources:
-
+
Universal Control Plane can be configured to send logs to a remote
-logging stack. Additional information can be found at the following
-resources:
+logging stack. This logging stack can subsequently be used to meet the
+requirements of this control. Additional information can be found at
+the following resources:
diff --git a/docs/compliance/reference/800-53/ca.md b/docs/compliance/reference/800-53/ca.md
index 03fff86..2d765df 100644
--- a/docs/compliance/reference/800-53/ca.md
+++ b/docs/compliance/reference/800-53/ca.md
@@ -201,43 +201,7 @@ The organization develops a continuous monitoring strategy and implements a cont
#### Control Information
-Responsible role(s) - Docker system
-
-
-
-Component |
-Implementation Status(es) |
-Control Origin(s) |
-
-
-Docker Enterprise Edition Engine |
-complete
|
-service provider system specific
|
-
-
-
-#### Implementation Details
-
-
-
-
-
-The CIS Docker Benchmark can be used as a baseline for securing Docker
-Enterprise Edition and for helping the organization meet the
-continuous monitoring requirements of this control. Additional
-information can be found at the following resources:
-
-
-
-
-
-
+Responsible role(s) - Organization
### CA-7 (1) Independent Assessment
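Review bot: the deletion leaves two bare "|" lines (the unchanged context lines between "-complete" and "-service provider system specific") in place while every other row of the component table is removed, so the rendered page will carry orphaned pipe characters; extend the removal to those two lines. The hunk also drops the CIS Docker Benchmark pointer together with the Docker Enterprise Edition Engine row when the responsible role moves to "Organization"; if the benchmark is still the recommended baseline for continuous monitoring, keep that sentence under the new role instead of removing it.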
diff --git a/docs/compliance/reference/800-53/cm.md b/docs/compliance/reference/800-53/cm.md
index d534294..b1207f5 100644
--- a/docs/compliance/reference/800-53/cm.md
+++ b/docs/compliance/reference/800-53/cm.md
@@ -37,26 +37,26 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
-The CIS Docker Benchmark can be used as a baseline for securing Docker
-Enterprise Edition and for helping the organization meet the
-configurmation management requirements of this control. Additional
+
+The CIS Docker Benchmark can be used as a baseline for securing
+Docker Enterprise Edition and for helping the organization meet the
+configuration management requirements of this control. Additional
information can be found at the following resources:
@@ -83,26 +83,26 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker
Enterprise Edition and for helping the organization meet the
-configurmation management requirements of this control. Additional
+configuration management requirements of this control. Additional
information can be found at the following resources:
@@ -134,26 +134,26 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
-The CIS Docker Benchmark can be used as a baseline for securing Docker
-Enterprise Edition and for helping the organization meet the
+
+The CIS Docker Benchmark can be used as a baseline for securing
+Docker Enterprise Edition and for helping the organization meet the
configurmation management requirements of this control. Additional
information can be found at the following resources:
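Review bot: "configurmation" is corrected to "configuration" in the hunks at -37 and -83, but this hunk only rewraps the paragraph and leaves the same misspelling in its unchanged line "configurmation management requirements of this control."; the same unchanged "configurmation" also survives in the hunks at -180, -231, -316, -370 and -420 below. Fix every occurrence in this file in one pass.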
@@ -180,20 +180,20 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
-The CIS Docker Benchmark can be used as a baseline for securing Docker
-Enterprise Edition and for helping the organization meet the
+
+The CIS Docker Benchmark can be used as a baseline for securing
+Docker Enterprise Edition and for helping the organization meet the
configurmation management requirements of this control. CIS regularly
updates their benchmark to reflect the latest updates in the stable
release of Docker Engine. Various configuration management tools such
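Review bot: the Control Origin(s) value here is "service provider hybrid", while the three preceding hunks in this file set the same cell to "service provider hybrid shared" for the same Docker Enterprise Edition Engine component; confirm whether the difference is intentional or the wording should be aligned.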
@@ -204,7 +204,7 @@ information can be found at the following resources:
@@ -231,18 +231,18 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The CIS Docker Benchmark can be used as a baseline for securing
Docker Enterprise Edition and for helping the organization meet the
configurmation management requirements of this control. CIS regularly
@@ -256,7 +256,7 @@ found at the following resources:
@@ -316,18 +316,18 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The CIS Docker Benchmark can be used as a baseline for securing
Docker Enterprise Edition and for helping the organization meet the
configurmation management change control requirements of this control.
@@ -335,7 +335,7 @@ Additional information can be found at the following resources:
@@ -370,18 +370,18 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The CIS Docker Benchmark can be used as a baseline for securing
Docker Enterprise Edition and for helping the organization meet the
configurmation management change control requirements of this control.
@@ -393,7 +393,7 @@ be found at the following resources:
@@ -420,18 +420,18 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The CIS Docker Benchmark can be used as a baseline for securing
Docker Enterprise Edition and for helping the organization meet the
configurmation management change control requirements of this control.
@@ -443,7 +443,7 @@ be found at the following resources:
@@ -500,18 +500,18 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The CIS Docker Benchmark can be used as a baseline for securing
Docker Enterprise Edition and for helping the organization meet the
cryptography management requirements of this control. Additional
@@ -519,7 +519,7 @@ information can be found at the following resources:
@@ -586,45 +586,44 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Role-based access control can be configured within Docker Trusted
Registry to meet the requirements of this control. Additional
information can be found at the following resources:
-
+
Role-based access control can be configured within Universal Control
Plane to meet the requirements of this control. Additional information
can be found at the following resources:
@@ -651,18 +650,18 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
The CIS Docker Benchmark can be used as a baseline for securing
Docker Enterprise Edition and for helping the organization meet the
system change requirements of this control. Additional information can
@@ -670,7 +669,7 @@ be found at the following resources:
@@ -697,30 +696,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provide hybrid shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provide hybrid shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provide hybrid shared
|
#### Implementation Details
-
+
Docker Content Trust is a capability provided by Docker Enterprise
Edition that enforces client-side signing and verification of Docker
image tags. It provides the ability to use digital signatures for data
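Review bot: "service provide hybrid shared" is missing the "r" in "provider" on all three added Control Origin(s) rows of this hunk.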
@@ -737,28 +736,29 @@ Additional information can be found at teh following resources:
-
+
Before installing Docker Enterprise Edition, ensure that your
supporting Linux operating system's packager manager supports package
signature verification and that it is enabled. It is also required
-that you import the Docker public key for CS packages so as to
+that you import the Docker public key for EE packages so as to
retrieve the validated and signed package from Docker, Inc. Refer to
your Linux OS documentation for instructions on completing the above
steps.
-In addition, Docker Content Trust is a capability provided by CS
-Docker Engine that enforces client-side signing and verification of
-Docker image tags. It provides the ability to use digital signatures
-for data sent to and received from Docker Trusted Registry and the
-public Docker Store. These signatures allow client-side verification
-of the integrity and publisher of specific image tags. When enabling
-Docker Content Trust in Docker Enterprise Edition you can enforce the
-use of signed Docker images. Additional information can be found at
-the following resources:
+In addition, Docker Content Trust is a capability provided by Docker
+Engine that enforces client-side signing and verification of Docker
+image tags. It provides the ability to use digital signatures for data
+sent to and received from Docker Trusted Registry and the public
+Docker Store. These signatures allow client-side verification of the
+integrity and publisher of specific image tags. When enabling Docker
+Content Trust in Docker Enterprise Edition you can enforce the use of
+signed Docker images. Additional information can be found at the
+following resources:
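Review bot: two typos in the surrounding unchanged text are worth fixing in this same hunk: "packager manager" (should be "package manager") in the line after "Before installing Docker Enterprise Edition, ensure that your", and "teh following resources" in the hunk header line.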
@@ -766,24 +766,23 @@ the following resources:
-
-Docker Content Trust is a capability provided by Docker Enterprise Edition
-that enforces client-side signing and verification of Docker image
-tags. It provides the ability to use digital signatures for data sent
-to and received from Docker Trusted Registry and the public Docker
-Store. These signatures allow client-side verification of the
+
+Docker Content Trust is a capability provided by Docker Enterprise
+Edition that enforces client-side signing and verification of Docker
+image tags. It provides the ability to use digital signatures for data
+sent to and received from Docker Trusted Registry and the public
+Docker Store. These signatures allow client-side verification of the
integrity and publisher of specific image tags. All Universal Control
Plane Docker images are officially signed and verified by Docker, Inc.
When configuring Universal Control Plane, you should enforce
applications to only use Docker images signed by trusted UCP users
-within your organization. Additional information can be found at the following resources:
+within your organization. Additional information can be found at the
+following resources:
@@ -858,47 +857,63 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with these requirements, the organization can
incorporate the use of an external configuration management system to
-meet the requirements of this control.
-
-
-The organization is responsible for meeting the requirements of this
-control. The organization can incorporate the use of an external
-configuration management system to meet the requirements of this
-control.
+meet the requirements of this control. Docker Trusted Registry's
+configuration can also be backed up and stored an appropriate location
+per the requirements of this control. Additional documenation can be
+found at the following resources:
+
+
+
+
+
+The organization can incorporate the use of an external configuration
+management system to meet the requirements of this control.
-
+
The organization is responsible for meeting the requirements of this
- control. To assist with these requirements, the organization can
- incorporate the use of an external configuration management system to
- meet the requirements of this control.
+control. To assist with these requirements, the organization can
+incorporate the use of an external configuration management system to
+meet the requirements of this control. Universal Control Plane's
+configuration can also be managed, backed up and stored in another
+location per the requirements of this control. Additional documentation
+can be found at the following resources:
+
+
+
+
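Review bot: the added DTR sentence is missing a preposition and has a typo: "backed up and stored an appropriate location" should read "backed up and stored in an appropriate location", and "documenation" should be "documentation". The matching UCP paragraph further down the hunk already has both right ("stored in another location", "Additional documentation").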
@@ -924,7 +939,41 @@ The organization:
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Docker Enterprise Edition Engine |
+complete
|
+service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To help the organization meet the requirements of this control, the
+latest CIS Docker Benchmark can be used as a secure configuration
+baseline. Additional information can be found at the following
+resources:
+
+
+
+
+
+
### CM-7 (1) Periodic Review
@@ -938,7 +987,34 @@ The organization:
#### Control Information
-Responsible role(s) - Organization
+Responsible role(s) - Docker system
+
+
+
+Component |
+Implementation Status(es) |
+Control Origin(s) |
+
+
+Universal Control Plane (UCP) |
+complete
|
+Docker EE system service provider corporate service provider hybrid
|
+
+
+
+#### Implementation Details
+
+
+
+
+
+To help the organization meet the requirements of this control,
+Universal Control Plane includes a robust access control model to
+disable any functionality as mandated by this control.
+
+
### CM-7 (2) Prevent Program Execution
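Review bot: the Control Origin(s) cell added for Universal Control Plane runs three values together with no separator ("Docker EE system service provider corporate service provider hybrid"); list them as distinct values. The implementation detail also does not speak to the enhancement it sits under: this section is CM-7 (1) Periodic Review, but the added text only says UCP's access control model can disable functionality, which belongs to the base CM-7 least-functionality statement; describe how the periodic review this enhancement requires is supported, or move the text.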
@@ -959,48 +1035,47 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
The organization can define a list of allowed base Docker images and
make them available via Docker Trusted Registry. The organization can
also prevent users from being able to pull Docker images from
untrusted sources.
-
+
In order to restrict which Docker images can be used to deploy
-applications to Docker Enterprise Edition, the organization must define a list
-of allowed base Docker images and make them available via Docker
-Trusted Registry. The organization must also prevent users from being
-able to pull Docker images from untrusted sources.
-
+applications to Docker Enterprise Edition, the organization can define
+a list of allowed base Docker images and make them available via
+Docker Trusted Registry. The organization can also prevent users from
+being able to pull Docker images from untrusted sources.
-
+
In order to restrict which Docker images can be used to deploy
-applications to Universal Control Plane, the organization must define a
+applications to Universal Control Plane, the organization can define a
list of allowed base Docker images and make them available via Docker
-Trusted Registry. The organization must also prevent users from being
+Trusted Registry. The organization can also prevent users from being
able to pull Docker images from untrusted sources.
@@ -1054,34 +1129,34 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with these requirements, the organization can
define a list of allowed base Docker images and make them available
-via Docker Trusted Registry. The organization must also prevent users
+via Docker Trusted Registry. The organization can also prevent users
from being able to pull Docker images from untrusted sources.The organization is responsible for meeting the requirements of this
control. To assist with these requirements, the organization can
configure its systems to ensure that only approved Docker images are
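Review bot: the unchanged line "from being able to pull Docker images from untrusted sources.The organization is responsible for meeting the requirements of this" has two paragraphs run together with no space or line break after the period; since the hunk already touches the line directly above it, add the paragraph break here.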
@@ -1089,17 +1164,16 @@ stored in Docker Trusted Registry. This can be accomplished by using
Docker Content Trust to sign Docker images which can subsequently be
stored in Docker Trusted Registry.
-
+
The organization is responsible for meeting the requirements of this
control. To assist with these requirements and in order to restrict
-which Docker images can be used to deploy applications to CS Docker
+which Docker images can be used to deploy applications to Docker EE
Engine, the organization must define a list of allowed base Docker
images and make them available via Docker Trusted Registry. The
organization must also prevent users from being able to pull Docker
images from untrusted sources.
-
-
+
The organization is responsible for meeting the requirements of this
control. To assist with these requirements and in order to restrict
which Docker images can be used to deploy applications to Universal
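Review bot: this hunk keeps "the organization must define a list of allowed base Docker images" and "must also prevent users" in its unchanged lines, while the hunks at -959 and -1054 just above change the same sentences from "must" to "can"; align the wording so the Docker EE Engine paragraph does not state a stricter obligation than the DTR and UCP paragraphs.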
@@ -1117,7 +1191,7 @@ following resources:
@@ -1267,18 +1341,18 @@ Responsible role(s) - Docker system
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The CIS Docker Benchmark can be used as a baseline for securing
Docker Enterprise Edition and for helping the organization meet the
configuration management plan requirements of this control. Additional
@@ -1286,7 +1360,7 @@ information can be found at the following resources:
@@ -1353,18 +1427,18 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with these requirements, the organization can
define a list of allowed base Docker images and make them available
@@ -1392,22 +1466,21 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid shared
|
#### Implementation Details
-
-The organization is responsible for meeting the requirements of this
-control. To assist with these requirements, the organization can
-define a list of allowed base Docker images and make them available
-via Docker Trusted Registry. The organization can also prevent users
+
+The organization can define a list of allowed base Docker images and
+make them available via Docker Trusted Registry to meet the
+requirements of this contorl. The organization can also prevent users
from being able to pull Docker images from untrusted sources.
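Review bot: "contorl" should be "control" in the added line "requirements of this contorl. The organization can also prevent users".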
diff --git a/docs/compliance/reference/800-53/cp.md b/docs/compliance/reference/800-53/cp.md
index d66c7c3..4b28944 100644
--- a/docs/compliance/reference/800-53/cp.md
+++ b/docs/compliance/reference/800-53/cp.md
@@ -513,24 +513,24 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Docker Trusted Registry maintains its cluster state via an internal
key-value store. This, and other DTR transactions can be backed up and
recovered. Additional information can be found at the following
@@ -538,12 +538,12 @@ resources:
-
+
Universal Control Plane maintains its cluster state via an internal
key-value store. This, and other UCP transactions can be backed up and
recovered. Additional information can be found at the following
@@ -551,7 +551,7 @@ resources:
diff --git a/docs/compliance/reference/800-53/ia.md b/docs/compliance/reference/800-53/ia.md
index 42c2567..04d8b7a 100644
--- a/docs/compliance/reference/800-53/ia.md
+++ b/docs/compliance/reference/800-53/ia.md
@@ -47,28 +47,34 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system shared
|
#### Implementation Details
-
-Docker Enterprise Edition can be configured to identify and authenticate
-users via it's integrated support for LDAP. Users and groups managed
-within the organization's LDAP directory service (e.g. Active
-Directory) can be synchronized to UCP and DTR on a regular interval. When a
-user is removed from the LDAP-backed directory, that user becomes
-inactive within UCP and DTR. In addition, UCP and DTR teams can be mapped to groups
-synchronized via LDAP. When a user is added/removed to/from the LDAP
-group, that same user is automatically added/removed to/from the UCP and DTR
-team. Instructions for configuring LDAP integration can be found at
-https://docs.docker.com/datacenter/ucp/2.0/guides/configuration/integrate-with-ldap/.
+
+Docker Enterprise Edition can be configured to identify and
+authenticate users via it's integrated support for LDAP. Users and
+groups managed within the organization's LDAP directory service (e.g.
+Active Directory) can be synchronized to UCP and DTR on a regular
+interval. When a user is removed from the LDAP-backed directory, that
+user becomes inactive within UCP and DTR. In addition, UCP and DTR
+teams can be mapped to groups synchronized via LDAP. When a user is
+added/removed to/from the LDAP group, that same user is automatically
+added/removed to/from the UCP and DTR team. Additional information can
+be found at the following resources:
+
+
+
+
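Review bot: "it's" should be "its" in the added line "authenticate users via it's integrated support for LDAP" (the removed text had the same error). The hunk also removes the concrete link https://docs.docker.com/datacenter/ucp/2.0/guides/configuration/integrate-with-ldap/ and replaces it with "Additional information can be found at the following resources:" followed by four added lines that are blank as shown; confirm the resource list actually carries the LDAP integration link.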
@@ -131,49 +137,49 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+service provider hybrid
|
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, Docker Trusted
Registry requires individual users to be authenticated in order to
gain access to the system. Any permissions granted to the team(s) that
which the user is a member are subsequently applied.
-
+
The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, Universal Control
Plane requires individual users to be authenticated in order to gain
access to the system. Any permissions granted to the team(s) that
which the user is a member are subsequently applied.
-
+
The organization is responsible for meeting the requirements of this
-control. To assist with meeting these requirements, Docker Enterprise Edition
-requires individual users to be authenticated in order to gain access
-to the system. Any permissions granted to the team(s) that which the
-user is a member are subsequently applied.
+control. To assist with meeting these requirements, Docker Enterprise
+Edition requires individual users to be authenticated in order to gain
+access to the system. Any permissions granted to the team(s) that
+which the user is a member are subsequently applied.
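Review bot: "Any permissions granted to the team(s) that which the user is a member" is ungrammatical in the added Docker Enterprise Edition paragraph; it should read "the team(s) of which the user is a member". The DTR and UCP paragraphs above it carry the same construction in unchanged lines, so fix all three together.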
@@ -216,22 +222,22 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
-Docker Enterprise Edition integrates with LDAP for authenticating users to an
-external directory service. You should configure your external
-directory service for ensuring that you are protected against replay
-attacks.
+
+Docker Enterprise Edition integrates with LDAP for authenticating
+users to an external directory service. You should configure your
+external directory service for ensuring that you are protected against
+replay attacks.
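Review bot: style point on the rewrapped sentence: "You should configure your external directory service for ensuring that you are protected against replay attacks" reads more naturally as "Configure your external directory service to ensure it protects against replay attacks". The next hunk in this file adds the identical paragraph, so apply the same wording there.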
@@ -254,22 +260,22 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
-Docker Enterprise Edition integrates with LDAP for authenticating users to an
-external directory service. You should configure your external
-directory service for ensuring that you are protected against replay
-attacks.
+
+Docker Enterprise Edition integrates with LDAP for authenticating
+users to an external directory service. You should configure your
+external directory service for ensuring that you are protected against
+replay attacks.
@@ -332,55 +338,58 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Docker Enterprise Edition Engine |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Docker Trusted Registry replicas reside on Universal Control Plane
worker nodes. In order for UCP worker nodes to join a Universal
Control Plane cluster, they must be identified and authenticated via a
worker token. Additional Docker Trusted Registry replicas can only be
added after a UCP administrator user has authenticated in to the UCP
cluster and when mutual TLS authentication between the UCP worker and
-manager nodes has been established. Reference documentation can be
-found at
-https://docs.docker.com/datacenter/dtr/2.1/guides/install/#/step-7-join-replicas-to-the-cluster.
-
-
-In order for other CS Engine nodes to be able to join a cluster
-managed by Universal Control Plane, they must be identified and
-authenticated via either a manager or worker token. Use of the token
-includes trust on first use mutual TLS.
+manager nodes has been established. Additional information can be found at the following resources:
+
+
+
-
+
+In order for other Docker EE engine nodes to be able to join a
+cluster managed by Universal Control Plane, they must be identified
+and authenticated via either a manager or worker token. Use of the
+token includes trust on first use mutual TLS.
+
+
In order for nodes to join a Universal Control Plane cluster, they
must be identified and authenticated via either a manager or worker
token. Additional information can be found at the following resources:
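Review bot: the added line "manager nodes has been established. Additional information can be found at the following resources:" is not wrapped at the width used everywhere else in these files; wrap it. As in the ia.md hunk at -47, the specific link https://docs.docker.com/datacenter/dtr/2.1/guides/install/#/step-7-join-replicas-to-the-cluster is removed and the lines that follow the new "resources:" sentence are blank as shown, so check that the link is still reachable from the resource list.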
@@ -446,34 +455,34 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to prevent the reuse of user identifiers for a specified
-period of time. Refer to your directory service's documentation for
-configuring thisThe organization is responsible for meeting the requirements of this
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to prevent the reuse of user identifiers for a
+specified period of time. Refer to your directory service's
+documentation for configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to prevent the reuse of user identifiers for a specified
-period of time. Refer to your directory service's documentation for
-configuring this.The organization is responsible for meeting the requirements of this
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to prevent the reuse of user identifiers for a
+specified period of time. Refer to your directory service's
+documentation for configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to prevent the reuse of user identifiers for a specified
-period of time. Refer to your directory service's documentation for
-configuring this.
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to prevent the reuse of user identifiers for a
+specified period of time. Refer to your directory service's
+documentation for configuring this.
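Review bot: the rewrapped text repeats the same paragraph three times and still joins them with no space or break ("documentation for configuring this.The organization is responsible for meeting the requirements of this" appears twice in the added lines); since the hunk rewrites these lines anyway, insert the paragraph breaks, and consider whether one paragraph naming the three components is clearer than three identical copies.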
@@ -526,23 +535,23 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to uniquely identify each individual according to the
-requirements of this control. Refer to your directory service's
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to uniquely identify each individual according to
+the requirements of this control. Refer to your directory service's
documentation for configuring this.
@@ -608,65 +617,65 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to establish initial authenticator content according to the
-requirements of this control. Refer to your directory service's
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to establish initial authenticator content according
+to the requirements of this control. Refer to your directory service's
documentation for configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to enforce strength requirements for authenticators
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to enforce strength requirements for authenticators
according to the requirements of this control. Refer to your directory
service's documentation for configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to distribute, redistribute, and revoke authenticators
-according to the requirements of this control. Refer to your directory
-service's documentation for configuring this.The organization is responsible for meeting the requirements of this
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to distribute, redistribute, and revoke
+authenticators according to the requirements of this control. Refer to
+your directory service's documentation for configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to change default authenticator content according to the
-requirements of this control. Refer to your directory service's
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to change default authenticator content according to
+the requirements of this control. Refer to your directory service's
documentation for configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to set minimum and maximum lifetime restrictions and reuse
-conditions for authenticators according to the requirements of this
-control. Refer to your directory service's documentation for
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to set minimum and maximum lifetime restrictions and
+reuse conditions for authenticators according to the requirements of
+this control. Refer to your directory service's documentation for
configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to refresh authenticators at a regular cadence according to
-the requirements of this control. Refer to your directory service's
-documentation for configuring this.The organization is responsible for meeting the requirements of this
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to refresh authenticators at a regular cadence
+according to the requirements of this control. Refer to your directory
+service's documentation for configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to protect authenticator content from unauthorized
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to protect authenticator content from unauthorized
disclosure or modification according to the requirements of this
control. Refer to your directory service's documentation for
configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to implement specific security safeguards to protect
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to implement specific security safeguards to protect
authentications according to the requirements of this control. Refer
to your directory service's documentation for configuring this.The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to change authenticators for group or role accounts when
-membership to those groups or roles changes according to the
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to change authenticators for group or role accounts
+when membership to those groups or roles changes according to the
requirements of this control. Refer to your directory service's
documentation for configuring this.
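Review bot: The paragraph break between controls is still missing after the rewrap: on every line ending with "for configuring this.The organization is responsible for meeting the requirements of this" the closing sentence of one control runs straight into the opening sentence of the next, with no space or blank line, in both the removed and the added versions. Since this hunk only changes line width for these paragraphs, it is the place to also split them, ending each block at "Refer to your directory service's documentation for configuring this." and starting the next "The organization is responsible ..." on its own line.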
@@ -699,18 +708,18 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
An external directory service integrated with Docker Enterprise
Edition via LDAP can be configured to enforce minimum password
complexity requirements. Refer to your directory service's
@@ -763,30 +772,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Docker Trusted Registry includes a Docker volume which holds the root
key material for the DTR root CA that issues certificats. In addition
Universal Control Plane contains two, built-in root certificate
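Review bot: Typo on the unchanged context line "key material for the DTR root CA that issues certificats." should read "certificates"; since this hunk already touches the surrounding Implementation Details block, fix it here. The comma in "Universal Control Plane contains two, built-in root certificate authorities" should also be dropped. Reclassifying DTR, UCP and eNZi from "service provider system specific" to "Docker EE system" is consistent with the text, which describes behaviour of the products themselves rather than customer configuration.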
@@ -812,13 +821,16 @@ subsequently grants that user access to Docker Trusted Registry, it is
attached to that user's Universal Control Plane profile. Bundles/keys
can be revoked by an Administrator or the user themselves. The
cluster's internal certificates can also be revoked and updated.
-Instructions for doing so can be found at
-https://docs.docker.com/datacenter/ucp/2.0/guides/configuration/#/replace-the-server-certificates.
-In addition, Docker Trusted Registry's server certificates can be
-replaced by following the instructions at
-https://docs.docker.com/datacenter/dtr/2.1/guides/configure/.
+Additional information can be found at the following resources:
+
+
+
+
-
+
Universal Control Plane contains two, built-in root certificate
authorities. One CA is used for signing client bundles generated by
users. The other CA is used for TLS communication between UCP cluster
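Review bot: The concrete links to the UCP server-certificate replacement guide (https://docs.docker.com/datacenter/ucp/2.0/guides/configuration/#/replace-the-server-certificates) and the DTR configuration guide (https://docs.docker.com/datacenter/dtr/2.1/guides/configure/) are removed and replaced by "Additional information can be found at the following resources:", but the list that follows in the hunk consists only of empty added lines. As it stands the reader loses the only pointer to how cluster certificates and DTR server certificates are revoked and replaced, which is the substance of this control's revocation requirement; make sure the resource entries actually carry the replacement URLs (or keep the original two links) before merging.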
@@ -841,11 +853,11 @@ can be found at the following resources:
-
+
All users within a Docker Enterprise Edition cluster can create a
client certificate bundle for authenticating in to the cluster from
the Docker client tooling. When a user attempts to authenticate in to
@@ -897,18 +909,18 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
directory service integrated with Docker Enterprise Edition via LDAP can be
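Review bot: Inconsistent rewrap: this Implementation Details block keeps the long unchanged line "directory service integrated with Docker Enterprise Edition via LDAP can be", while the same sentence is rewrapped to the shorter width in the other hunks of this change ("... via LDAP" / "can be configured ..."). Either rewrap this paragraph as well or leave the others alone, so the document has one line width.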
@@ -947,23 +959,24 @@ Responsible role(s) - Docker system
Authentication and Authorization Service (eNZi) |
complete
|
-service provider system specific
|
+service provider hybrid
|
#### Implementation Details
-
+
The organization is responsible for meeting the requirements of this
control. To assist with meeting these requirements, an external
-directory service integrated with Docker Enterprise Edition via LDAP can be
-configured to protect authenticators as required by this control.
-Refer to your directory service's documentation for configuring this.
+directory service integrated with Docker Enterprise Edition via LDAP
+can be configured to protect authenticators as required by this
+control. Refer to your directory service's documentation for
+configuring this.
@@ -1076,29 +1089,29 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Docker Trusted Registry obscures all feedback of authentication
information during the authentication process. This includes both
authentication via the web UI and the CLI.
-
+
Universal Control Plane obscures all feedback of authentication
information during the authentication process. This includes both
authentication via the web UI and the CLI.
@@ -1124,30 +1137,30 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
All access to Docker Trusted Registry is protected with Transport
Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both
SSH access to the individual UCP nodes and CLI-/web-based access to
the UCP management functions with mutual TLS and HTTPS respectively.
-
+
All access to Universal Control Plane is protected with Transport
Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both
SSH access to the individual UCP nodes and CLI-/web-based access to
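Review bot: The Docker Trusted Registry paragraph ("All access to Docker Trusted Registry is protected with Transport Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both SSH access to the individual UCP nodes and CLI-/web-based access to the UCP management functions ...") looks copied from the UCP paragraph below it: it describes UCP nodes and UCP management functions rather than DTR's own interfaces (registry API and web UI), and should be rewritten for DTR. In both paragraphs, SSH access to nodes is not protected by TLS, so listing it under "protected with TLS 1.2" is misleading; describe SSH separately or drop it. Minor: "AES-GCM" and "AES GCM" are spelled differently between the two paragraphs.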
@@ -1174,29 +1187,29 @@ Responsible role(s) - Docker system
Docker Trusted Registry (DTR) |
complete
|
-service provider system specific
|
+Docker EE system
|
Universal Control Plane (UCP) |
complete
|
-service provider system specific
|
+Docker EE system
|
#### Implementation Details
-
+
Users managed by Docker Trusted Registry can be grouped per the
requirements of the organization and as defined by this control. This
can include groupings for non-organizational users.
-