Merge pull request #30 from docker/docs

Add auto-generating compliance docs

.gitignore

@@ -157,9 +157,6 @@ _testmain.go
 # Output of the go coverage tool, specifically when used with LiteIDE
 *.out
 
-# external packages folder
-vendor/*/
-
 nlp/DTR/
 nlp/CSEngine/
 nlp/UCP/

docs/Makefile

@@ -0,0 +1,27 @@
+.PHONY: vendor
+
+default: generate
+
+vendor:
+	cd generator; \
+	dep ensure
+
+test:
+	cd generator; \
+	go vet `go list ./... | grep -v /vendor/`; \
+	go test -v -race `go list ./... | grep -v /vendor/`
+
+build:
+	cp -r ../opencontrol/components generator/
+	docker build -t docker/compliance-doc-generator:latest generator/
+
+run: build
+	docker run -it --rm -v "$$PWD/compliance/reference/800-53":/800-53 docker/compliance-doc-generator:latest
+	rm -rf generator/components
+
+generate: run
+	cp -r compliance $$HOME/Development/docker.github.io/
+
+clean:
+	docker rmi -f docker/compliance-doc-generator:latest
+	rm -rf generator/components

docs/README.md

@@ -0,0 +1 @@
+The content in this folder is used to update the compliance documentation on docs.docker.com.

docs/compliance/cis.md

@@ -0,0 +1,9 @@
+---
+description: CIS Docker Benchmark information
+keywords: standards, compliance, security, benchmark
+title: CIS Docker Benchmark
+---
+
+The Center for Information Security (CIS) Docker Benchmark is a reference document that can be used by system administrators, security and audit professionals and other IT roles in order to establish a secure configuration baseline for the Docker Engine.
+
+The latest benchmark for Docker v1.13.0 can be found [here](https://benchmarks.cisecurity.org/tools2/docker/CIS_Docker_1.13.0_Benchmark_v1.0.0.pdf). The open source [Docker Bench for Security](https://github.com/docker/docker-bench-security) toolkit can also be used to validate a running instance of Docker against the CIS Docker Benchmark.

docs/compliance/fedramp.md

@@ -0,0 +1,11 @@
+---
+description: FedRAMP compliance guidance for Docker Enterprise Edition
+keywords: standards, compliance, security
+title: FedRAMP
+---
+
+The [Federal Risk and Authorization Management Program (FedRAMP)](https://www.fedramp.gov/) is a U.S. Federal Government-wide program that provides for a standardized apporach to security assessment and authorization. Federal agencies that choose to leverage cloud services must ensure that they're utilizing FedRAMP-authorized providers. The security controls FedRAMP requires a provider to adhere to are a subset of the controls documented by NIST Special Publication 800-53. As with the baselines set within NIST 800-53 (low, moderate and high), FedRAMP also incorporates these same baselines in its authorization process. In addition, when agencies deploy systems (like Docker Enterprise Edition) on top of these providers, they must acquire an Authority to Operate (ATO) for those system that are in line with those agencies' own security procedures.
+
+It is important to note that Docker, Inc is not a cloud service provider. While Docker does offer various SaaS-hosted services, which include Docker Hub, Docker Store and Docker Cloud, these services are *not* FedRAMP provisionally authorized. However, Docker's Enterprise product stack can be installed on top of compute services offered by a number of FedRAMP provisionally-authorized infrastructure-as-a-service (IaaS) providers. Examples include Microsoft Azure Government and Amazon Web Services GovCloud. Agencies can subsequently inherit the FedRAMP controls already satisfied by those providers and can combine those controls with the NIST 800-53 controls applicable to Docker Enterprise Edition and that which are documented on our site in order to gain an ATO for Docker Enterprise Edition.
+
+Refer to the [NIST 800-53](/compliance/nist/800_53/) section for more information on the applicable NIST 800-53 controls.

docs/compliance/index.md

@@ -0,0 +1,13 @@
+---
+description: Compliance guidance for Docker Enterprise Edition
+keywords: standards, compliance, security
+title: Docker standards and compliance
+---
+
+We want to ensure that Docker Enterprise Edition can be used in a manner that meets the requirements of various security and compliance standards. You can use this documentation in order to validate your Docker Enterprise Edition deployment against applicable security controls and configuration baselines. The documents that we've highlighted thus far are as follows:
+
+- [NIST Special Publication (SP) 800-53 Revision 4](/compliance/nist/800_53/)
+- [Federal Risk and Authorization Management Program (FedRAMP)](/compliance/fedramp/)
+- [CIS Docker Benchmark](/compliance/cis/)
+
+Docker also maintains an open source repository at [https://github.com/docker/compliance](https://github.com/docker/compliance) where you can find a number of compliance resources. These include tools for auto-generating security documentation, auditing Docker Enterprise Edition systems against the security controls and even an experimental natural language processing utility for proofreading security narratives.

docs/compliance/nist/800_53.md

@@ -0,0 +1,9 @@
+---
+description: NIST 800-53 compliance guidance for Docker Enterprise Edition
+keywords: standards, compliance, security
+title: NIST 800-53
+---
+
+NIST Special Publication 800-53 contains a listing of security controls that entities often reference for ensuring the security and validity of their technology systems. The official listing of controls can be found on the NIST website [here](https://nvd.nist.gov/800-53).
+
+Many of the NIST 800-53 controls are applicable to the components that make up the Docker Enterprise Edition software stack. Refer to the [NIST 800-53 reference](/compliance/reference/800-53/) for more details.