diff --git a/docs/compliance/reference/800-53/AC.md b/docs/compliance/reference/800-53/AC.md index aab8d4e..8f1854d 100644 --- a/docs/compliance/reference/800-53/AC.md +++ b/docs/compliance/reference/800-53/AC.md @@ -44,11 +44,11 @@ The organization: **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, one can control which users and teams are allowed to create and manipulate Docker Enterprise Edition resources. By default, no one @@ -118,11 +118,11 @@ The organization: **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, an external identity management system (such as Microsoft's Active Directory or an LDAP endpoint) can be configured as mandated by @@ -169,13 +169,13 @@ The organization employs automated mechanisms to support the management of infor **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, supporting documentation for managing users and teams can found at the following resources: @@ -183,7 +183,7 @@ found at the following resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/manage-users/create-and-manage-users/ - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/manage-users/create-and-manage-teams/
-
+
To assist the organization in meeting the requirements of this control, supporting documentation for managing users and teams can found at the following resources: @@ -191,7 +191,7 @@ found at the following resources: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/manage-users/create-and-manage-users/ - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/manage-users/create-and-manage-teams/
-
+
To assist the organization in meeting the requirements of this control, an external identity management system (such as Microsoft's Active Directory or an LDAP endpoint) can be configured as mandated by @@ -228,11 +228,11 @@ The information system automatically [Selection: removes; disables] temporary an **Implemenation Details:**
-
+
Using Docker Enterprise Edition's LDAP integration capabilities, one can disable and/or remove temporary and emergency accounts in a connected directory service (such as Active Directory) after an @@ -270,11 +270,11 @@ The information system automatically disables inactive accounts after [Assignmen **Implemenation Details:**
-
+
Using Docker Enterprise Edition's LDAP integration capabilities, one can automatically disable inactive accounts in a connected directory service (such as Active Directory). When a user is removed from LDAP, @@ -311,11 +311,11 @@ The information system automatically audits account creation, modification, enab **Implemenation Details:**
-
+
Docker Enterprise Edition logs various authentication and authorization events to standard log files. One can configure Docker Enterprise Edition to direct these event logs to a remote logging @@ -358,11 +358,11 @@ The organization requires that users log out when [Assignment: organization-defi **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, Docker Enterprise Edition can be configured to enforce automated session termination of users after an organization-defined time period @@ -424,27 +424,27 @@ The organization: **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, supporting documentation can be found at the following resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/manage-users/permission-levels/
-
+
To assist the organization in meeting the requirements of this control, supporting documentation can be found at the following resources: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/manage-users/permission-levels/
-
+
To assist the organization in meeting the requirements of this control, Docker Enterprise Edition supports various levels of user permissions and role-based access control enforcements. Administrator @@ -501,11 +501,11 @@ The organization only permits the use of shared/group accounts that meet [Assign **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, users and/or groups synchronized to Docker Enterprise Edition via LDAP can be configured at the directory service. @@ -538,11 +538,11 @@ The information system terminates shared/group account credentials when members **Implemenation Details:**
-
+
Users and/or groups synchronized to Docker Enterprise Edition via LDAP can be configured at the directory service.
@@ -574,11 +574,11 @@ The information system enforces [Assignment: organization-defined circumstances **Implemenation Details:**
-
+
Information system accounts synchronized to Docker Enterprise Edition via LDAP can be configured at the directory service to meet this requirement as necessary. @@ -630,14 +630,14 @@ The organization: **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, supporting documentation can be found at the following resources: @@ -645,7 +645,7 @@ resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/monitor-and-troubleshoot/ - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/
-
+
To assist the organization in meeting the requirements of this control, Docker Enterprise Edition can be configured to aggregate container and daemon events via a number of logging drivers. @@ -656,7 +656,7 @@ Supporting documentation can be found at the following resources: - https://docs.docker.com/engine/admin/logging/log_tags/
-
+
To assist the organization in meeting the requirements of this control, Universal Control Plane can be configured to send system account log data to a remote logging service such as an Elasticsearch, @@ -667,7 +667,7 @@ at the following resources: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/monitor-and-troubleshoot/troubleshoot-with-logs/ - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
-
+
To assist the organization in meeting the requirements of this control, when Docker Enterprise Edition is configured for LDAP integration, one can refer to the directory service's existing @@ -701,11 +701,11 @@ The organization disables accounts of users posing a significant risk within [As **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, users and/or groups synchronized to Docker Enterprise Edition via LDAP can be managed at the directory service. @@ -748,13 +748,13 @@ The information system enforces approved authorizations for logical access to in **Implemenation Details:**
-
+
One can control which users and teams can create and manipulate Docker Trusted Registry resources. By default, no one can make changes to the cluster. Permissions can be granted and managed to enforce @@ -765,7 +765,7 @@ the following resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/manage-users/permission-levels/ - https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC
-
+
One can control which users and teams can create and manipulate Universal Control Plane resources. By default, no one can make changes to the cluster. Permissions can be granted and managed to enforce @@ -777,7 +777,7 @@ the following resources: - https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources - https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#RBAC
-
+
One can control which users and teams can create and manipulate Docker Enterprise Edition resources. By default, no one can make changes to the cluster. Permissions can be granted and managed to @@ -926,13 +926,13 @@ The information system enforces approved authorizations for controlling the flow **Implemenation Details:**
-
+
Supporting documentation to configure Docker Trusted Registry to meet the requirements of this control can be found at the following resources: @@ -941,7 +941,7 @@ resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/install/system-requirements/#/ports-used - https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations
-
+
Docker Enterprise Edition can be configured to control the flow of information that originates from applications running in containers. Supporting documentation can be found at the following resources: @@ -950,7 +950,7 @@ documentation can be found at the following resources: - http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks
-
+
Supporting documentation to configure Universal Control Plane to meet the requirements of this control can be found at the following resources: @@ -1071,13 +1071,13 @@ The information system enforces information flow control using [Assignment: orga **Implemenation Details:**
-
+
Supporting documentation to configure Docker Trusted Registry to meet the requirements of this control can be found at the following resources: @@ -1086,7 +1086,7 @@ resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/install/system-requirements/#/ports-used - https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations
-
+
Docker Enterprise Edition can be configured to control the flow of information that originates from applications running in containers per organization-defined security policy filters. Supporting @@ -1101,7 +1101,7 @@ alongside Docker Enterprise Edition to satisfy this control's requirements.
-
+
Supporting documentation to configure Universal Control Plane to meet the requirements of this control can be found at the following resources: @@ -1262,13 +1262,13 @@ The information system separates information flows logically or physically using **Implemenation Details:**
-
+
Supporting documentation to configure Docker Trusted Registry to meet the requirements of this control can be found at the following resources: @@ -1277,7 +1277,7 @@ resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/install/system-requirements/#/ports-used - https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Docker_Datacenter_Best_Practices_and_Design_Considerations#Infrastructure_Considerations
-
+
Docker Enterprise Edition can be configured to separate the flow of information that originates from applications running in containers. Supporting documentation can be found at the following resources: @@ -1286,7 +1286,7 @@ Supporting documentation can be found at the following resources: - http://success.docker.com/Datacenter/Apply/Docker_Reference_Architecture%3A_Designing_Scalable%2C_Portable_Docker_Container_Networks
-
+
Supporting documentation to configure Universal Control Plane to meet the requirements of this control can be found at the following resources: @@ -1347,12 +1347,12 @@ The organization: **Implemenation Details:**
-
+
To assist the organization in meeting the requirements of this control, one can control which users and teams can create and manipulate Docker Trusted Registry resources. By default, no one can @@ -1364,7 +1364,7 @@ found at the following resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/manage-users/permission-levels/ - https://success.docker.com/KBase/Docker_Reference_Architecture%3A_Securing_Docker_Datacenter_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC
-
+
To assist the organization in meeting the requirements of this control, one can control which users and teams can create and manipulate Universal Control Plane resources. By default, no one can @@ -1489,11 +1489,11 @@ The information system prevents [Assignment: organization-defined software] from **Implemenation Details:**
-
+
Universal Control Plane users can be assigned to one of a number of different permission levels. The permission level assigned to a specific user determines that user's ability to execute certain @@ -1537,11 +1537,11 @@ The information system audits the execution of privileged functions. **Implemenation Details:**
-
+
Docker Enterprise Edition logs privileged user events to standard log files. One can configure Docker Enterprise Edition to direct these event logs to a remote logging service such as an Elasticsearch, @@ -1582,11 +1582,11 @@ The information system prevents non-privileged users from executing privileged f **Implemenation Details:**
-
+
One can control which users and teams can create and manipulate Docker Enterprise Edition resources. By default, no one can make changes to the cluster. Permissions can be granted and managed to enforce @@ -1629,11 +1629,11 @@ The information system: **Implemenation Details:**
-
+
When Docker Enterprise Edition is integrated to a directory service via LDAP, one can reference the functionality of the directory service to configure the enforcement of a limit to the number of conesecutive @@ -1759,11 +1759,11 @@ The information system limits the number of concurrent sessions for each [Assign **Implemenation Details:**
-
+
Docker Enterprise Edition can be configured to limit the number of concurrent sessions for each account. These options can be found within the Universal Control Plane Admin Settings under the "Auth" @@ -1801,11 +1801,11 @@ The information system: **Implemenation Details:**
-
+
Per the requirements of AC-2 (5), Docker Enterprise Edition can be configured to enforce user session lifetime limits and renewal thresholds. These options can be found within the Universal Control @@ -1841,11 +1841,11 @@ The information system conceals, via the session lock, information previously vi **Implemenation Details:**
-
+
Per the requirements of AC-2 (5), Docker Enterprise Edition can be configured to enforce user session lifetime limits and renewal thresholds. These options can be found within the Universal Control @@ -1883,11 +1883,11 @@ The information system automatically terminates a user session after [Assignment **Implemenation Details:**
-
+
Per the requirements of AC-2 (5), Docker Enterprise Edition can be configured to enforce user session lifetime limits and renewal thresholds. These options can be found within the Universal Control @@ -1929,11 +1929,11 @@ The information system: **Implemenation Details:**
-
+
Universal Control Plane includes a logout capability that allows a user to terminate his/her current session.
@@ -2114,18 +2114,18 @@ The information system monitors and controls remote access methods. **Implemenation Details:**
-
+
Docker Enterprise Edition logs and controls all local and remote access events. In addition, auditing can be configured on the underlying operating system to meet this control.
-
+
Docker Enterprise Edition logs and controls all local and remote access events. In addition, auditing can be configured on the underlying operating system to meet this control. @@ -2168,13 +2168,13 @@ The information system implements cryptographic mechanisms to protect the confid **Implemenation Details:**
-
+
All remote access sessions to Docker Trusted Registry are protected with Transport Layer Security (TLS) 1.2. This is included at both the HTTPS application layer for access to the DTR user interface and for @@ -2182,14 +2182,14 @@ command-line based connections to the registry. In addition to this, all communication to DTR is enforced by way of two-way mutual TLS authentication.
-
+
All remote access sessions to Docker Enterprise Edition are protected with Transport Layer Security (TLS) 1.2. In addition to this, all communication to Docker Enterprise Edition is enforced by way of two-way mutual TLS authentication.
-
+
All remote access sessions to Universal Control Plane are protected with Transport Layer Security (TLS) 1.2. This is included at both the HTTPS application layer for access to the UCP user interface and for @@ -2235,26 +2235,26 @@ The information system routes all remote accesses through [Assignment: organizat **Implemenation Details:**
-
+
A combination of managed load balancers, firewalls and access control lists, and virtual networking resources can be used to ensure traffic destined for Docker Trusted Registry replicas is routed through managed network access control points.
-
+
A combination of managed load balancers, firewalls and access control lists, and virtual networking resources can be used to ensure traffic destined for Docker Enterprise Edition is routed through managed network access control points.
-
+
A combination of managed load balancers, firewalls and access control lists, and virtual networking resources can be used to ensure traffic destined for Universal Control Plane managers and worker nodes is @@ -2322,20 +2322,20 @@ The organization provides the capability to expeditiously disconnect or disable **Implemenation Details:**
-
+
Built-in firewall technology in Docker Trusted Registry's underlying operating system can be used to force the disconnection of remote connections to the host. In addition, UCP slave nodes running Docker Trusted Registry replicas can be paused or drained, which subsequently stops sessions to the DTR replica.
-
+
Built-in firewall technology in Docker Enterprise Edition's underlying operating system can be used to force the disconnection of remote connections to the host. In addition, Docker Enterprise Edition provides the @@ -2345,7 +2345,7 @@ applications running on Docker Enterprise Edition can also be stopped and/or removed.
-
+
Built-in firewall technology in Universal Control Plane's underlying operating system can be used to force the disconnection of remote connections to the host. In addition, UCP provides the option to pause diff --git a/docs/compliance/reference/800-53/AU.md b/docs/compliance/reference/800-53/AU.md index 49ec928..dc6794d 100644 --- a/docs/compliance/reference/800-53/AU.md +++ b/docs/compliance/reference/800-53/AU.md @@ -70,13 +70,13 @@ The organization: **Implemenation Details:**
-
+
All of the event types indicated by this control are logged by a combination of the backend ucp-controller service within Universal Control Plane and the backend services that make up Docker Trusted @@ -84,7 +84,7 @@ Registry. Additional documentation can be found at the following resource: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/monitor-and-troubleshoot/
-
+
Both Universal Control Plane and Docker Trusted Registry backend service containers, all of which reside on Docker Enterprise Edition, log all of the event types indicated by this control (as explained by @@ -96,7 +96,7 @@ logging drivers can be found at the following resource: - https://docs.docker.com/engine/admin/logging/overview/
-
+
All of the event types indicated by this control are logged by the backend ucp-controller service within Universal Control Plane. In addition, each container created on a Universal Control Plane cluster @@ -158,14 +158,14 @@ The information system generates audit records containing information that estab **Implemenation Details:**
-
+
Docker Trusted Registry generates all of the audit record information indicated by this control. A sample audit event has been provided below: @@ -175,7 +175,7 @@ based auth suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth ok","username":"dockeruser"}
-
+
Both Universal Control Plane and Docker Trusted Registry are pre-configured to take advantage of Docker Enterprise Edition's built-in logging mechanisms. A sample audit event recorded by Docker @@ -191,7 +191,7 @@ Additional documentation can be referenced at the following resource: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane generates all of the audit record information indicated by this control. A sample audit event has been provided below: @@ -201,7 +201,7 @@ based auth suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth ok","username":"dockeruser"}
-
+
Docker Enterprise Edition generates all of the audit record information indicated by this control. A sample audit event has been provided below: @@ -249,13 +249,13 @@ The information system generates audit records containing the following addition **Implemenation Details:**
-
+
Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The @@ -265,7 +265,7 @@ information can be found at the following resource: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be used to interpolate the information defined @@ -275,7 +275,7 @@ documentation can be found at the following resource: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be used to interpolate the information defined by this control from the logged @@ -322,13 +322,13 @@ The information system provides centralized management and configuration of the **Implemenation Details:**
-
+
Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The @@ -338,7 +338,7 @@ information can be found at the following resource: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be used to interpolate the information defined @@ -348,7 +348,7 @@ documentation can be found at the following resource: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be used to interpolate the information defined by this control from the logged @@ -419,13 +419,13 @@ The information system: **Implemenation Details:**
-
+
Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The @@ -435,7 +435,7 @@ found at the following resources: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can be used to interpolate the information defined by this @@ -446,7 +446,7 @@ resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be configured to alert individuals in the event of log processing failures. Additional @@ -492,13 +492,13 @@ The information system provides a warning to [Assignment: organization-defined p **Implemenation Details:**
-
+
Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The @@ -508,7 +508,7 @@ found at the following resources: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be configured to warn the organization when the @@ -518,7 +518,7 @@ the following resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be configured to warn the organization when the allocated log storage is full. @@ -564,13 +564,13 @@ The information system provides an alert in [Assignment: organization-defined re **Implemenation Details:**
-
+
Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The @@ -580,7 +580,7 @@ the following resources: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be configured to warn the organization @@ -590,7 +590,7 @@ the following resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be configured to warn the organization when audit log failures occur. Additional @@ -690,13 +690,13 @@ The information system provides the capability to centrally review and analyze a **Implemenation Details:**
-
+
Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The @@ -706,7 +706,7 @@ following resources: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The organization can subsequently centrally review and analyze all of the @@ -716,7 +716,7 @@ following resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to log data to a remote logging stack. The organization can subsequently centrally review and analyze all of the Docker EE audit records. Additional information can @@ -826,13 +826,13 @@ The information system provides an audit reduction and report generation capabil **Implemenation Details:**
-
+
Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The @@ -844,7 +844,7 @@ Additional information can be found at the following resources: Registry should be certified to ensure that logs are not altered during generation and transmission to a remote logging stack.
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be used to facilitate the audit reduction and @@ -857,7 +857,7 @@ Edition should be certified to ensure that logs are not altered during generation and transmission to a remote logging stack.
-
+
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be used to facilitate the audit reduction and report generation requirements of @@ -906,13 +906,13 @@ The information system provides the capability to process audit records for even **Implemenation Details:**
-
+
Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The @@ -922,7 +922,7 @@ at the following resources: - https://docs.docker.com/datacenter/ucp/2.1/guides/admin/configure/store-logs-in-an-external-system/
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be configured to parse information by @@ -932,7 +932,7 @@ at the following resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be configured to parse information by organization-defined audit fields. Additional @@ -992,20 +992,20 @@ The information system: **Implemenation Details:**
-
+
Docker Trusted Registry uses the system clock of the underlying operating system on which it runs. This behavior cannot be modified.The underlying operating system on which Docker Trusted Registry runs should be configured such that its system clock uses Coordinated Universal Time (UTC) as indicated by this control. Refer to the operating system's instructions for doing so.
-
+
Docker Enterprise Edition uses the system clock of the underlying operating system on which it runs. This behavior cannot be modified. The underlying operating system on which Docker Enterprise Edition @@ -1014,7 +1014,7 @@ Universal Time (UTC) as indicated by this control. Refer to the operating system's instructions for doing so.
-
+
Universal Control Plane uses the system clock of the underlying operating system on which it runs. This behavior cannot be modified.The underlying operating system on which Universal Control Plane runs should be configured such that its system clock uses Coordinated @@ -1063,13 +1063,13 @@ The information system: **Implemenation Details:**
-
+
The underlying operating system on which Docker Trusted Registry runs should be configured such that its system clock compares itself with an authoritative time source as indicated by this control. This can be @@ -1082,7 +1082,7 @@ time period. This can be accomplished by utilizing the Network Time Protocol (NTP). Refer to the operating system's instructions for doing so.
-
+
The underlying operating system on which Docker Enterprise Edition runs should be configured such that its system clock compares itself with an authoritative time source as indicated by this control. This can be @@ -1097,7 +1097,7 @@ utilizing the Network Time Protocol (NTP). Refer to the operating system's instructions for doing so.
-
+
The underlying operating system on which Universal Control Plane runs should be configured such that its system clock compares itself with an authoritative time source as indicated by this control. This can be @@ -1158,13 +1158,13 @@ The information system protects audit information and audit tools from unauthori **Implemenation Details:**
-
+
By default, Docker Trusted Registry is configured to use the underlying logging capabilities of Docker Enterprise Edition. As such, on the underlying Linux operating system, only root and sudo users and @@ -1176,7 +1176,7 @@ logging stack. In this case, the organization is responsible for configuring the remote logging stack per the provisions of this control.
-
+
On the underlying Linux operating system supporting Docker Enterprise Edition, only root and sudo users and users that have been added to the "docker" group have the ability to access the logs generated by @@ -1196,7 +1196,7 @@ Linux operating systems supporting Docker Enterprise Edition that instead use upstart.
-
+
By default, Universal Control Plane is configured to use the underlying logging capabilities of Docker Enterprise Edition. As such, on the underlying Linux operating system, only root and sudo users and @@ -1256,13 +1256,13 @@ The information system backs up audit records [Assignment: organization-defined **Implemenation Details:**
-
+
Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, acan be configured to send logs to a remote logging stack. Additional information can be found at the following @@ -1273,7 +1273,7 @@ resources: The logging stack can subsequently be configured to back up audit records per the schedule defined by this control.
-
+
Docker Enterprise Edition can be configured to use a logging driver that can subsequently meet the backup requirements of this control. Additional information can be found at the following resources: @@ -1281,7 +1281,7 @@ Additional information can be found at the following resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to send logs to a remote logging stack. Additional information can be found at the following resources: @@ -1324,12 +1324,12 @@ The information system implements cryptographic mechanisms to protect the integr **Implemenation Details:**
-
+
Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, acan be configured to send logs to a remote logging stack. Additional information can be found at the following @@ -1340,7 +1340,7 @@ resources: The logging stack can subsequently be configured to meet the encryption mechanisms required by this control.
-
+
Docker Enterprise Edition can be configured to use a logging driver that can subsequently meet the encryption mechanisms required by this control. Additional information can be found at the following @@ -1407,11 +1407,11 @@ The information system protects against an individual (or process acting on beha **Implemenation Details:**
-
+
Docker Enterprise Edition includes functionality known as Docker Content Trust which allows one to cryptographically sign Docker images. It enforces client-side signing and verification of image tags @@ -1518,13 +1518,13 @@ The organization retains audit records for [Assignment: organization-defined tim **Implemenation Details:**
-
+
The organization will be responsible for meeting the requirements of this control. To assist with these requirements, Docker Trusted Registry resides as an Application on a Universal Control Plane @@ -1537,7 +1537,7 @@ resources: This logging stack can subsequently be configured to retain logs for the duration required by this control.
-
+
The organization will be responsible for meeting the requirements of this control. To assist with these requirements, Docker Enterprise Edition can be configured to use a logging driver that stores data in @@ -1547,7 +1547,7 @@ information can be found at the following resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
The organization will be responsible for meeting the requirements of this control. To assist with these requirements, Universal Control Plane can be configured to send logs to a remote logging stack. @@ -1611,13 +1611,13 @@ The information system: **Implemenation Details:**
-
+
All of the event types indicated by AU-2 a. are logged by a combination of the backend services within Universal Control Plane and Docker Trusted Registry. Additional information can be found at the @@ -1633,7 +1633,7 @@ organization can configure audit rules to select which Docker-specific events are to be audited. Refer to the specific Linux distribution in use for instructions on configuring this service.
-
+
Both Universal Control Plane and Docker Trusted Registry backend service containers, all of which reside on Docker Enterprise Edition, log all of the event types indicated by this AU-2 a. These and other @@ -1653,7 +1653,7 @@ Docker-specific events are to be audited. Refer to the specific Linux distribution in use for instructions on configuring this service.
-
+
All of the event types indicated by AU-2 a. are logged by the backend ucp-controller service within Universal Control Plane. In addition, each container created on a Universal Control Plane cluster logs event @@ -1707,13 +1707,13 @@ The information system compiles audit records from [Assignment: organization-def **Implemenation Details:**
-
+
Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, and as such, can be configured to send logs to a remote logging stack. Additional information can be found at the @@ -1725,7 +1725,7 @@ This logging stack can subsequently be used to compile audit records in to a system-wide audit trail that is time-correlated per the requirements of this control.
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. This logging stack can subsequently be used to compile audit records in to @@ -1736,7 +1736,7 @@ resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to send logs to a remote logging stack. Additional information can be found at the following resources: @@ -1795,13 +1795,13 @@ The information system provides the capability for [Assignment: organization-def **Implemenation Details:**
-
+
Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, and as such, can be configured to send logs to a remote logging stack. Additional information can be found at the @@ -1812,7 +1812,7 @@ following resources: This logging stack can subsequently be used to meet the requirements of this control.
-
+
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. This logging stack can subsequently be used to meet the requirements of @@ -1822,7 +1822,7 @@ resources: - https://docs.docker.com/engine/admin/logging/overview/
-
+
Universal Control Plane can be configured to send logs to a remote logging stack. Additional information can be found at the following resources: diff --git a/docs/compliance/reference/800-53/CA.md b/docs/compliance/reference/800-53/CA.md index 20f5b26..8d52a15 100644 --- a/docs/compliance/reference/800-53/CA.md +++ b/docs/compliance/reference/800-53/CA.md @@ -219,11 +219,11 @@ The organization develops a continuous monitoring strategy and implements a cont **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the continuous monitoring requirements of this control. Additional diff --git a/docs/compliance/reference/800-53/CM.md b/docs/compliance/reference/800-53/CM.md index 0cf9804..8b913fb 100644 --- a/docs/compliance/reference/800-53/CM.md +++ b/docs/compliance/reference/800-53/CM.md @@ -44,11 +44,11 @@ The organization: **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configurmation management requirements of this control. Additional @@ -87,11 +87,11 @@ The organization develops, documents, and maintains under configuration control, **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configurmation management requirements of this control. Additional @@ -135,11 +135,11 @@ The organization reviews and updates the baseline configuration of the informati **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configurmation management requirements of this control. Additional @@ -178,11 +178,11 @@ The organization employs automated mechanisms to maintain an up-to-date, complet **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configurmation management requirements of this control. CIS regularly @@ -226,11 +226,11 @@ The organization retains [Assignment: organization-defined previous versions of **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configurmation management requirements of this control. CIS regularly @@ -308,11 +308,11 @@ The organization: **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configurmation management change control requirements of this control. @@ -359,11 +359,11 @@ The organization employs automated mechanisms to: **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configurmation management change control requirements of this control. @@ -406,11 +406,11 @@ The organization tests, validates, and documents changes to the information syst **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configurmation management change control requirements of this control. @@ -483,11 +483,11 @@ The organization ensures that cryptographic mechanisms used to provide [Assignme **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the cryptography management requirements of this control. Additional @@ -571,12 +571,12 @@ The information system enforces access restrictions and supports auditing of the **Implemenation Details:**
-
+
Role-based access control can be configured within Docker Trusted Registry to meet the requirements of this control. Additional information can be found at the following resources: @@ -585,7 +585,7 @@ information can be found at the following resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/manage-users/permission-levels/ - https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC
-
+
Role-based access control can be configured within Universal Control Plane to meet the requirements of this control. Additional information can be found at the following resources: @@ -623,11 +623,11 @@ The organization reviews information system changes [Assignment: organization-de **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the system change requirements of this control. Additional information can @@ -676,13 +676,13 @@ The information system prevents the installation of [Assignment: organization-de **Implemenation Details:**
-
+
Docker Content Trust is a capability provided by Docker Enterprise Edition that enforces client-side signing and verification of Docker image tags. It provides the ability to use digital signatures for data @@ -699,7 +699,7 @@ Additional information can be found at teh following resources: - https://docs.docker.com/engine/security/trust/content_trust/ - https://docs.docker.com/datacenter/ucp/2.1/guides/user/content-trust/manage-trusted-repositories/
-
+
Before installing Docker Enterprise Edition, ensure that your supporting Linux operating system's packager manager supports package signature verification and that it is enabled. It is also required @@ -721,7 +721,7 @@ the following resources: - https://docs.docker.com/engine/security/trust/content_trust/
-
+
Docker Content Trust is a capability provided by Docker Enterprise Edition that enforces client-side signing and verification of Docker image tags. It provides the ability to use digital signatures for data sent @@ -826,26 +826,26 @@ The organization employs automated mechanisms to centrally manage, apply, and ve **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can incorporate the use of an external configuration management system to meet the requirements of this control.
-
+
The organization is responsible for meeting the requirements of this control. The organization can incorporate the use of an external configuration management system to meet the requirements of this control.
-
+
The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can incorporate the use of an external configuration management system to @@ -927,19 +927,19 @@ The information system prevents program execution in accordance with [Selection **Implemenation Details:**
-
+
The organization can define a list of allowed base Docker images and make them available via Docker Trusted Registry. The organization can also prevent users from being able to pull Docker images from untrusted sources.
-
+
In order to restrict which Docker images can be used to deploy applications to Docker Enterprise Edition, the organization must define a list of allowed base Docker images and make them available via Docker @@ -947,7 +947,7 @@ Trusted Registry. The organization must also prevent users from being able to pull Docker images from untrusted sources.
-
+
In order to restrict which Docker images can be used to deploy applications to Universal Control Plane, the organization must define a list of allowed base Docker images and make them available via Docker @@ -1022,13 +1022,13 @@ The organization: **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can define a list of allowed base Docker images and make them available @@ -1040,7 +1040,7 @@ stored in Docker Trusted Registry. This can be accomplished by using Docker Content Trust to sign Docker images which can subsequently be stored in Docker Trusted Registry.
-
+
The organization is responsible for meeting the requirements of this control. To assist with these requirements and in order to restrict which Docker images can be used to deploy applications to CS Docker @@ -1050,7 +1050,7 @@ organization must also prevent users from being able to pull Docker images from untrusted sources.
-
+
The organization is responsible for meeting the requirements of this control. To assist with these requirements and in order to restrict which Docker images can be used to deploy applications to Universal @@ -1221,11 +1221,11 @@ The organization develops, documents, and implements a configuration management **Implemenation Details:**
-
+
The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management plan requirements of this control. Additional @@ -1304,11 +1304,11 @@ The organization: **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can define a list of allowed base Docker images and make them available @@ -1343,11 +1343,11 @@ The information system alerts [Assignment: organization-defined personnel or rol **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can define a list of allowed base Docker images and make them available diff --git a/docs/compliance/reference/800-53/CP.md b/docs/compliance/reference/800-53/CP.md index 7807d88..32d71c7 100644 --- a/docs/compliance/reference/800-53/CP.md +++ b/docs/compliance/reference/800-53/CP.md @@ -525,12 +525,12 @@ The information system implements transaction recovery for systems that are tran **Implemenation Details:**
-
+
Docker Trusted Registry maintains its cluster state via an internal key-value store. This, and other DTR transactions can be backed up and recovered. Additional information can be found at the following @@ -539,7 +539,7 @@ resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/admin/backups-and-disaster-recovery/ - https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#DTR_Backup
-
+
Universal Control Plane maintains its cluster state via an internal key-value store. This, and other UCP transactions can be backed up and recovered. Additional information can be found at the following diff --git a/docs/compliance/reference/800-53/IA.md b/docs/compliance/reference/800-53/IA.md index 23a2511..cec0a4b 100644 --- a/docs/compliance/reference/800-53/IA.md +++ b/docs/compliance/reference/800-53/IA.md @@ -54,11 +54,11 @@ The information system uniquely identifies and authenticates organizational user **Implemenation Details:**
-
+
Docker Enterprise Edition can be configured to identify and authenticate users via it's integrated support for LDAP. Users and groups managed within the organization's LDAP directory service (e.g. Active @@ -148,27 +148,27 @@ The organization requires individuals to be authenticated with an individual aut **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, Docker Trusted Registry requires individual users to be authenticated in order to gain access to the system. Any permissions granted to the team(s) that which the user is a member are subsequently applied.
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, Universal Control Plane requires individual users to be authenticated in order to gain access to the system. Any permissions granted to the team(s) that which the user is a member are subsequently applied.
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, Docker Enterprise Edition requires individual users to be authenticated in order to gain access @@ -223,11 +223,11 @@ The information system implements replay-resistant authentication mechanisms for **Implemenation Details:**
-
+
Docker Enterprise Edition integrates with LDAP for authenticating users to an external directory service. You should configure your external directory service for ensuring that you are protected against replay @@ -261,11 +261,11 @@ The information system implements replay-resistant authentication mechanisms for **Implemenation Details:**
-
+
Docker Enterprise Edition integrates with LDAP for authenticating users to an external directory service. You should configure your external directory service for ensuring that you are protected against replay @@ -349,13 +349,13 @@ The information system uniquely identifies and authenticates [Assignment: organi **Implemenation Details:**
-
+
Docker Trusted Registry replicas reside on Universal Control Plane worker nodes. In order for UCP worker nodes to join a Universal Control Plane cluster, they must be identified and authenticated via a @@ -366,14 +366,14 @@ manager nodes has been established. Reference documentation can be found at https://docs.docker.com/datacenter/dtr/2.1/guides/install/#/step-7-join-replicas-to-the-cluster.
-
+
In order for other CS Engine nodes to be able to join a cluster managed by Universal Control Plane, they must be identified and authenticated via either a manager or worker token. Use of the token includes trust on first use mutual TLS.
-
+
In order for nodes to join a Universal Control Plane cluster, they must be identified and authenticated via either a manager or worker token. Additional information can be found at the following resources: @@ -449,11 +449,11 @@ The organization manages information system identifiers by: **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, an external directory service integrated with Docker Enterprise Edition via LDAP can be @@ -529,11 +529,11 @@ The organization manages individual identifiers by uniquely identifying each ind **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, an external directory service integrated with Docker Enterprise Edition via LDAP can be @@ -611,11 +611,11 @@ The organization manages information system authenticators by: **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, an external directory service integrated with Docker Enterprise Edition via LDAP can be @@ -702,11 +702,11 @@ The information system, for password-based authentication: **Implemenation Details:**
-
+
An external directory service integrated with Docker Enterprise Edition via LDAP can be configured to enforce minimum password complexity requirements. Refer to your directory service's @@ -776,13 +776,13 @@ The information system, for PKI-based authentication: **Implemenation Details:**
-
+
Docker Trusted Registry includes a Docker volume which holds the root key material for the DTR root CA that issues certificats. In addition Universal Control Plane contains two, built-in root certificate @@ -814,7 +814,7 @@ In addition, Docker Trusted Registry's server certificates can be replaced by following the instructions at https://docs.docker.com/datacenter/dtr/2.1/guides/configure/.
-
+
Universal Control Plane contains two, built-in root certificate authorities. One CA is used for signing client bundles generated by users. The other CA is used for TLS communication between UCP cluster @@ -837,7 +837,7 @@ can be found at the following resources: - https://docs.docker.com/datacenter/ucp/2.0/guides/configuration/#/replace-the-server-certificates
-
+
All users within a Docker Enterprise Edition cluster can create a client certificate bundle for authenticating in to the cluster from the Docker client tooling. When a user attempts to authenticate in to @@ -896,11 +896,11 @@ The organization employs automated tools to determine if password authenticators **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, an external directory service integrated with Docker Enterprise Edition via LDAP can be @@ -946,11 +946,11 @@ The organization protects authenticators commensurate with the security category **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, an external directory service integrated with Docker Enterprise Edition via LDAP can be @@ -1080,17 +1080,17 @@ The information system obscures feedback of authentication information during th **Implemenation Details:**
-
+
Docker Trusted Registry obscures all feedback of authentication information during the authentication process. This includes both authentication via the web UI and the CLI.
-
+
Universal Control Plane obscures all feedback of authentication information during the authentication process. This includes both authentication via the web UI and the CLI. @@ -1128,18 +1128,18 @@ The information system implements mechanisms for authentication to a cryptograph **Implemenation Details:**
-
+
All access to Docker Trusted Registry is protected with Transport Layer Security (TLS) 1.2 with the AES-GCM cipher. This includes both SSH access to the individual UCP nodes and CLI-/web-based access to the UCP management functions with mutual TLS and HTTPS respectively.
-
+
All access to Universal Control Plane is protected with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This includes both SSH access to the individual UCP nodes and CLI-/web-based access to @@ -1178,17 +1178,17 @@ The information system uniquely identifies and authenticates non-organizational **Implemenation Details:**
-
+
Users managed by Docker Trusted Registry can be grouped per the requirements of the organization and as defined by this control. This can include groupings for non-organizational users.
-
+
Users managed by Universal Control Plane can be grouped per the requirements of the organization and as defined by this control. This can include groupings for non-organizational users. @@ -1231,11 +1231,11 @@ The information system accepts only FICAM-approved third-party credentials. **Implemenation Details:**
-
+
An external directory service integrated with Docker Enterprise Edition via LDAP can be configured to meet the FICAM requirements as indicated by this control. Refer to your directory service's documentation for @@ -1269,11 +1269,11 @@ The organization employs only FICAM-approved information system components in [A **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, an external directory service integrated with Docker Enterprise Edition via LDAP can be @@ -1309,11 +1309,11 @@ The information system conforms to FICAM-issued profiles. **Implemenation Details:**
-
+
The organization is responsible for meeting the requirements of this control. To assist with meeting these requirements, an external directory service integrated with Docker Enterprise Edition via LDAP can be diff --git a/docs/compliance/reference/800-53/RA.md b/docs/compliance/reference/800-53/RA.md index 77d4c73..cbe660f 100644 --- a/docs/compliance/reference/800-53/RA.md +++ b/docs/compliance/reference/800-53/RA.md @@ -114,19 +114,19 @@ The organization employs vulnerability scanning tools that include the capabilit **Implemenation Details:**
-
+
To assist the orgnization in meeting the requirements of this control, the Docker Security Scanning (DSS) component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition Advanced tier can be used to scan Docker images for vulnerabilities against known vulnerability databases. Scans can be triggered either manually or when Docker images are pushed to DTR.
-
+
The Docker Security Scanning tool allows for the scanning of Docker images in Docker Trusted Registry against the Common Vulnerabilities and Exposures (CVE) dictionary. @@ -159,11 +159,11 @@ The organization updates the information system vulnerabilities scanned [Selecti **Implemenation Details:**
-
+
To assist the orgnization in meeting the requirements of this control, the Docker Security Scanning component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition @@ -208,19 +208,19 @@ The organization employs vulnerability scanning procedures that can identify the **Implemenation Details:**
-
+
To assist the orgnization in meeting the requirements of this control, the Docker Security Scanning component of Docker Trusted Registry (DTR) that is included with the Docker Enterprise Edition Advanced tier identifies vulnerabilities in a Docker image and marks them against predefined criticality levels; critical major and minor.
-
+
The Docker Security Scanning tool allows for the scanning of Docker images in Docker Trusted Registry against the Common Vulnerabilities and Exposures (CVE).' dictionary @@ -263,11 +263,11 @@ The information system implements privileged access authorization to [Assignment **Implemenation Details:**
-
+
Only the appropriate users that the organization has provided Docker Trusted Registry access to are able to view and interpret vulnerability scan results. @@ -300,11 +300,11 @@ The organization employs automated mechanisms to compare the results of vulnerab **Implemenation Details:**
-
+
For each Docker image pushed to Docker Trusted Registry at a given time, Docker Security Scaninng retains a list of vulnerabilities detected. The DTR API can be queried to retrieve the vulnerability diff --git a/docs/compliance/reference/800-53/SA.md b/docs/compliance/reference/800-53/SA.md index f1eecaa..dea60f4 100644 --- a/docs/compliance/reference/800-53/SA.md +++ b/docs/compliance/reference/800-53/SA.md @@ -341,13 +341,13 @@ The organization requires the developer of the information system, system compon **Implemenation Details:**
-
+
Docker Content Trust gives you the ability to verify both the integrity and the publisher of all the data received from a Docker Trusted Registry over any channel. It allows operations with a remote @@ -358,7 +358,7 @@ client-side verification of the integrity and publisher of specific image tags. Docker Trusted Registry includes an integrated imaging signing service.
-
+
Docker Content Trust gives you the ability to verify both the integrity and the publisher of all the data received from a Docker Trusted Registry over any channel. It allows operations with a remote @@ -369,7 +369,7 @@ client-side verification of the integrity and publisher of specific image tags.
-
+
The organization is responsible for meeting the requirements of this control. To assist with these requirements, Docker Content Trust gives you the ability to verify both the integrity and the publisher of all diff --git a/docs/compliance/reference/800-53/SC.md b/docs/compliance/reference/800-53/SC.md index e27f39e..20b82c8 100644 --- a/docs/compliance/reference/800-53/SC.md +++ b/docs/compliance/reference/800-53/SC.md @@ -59,12 +59,12 @@ The information system separates user functionality (including user interface se **Implemenation Details:**
-
+
Docker Trusted Registry is made up of a number of backend services that provide for both user functionality (including user interface services) and system management functionality. Each of these services @@ -74,7 +74,7 @@ found at the following resources: - https://docs.docker.com/datacenter/dtr/2.2/guides/architecture/ - https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#Docker_Trusted_Registry
-
+
Universal Control Plane is made up of a number of backend services that provide for both user functionality (including user interface services) and system management functionality. Each of these services @@ -442,11 +442,11 @@ The information system provides the capability to dynamically isolate/segregate **Implemenation Details:**
-
+
Docker Enterprise Edition is designed to run application containers whose content can be completely isolated/segregated from other application containers within the same node/cluster. This is @@ -617,11 +617,11 @@ The organization produces, controls, and distributes symmetric cryptographic key **Implemenation Details:**
-
+
Docker Enterprise Edition can be installed on the following operating systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 LTS+, and SUSE Linux Enterprise 12+. In order to meet the requirements of this @@ -667,11 +667,11 @@ The information system implements [Assignment: organization-defined cryptographi **Implemenation Details:**
-
+
Docker Enterprise Edition can be installed on the following operating systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 LTS+, and SUSE Linux Enterprise 12+. In order to meet the requirements of this @@ -914,13 +914,13 @@ The information system protects the authenticity of communications sessions. **Implemenation Details:**
-
+
All remote access sessions to Docker Trusted Registry are protected with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This is included at both the HTTPS application layer for access to the DTR @@ -928,14 +928,14 @@ user interface and for command-line based connections to the registry. In addition to this, all communication to DTR is enforced by way of two-way mutual TLS authentication.
-
+
All remote access sessions to Docker Enterprise Edition are protected with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In addition to this, all communication to and between Docker Enterprise Editions is enforced by way of two-way mutual TLS authentication.
-
+
All remote access sessions to Universal Control Plane are protected with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This is included at both the HTTPS application layer for access to the UCP @@ -971,11 +971,11 @@ The information system invalidates session identifiers upon user logout or other **Implemenation Details:**
-
+
Docker Enterprise Edition invalidates session identifiers upon user logout per the requirements of this control.
@@ -1067,11 +1067,11 @@ The information system protects the [Selection (one or more): confidentiality; i **Implemenation Details:**
-
+
All remote access sessions to Docker Enterprise Edition are protected with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In addition to this, all communication to/from and between Docker @@ -1119,13 +1119,13 @@ The information system implements cryptographic mechanisms to prevent unauthoriz **Implemenation Details:**
-
+
All remote access sessions to Docker Trusted Registry are protected with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This is included at both the HTTPS application layer for access to the DTR @@ -1133,14 +1133,14 @@ user interface and for command-line based connections to the registry. In addition to this, all communication to DTR is enforced by way of two-way mutual TLS authentication.
-
+
All remote access sessions to Docker Enterprise Edition are protected with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. In addition to this, all communication to and between Docker Enterprise Editions is enforced by way of two-way mutual TLS authentication.
-
+
All remote access sessions to Universal Control Plane are protected with Transport Layer Security (TLS) 1.2 with the AES GCM cipher. This is included at both the HTTPS application layer for access to the UCP diff --git a/docs/compliance/reference/800-53/SI.md b/docs/compliance/reference/800-53/SI.md index 8a2363f..784d6f5 100644 --- a/docs/compliance/reference/800-53/SI.md +++ b/docs/compliance/reference/800-53/SI.md @@ -155,11 +155,11 @@ The information system automatically updates malicious code protection mechanism **Implemenation Details:**
-
+
Docker Enterprise Edition packages for supported underlying operating systems can only be obtained from Docker, Inc. The Docker EE repositories from which Docker EE packages are obtained are protected @@ -866,26 +866,26 @@ The information system: **Implemenation Details:**
-
+
All error messages generated via the configured logging mechanism of Docker Trusted Registry are displayed such that they meet the requirements of this control. Only users that are authorized the appropriate level of access can view these error messages.
-
+
All error messages generated via the logging mechanisms of the Docker Enterprise Edition engine are displayed such that they meet the requirements of this control. Only users that are authorized the appropriate level of access can view these error messages.
-
+
All error messages generated via the configured logging mechanism of Universal Control Plane are displayed such that they meet the requirements of this control. Only users that are authorized the @@ -1017,11 +1017,11 @@ The information system implements [Assignment: organization-defined security saf **Implemenation Details:**
-
+
Docker Enterprise Edition can be installed on the following operating systems: CentOS 7.1+, Red Hat Enterprise Linux 7.0+, Ubuntu 14.04 LTS+, and SUSE Linux Enterprise 12+. In order to meet the requirements of this diff --git a/docs/generator/generator.go b/docs/generator/generator.go index fca4051..ecb677b 100644 --- a/docs/generator/generator.go +++ b/docs/generator/generator.go @@ -111,22 +111,38 @@ func iterateControls(family string, familyTitle string, controls []XMLControl, i if satisfy.GetControlKey() == control.Number { id := xid.New() + // Format narratives + // **Need to clean up narrative links narratives := make([]string, len(satisfy.GetNarratives())) + narrativeLinks := []string{} for _, narrative := range satisfy.GetNarratives() { narrativeText := narrative.GetText() + if strings.Index(narrativeText, "'") == 0 { narrativeText = narrativeText[1 : len(narrativeText)-2] narrativeText = strings.Replace(narrativeText, "''", "'", -1) } + narrativeLinksIndex := strings.Index(narrativeText, "- http") + if narrativeLinksIndex >= 0 { + narrativeLinks = strings.Split(narrativeText[narrativeLinksIndex:], "\n") + for i, link := range narrativeLinks { + if strings.Index(link, "- ") >= 0 { + narrativeLinks[i] = link[strings.Index(link, "- ")+2:] + } + } + } narratives = append(narratives, narrativeText) } + fmt.Println(narrativeLinks) + markdownTemplateControl.Components = append(markdownTemplateControl.Components, MarkdownTemplateComponent{ ID: id.String(), Name: component.GetName(), ImplementationStatuses: satisfy.GetImplementationStatuses(), ControlOrigins: satisfy.GetControlOrigins(), Narratives: narratives, + NarrativeLinks: narrativeLinks, }) break diff --git a/docs/generator/types.go b/docs/generator/types.go index 66c5cd3..de48752 100644 --- a/docs/generator/types.go +++ b/docs/generator/types.go @@ -72,4 +72,5 @@ type MarkdownTemplateComponent struct { ImplementationStatuses []string ControlOrigins []string Narratives []string + NarrativeLinks []string }
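Review bot: the context line `**Implemenation Details:**` that heads every AC.md and SI.md hunk in this patch is misspelled (`Implementation`); since the patch already rewrites the line immediately after it in each of these sections (the `-`/`+` pair following the heading), fix the heading in the same pass rather than leaving a typo that is repeated in the `@@ -617`, `@@ -667`, `@@ -914`, `@@ -971`, `@@ -1067`, `@@ -1119`, `@@ -155`, `@@ -866` and `@@ -1017` hunks.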
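Review bot: in the AC.md `@@ -914` and `@@ -1119` hunks the unchanged narrative states that sessions are protected with "TLS 1.2 with the AES GCM cipher" and that "all communication to DTR is enforced by way of two-way mutual TLS authentication", while the same paragraph also covers "the HTTPS application layer for access to the DTR user interface". AES-GCM names a bulk cipher, not the negotiated cipher suite, and the blanket mutual-TLS statement should be checked against browser access to the UI: if a client certificate is not required there, scope the mTLS claim to the CLI and component-to-component paths. Since these hunks are editing the surrounding markup anyway, tightening the narrative here would keep the control text accurate.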
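Review bot: in the generator.go hunk, `narrativeLinks = strings.Split(narrativeText[narrativeLinksIndex:], "\n")` runs inside the `for _, narrative := range satisfy.GetNarratives()` loop and assigns rather than appends, so a component with several narratives keeps only the links of the last narrative that contains `- http`; `narrativeLinks := []string{}` is declared before the loop as an accumulator, so collect per narrative and append, e.g. `links := strings.Split(narrativeText[narrativeLinksIndex:], "\n")` followed by `narrativeLinks = append(narrativeLinks, links...)`, trimming the `- ` prefix on `links` rather than on the shared slice. Two further points in the same loop: `narrativeText` is still appended to `narratives` with the link lines left in, so the URLs will appear both in the narrative body and in `NarrativeLinks` once a template renders the new field (the `// **Need to clean up narrative links` comment hints at this); cut the text with `narrativeText = narrativeText[:narrativeLinksIndex]` before the append. And `strings.Split` on text ending in a newline yields a trailing empty string that is stored as an empty link, while `link[strings.Index(link, "- ")+2:]` slices at the first `- ` anywhere in the line, not only at its start; `strings.TrimPrefix(strings.TrimSpace(link), "- ")` with empty results skipped is safer. Finally, `fmt.Println(narrativeLinks)` is leftover debug output and should not ship, and the pre-existing `narratives := make([]string, len(satisfy.GetNarratives()))` followed by `append` leaves that many empty leading entries in `Narratives`; use `make([]string, 0, len(...))`.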
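Review bot: the types.go hunk adds `NarrativeLinks []string` to `MarkdownTemplateComponent`, but within the hunks shown here the field is only populated in generator.go and never read: no markdown template change accompanies it, so the generated AC.md and SI.md pages still get their links only through `Narratives`. Either include the template change that renders `NarrativeLinks` (and drops the link lines from the narrative body) in this PR, or add a comment on the field saying it is reserved for that follow-up, so the output of the generator does not change unexpectedly when the template catches up.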