DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes - docker info .SecurityOptions

Details

When FIPS mode is enabled on a Docker Engine - Enterprise node, the Engine uses FIPS-validated cryptography to protect the confidentiality of remote access sessions on any TCP socket it binds with TLS enabled and configured. FIPS mode in Docker Engine - Enterprise is enabled automatically when FIPS mode is also enabled on the underlying host operating system.



This control is only configurable for the Docker Engine - Enterprise component of Docker Enterprise as only the Engine includes FIPS-validated cryptography. Neither Universal Control Plane (UCP) nor Docker Trusted Registry (DTR) include FIPS-validated cryptography at this time. However, both UCP and DTR will include FIPS-validated cryptography in a future release. Therefore, for UCP/DTR this control is applicable but not yet met.



Satisfies: SRG-APP-000015, SRG-APP-000231, SRG-APP-000014, SRG-APP-000570, SRG-APP-000395, SRG-APP-000514, SRG-APP-000416, SRG-APP-000156, SRG-APP-000172, SRG-APP-000179, SRG-APP-000224, SRG-APP-000411, SRG-APP-000412, SRG-APP-000555, SRG-APP-000635


Solution

Enable FIPS mode on the host operating system. Start the Engine after FIPS mode is enabled on the host to automatically enable FIPS mode on the Engine.

FIPS mode can also be enabled by explicitly setting the DOCKER_FIPS=1 environment variable in an active terminal session prior to the execution of any Docker commands.
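The check implied by the title (inspecting `.SecurityOptions` in `docker info`) together with the host-side requirement in the solution can be scripted. The following is an added example written for this page, not tooling from the STIG or from Docker; it assumes that Docker Engine - Enterprise lists the option `name=fips` in SecurityOptions when FIPS mode is active (a value taken from Docker Enterprise documentation, not from this page) and that the Linux kernel exposes the host's FIPS state in `/proc/sys/crypto/fips_enabled`. The sample SecurityOptions strings and the temporary stand-ins for `fips_enabled` are constructed so the script runs offline; on a real node it also runs the live check.

```sh
#!/bin/sh
# Added audit helper for DKER-EE-001070 (example code, not Docker's or the
# STIG's own tooling). Assumptions: Docker Engine - Enterprise lists
# "name=fips" in SecurityOptions when FIPS mode is active, and the Linux
# kernel exposes the host's FIPS state in /proc/sys/crypto/fips_enabled.

# Return 0 when the SecurityOptions text in $1 contains the exact option
# "name=fips". The list is split into one option per line so that a
# longer option merely starting with "name=fips" would not match.
engine_fips_enabled() {
    printf '%s\n' "$1" | sed 's/[][]//g' | tr ' ' '\n' | grep -qx 'name=fips'
}

# Return 0 when the procfs file at $1 (normally
# /proc/sys/crypto/fips_enabled) is readable and reads "1".
host_fips_enabled() {
    [ -r "$1" ] && [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Print PASS when both the Engine and the host report FIPS mode, FAIL
# otherwise, with the reason on stderr.
# $1: SecurityOptions text, $2: path to the host's fips_enabled file.
audit_fips() {
    verdict=PASS
    if ! engine_fips_enabled "$1"; then
        echo "engine: SecurityOptions lacks name=fips" >&2
        verdict=FAIL
    fi
    if ! host_fips_enabled "$2"; then
        echo "host: $2 missing or not 1" >&2
        verdict=FAIL
    fi
    echo "$verdict"
}

# Constructed sample data standing in for real `docker info` output and
# for /proc/sys/crypto/fips_enabled; not captured from a real node.
COMPLIANT_OPTS='[name=fips name=seccomp,profile=default]'
NONCOMPLIANT_OPTS='[name=seccomp,profile=default]'
FIPS_ON=$(mktemp)
FIPS_OFF=$(mktemp)
echo 1 > "$FIPS_ON"
echo 0 > "$FIPS_OFF"
trap 'rm -f "$FIPS_ON" "$FIPS_OFF"' EXIT

echo "compliant sample:     $(audit_fips "$COMPLIANT_OPTS" "$FIPS_ON")"
echo "engine without FIPS:  $(audit_fips "$NONCOMPLIANT_OPTS" "$FIPS_ON")"
echo "host without FIPS:    $(audit_fips "$COMPLIANT_OPTS" "$FIPS_OFF")"

# Live check on the current node, run only when the docker CLI is present.
if command -v docker >/dev/null 2>&1; then
    echo "this node:            $(audit_fips "$(docker info --format '{{.SecurityOptions}}' 2>/dev/null)" /proc/sys/crypto/fips_enabled)"
fi
```

Both conditions are checked deliberately: an Engine started before the host entered FIPS mode, or started without `DOCKER_FIPS=1`, can report a FIPS-enabled host while its own SecurityOptions still lack `name=fips`, which is the situation this control flags.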


Supportive Information

The following resource is also helpful.

This security hardening control applies to the following categories of controls within NIST 800-53: Access Control, Identification and Authentication, Maintenance, System and Communications Protection. This control applies to the following type of system: Unix.
