From cc8171fbfe982288a26e19da8f90fdc0436ec271 Mon Sep 17 00:00:00 2001
From: Razvan Stoica
Date: Thu, 18 Mar 2021 10:32:02 +0200
Subject: [PATCH] Add remediation stuff on enterprise configuration
---
 tests/8_docker_enterprise_configuration.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/tests/8_docker_enterprise_configuration.sh b/tests/8_docker_enterprise_configuration.sh
index 7111c21..e151a1f 100644
--- a/tests/8_docker_enterprise_configuration.sh
+++ b/tests/8_docker_enterprise_configuration.sh
@@ -36,6 +36,8 @@ check_8_1_1() {
 local id="8.1.1"
 local desc="Configure the LDAP authentication service (Scored)"
+ local remediation="You can configure LDAP integration via the UCP Admin Settings UI. LDAP integration can also be enabled via a configuration file"
+ local remediationImpact="None."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -50,6 +52,8 @@ check_8_1_2() {
 local id="8.1.2"
 local desc="Use external certificates (Scored)"
+ local remediation="You can configure your own certificates for UCP either during installation or after installation via the UCP Admin Settings user interface."
+ local remediationImpact="None."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -64,6 +68,8 @@ check_8_1_3() {
 local id="8.1.3"
 local desc="Enforce the use of client certificate bundles for unprivileged users (Not Scored)"
+ local remediation="Client certificate bundles can be created in one of two ways. User Management UI: UCP Administrators can provision client certificate bundles on behalf of users. Self-Provision: Users with access to the UCP console can create client certificate bundles themselves."
+ local remediationImpact="None."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
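Review bot: The two locals added to check_8_1_1, `remediation` and `remediationImpact`, are assigned but never read within the hunk, and `starttestjson "$id" "$desc"` still receives only the id and description, so how the remediation text reaches the report cannot be seen from this function. If the result helpers read them through bash's dynamic scoping (a function's locals are visible to every function it calls), that contract deserves a comment above the first assignment, e.g. `# read by the result helpers through dynamic scoping; not passed as arguments`; if nothing later in the function references them either, ShellCheck is likely to flag both lines with SC2034 as unused. `remediationImpact` is also the only camelCase local in functions whose other locals are `id`, `desc` and `check`; `remediation_impact` would match, though renaming is only worthwhile if the consumer is changed in step. The 8.1.1 remediation string is additionally the only one that does not end with a period. The check_8_1_2 and check_8_1_3 hunks on this line share all of this, and each function body continues past its hunk, so the consumer may also be there.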
@@ -78,6 +84,8 @@ check_8_1_4() {
 local id="8.1.4"
 local desc="Configure applicable cluster role-based access control policies (Not Scored)"
+ local remediation="UCP RBAC components can be configured as required via the UCP User Management UI."
+ local remediationImpact="None."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -106,6 +114,8 @@ check_8_1_6() {
 local id="8.1.6"
 local desc="Set the Per-User Session Limit to a value of '3' or lower (Scored)"
+ local remediation="Retrieve a UCP API token. Retrieve and save UCP config. Open the ucp-config.toml file, set the per_user_limit entry under the [auth.sessions] section to a value of 3 or lower, but greater than 0. Update UCP with the new configuration."
+ local remediationImpact="None."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -120,6 +130,8 @@ check_8_1_7() {
 local id="8.1.7"
 local desc="Set the 'Lifetime Minutes' and 'Renewal Threshold Minutes' values to '15' or lower and '0' respectively (Scored)"
+ local remediation="Retrieve a UCP API token. Retrieve and save UCP config. Open the ucp-config.toml file, set the lifetime_minutes and renewal_threshold_minutes entries under the [auth.sessions] section to values of 15 or lower and 0 respectively. Update UCP with the new configuration."
+ local remediationImpact="Setting the Lifetime Minutes setting to a value that is too lower would result in users having to constantly re-authenticate to their Docker Enterprise cluster."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
@@ -145,6 +157,8 @@ check_8_2_1() {
 local id="8.2.1"
 local desc="Enable image vulnerability scanning (Scored)"
+ local remediation="You can navigate to DTR Settings UI and select the Security tab to access the image scanning configuration. Select the Enable Scanning slider to enable this functionality."
+ local remediationImpact="None."
 local check="$id - $desc"
 starttestjson "$id" "$desc"
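Review bot: The remediationImpact text in the check_8_1_7 hunk has a grammar slip that will be printed verbatim in the report: "a value that is too lower" should read "a value that is too low", i.e. `local remediationImpact="Setting the Lifetime Minutes setting to a value that is too low would result in users having to constantly re-authenticate to their Docker Enterprise cluster."`. The 8.1.6 and 8.1.7 remediation strings place ucp-config.toml and the [auth.sessions] keys inside double quotes; they contain no `$`, backtick or `"` today, so nothing expands, but single quotes would state the literal intent once instead of relying on every future wording edit to re-check it. In the check_8_1_4, check_8_1_6 and check_8_2_1 hunks on this line, as in 8.1.7, the new locals are not read by anything visible in the hunk and `starttestjson "$id" "$desc"` is unchanged, so a one-line comment naming the helper that consumes them would spare the next reader a search. Every function body continues past its hunk.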