Configuration management


CM-1 Configuration Management Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
  2. Reviews and updates the current:
    1. Configuration management policy [Assignment: organization-defined frequency]; and
    2. Configuration management procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management requirements of this control. Additional information can be found at the following resources:

CM-2 Baseline Configuration

Description

The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management requirements of this control. Additional information can be found at the following resources:

CM-2 (1) Reviews And Updates

Description

The organization reviews and updates the baseline configuration of the information system:

  1. [Assignment: organization-defined frequency];
  2. When required due to [Assignment: organization-defined circumstances]; and
  3. As an integral part of information system component installations and upgrades.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management requirements of this control. Additional information can be found at the following resources:

CM-2 (2) Automation Support For Accuracy / Currency

Description

The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management requirements of this control. CIS regularly updates its benchmark to reflect the latest changes in the stable release of Docker Engine. Configuration management tools such as Inspec (http://inspec.io/) can be used to audit the Docker Enterprise Edition system configuration in an automated fashion and confirm that the secure baseline configuration has been applied. Additional information can be found at the following resources:

CM-2 (3) Retention Of Previous Configurations

Description

The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management requirements of this control. CIS regularly updates its benchmark to reflect the latest changes in the stable release of Docker Engine. Configuration management tools such as Inspec (http://inspec.io/) can be used to audit the Docker Enterprise Edition system configuration in an automated fashion, confirm that the secure baseline configuration has been applied, and roll it back as required by this control. Additional information can be found at the following resources:
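As an added example (not from this page and not Docker's or CIS's own code), the audit-and-rollback loop that CM-2 (2) and CM-2 (3) describe, modelled as a check of /etc/docker/daemon.json against a retained, versioned baseline. The baseline keys are in the style of CIS Docker Benchmark hardening settings, but the exact key set, the version labels v1/v2 and the drifted sample file are assumptions constructed for the example.

```python
import json
from typing import Any, Dict, List

# Constructed baseline in the style of CIS Docker Benchmark recommendations for
# /etc/docker/daemon.json. Assumption: these keys and values are the
# organization's approved baseline; the page itself names no specific settings.
BASELINE_V2: Dict[str, Any] = {
    "icc": False,                # no inter-container traffic on the default bridge
    "userland-proxy": False,     # route published ports with iptables, not a userland proxy
    "no-new-privileges": True,   # containers cannot gain privileges via setuid binaries
    "live-restore": True,        # containers keep running across daemon restarts
    "log-level": "info",
}

# Previous baseline retained for rollback (CM-2 (3)); it predates two settings.
BASELINE_V1: Dict[str, Any] = {
    "icc": False,
    "userland-proxy": False,
    "log-level": "info",
}

BASELINES = {"v1": BASELINE_V1, "v2": BASELINE_V2}
MISSING = "<missing>"


def audit(config: Dict[str, Any], baseline: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per baseline key that is absent or has a different value.

    Keys outside the baseline are ignored: the baseline states the minimum
    hardening, not the complete daemon configuration.
    """
    findings = []
    for key, expected in baseline.items():
        actual = config.get(key, MISSING)
        if actual != expected:
            findings.append({"key": key, "expected": expected, "actual": actual})
    return findings


def apply_baseline(config: Dict[str, Any], baseline: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy of config with every baseline key set to its required value."""
    enforced = dict(config)
    enforced.update(baseline)
    return enforced


def rollback(config: Dict[str, Any], from_version: str, to_version: str) -> Dict[str, Any]:
    """Revert the keys a newer baseline manages to the retained older baseline.

    Keys the older baseline never managed are removed, so the daemon falls back
    to its default for them, as it ran before the newer baseline was applied.
    """
    newer, older = BASELINES[from_version], BASELINES[to_version]
    reverted = dict(config)
    for key in newer:
        if key in older:
            reverted[key] = older[key]
        else:
            reverted.pop(key, None)
    return reverted


def audit_daemon_json(text: str, version: str = "v2") -> List[Dict[str, Any]]:
    """Audit the raw contents of a daemon.json file against a named baseline."""
    return audit(json.loads(text), BASELINES[version])


def enforce_daemon_json(text: str, version: str = "v2") -> Dict[str, Any]:
    """Load a daemon.json file and return it with the named baseline applied."""
    return apply_baseline(json.loads(text), BASELINES[version])


# Constructed sample of a drifted daemon.json (not a real host's configuration).
SAMPLE_DAEMON_JSON = """{
  "icc": true,
  "userland-proxy": false,
  "log-level": "debug",
  "storage-driver": "overlay2"
}"""

if __name__ == "__main__":
    for finding in audit_daemon_json(SAMPLE_DAEMON_JSON):
        print(f"{finding['key']}: expected {finding['expected']!r}, found {finding['actual']!r}")
```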

CM-2 (6) Development And Test Environments

Description

The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.

Control Information

Responsible role(s) - Organization

CM-2 (7) Configure Systems, Components, Or Devices For High-Risk Areas

Description

The organization:

  1. Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
  2. Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.

Control Information

Responsible role(s) - Organization

CM-3 Configuration Change Control

Description

The organization:

  1. Determines the types of changes to the information system that are configuration-controlled;
  2. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
  3. Documents configuration change decisions associated with the information system;
  4. Implements approved configuration-controlled changes to the information system;
  5. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
  6. Audits and reviews activities associated with configuration-controlled changes to the information system; and
  7. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management change control requirements of this control. Additional information can be found at the following resources:

CM-3 (1) Automated Document / Notification / Prohibition Of Changes

Description

The organization employs automated mechanisms to:

  1. Document proposed changes to the information system;
  2. Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
  3. Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
  4. Prohibit changes to the information system until designated approvals are received;
  5. Document all changes to the information system; and
  6. Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management change control requirements of this control. Configuration management tools such as Inspec (http://inspec.io/) can be used to audit the Docker Enterprise Edition system configuration in an automated fashion and confirm that the secure baseline configuration has been applied. Additional information can be found at the following resources:

CM-3 (2) Test / Validate / Document Changes

Description

The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management change control requirements of this control. Configuration management tools such as Inspec (http://inspec.io/) can be used to audit the Docker Enterprise Edition system configuration in an automated fashion and confirm that the secure baseline configuration has been applied. Additional information can be found at the following resources:

CM-3 (3) Automated Change Implementation

Description

The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.

Control Information

Responsible role(s) - Organization

CM-3 (4) Security Representative

Description

The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].

Control Information

Responsible role(s) - Organization

CM-3 (5) Automated Security Response

Description

The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.

Control Information

Responsible role(s) - Organization

CM-3 (6) Cryptography Management

Description

The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the cryptography management requirements of this control. Additional information can be found at the following resources:

CM-4 Security Impact Analysis

Description

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Control Information

Responsible role(s) - Organization

CM-4 (1) Separate Test Environments

Description

The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

Control Information

Responsible role(s) - Organization

CM-4 (2) Verification Of Security Functions

Description

The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.

Control Information

Responsible role(s) - Organization

CM-5 Access Restrictions For Change

Description

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Control Information

Responsible role(s) - Organization

CM-5 (1) Automated Access Enforcement / Auditing

Description

The information system enforces access restrictions and supports auditing of the enforcement actions.

Control Information

Responsible role(s) - Docker system

Component: Docker Trusted Registry (DTR)
Implementation Status(es): none
Control Origin(s): Docker EE system

Component: Universal Control Plane (UCP)
Implementation Status(es): none
Control Origin(s): Docker EE system

Implementation Details

CM-5 (2) Review System Changes

Description

The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): Docker EE system

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the system change requirements of this control. Additional information can be found at the following resources:

CM-5 (3) Signed Components

Description

The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

Control Information

Responsible role(s) - Docker system

Component: Docker Trusted Registry (DTR)
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Component: Universal Control Plane (UCP)
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Implementation Details

Docker Content Trust is a capability provided by Docker Enterprise Edition that enforces client-side signing and verification of Docker image tags. It provides the ability to use digital signatures for data sent to and received from Docker Trusted Registry and the public Docker Store. These signatures allow client-side verification of the integrity and publisher of specific image tags. All Docker Trusted Registry Docker images are officially signed and verified by Docker, Inc. When installing Docker Trusted Registry, you should enable Docker Content Trust and subsequently pull the signed DTR image tag. Additional information can be found at the following resources:

Before installing Docker Enterprise Edition, ensure that your supporting Linux operating system's package manager supports package signature verification and that it is enabled. You must also import the Docker public key for EE packages in order to retrieve the validated and signed package from Docker, Inc. Refer to your Linux OS documentation for instructions on completing the above steps. In addition, Docker Content Trust is a capability provided by Docker Engine that enforces client-side signing and verification of Docker image tags. It provides the ability to use digital signatures for data sent to and received from Docker Trusted Registry and the public Docker Store. These signatures allow client-side verification of the integrity and publisher of specific image tags. When Docker Content Trust is enabled in Docker Enterprise Edition, you can enforce the use of signed Docker images. Additional information can be found at the following resources:

Docker Content Trust is a capability provided by Docker Enterprise Edition that enforces client-side signing and verification of Docker image tags. It provides the ability to use digital signatures for data sent to and received from Docker Trusted Registry and the public Docker Store. These signatures allow client-side verification of the integrity and publisher of specific image tags. All Universal Control Plane Docker images are officially signed and verified by Docker, Inc. When configuring Universal Control Plane, you should require that applications use only Docker images signed by trusted UCP users within your organization. Additional information can be found at the following resources:

CM-5 (4) Dual Authorization

Description

The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].

Control Information

Responsible role(s) - Organization

CM-5 (5) Limit Production / Operational Privileges

Description

The organization:

  1. Limits privileges to change information system components and system-related information within a production or operational environment; and
  2. Reviews and reevaluates privileges [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CM-5 (6) Limit Library Privileges

Description

The organization limits privileges to change software resident within software libraries.

Control Information

Responsible role(s) - Organization

CM-6 Configuration Settings

Description

The organization:

  1. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
  2. Implements the configuration settings;
  3. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
  4. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Control Information

Responsible role(s) - Organization

CM-6 (1) Automated Central Management / Application / Verification

Description

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].

Control Information

Responsible role(s) - Docker system

Component: Docker Trusted Registry (DTR)
Implementation Status(es): none
Control Origin(s): service provider hybrid

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Component: Universal Control Plane (UCP)
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can incorporate an external configuration management system. Docker Trusted Registry's configuration can also be backed up and stored in an appropriate location per the requirements of this control. Additional documentation can be found at the following resources:

The organization can incorporate the use of an external configuration management system to meet the requirements of this control.

The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can incorporate an external configuration management system. Universal Control Plane's configuration can also be managed, backed up and stored in another location per the requirements of this control. Additional documentation can be found at the following resources:

CM-6 (2) Respond To Unauthorized Changes

Description

The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].

Control Information

Responsible role(s) - Organization

CM-7 Least Functionality

Description

The organization:

  1. Configures the information system to provide only essential capabilities; and
  2. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

To help the organization meet the requirements of this control, the latest CIS Docker Benchmark can be used as a secure configuration baseline. Additional information can be found at the following resources:

CM-7 (1) Periodic Review

Description

The organization:

  1. Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
  2. Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].

Control Information

Responsible role(s) - Docker system

Component: Universal Control Plane (UCP)
Implementation Status(es): none
Control Origin(s): Docker EE system; service provider corporate; service provider hybrid

Implementation Details

To help the organization meet the requirements of this control, Universal Control Plane includes a robust access control model to disable any functionality as mandated by this control.

CM-7 (2) Prevent Program Execution

Description

The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].

Control Information

Responsible role(s) - Docker system

Component: Docker Trusted Registry (DTR)
Implementation Status(es): none
Control Origin(s): Docker EE system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): Docker EE system

Component: Universal Control Plane (UCP)
Implementation Status(es): none
Control Origin(s): Docker EE system

Implementation Details

The organization can define a list of allowed base Docker images and make them available via Docker Trusted Registry. The organization can also prevent users from being able to pull Docker images from untrusted sources.
In order to restrict which Docker images can be used to deploy applications to Docker Enterprise Edition, the organization can define a list of allowed base Docker images and make them available via Docker Trusted Registry. The organization can also prevent users from being able to pull Docker images from untrusted sources.
In order to restrict which Docker images can be used to deploy applications to Universal Control Plane, the organization can define a list of allowed base Docker images and make them available via Docker Trusted Registry. The organization can also prevent users from being able to pull Docker images from untrusted sources.

CM-7 (3) Registration Compliance

Description

The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].

Control Information

Responsible role(s) - Organization

CM-7 (4) Unauthorized Software / Blacklisting

Description

The organization:

  1. Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
  2. Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
  3. Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CM-7 (5) Authorized Software / Whitelisting

Description

The organization:

  1. Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
  2. Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
  3. Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Docker system

Component: Docker Trusted Registry (DTR)
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Component: Universal Control Plane (UCP)
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Implementation Details

The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can define a list of allowed base Docker images and make them available via Docker Trusted Registry. The organization can also prevent users from being able to pull Docker images from untrusted sources. The organization can further configure its systems to ensure that only approved Docker images are stored in Docker Trusted Registry. This can be accomplished by using Docker Content Trust to sign Docker images, which are subsequently stored in Docker Trusted Registry.

The organization is responsible for meeting the requirements of this control. To assist with these requirements and in order to restrict which Docker images can be used to deploy applications to Docker EE Engine, the organization must define a list of allowed base Docker images and make them available via Docker Trusted Registry. The organization must also prevent users from being able to pull Docker images from untrusted sources.

The organization is responsible for meeting the requirements of this control. To assist with these requirements and in order to restrict which Docker images can be used to deploy applications to Universal Control Plane, the organization must define a list of allowed base Docker images and make them available via Docker Trusted Registry. The organization must also prevent users from being able to pull Docker images from untrusted sources. The organization can further configure its systems to ensure that only approved Docker images stored in Docker Trusted Registry can be run on Universal Control Plane. This can be accomplished by using Docker Content Trust to sign Docker images and configuring UCP to enforce, at runtime, that only images signed by specific Teams are run. Additional information can be found at the following resources:

CM-8 Information System Component Inventory

Description

The organization:

  1. Develops and documents an inventory of information system components that:
    1. Accurately reflects the current information system;
    2. Includes all components within the authorization boundary of the information system;
    3. Is at the level of granularity deemed necessary for tracking and reporting; and
    4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
  2. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

CM-8 (1) Updates During Installations / Removals

Description

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

Control Information

Responsible role(s) - Organization

CM-8 (2) Automated Maintenance

Description

The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

Control Information

Responsible role(s) - Organization

CM-8 (3) Automated Unauthorized Component Detection

Description

The organization:

  1. Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
  2. Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

Control Information

Responsible role(s) - Organization

CM-8 (4) Accountability Information

Description

The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.

Control Information

Responsible role(s) - Organization

CM-8 (5) No Duplicate Accounting Of Components

Description

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

Control Information

Responsible role(s) - Organization

CM-8 (6) Assessed Configurations / Approved Deviations

Description

The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.

Control Information

Responsible role(s) - Organization

CM-8 (7) Centralized Repository

Description

The organization provides a centralized repository for the inventory of information system components.

Control Information

Responsible role(s) - Organization

CM-8 (8) Automated Location Tracking

Description

The organization employs automated mechanisms to support tracking of information system components by geographic location.

Control Information

Responsible role(s) - Organization

CM-8 (9) Assignment Of Components To Systems

Description

The organization:

  1. Assigns [Assignment: organization-defined acquired information system components] to an information system; and
  2. Receives an acknowledgement from the information system owner of this assignment.

Control Information

Responsible role(s) - Organization

CM-9 Configuration Management Plan

Description

The organization develops, documents, and implements a configuration management plan for the information system that:

  1. Addresses roles, responsibilities, and configuration management processes and procedures;
  2. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
  3. Defines the configuration items for the information system and places the configuration items under configuration management; and
  4. Protects the configuration management plan from unauthorized disclosure and modification.

Control Information

Responsible role(s) - Docker system

Component: Docker Enterprise Edition Engine
Implementation Status(es): none
Control Origin(s): service provider hybrid

Implementation Details

The CIS Docker Benchmark can be used as a baseline for securing Docker Enterprise Edition and for helping the organization meet the configuration management plan requirements of this control. Additional information can be found at the following resources:

CM-9 (1) Assignment Of Responsibility

Description

The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.

Control Information

Responsible role(s) - Organization

CM-10 Software Usage Restrictions

Description

The organization:

  1. Uses software and associated documentation in accordance with contract agreements and copyright laws;
  2. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
  3. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Control Information

Responsible role(s) - Organization

CM-10 (1) Open Source Software

Description

The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].

Control Information

Responsible role(s) - Organization

CM-11 User-Installed Software

Description

The organization:

  1. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
  2. Enforces software installation policies through [Assignment: organization-defined methods]; and
  3. Monitors policy compliance at [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Docker system

Component: Docker Trusted Registry (DTR)
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Implementation Details

The organization is responsible for meeting the requirements of this control. To assist with these requirements, the organization can define a list of allowed base Docker images and make them available via Docker Trusted Registry. The organization can also prevent users from being able to pull Docker images from untrusted sources.

CM-11 (1) Alerts For Unauthorized Installations

Description

The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.

Control Information

Responsible role(s) - Docker system

Component: Docker Trusted Registry (DTR)
Implementation Status(es): none
Control Origin(s): service provider hybrid; shared

Implementation Details

The organization can define a list of allowed base Docker images and make them available via Docker Trusted Registry to meet the requirements of this control. The organization can also prevent users from being able to pull Docker images from untrusted sources.
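As an added example (not from this page and not Docker's own code), the allowed-base-image policy that CM-7 (2), CM-7 (5) and CM-11 describe, expressed as a deploy-time check: every image reference must resolve to the trusted registry and to an approved repository, and can optionally be required to be pinned by digest so a re-pointed tag cannot bypass the allowlist. The DTR hostname dtr.example.com, the allowlist and the sample deployment are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumptions (not from the page): the organization's DTR hostname and the
# repositories it has approved as base images. Both are constructed values.
TRUSTED_REGISTRY = "dtr.example.com"
ALLOWED_REPOSITORIES = {"base/alpine", "base/ubuntu", "base/nginx"}
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: str
    digest: Optional[str]


def parse_ref(ref: str) -> ImageRef:
    """Split a Docker image reference into registry, repository, tag and digest.

    Follows the docker CLI's rules: the first path component is a registry only
    if it contains '.' or ':' or is 'localhost'; otherwise the reference is
    implicitly on docker.io, where single-name images live under 'library/'.
    """
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    first, slash, rest = ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref
    # The tag separator is a ':' after the last '/', so a registry port is never read as a tag.
    colon = path.rfind(":")
    if colon > path.rfind("/"):
        path, tag = path[:colon], path[colon + 1:]
    else:
        tag = "latest"
    if registry == "docker.io" and "/" not in path:
        path = "library/" + path
    return ImageRef(registry, path, tag, digest)


def check_image(ref: str, require_digest: bool = False) -> Tuple[bool, str]:
    """Decide whether an image reference may be deployed, with a reason when it may not."""
    img = parse_ref(ref)
    if img.registry != TRUSTED_REGISTRY:
        return False, f"{ref}: registry '{img.registry}' is not the trusted registry"
    if img.repository not in ALLOWED_REPOSITORIES:
        return False, f"{ref}: repository '{img.repository}' is not on the allowlist"
    if img.digest is not None and not DIGEST_RE.match(img.digest):
        return False, f"{ref}: malformed digest"
    if require_digest and img.digest is None:
        return False, f"{ref}: not pinned by digest, so a mutable tag could be re-pointed"
    return True, f"{ref}: allowed"


def audit_deployment(images: List[str], require_digest: bool = False) -> List[str]:
    """Return the reason for every image in a deployment that fails the policy."""
    results = (check_image(image, require_digest) for image in images)
    return [reason for allowed, reason in results if not allowed]


# Constructed sample deployment (the digest is a placeholder, not a real image):
# with digest pinning required, one image passes and three are denied.
SAMPLE_IMAGES = [
    "dtr.example.com/base/alpine@sha256:" + "a" * 64,
    "nginx:latest",
    "dtr.example.com/team-x/scratchpad:dev",
    "dtr.example.com/base/ubuntu",
]

if __name__ == "__main__":
    for reason in audit_deployment(SAMPLE_IMAGES, require_digest=True):
        print("DENY", reason)
```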

CM-11 (2) Prohibit Installation Without Privileged Status

Description

The information system prohibits user installation of software without explicit privileged status.

Control Information

Responsible role(s) - Organization
