Audit and accountability

Estimated reading time: 44 minutes

AU-1 Audit And Accountability Policy And Procedures

Description

The organization:

  1. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
    1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
  2. Reviews and updates the current:
    1. Audit and accountability policy [Assignment: organization-defined frequency]; and
    2. Audit and accountability procedures [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

AU-2 Audit Events

Description

The organization:

  1. Determines that the information system is capable of auditing the following events: [Assignment: organization-defined auditable events];
  2. Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
  3. Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and
  4. Determines that the following events are to be audited within the information system: [Assignment: organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
service provider corporate
service provider hybrid
shared
Docker Enterprise Edition Engine complete
service provider hybrid
shared
Universal Control Plane (UCP) complete
service provider hybrid
shared

Implementation Details

All of the event types indicated by this control are logged by a combination of the backend ucp-controller service within Universal Control Plane and the backend services that make up Docker Trusted Registry. Additional documentation can be found at the following resource:
Both Universal Control Plane and Docker Trusted Registry backend service containers, all of which reside on Docker Enterprise Edition, log all of the event types indicated by this control (as explained by their component narratives). These and other application containers that reside on Docker Enterprise Edition can be configured to log data via an appropriate Docker logging driver. Instructions for configuring logging drivers can be found at the following resource:
All of the event types indicated by this control are logged by the backend ucp-controller service within Universal Control Plane. In addition, each container created on a Universal Control Plane cluster logs event data. Supporting documentation for configuring UCP logging can be referenced at the following resources:

AU-2 (3) Reviews And Updates

Description

The organization reviews and updates the audited events [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

AU-3 Content Of Audit Records

Description

The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared
Authentication and Authorization Service (eNZi) complete
Docker EE system
shared

Implementation Details

Docker Trusted Registry generates all of the audit record information indicated by this control. A sample audit event has been provided below: {"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password based auth suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth ok","username":"dockeruser"}
Both Universal Control Plane and Docker Trusted Registry are pre-configured to take advantage of Docker Enterprise Edition's built-in logging mechanisms. A sample audit event recorded by Docker Enterprise Edition has been provided below: {"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password based auth suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth ok","username":"dockeruser"} Additional documentation can be referenced at the following resource:
Universal Control Plane generates all of the audit record information indicated by this control. A sample audit event has been provided below: {"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password based auth suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth ok","username":"dockeruser"}
Docker Enterprise Edition generates all of the audit record information indicated by this control. A sample audit event has been provided below: {"level":"info","license_key":"123456789123456789123456789","msg":"eNZi:Password based auth suceeded","remote_addr":"192.168.33.1:55905","time":"2016-11-09T22:41:01Z","type":"auth ok","username":"dockeruser"}

AU-3 (1) Additional Audit Information

Description

The information system generates audit records containing the following additional information: [Assignment: organization-defined additional, more detailed information].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The logging stack can subsequently be used to interpolate the information defined by this control from the logged audit records. Additional information can be found at the following resource:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be used to interpolate the information defined by this control from the logged audit records. Additional documentation can be found at the following resource:
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be used to interpolate the information defined by this control from the logged audit records. Additional documentation can be found at the following resource:

AU-3 (2) Centralized Management Of Planned Audit Record Content

Description

The information system provides centralized management and configuration of the content to be captured in audit records generated by [Assignment: organization-defined information system components].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The logging stack can subsequently be used to interpolate the information defined by this control from the logged audit records. Additional information can be found at the following resource:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be used to interpolate the information defined by this control from the logged audit records. Additional documentation can be found at the following resource:
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be used to interpolate the information defined by this control from the logged audit records. Additional documentation can be found at the following resource:

AU-4 Audit Storage Capacity

Description

The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].

Control Information

Responsible role(s) - Organization

AU-4 (1) Transfer To Alternate Storage

Description

The information system off-loads audit records [Assignment: organization-defined frequency] onto a different system or media than the system being audited.

Control Information

Responsible role(s) - Organization

AU-5 Response To Audit Processing Failures

Description

The information system:

  1. Alerts [Assignment: organization-defined personnel or roles] in the event of an audit processing failure; and
  2. Takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
service provider system specific

Implementation Details

Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The logging stack can subsequently be configured to alert individuals in the event of log processing failures. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can be used to interpolate the information defined by this control and also be configured to alert on any audit processing failures. Additional information can be found at the following resources:
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be configured to alert individuals in the event of log processing failures. Additional information can be found at the following resources:

AU-5 (1) Audit Storage Capacity

Description

The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The logging stack can subsequently be configured to warn the organization when the allocated log storage is full. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be configured to warn the organization when the allocated log storage is full. Additional information can be found at the following resources:
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be configured to warn the organization when the allocated log storage is full. Additional information can be found at the following resources:

AU-5 (2) Real-Time Alerts

Description

The information system provides an alert in [Assignment: organization-defined real-time period] to [Assignment: organization-defined personnel, roles, and/or locations] when the following audit failure events occur: [Assignment: organization-defined audit failure events requiring real-time alerts].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The logging stack can subsequently be configured to warn the organization when audit log failures occur. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be configured to warn the organization when audit log failures occur. Additional information can be found at the following resources:
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be configured to warn the organization when audit log failures occur. Additional information can be found at the following resources:

AU-5 (3) Configurable Traffic Volume Thresholds

Description

The information system enforces configurable network communications traffic volume thresholds reflecting limits on auditing capacity and [Selection: rejects; delays] network traffic above those thresholds.

Control Information

Responsible role(s) - Organization

AU-5 (4) Shutdown On Failure

Description

The information system invokes a [Selection: full system shutdown; partial system shutdown; degraded operational mode with limited mission/business functionality available] in the event of [Assignment: organization-defined audit failures], unless an alternate audit capability exists.

Control Information

Responsible role(s) - Organization

AU-6 Audit Review, Analysis, And Reporting

Description

The organization:

  1. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and
  2. Reports findings to [Assignment: organization-defined personnel or roles].

Control Information

Responsible role(s) - Organization

AU-6 (1) Process Integration

Description

The organization employs automated mechanisms to integrate audit review, analysis, and reporting processes to support organizational processes for investigation and response to suspicious activities.

Control Information

Responsible role(s) - Organization

AU-6 (3) Correlate Audit Repositories

Description

The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

Control Information

Responsible role(s) - Organization

AU-6 (4) Central Review And Analysis

Description

The information system provides the capability to centrally review and analyze audit records from multiple components within the system.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The organization can subsequently centrally review and analyze all of the Docker EE audit records. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The organization can subsequently centrally review and analyze all of the Docker EE audit records. Additional information can be found at the following resources:
Universal Control Plane can be configured to log data to a remote logging stack. The organization can subsequently centrally review and analyze all of the Docker EE audit records. Additional information can be found at the following resources:

AU-6 (5) Integration / Scanning And Monitoring Capabilities

Description

The organization integrates analysis of audit records with analysis of [Selection (one or more): vulnerability scanning information; performance data; information system monitoring information; [Assignment: organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.

Control Information

Responsible role(s) - Organization

AU-6 (6) Correlation With Physical Monitoring

Description

The organization correlates information from audit records with information obtained from monitoring physical access to further enhance the ability to identify suspicious, inappropriate, unusual, or malevolent activity.

Control Information

Responsible role(s) - Organization

AU-6 (7) Permitted Actions

Description

The organization specifies the permitted actions for each [Selection (one or more): information system process; role; user] associated with the review, analysis, and reporting of audit information.

Control Information

Responsible role(s) - Organization

AU-6 (8) Full Text Analysis Of Privileged Commands

Description

The organization performs a full text analysis of audited privileged commands in a physically distinct component or subsystem of the information system, or other information system that is dedicated to that analysis.

Control Information

Responsible role(s) - Organization

AU-6 (9) Correlation With Information From Nontechnical Sources

Description

The organization correlates information from nontechnical sources with audit information to enhance organization-wide situational awareness.

Control Information

Responsible role(s) - Organization

AU-6 (10) Audit Level Adjustment

Description

The organization adjusts the level of audit review, analysis, and reporting within the information system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.

Control Information

Responsible role(s) - Organization

AU-7 Audit Reduction And Report Generation

Description

The information system provides an audit reduction and report generation capability that:

  1. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
  2. Does not alter the original content or time ordering of audit records.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The logging stack can subsequently be used to facilitate the audit reduction and report generation requirements of this control. Additional information can be found at the following resources: The underlying operating system chosen to support Docker Trusted Registry should be certified to ensure that logs are not altered during generation and transmission to a remote logging stack.
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be used to facilitate the audit reduction and report generation requirements of this control. Additional information can be found at the following resources: The underlying operating system chosen to support Docker Enterprise Edition should be certified to ensure that logs are not altered during generation and transmission to a remote logging stack.
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be used to facilitate the audit reduction and report generation requirements of this control. Additional information can be found at the following resources: The underlying operating system chosen to support Universal Control Plane should be certified to ensure that logs are not altered during generation and transmission to a remote logging stack.

AU-7 (1) Automatic Processing

Description

The information system provides the capability to process audit records for events of interest based on [Assignment: organization-defined audit fields within audit records].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

Universal Control Plane can be configured to log data to a remote logging stack, which in turn, sends the Docker Trusted Registry backend container audit records to the remote logging stack. The logging stack can subsequently be configured to parse information by organization-defined audit fields. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. The logging stack can subsequently be configured to parse information by organization-defined audit fields. Additional information can be found at the following resources:
Universal Control Plane can be configured to log data to a remote logging stack. The logging stack can subsequently be configured to parse information by organization-defined audit fields. Additional information can be found at the following resources:

Description

The information system provides the capability to sort and search audit records for events of interest based on the content of [Assignment: organization-defined audit fields within audit records].

Control Information

Responsible role(s) - Organization

AU-8 Time Stamps

Description

The information system:

  1. Uses internal system clocks to generate time stamps for audit records; and
  2. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
service provider hybrid
Docker Enterprise Edition Engine complete
service provider hybrid
Universal Control Plane (UCP) complete
service provider hybrid

Implementation Details

Docker Trusted Registry uses the system clock of the underlying operating system on which it runs. This behavior cannot be modified.The underlying operating system on which Docker Trusted Registry runs should be configured such that its system clock uses Coordinated Universal Time (UTC) as indicated by this control. Refer to the operating system's instructions for doing so.
Docker Enterprise Edition uses the system clock of the underlying operating system on which it runs. This behavior cannot be modified.The underlying operating system on which Docker Enterprise Edition runs should be configured such that its system clock uses Coordinated Universal Time (UTC) as indicated by this control. Refer to the operating system's instructions for doing so.
Universal Control Plane uses the system clock of the underlying operating system on which it runs. This behavior cannot be modified.The underlying operating system on which Universal Control Plane runs should be configured such that its system clock uses Coordinated Universal Time (UTC) as indicated by this control. Refer to the operating system's instructions for doing so.

AU-8 (1) Synchronization With Authoritative Time Source

Description

The information system:

  1. Compares the internal information system clocks [Assignment: organization-defined frequency] with [Assignment: organization-defined authoritative time source]; and
  2. Synchronizes the internal system clocks to the authoritative time source when the time difference is greater than [Assignment: organization-defined time period].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
service provider hybrid
Docker Enterprise Edition Engine complete
service provider hybrid
Universal Control Plane (UCP) complete
service provider hybrid

Implementation Details

The underlying operating system on which Docker Trusted Registry runs should be configured such that its system clock compares itself with an authoritative time source as indicated by this control. This can be accomplished by utilizing the Network Time Protocol (NTP). Refer to the operating system's instructions for doing so.The underlying operating system on which Docker Trusted Registry runs should be configured such that its system clock synchronizes itself to an authoritative time source as defined by part (a) of this control any time the time difference exceeds that of the organization-defined time period. This can be accomplished by utilizing the Network Time Protocol (NTP). Refer to the operating system's instructions for doing so.
The underlying operating system on which Docker Enterprise Edition runs should be configured such that its system clock compares itself with an authoritative time source as indicated by this control. This can be accomplished by utilizing the Network Time Protocol (NTP). Refer to the operating system's instructions for doing so.The underlying operating system on which Docker Enterprise Edition runs should be configured such that its system clock synchronizes itself to an authoritative time source as defined by part (a) of this control any time the time difference exceeds that of the organization-defined time period. This can be accomplished by utilizing the Network Time Protocol (NTP). Refer to the operating system's instructions for doing so.
The underlying operating system on which Universal Control Plane runs should be configured such that its system clock compares itself with an authoritative time source as indicated by this control. This can be accomplished by utilizing the Network Time Protocol (NTP). Refer to the operating system's instructions for doing so.The underlying operating system on which Universal Control Plane runs should be configured such that its system clock synchronizes itself to an authoritative time source as defined by part (a) of this control any time the time difference exceeds that of the organization-defined time period. This can be accomplished by utilizing the Network Time Protocol (NTP). Refer to the operating system's instructions for doing so.

AU-8 (2) Secondary Authoritative Time Source

Description

The information system identifies a secondary authoritative time source that is located in a different geographic region than the primary authoritative time source.

Control Information

Responsible role(s) - Organization

AU-9 Protection Of Audit Information

Description

The information system protects audit information and audit tools from unauthorized access, modification, and deletion.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
service provider hybrid
Docker Enterprise Edition Engine complete
service provider hybrid
Universal Control Plane (UCP) complete
service provider hybrid

Implementation Details

By default, Docker Trusted Registry is configured to use the underlying logging capabilities of Docker Enterprise Edition. As such, on the underlying Linux operating system, only root and sudo users and users that have been added to the 'docker' group have the ability to access the logs generated by UCP backend service containers. In addition, only UCP Administrator users can change the logging endpoint of the system should it be decided that logs be sent to a remote logging stack. In this case, the organization is responsible for configuring the remote logging stack per the provisions of this control.
On the underlying Linux operating system supporting Docker Enterprise Edition, only root and sudo users and users that have been added to the "docker" group have the ability to access the logs generated by UCP backend service containers. Should the organization decide to configure Docker Enterprise Edition to use a logging driver other than the default json-file driver, the organization is subsequently responsible for configuring the chosen logging stack per the provisions of this control. In addition, for Linux operating systems supporting Docker Enterprise Edition that use the systemd daemon, it is imperative that the Journal is secured per the requirements of this control. The same applies for Linux operating systems supporting Docker Enterprise Edition that instead use upstart. Additional information can be found at the following resources:
By default, Universal Control Plane is configured to use the underlying logging capabilities of Docker Enterprise Edition. As such, on the underlying Linux operating system, only root and sudo users and users that have been added to the 'docker' group have the ability to access the logs generated by UCP backend service containers. In addition, only UCP Administrator users can change the logging endpoint of the system should it be decided that logs be sent to a remote logging stack. In this case, the organization is responsible for configuring the remote logging stack per the provisions of this control.

AU-9 (1) Hardware Write-Once Media

Description

The information system writes audit trails to hardware-enforced, write-once media.

Control Information

Responsible role(s) - Organization

AU-9 (2) Audit Backup On Separate Physical Systems / Components

Description

The information system backs up audit records [Assignment: organization-defined frequency] onto a physically different system or system component than the system or component being audited.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
service provider hybrid
Docker Enterprise Edition Engine complete
service provider hybrid
Universal Control Plane (UCP) complete
service provider hybrid

Implementation Details

Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, and can be configured to send logs to a remote logging stack. The logging stack can subsequently be configured to back up audit records per the schedule defined by this control. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured to use a logging driver that can subsequently meet the backup requirements of this control. Additional information can be found at the following resources:
Universal Control Plane can be configured to send logs to a remote logging stack. The logging stack can subsequently be configured to back up audit records per the schedule defined by this control. Additional information can be found at the following resources:

AU-9 (3) Cryptographic Protection

Description

The information system implements cryptographic mechanisms to protect the integrity of audit information and audit tools.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
service provider hybrid
Docker Enterprise Edition Engine complete
service provider hybrid
Universal Control Plane (UCP) complete
service provider hybrid

Implementation Details

Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, and can be configured to send logs to a remote logging stack. The logging stack can subsequently be configured to meet the encryption mechanisms required by this control. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured to use a logging driver that can subsequently meet the encryption mechanisms required by this control. Additional information can be found at the following resources:
Universal Control Plane can be configured to send logs to a remote logging stack. The logging stack can subsequently be configured to meet the encryption mechanisms required by this control. Additional information can be found at the following resources:

AU-9 (4) Access By Subset Of Privileged Users

Description

The organization authorizes access to management of audit functionality to only [Assignment: organization-defined subset of privileged users].

Control Information

Responsible role(s) - Organization

AU-9 (5) Dual Authorization

Description

The organization enforces dual authorization for [Selection (one or more): movement; deletion] of [Assignment: organization-defined audit information].

Control Information

Responsible role(s) - Organization

AU-9 (6) Read Only Access

Description

The organization authorizes read-only access to audit information to [Assignment: organization-defined subset of privileged users].

Control Information

Responsible role(s) - Organization

AU-10 Non-Repudiation

Description

The information system protects against an individual (or process acting on behalf of an individual) falsely denying having performed [Assignment: organization-defined actions to be covered by non-repudiation].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Enterprise Edition Engine complete
Docker EE system

Implementation Details

Docker Enterprise Edition includes functionality known as Docker Content Trust which allows one to cryptographically sign Docker images. It enforces client-side signing and verification of image tags and provides the ability to use digital signatures for data sent to and received from Docker Trusted Registry. This ultimately provides one with the ability to verify both the integrity and the publisher of all data received from DTR over any channel. With Docker Content Trust, an organization can enforce signature verification of all content and prohibit unsigned and unapproved content from being manipulated; thus supproting the non-repudiation requirements of this control. Additional information can be found at the following resources:

AU-10 (1) Association Of Identities

Description

The information system:

  1. Binds the identity of the information producer with the information to [Assignment: organization-defined strength of binding]; and
  2. Provides the means for authorized individuals to determine the identity of the producer of the information.

Control Information

Responsible role(s) - Organization

AU-10 (2) Validate Binding Of Information Producer Identity

Description

The information system:

  1. Validates the binding of the information producer identity to the information at [Assignment: organization-defined frequency]; and
  2. Performs [Assignment: organization-defined actions] in the event of a validation error.

Control Information

Responsible role(s) - Organization

AU-10 (3) Chain Of Custody

Description

The information system maintains reviewer/releaser identity and credentials within the established chain of custody for all information reviewed or released.

Control Information

Responsible role(s) - Organization

AU-10 (4) Validate Binding Of Information Reviewer Identity

Description

The information system:

  1. Validates the binding of the information reviewer identity to the information at the transfer or release points prior to release/transfer between [Assignment: organization-defined security domains]; and
  2. Performs [Assignment: organization-defined actions] in the event of a validation error.

Control Information

Responsible role(s) - Organization

AU-11 Audit Record Retention

Description

The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
service provider corporate
service provider hybrid
shared
Docker Enterprise Edition Engine complete
service provider hybrid
shared
Universal Control Plane (UCP) complete
service provider hybrid
shared

Implementation Details

The organization will be responsible for meeting the requirements of this control. To assist with these requirements, Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, and as such, can be configured to send logs to a remote logging stack. This logging stack can subsequently be configured to retain logs for the duration required by this control. Additional information can be found at the following resources:
The organization will be responsible for meeting the requirements of this control. To assist with these requirements, Docker Enterprise Edition can be configured to use a logging driver that stores data in a location for the duration specified by this control. Additional information can be found at the following resources:
The organization will be responsible for meeting the requirements of this control. To assist with these requirements, Universal Control Plane can be configured to send logs to a remote logging stack. This logging stack can subsequently be configured retain logs for the duration required by this control. Additional information can be found at the following resources:

AU-11 (1) Long-Term Retrieval Capability

Description

The organization employs [Assignment: organization-defined measures] to ensure that long-term audit records generated by the information system can be retrieved.

Control Information

Responsible role(s) - Organization

AU-12 Audit Generation

Description

The information system:

  1. Provides audit record generation capability for the auditable events defined in AU-2 a. at [Assignment: organization-defined information system components];
  2. Allows [Assignment: organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and
  3. Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

All of the event types indicated by AU-2 a. are logged by a combination of the backend services within Universal Control Plane and Docker Trusted Registry. The underlying Linux operating system supporting DTR can be configured to audit Docker-specific events with the auditd daemon. Refer to the specific Linux distribution in use for instructions on configuring this service. Additional information can be found at the following resources: Using auditd on the Linux operating system supporting DTR, the organization can configure audit rules to select which Docker-specific events are to be audited. Refer to the specific Linux distribution in use for instructions on configuring this service.
Both Universal Control Plane and Docker Trusted Registry backend service containers, all of which reside on Docker Enterprise Edition, log all of the event types indicated by this AU-2 a. These and other application containers that reside on Docker Enterprise Edition can be configured to log data via an appropriate Docker logging driver. The underlying Linux operating system supporting Docker Enterprise Edition can be configured to audit Docker-specific events with the auditd daemon. Refer to the specific Linux distribution in use for instructions on configuring this service. Additional information can be found at the following resources: Using auditd on the Linux operating system supporting CS Docker Engine, the organization can configure audit rules to select which Docker-specific events are to be audited. Refer to the specific Linux distribution in use for instructions on configuring this service.
All of the event types indicated by AU-2 a. are logged by the backend ucp-controller service within Universal Control Plane. In addition, each container created on a Universal Control Plane cluster logs event data. The underlying Linux operating system supporting UCP can be configured to audit Docker-specific events with the auditd daemon. Refer to the specific Linux distribution in use for instructions on configuring this service. Additional information can be found at the following resources: Using auditd on the Linux operating system supporting UCP, the organization can configure audit rules to select which Docker-specific events are to be audited. Refer to the specific Linux distribution in use for instructions on configuring this service.

AU-12 (1) System-Wide / Time-Correlated Audit Trail

Description

The information system compiles audit records from [Assignment: organization-defined information system components] into a system-wide (logical or physical) audit trail that is time-correlated to within [Assignment: organization-defined level of tolerance for the relationship between time stamps of individual records in the audit trail].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
Docker EE system
shared
Docker Enterprise Edition Engine complete
Docker EE system
shared
Universal Control Plane (UCP) complete
Docker EE system
shared

Implementation Details

Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, and as such, can be configured to send logs to a remote logging stack. This logging stack can subsequently be used to compile audit records in to a system-wide audit trail that is time-correlated per the requirements of this control. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. This logging stack can subsequently be used to compile audit records in to a system-wide audit trail that is time-correlated per the requirements of this control. Additional information can be found at the following resources:
Universal Control Plane can be configured to send logs to a remote logging stack. This logging stack can subsequently be used to compile audit records in to a system-wide audit trail that is time-correlated per the requirements of this control. Additional information can be found at the following resources:

AU-12 (2) Standardized Formats

Description

The information system produces a system-wide (logical or physical) audit trail composed of audit records in a standardized format.

Control Information

Responsible role(s) - Organization

AU-12 (3) Changes By Authorized Individuals

Description

The information system provides the capability for [Assignment: organization-defined individuals or roles] to change the auditing to be performed on [Assignment: organization-defined information system components] based on [Assignment: organization-defined selectable event criteria] within [Assignment: organization-defined time thresholds].

Control Information

Responsible role(s) - Docker system

Component Implementation Status(es) Control Origin(s)
Docker Trusted Registry (DTR) complete
service provider hybrid
shared
Docker Enterprise Edition Engine complete
service provider hybrid
shared
Universal Control Plane (UCP) complete
service provider hybrid
shared

Implementation Details

Docker Trusted Registry resides as an Application on a Universal Control Plane cluster, and as such, can be configured to send logs to a remote logging stack. This logging stack can subsequently be used to meet the requirements of this control. Additional information can be found at the following resources:
Docker Enterprise Edition can be configured with various logging drivers to send audit events to an external logging stack. This logging stack can subsequently be used to meet the requirements of this control. Additional information can be found at the following resources:
Universal Control Plane can be configured to send logs to a remote logging stack. This logging stack can subsequently be used to meet the requirements of this control. Additional information can be found at the following resources:

AU-13 Monitoring For Information Disclosure

Description

The organization monitors [Assignment: organization-defined open source information and/or information sites] [Assignment: organization-defined frequency] for evidence of unauthorized disclosure of organizational information.

Control Information

Responsible role(s) - Organization

AU-13 (1) Use Of Automated Tools

Description

The organization employs automated mechanisms to determine if organizational information has been disclosed in an unauthorized manner.

Control Information

Responsible role(s) - Organization

AU-13 (2) Review Of Monitored Sites

Description

The organization reviews the open source information sites being monitored [Assignment: organization-defined frequency].

Control Information

Responsible role(s) - Organization

AU-14 Session Audit

Description

The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

Control Information

Responsible role(s) - Organization

AU-14 (1) System Start-Up

Description

The information system initiates session audits at system start-up.

Control Information

Responsible role(s) - Organization

AU-14 (2) Capture/Record And Log Content

Description

The information system provides the capability for authorized users to capture/record and log content related to a user session.

Control Information

Responsible role(s) - Organization

AU-14 (3) Remote Viewing / Listening

Description

The information system provides the capability for authorized users to remotely view/hear all content related to an established user session in real time.

Control Information

Responsible role(s) - Organization

AU-15 Alternate Audit Capability

Description

The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].

Control Information

Responsible role(s) - Organization

AU-16 Cross-Organizational Auditing

Description

The organization employs [Assignment: organization-defined methods] for coordinating [Assignment: organization-defined audit information] among external organizations when audit information is transmitted across organizational boundaries.

Control Information

Responsible role(s) - Organization

AU-16 (1) Identity Preservation

Description

The organization requires that the identity of individuals be preserved in cross-organizational audit trails.

Control Information

Responsible role(s) - Organization

AU-16 (2) Sharing Of Audit Information

Description

The organization provides cross-organizational audit information to [Assignment: organization-defined organizations] based on [Assignment: organization-defined cross-organizational sharing agreements].

Control Information

Responsible role(s) - Organization

standards, compliance, security, 800-53, Audit and accountability