Set the per-user session limit to a value of '3' or lower
Description
The “Per User Limit” Login Session Control which is configured in the UCP “Admin Settings” | “Authentication & Authorization” section specifies the maximum number of sessions that any user can have active at any given time. If creating a new session would put a user over this limit then the least recently used session will be deleted. Set this limit to a lower value but greater than ‘0’ to prevent users from initiating an unnecessarily high number of concurrent sessions. This limit applies to users that are authenticated to UCP and/or DTR as the built-in authentication and authorization backplane in UCP serves both UCP and DTR.
Rationale
By default, UCP sets the “Per User Limit” value to ‘10’ which may be too high for the number of concurrent sessions that users are allotted. Users who are able to maintain a large number of concurrent sessions could be subject to phishing attacks or similar that result in unauthorized sessions with a UCP and/or DTR cluster. Furthermore, setting a value of ‘0’ disables limiting the number of sessions that users may have, and this is not in line with good security practice.
Audit
As a Docker Enterprise Administrator, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with your UCP URL, [ucp_username] with the username of a Docker Enterprise Administrator, and [ucp_password] with the password of a Docker Enterprise Administrator.
Retrieve a UCP API token. Linux (requires curl and jq):
$ AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
Retrieve the UCP config. Linux (requires curl):
$ curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml
Look for the per_user_limit entry under the [auth.sessions] section in the output, and verify it is set to a value of ‘3’ or lower, but greater than ‘0’.
Remediation
As a Docker Enterprise Administrator, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with your UCP URL, [ucp_username] with the username of a Docker Enterprise Administrator, and [ucp_password] with the password of a Docker Enterprise Administrator.
Retrieve a UCP API token. Linux (requires curl and jq):
$ AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
Retrieve and save the UCP config. Linux (requires curl):
$ curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml
Open the ucp-config.toml file, set the per_user_limit entry under the [auth.sessions] section to a value of ‘3’ or lower, but greater than ‘0’, and save the file.
Execute the following command to update UCP with the new configuration. Linux (requires curl):
$ curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
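The audit and remediation steps above both come down to reading and rewriting one TOML entry, which is easy to get wrong by eye in a long config-toml export. The script below is an added example, not part of the benchmark or of Docker's tooling: it extracts per_user_limit from the [auth.sessions] section, applies the pass criterion (greater than 0 and at most 3) and can rewrite the entry for remediation. The fetch/upload helpers mirror the curl commands quoted above and assume the same [ucp_url], [ucp_username] and [ucp_password] placeholders; the sample configs are constructed, not real UCP output.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or from Docker): audit and remediate
# the [auth.sessions] per_user_limit entry in a UCP config-toml export.
# The check and rewrite work on plain text and run offline; fetch_ucp_config and
# upload_ucp_config use the endpoints quoted in the benchmark and need network,
# curl and jq, with the [ucp_url]/[ucp_username]/[ucp_password] values assumed.

# Print the per_user_limit value from the [auth.sessions] section of the
# config-toml read on stdin. Prints nothing if the entry is absent.
extract_per_user_limit() {
  awk '
    # Any section header decides whether the following lines are in [auth.sessions].
    /^[[:space:]]*\[/ {
      in_sessions = ($0 ~ /^[[:space:]]*\[auth\.sessions\][[:space:]]*$/)
      next
    }
    in_sessions && /^[[:space:]]*per_user_limit[[:space:]]*=/ {
      sub(/^[[:space:]]*per_user_limit[[:space:]]*=[[:space:]]*/, "")
      sub(/[[:space:]]*(#.*)?$/, "")   # strip a trailing comment, if any
      print
      exit
    }
  '
}

# Audit: return 0 (PASS) when 0 < per_user_limit <= 3, 1 (FAIL) otherwise.
check_per_user_limit() {
  limit=$(extract_per_user_limit)
  case "$limit" in
    ''|*[!0-9]*)
      echo "FAIL: per_user_limit is missing or not a non-negative integer (${limit:-unset})"
      return 1 ;;
  esac
  if [ "$limit" -ge 1 ] && [ "$limit" -le 3 ]; then
    echo "PASS: per_user_limit = $limit"
    return 0
  fi
  echo "FAIL: per_user_limit = $limit (benchmark requires 1..3; 0 disables the limit)"
  return 1
}

# Remediation: rewrite per_user_limit under [auth.sessions] to $1 (stdin -> stdout).
# If the section exists but has no such entry, the entry is appended to the section.
set_per_user_limit() {
  awk -v new="$1" '
    /^[[:space:]]*\[/ {
      if (in_sessions && !done) { print "    per_user_limit = " new; done = 1 }
      in_sessions = ($0 ~ /^[[:space:]]*\[auth\.sessions\][[:space:]]*$/)
      print; next
    }
    in_sessions && !done && /^[[:space:]]*per_user_limit[[:space:]]*=/ {
      sub(/per_user_limit[[:space:]]*=.*/, "per_user_limit = " new)
      done = 1
    }
    { print }
    END { if (in_sessions && !done) print "    per_user_limit = " new }
  '
}

# Live helpers (not exercised below). Usage:
#   fetch_ucp_config [ucp_url] [ucp_username] [ucp_password] > ucp-config.toml
#   upload_ucp_config [ucp_url] [ucp_username] [ucp_password] ucp-config.toml
ucp_token() {
  curl -sk -d "{\"username\":\"$2\",\"password\":\"$3\"}" "https://$1/auth/login" | jq -r .auth_token
}
fetch_ucp_config() {
  curl -sk -H "Authorization: Bearer $(ucp_token "$1" "$2" "$3")" "https://$1/api/ucp/config-toml"
}
upload_ucp_config() {
  curl -sk -H "Authorization: Bearer $(ucp_token "$1" "$2" "$3")" --upload-file "$4" "https://$1/api/ucp/config-toml"
}

# Constructed sample exports (not real UCP output) for a stand-alone run.
SAMPLE_COMPLIANT=$(cat <<'EOF'
[auth]
  default_new_user_role = "restricted-control"
  [auth.sessions]
    lifetime_minutes = 60
    renewal_threshold_minutes = 20
    per_user_limit = 3   # within the benchmark's 1..3 range
[log_configuration]
  level = "INFO"
EOF
)
SAMPLE_DEFAULT=$(printf '[auth.sessions]\n  per_user_limit = 10\n')   # UCP default
SAMPLE_DISABLED=$(printf '[auth.sessions]\n  per_user_limit = 0\n')   # limit switched off

printf 'compliant sample:  '; printf '%s\n' "$SAMPLE_COMPLIANT" | check_per_user_limit || true
printf 'default sample:    '; printf '%s\n' "$SAMPLE_DEFAULT"   | check_per_user_limit || true
printf 'disabled sample:   '; printf '%s\n' "$SAMPLE_DISABLED"  | check_per_user_limit || true
printf 'after remediation: '; printf '%s\n' "$SAMPLE_DEFAULT" | set_per_user_limit 3 | check_per_user_limit || true
```

Against a live cluster the flow is `fetch_ucp_config ... > ucp-config.toml`, `check_per_user_limit < ucp-config.toml` for the audit, and `set_per_user_limit 3 < ucp-config.toml > fixed.toml` followed by `upload_ucp_config ... fixed.toml` for the remediation; diff the two files before uploading, since the rewrite touches only the one line inside [auth.sessions] and everything else should be byte-identical.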
Impact
None
Default value
The “Per User Limit” Login Session Control is set to a value of ‘10’ by default.
References
- https://docs.docker.com/ee/ucp/admin/configure/set-session-timeout/
CIS controls
Version 7
16 Account Monitoring and Control