Set the "Lifetime Minutes" and "Renewal Threshold Minutes" values to '15' or lower and '0' respectively
Description
The “Lifetime Minutes” Login Session Control which is configured in the UCP “Admin Settings” | “Authentication & Authorization” section specifies the initial lifetime (in minutes) of a session from the moment it is generated. This should be set to a value of ‘15’ or lower so as to restrict a Docker Enterprise user’s session length to 15 minutes or less. The “Renewal Threshold Minutes” Login Session Control which is also configured in the UCP “Admin Settings” | “Authentication & Authorization” section indicates the period of time (in minutes) before the expiration of a session where, if set, a session will be extended by the current configured lifetime from then. This value cannot be greater than the configured lifetime. A value equal to the lifetime means that sessions will be extended with every use. A value of zero indicates that sessions should never be extended, but this may result in unexpectedly being logged out if the session expires while performing a series of actions in the UI. This value should be set to ‘0’ to prevent a user’s session from being extended for any period of time.
Audit
As a Docker Enterprise Administrator, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with your UCP URL, [ucp_username] with the username of a Docker Enterprise Administrator, and [ucp_password] with the password of a Docker Enterprise Administrator.
Retrieve a UCP API token Linux (requires curl and jq):
$ AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
Retrieve UCP config Linux (requires curl):
$ curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml
Look for the lifetime_minutes and renewal_threshold_minutes entries under the [auth.sessions] section in the output, and verify they are set to values of 15 or lower and 0 respectively.
Rationale
By default, the values of “Lifetime Minutes” and “Renewal Threshold Minutes” are set to ‘60’ and ‘20’ respectively. These values are too high for some organizations and could result in users maintaining active sessions to a Docker Enterprise cluster for a longer period of time than is desired. This makes users prone to session compromise if they are away from their workstations for an extended period of time.
Remediation
As a Docker Enterprise Administrator, execute the following commands from a machine with connectivity to the UCP management console. Replace [ucp_url] with your UCP URL, [ucp_username] with the username of a Docker Enterprise Administrator, and [ucp_password] with the password of a Docker Enterprise Administrator.
Retrieve a UCP API token Linux (requires curl and jq):
$ AUTHTOKEN=$(curl -sk -d '{"username":"[ucp_username]","password":"[ucp_password]"}' https://[ucp_url]/auth/login | jq -r .auth_token)
Retrieve and save UCP config Linux (requires curl):
$ curl -sk -H "Authorization: Bearer $AUTHTOKEN" https://[ucp_url]/api/ucp/config-toml > ucp-config.toml
Open the ucp-config.toml file and set the lifetime_minutes and renewal_threshold_minutes entries under the [auth.sessions] section to values of ‘15’ or lower and ‘0’ respectively. Save the file.
Execute the following command to update UCP with the new configuration Linux (requires curl):
$ curl -sk -H "Authorization: Bearer $AUTHTOKEN" --upload-file ucp-config.toml https://[ucp_url]/api/ucp/config-toml
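The check the Audit and Remediation steps describe by hand can be scripted against the saved ucp-config.toml before it is uploaded back. This is an added example, not part of the benchmark text or of Docker's tooling; it assumes the file has the [auth.sessions] table and integer values shown above, and the script name check_ucp_sessions.sh is made up here.

```shell
#!/bin/sh
# Added example, not from the benchmark: audit a saved UCP config-toml
# (fetched as in the Audit step) against the [auth.sessions] values this
# recommendation requires. Usage: sh check_ucp_sessions.sh ucp-config.toml

# Emit "key=value" for the two session keys, but only while inside the
# [auth.sessions] table; any other table header (e.g. [auth]) ends the match.
ucp_session_values() {
  awk '
    /^[[:space:]]*\[/ { in_sect = ($0 ~ /^[[:space:]]*\[auth\.sessions\][[:space:]]*$/) }
    in_sect && /^[[:space:]]*(lifetime_minutes|renewal_threshold_minutes)[[:space:]]*=/ {
      sub(/#.*/, ""); gsub(/[[:space:]]/, ""); print
    }
  ' "$1"
}

# Return 0 when lifetime_minutes <= 15 and renewal_threshold_minutes == 0,
# 1 when either value is out of range or missing. One PASS/FAIL line per key.
check_ucp_sessions() {
  lifetime=""; renewal=""; rc=0
  for kv in $(ucp_session_values "$1"); do
    case "$kv" in
      lifetime_minutes=*)          lifetime="${kv#*=}" ;;
      renewal_threshold_minutes=*) renewal="${kv#*=}" ;;
    esac
  done
  if [ -n "$lifetime" ] && [ "$lifetime" -le 15 ] 2>/dev/null; then
    echo "PASS lifetime_minutes=$lifetime"
  else
    echo "FAIL lifetime_minutes=${lifetime:-missing} (expected 15 or lower)"; rc=1
  fi
  if [ "$renewal" = "0" ]; then
    echo "PASS renewal_threshold_minutes=0"
  else
    echo "FAIL renewal_threshold_minutes=${renewal:-missing} (expected 0)"; rc=1
  fi
  return "$rc"
}

# When invoked directly with a file argument, audit that file.
if [ "$#" -gt 0 ]; then
  check_ucp_sessions "$1"
fi
```

A missing key counts as a failure on purpose: the benchmark values must be present explicitly, not assumed from the ‘60’/‘20’ defaults.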
Impact
Setting the “Lifetime Minutes” setting to a value that is too low would result in users having to constantly re-authenticate to their Docker Enterprise cluster.
Default value
By default, the values of “Lifetime Minutes” and “Renewal Threshold Minutes” are set to ‘60’ and ‘20’ respectively.
References
- https://docs.docker.com/ee/ucp/admin/configure/set-session-timeout/
CIS controls
Version 7
16 Account Monitoring and Control