ENGDOCS-1802b (#18621)

* ENGDOCS-1802b

* Apply suggestions from code review

Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>

---------

Co-authored-by: David Karlsson <35727626+dvdksn@users.noreply.github.com>
Allie Sadler 2023-11-10 10:16:28 +00:00 committed by GitHub
parent 9c96d26c9c
commit 6fb749f604
5 changed files with 152 additions and 15 deletions


@ -6,11 +6,11 @@ aliases:
- /desktop/linux/space/
---
## What is the difference between Docker Desktop for Linux and Docker Engine?
### What is the difference between Docker Desktop for Linux and Docker Engine?
Docker Desktop for Linux provides a user-friendly graphical interface that simplifies the management of containers and services. It includes Docker Engine as this is the core technology that powers Docker containers. Docker Desktop for Linux also comes with additional features like Docker Scout and Docker Extensions.
## Can I have both Docker Desktop for Linux and Docker Engine installed on my machine?
### Can I have both Docker Desktop for Linux and Docker Engine installed on my machine?
Docker Desktop for Linux and Docker Engine can be installed side-by-side on the
same machine. Docker Desktop for Linux stores containers and images in an isolated
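Review bot: demoting both `##` headings in this hunk to `###` leaves this page with no H2 level at all (the front matter `title` is presumably the H1); confirm the site's sidebar TOC and anchor generation still pick these sections up at H3, and note that the new Security FAQ files added in this commit also start at `###`, so whichever level is chosen should be consistent across the FAQ pages.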
@ -43,7 +43,7 @@ disable the Docker Engine service, and to prevent it from starting automatically
$ sudo systemctl disable docker docker.socket containerd
```
### How do I switch between Docker Desktop and Docker Engine?
#### How do I switch between Docker Desktop and Docker Engine?
The Docker CLI can be used to interact with multiple Docker Engines. For example,
@ -88,7 +88,7 @@ Current context is now "desktop-linux"
Refer to the [Docker Context documentation](../../engine/context/working-with-contexts.md) for more details.
## Why does Docker Desktop for Linux run a VM?
### Why does Docker Desktop for Linux run a VM?
Docker Desktop for Linux runs a Virtual Machine (VM) for the following reasons:
@ -115,7 +115,7 @@ Docker Desktop for Linux runs a Virtual Machine (VM) for the following reasons:
As such, we have adjusted the default memory available to the VM in DD4L. You can tweak this setting to your specific needs by using the **Memory** slider within the **Settings** > **Resources** tab of Docker Desktop.
## How do I enable file sharing?
### How do I enable file sharing?
Docker Desktop for Linux uses [virtiofs](https://virtio-fs.gitlab.io/) as the
default (and currently only) mechanism to enable file sharing between the host
@ -167,16 +167,16 @@ easy access to such a file on the host. The problem is resolved by creating
a group with the new GID and adding our user to it, or by setting a recursive
ACL (see `setfacl(1)`) for folders shared with the Docker Desktop VM.
## Where does Docker Desktop store Linux containers?
### Where does Docker Desktop store Linux containers?
Docker Desktop stores Linux containers and images in a single, large "disk image" file in the Linux filesystem. This is different from Docker on Linux, which usually stores containers and images in the `/var/lib/docker` directory on the host's filesystem.
### Where is the disk image file?
#### Where is the disk image file?
To locate the disk image file, select **Settings** from the Docker Dashboard then **Advanced** from the **Resources** tab.
The **Advanced** tab displays the location of the disk image. It also displays the maximum size of the disk image and the actual space the disk image is consuming. Note that other tools might display space usage of the file in terms of the maximum file size, and not the actual file size.
#### What if the file is too large?
##### What if the file is too large?
If the disk image file is too large, you can:
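Review bot: the demotion of `#### What if the file is too large?` to `#####` in this hunk pushes the page to five heading levels; many doc themes stop rendering TOC entries at H3 or H4, so check that these H5 questions remain discoverable in the sidebar, or flatten the hierarchy (for example keep the disk-image sub-questions at H4) rather than shifting every heading down by one.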
@ -184,7 +184,7 @@ If the disk image file is too large, you can:
- Delete unnecessary containers and images
- Reduce the maximum allowable size of the file
#### How do I move the file to a bigger drive?
##### How do I move the file to a bigger drive?
To move the disk image file to a different location:
@ -196,7 +196,7 @@ To move the disk image file to a different location:
Do not move the file directly in Finder as this can cause Docker Desktop to lose track of the file.
#### How do I delete unnecessary containers and images?
##### How do I delete unnecessary containers and images?
Check whether you have any unnecessary containers and images. If your client and daemon API are running version 1.25 or later (use the `docker version` command on the client to check your client and daemon API versions), you can see the detailed space usage information by running:
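Review bot: the context line `Do not move the file directly in Finder as this can cause Docker Desktop to lose track of the file.` sits in the Linux FAQ but names the macOS file manager; since this hunk is only changing the heading level, it would be worth fixing in the same pass (for example "directly in your file manager") so the Linux page does not carry macOS-specific advice.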
@ -246,7 +246,7 @@ $ ls -klsh Docker.raw
In this example, the actual size of the disk is `2333548` KB, whereas the maximum size of the disk is `64` GB.
#### How do I reduce the maximum size of the file?
##### How do I reduce the maximum size of the file?
To reduce the maximum size of the disk image file:


@ -1,9 +1,88 @@
---
description: Find the answers to common security related FAQs
keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, secuirty, platform
title: Security FAQs
keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, secuirty, platform, Docker Scout, admin, security
title: General security FAQs
---
## How does Docker Desktop handle and store authentication information?
### How do I report a vulnerability?
If youve discovered a security vulnerability in Docker, we encourage you to report it responsibly. Report security issues to security@docker.com so that they can be quickly addressed by our team.
### How are passwords managed when SSO isn't used?
Passwords are encrypted and salt-hashed. If you use application-level passwords instead of SSO, you are responsible for ensuring that your employees know how to pick strong passwords, don't share passwords, and don't reuse passwords across multiple systems.
### Does Docker require password resets when SSO isn't used?
Passwords aren't required to be periodically reset. NIST no longer recommends password resets as part of best practice.
### Does Docker lockout users after failed sign-ins?
Docker Hubs global setting for system lockout is after 10 failed sign in attempts in a period of 5 minutes, and the lockout duration is 5 minutes. The same global policy applies to authenticated Docker Desktop users and Docker Scout, both of which use Docker Hub for authentication.
### Do you support physical MFA with YubiKeys?
This would be configured through SSO using your IDP. Check with your IDP.
### How are sessions managed and do they expire?
Sessions are managed through the IdP if configured.
Docker Desktop sessions expire after 30 days, or after 7 days of inactivity. For Docker Hub, sessions are managed through the IdP if configured. If you use application-level sign-in, users are signed out due to inactivity after 14 days and must sign in again after 30 days.
### How does Docker attribute downloads to us and what data is used to classify/verify the user is part of our organization?
Docker Desktop downloads are linked to a specific organization by the user's email containing the customer's domain. Additionally, we use IP addresses to correlate users with organizations.
### How do you attribute that number of downloads to us from IP data if most of our engineers work from home and arent allowed to use VPNs?
We attribute users and their IP addresses to domains using 3rd party data enrichment software, where our provider analyzes activity from public and private data sources related to that specific IP address, then uses that activity to identify the domain and map it to the IP address.
Some users (very few in comparison) actually authenticate by signing in to Docker Desktop and joining their domain's Docker org, which allows us to map them with a much higher degree of accuracy and report on direct feature usage for you. We highly encourage you to get your users authenticated so we can provide you with the most accurate data.
### How does Docker distinguish between employee users and contractor users?
Organizations set up in Docker use verified domains and any team member with an email domain other than what's verified is noted as a "Guest" in that organization.
### How long are Docker Hub logs available?
Docker provides various types of audit logs and log retention varies. For example, Docker Hub Activity logs are available for 90 days. You are responsible for exporting logs or setting up drivers to their own internal systems.
### Can I export a list of all users with their assigned roles and privileges and if so, in what format?
Using the [Export Members](../../docker-hub/members.md) feature, customers can export to CSV a list of their users with role and team information.
### How does Docker Desktop handle and store authentication information?
Docker Desktop utilizes the host operating system's secure key management for handling and storing authentication tokens necessary for authenticating with image registries. On macOS, this is [Keychain](https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web); on Windows, this is [Security and Identity API via Wincred](https://learn.microsoft.com/en-us/windows/win32/api/wincred/); and on Linux, this is [Pass](https://www.passwordstore.org/).
### How does Docker Hub secure passwords in storage and in transit?
This is applicable only when Docker Hub's application-level password is used vs SSO/SAML. When SSO is used, Docker Hub does not store passwords. Application-level passwords are hashed in storage (SHA-256) and encrypted in transit (TLS).
### How do we de-provision access to CLI users who use personal access tokens instead of our IdP? We use SSO but not SCIM.
If SCIM is not enabled, you have to manually remove PAT users from the organization in our system. When SCIM is used this is automated.
### What metadata is collected from container images that Scout analyzes?
For information about the metadata stored by Docker Scout, [Data handling](../../scout/data-handling.md).
### To which portions of the host filesystem do containers have read and write access? Can containers running as root gain access to admin owned files or directories on the host?
File sharing (bind mount from the host filesystem) uses a user-space crafted file server (running in `com.docker.backend` as the user running Docker Desktop), so containers cant gain any access that the user on the host doesnt already have.
### How are Extensions within the Marketplace vetting for security prior to placement?
Security vetting for extensions is on our roadmap however this vetting is not currently done.
At present in the marketplace, there are two types of extensions - reviewed and self-published. Reviewed extensions are used and reviewed against a set of criteria, and if they pass they are included in the marketplace with a **Reviewed** label. Self-published extensions are automatically placed in the marketplace with a **Not reviewed** label.
Note that even if an extension is reviewed, it is only reviewed on the first publish. Any updates afterwards are not reviewed. Extensions are not covered as part of Dockers Third-Party Risk Management Program.
### Can I disable private repos in my organization via a setting to make sure nobody is pushing images into Docker Hub?
Currently this is not possible.
With [Registry Access Management](../../security/for-admins/registry-access-management.md) (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub.
Docker Desktop utilizes the host operating system's secure key management for handling and storing authentication tokens necessary for authenticating with image registries. On macOS, this is [Keychain](https://support.apple.com/guide/security/keychain-data-protection-secb0694df1a/web); on Windows, this is [Security and Identity API via Wincred](https://learn.microsoft.com/en-us/windows/win32/api/wincred/); and on Linux, this is [Pass](https://www.passwordstore.org/).
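Review bot: the two password answers in this hunk contradict each other and should be reconciled before publishing, since readers will use them for security questionnaires: `Passwords are encrypted and salt-hashed.` (under "How are passwords managed when SSO isn't used?") versus `Application-level passwords are hashed in storage (SHA-256) and encrypted in transit (TLS).` (under "How does Docker Hub secure passwords in storage and in transit?"); the second reads as a plain unsalted SHA-256, which is not a password-hashing construction, so either name the actual salted/slow hash in both places or remove the algorithm detail from both. Smaller points in the same hunk: the new `keywords:` line keeps the `secuirty` typo from the old one; the sentence `Sessions are managed through the IdP if configured.` is immediately repeated in the next paragraph and can be dropped; `For information about the metadata stored by Docker Scout, [Data handling]` is missing "see"; `How are Extensions within the Marketplace vetting for security` should read "vetted"; and `on our roadmap however this vetting` needs a comma or semicolon before "however".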


@ -0,0 +1,33 @@
---
description: Find the answers to FAQs related to networking and virtualization
keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, secuirty, platform, networks, vms
title: Network and VM FAQs
---
### How can I limit the type of internet access allowed by the container when it runs, to prevent it from being able to exfiltrate data or download malicious code?
There is no built-in mechanism for that but it can be addressed by process-level firewall on the host. Hook into the `com.docker.vpnkit`` user-space process and apply rules where it can connect to (DNS URL white list; packet/payload filter) and which ports/protocols it is allowed to use.
### Can I prevent users binding ports on 0.0.0.0?
There is no direct way to enforce that through Docker Desktop but it would inherit any firewall rules enforced on the host.
### What options exist to lock containerized network settings to a system? If not supported, are there any consequences to manipulating the settings?
The Docker network settings are entirely local within the VM and have no effect on the system.
### Can I apply rules on container network traffic via a local firewall or VPN client?
For network connectivity, Docker Desktop uses a user-space process (`com.docker.vpnkit`), which inherits constraints like firewall rules, VPN, http proxy properties etc, from the user that launched it.
### Does running Docker Desktop for Windows with Hyper-V backend allow users to create arbitrary VMs?
No. The `DockerDesktopVM` name is hard coded in the service code, so you cannot use Docker Desktop to create or manipulate any other VM.
### Can I prevent our users creating other VMs when using Docker Desktop on Mac?
On Mac it is an unprivileged operation to start a VM, so that is not enforced by Docker Desktop.
### How does Docker Desktop achieve network level isolation when Hyper-V and/or WSL2 is used?
The VM processes are the same for both WSL 2 (running inside the `docker-desktop` distro) and Hyper-V (running inside the `DockerDesktopVM`). Host/VM communication uses `AF_VSOCK` hypervisor sockets (shared memory). It does not use Hyper-V network switches or network interfaces. All host networking is performed using normal TCP/IP sockets from the `com.docker.vpnkit.exe` and `com.docker.backend.exe` processes. For more information see [How Docker Desktop networking works under the hood](https://www.docker.com/blog/how-docker-desktop-networking-works-under-the-hood/).
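Review bot: the process name an admin must target for host firewall rules is given inconsistently across this file: the first and fourth answers say `com.docker.vpnkit`, while the last answer names `com.docker.vpnkit.exe` and `com.docker.backend.exe` on Windows; state the per-platform process names once so a reader building a process-level firewall rule or a VPN split-tunnel exception matches the right binary. Also in the first answer, `com.docker.vpnkit`` has a stray second backtick, "DNS URL white list" is better as "DNS allowlist", and the heading `Hyper-V and/or WSL2` should use "WSL 2" as the body text does; the `keywords:` front matter repeats the `secuirty` typo.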


@ -0,0 +1,21 @@
---
description: Find the answers to common Docker Desktop settings FAQs
keywords: Docker, Docker Hub, Docker Desktop secuirty FAQs, secuirty, platform
title: Settings Management FAQs
---
### Can I prevent our developers from running privileged containers?
Yes, by enabling [Enhanced Container Isolation](../../desktop/hardened-desktop/enhanced-container-isolation/_index.md) and locking that setting with [Settings Management](../../desktop/hardened-desktop/settings-management/_index.md). This is only available for Docker Business customers.
### How can I restrict access to certain settings so users cannot change things (e.g. enabling Kubernetes service, turning on send usage statistics, turning on experimental features etc.)?
Yes, you can do that with [Settings Management](../../desktop/hardened-desktop/settings-management/_index.md).
### Can I prevent a developer from enabling the unsafe “Expose daemon on tcp://localhost:2375 without TLS” option on Windows?
Yes, you can do that with [Settings Management](../../desktop/hardened-desktop/settings-management/_index.md).
### Can I restrict the write access to `settings.json` to prevent modification by our developers?
This would crash the application. For Docker Business customers however administrators can lock the Docker Desktop settings through the Settings Management feature by deploying an `admin-settings.json` file.
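Review bot: the question `How can I restrict access to certain settings so users cannot change things ...` is a "how" question but its answer opens with `Yes, you can do that with ...`; rephrase the question as "Can I ..." (matching the neighbouring entries) or make the answer say how (which `admin-settings.json` keys lock those settings). In the last answer, `This would crash the application.` would be more useful if it said why, for example that Docker Desktop needs to write `settings.json` itself, so that admins do not attempt the file-permission approach; the `keywords:` front matter again carries the `secuirty` typo.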


@ -2184,6 +2184,10 @@ FAQ:
section:
- path: /faq/security/general/
title: General
- path: /faq/security/networking-and-vms/
title: Networking and VMs
- path: /faq/security/settings-management/
title: Settings Management
- path: /faq/security/eci-faq/
title: Enhanced Container Isolation
- sectiontitle: Single Sign-On
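Review bot: the new nav entry `title: Networking and VMs` does not match the front-matter title of the page it points to, which is `Network and VM FAQs` in the added file; align the wording (either "Networking and VMs" or "Network and VM") so the sidebar label and the page heading agree, as they do for the Settings Management entry.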