From ba216cd2ae428b9bce483cc619f75cbb2cfafa86 Mon Sep 17 00:00:00 2001 
From: Allie Sadler <102604716+aevesdocker@users.noreply.github.com> Date: Wed, 18 Oct 2023 16:01:14 +0100 Subject: [PATCH] ENGDOCS-1558 (#18419) * initial structure * move security announcements page * PAT and 2FA content move * fix broken links and adjust landing page cards with moved topics * fix links * move enforce sign in content and update landing page * move enforce sign in content and update landing page * fix build * fix image * move domain audit content * add domain audit to grid * move RAM and IAM * landing page * more landing page development * fix links * fix links * fix toc * move scout * move scout --- content/admin/company/settings/domains.md | 13 --- content/admin/organization/image-access.md | 9 --- content/admin/organization/registry-access.md | 9 --- .../organization/security-settings/domains.md | 17 ---- content/build/hydrobuild.md | 2 +- content/cloud/ecs-integration.md | 2 +- content/desktop/faqs/general.md | 2 +- content/desktop/get-started.md | 2 +- content/desktop/hardened-desktop/_index.md | 4 +- .../enhanced-container-isolation/_index.md | 4 +- .../image-access-management.md | 7 -- .../registry-access-management.md | 10 --- .../settings-management/_index.md | 2 +- .../settings-management/configure.md | 2 +- content/docker-hub/_index.md | 6 +- content/docker-hub/admin-overview.md | 14 +--- content/docker-hub/api/latest.yaml | 2 +- content/docker-hub/domain-audit.md | 7 -- content/docker-hub/general-faqs.md | 2 +- content/docker-hub/image-access-management.md | 7 -- content/docker-hub/organization-faqs.md | 4 +- .../docker-hub/registry-access-management.md | 7 -- content/docker-hub/release-notes.md | 6 +- content/docker-id/_index.md | 2 +- content/includes/admin-early-access.md | 2 +- content/includes/gha-tutorial.md | 2 +- content/language/dotnet/configure-ci-cd.md | 2 +- content/language/nodejs/configure-ci-cd.md | 2 +- content/security/_index.md | 74 ++++++++++++++++++ .../for-admins}/configure-sign-in.md | 12 +-- 
content/security/for-admins/domain-audit.md | 45 +++++++++++ .../for-admins/image-access-management.md | 38 +++++++++ .../for-admins/registry-access-management.md | 60 ++++++++++++++ .../for-developers}/2fa/_index.md | 2 + .../for-developers}/2fa/disable-2fa.md | 2 + .../for-developers}/2fa/new-recovery-code.md | 2 + .../2fa/recover-hub-account.md | 2 + .../for-developers}/access-tokens.md | 2 + .../images/enforce-sign-in.png | Bin .../security-announcements.md} | 2 +- content/single-sign-on/enforcement-faqs.md | 4 +- content/single-sign-on/users-faqs.md | 2 +- content/subscription/details.md | 6 +- data/redirects.yml | 2 +- data/toc.yaml | 69 ++++++++-------- layouts/shortcodes/admin-domain-audit.md | 18 ----- layouts/shortcodes/admin-image-access.html | 14 ---- layouts/shortcodes/admin-registry-access.html | 41 +--------- 48 files changed, 300 insertions(+), 247 deletions(-) delete mode 100644 content/admin/company/settings/domains.md delete mode 100644 content/admin/organization/image-access.md delete mode 100644 content/admin/organization/registry-access.md delete mode 100644 content/admin/organization/security-settings/domains.md delete mode 100644 content/desktop/hardened-desktop/image-access-management.md delete mode 100644 content/desktop/hardened-desktop/registry-access-management.md delete mode 100644 content/docker-hub/domain-audit.md delete mode 100644 content/docker-hub/image-access-management.md delete mode 100644 content/docker-hub/registry-access-management.md create mode 100644 content/security/_index.md rename content/{docker-hub => security/for-admins}/configure-sign-in.md (95%) create mode 100644 content/security/for-admins/domain-audit.md create mode 100644 content/security/for-admins/image-access-management.md create mode 100644 content/security/for-admins/registry-access-management.md rename content/{docker-hub => security/for-developers}/2fa/_index.md (98%) rename content/{docker-hub => security/for-developers}/2fa/disable-2fa.md (86%) 
rename content/{docker-hub => security/for-developers}/2fa/new-recovery-code.md (90%)
rename content/{docker-hub => security/for-developers}/2fa/recover-hub-account.md (93%)
rename content/{docker-hub => security/for-developers}/access-tokens.md (98%)
rename content/{docker-hub => security}/images/enforce-sign-in.png (100%)
rename content/{security.md => security/security-announcements.md} (99%)
diff --git a/content/admin/company/settings/domains.md b/content/admin/company/settings/domains.md
deleted file mode 100644
index f193965818..0000000000
--- a/content/admin/company/settings/domains.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-description: Domain management in Docker Admin
-keywords: domains, SCIM, SSO, Docker Admin
-title: Domain management
----
-
-{{< include "admin-early-access.md" >}}
-
-Use domain management to manage your domains for Single Sign-On and SCIM.
-
-## Add and verify a domain
-
-{{% admin-domains product="admin" layer="company" %}}
diff --git a/content/admin/organization/image-access.md b/content/admin/organization/image-access.md
deleted file mode 100644
index 13f9290d11..0000000000
--- a/content/admin/organization/image-access.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-description: Image Access Management
-keywords: image, access, management
-title: Image Access Management
----
-
-{{< include "admin-early-access.md" >}}
-
-{{% admin-image-access product="admin" %}}
\ No newline at end of file
diff --git a/content/admin/organization/registry-access.md b/content/admin/organization/registry-access.md
deleted file mode 100644
index ec80dc99fe..0000000000
--- a/content/admin/organization/registry-access.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-description: Registry Access Management
-keywords: registry, access, management
-title: Registry Access Management
----
-
-{{< include "admin-early-access.md" >}}
-
-{{% admin-registry-access product="admin" %}}
\ No newline at end of file
diff --git a/content/admin/organization/security-settings/domains.md b/content/admin/organization/security-settings/domains.md
deleted file mode 100644
index abaffc730e..0000000000
--- a/content/admin/organization/security-settings/domains.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-description: Domain management in Docker Admin
-keywords: domains, SCIM, SSO, Docker Admin, domain audit
-title: Domain management
----
-
-{{< include "admin-early-access.md" >}}
-
-Use domain management to manage your domains for Single Sign-On and SCIM, as well as audit your domains for uncaptured users.
-
-## Add and verify a domain
-
-{{% admin-domains product="admin" layer="organization" %}}
-
-## Domain audit
-
-{{% admin-domain-audit product="admin" %}}
diff --git a/content/build/hydrobuild.md b/content/build/hydrobuild.md
index 9955fcf1ac..a9a1df08a0 100644
--- a/content/build/hydrobuild.md
+++ b/content/build/hydrobuild.md
@@ -323,7 +323,7 @@ mkdir -vp ~/.docker/cli-plugins/ curl --silent -L --output ~/.docker/cli-plugins/docker-buildx $BUILDX_URL chmod a+x ~/.docker/cli-plugins/docker-buildx -# Login to Docker Hub. For security reasons $DOCKER_PASS should be a Personal Access Token. See https://docs.docker.com/docker-hub/access-tokens/ +# Login to Docker Hub. For security reasons $DOCKER_PASS should be a Personal Access Token. See https://docs.docker.com/security/for-developers/access-tokens/ echo "$DOCKER_PASS" | docker login --username $DOCKER_USER --password-stdin # Connect to your builder and set it as the default builder
diff --git a/content/cloud/ecs-integration.md b/content/cloud/ecs-integration.md
index d5e2c5f1b2..f412760721 100644
--- a/content/cloud/ecs-integration.md
+++ b/content/cloud/ecs-integration.md
@@ -216,7 +216,7 @@ For your convenience, the Docker Compose CLI offers the `docker secret` command, First, create a `token.json` file to define your DockerHub username and access token. -For instructions on how to generate access tokens, see [Managing access tokens](../docker-hub/access-tokens.md). +For instructions on how to generate access tokens, see [Managing access tokens](../security/for-developers/access-tokens.md) ```json { diff --git a/content/desktop/faqs/general.md b/content/desktop/faqs/general.md index 48cd86b7bd..36b0ed73d5 100644 --- a/content/desktop/faqs/general.md +++ b/content/desktop/faqs/general.md @@ -48,7 +48,7 @@ This includes: - The resources in the [Learning Center](../use-desktop/index.md) - Pulling or pushing an image to Docker Hub -- [Image Access Management](../../docker-hub/image-access-management.md) +- [Image Access Management](../../security/for-developers/access-tokens.md) - [Vulnerability scanning](../../docker-hub/vulnerability-scanning.md) - Viewing remote images in the Docker Dashboard - Setting up [Dev Environments](../dev-environments/index.md) diff --git a/content/desktop/get-started.md b/content/desktop/get-started.md index 79741f0830..c243b53179 100644 --- a/content/desktop/get-started.md +++ b/content/desktop/get-started.md 
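Review bot: The rewritten line in ecs-integration.md loses the full stop that closed the sentence on the removed line; the replacement should read `For instructions on how to generate access tokens, see [Managing access tokens](../security/for-developers/access-tokens.md).`. The hunk otherwise only moves the link target, and the surrounding paragraph continues outside it.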
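Review bot: In desktop/faqs/general.md the Image Access Management list item now links to `../../security/for-developers/access-tokens.md`, the personal access token page, so the link text and its destination no longer agree. This patch creates `content/security/for-admins/image-access-management.md` (see the diffstat), which is the target the other retargeted hunks use, for example desktop/hardened-desktop/_index.md and docker-hub/organization-faqs.md; the line should be `- [Image Access Management](../../security/for-admins/image-access-management.md)`. Worth checking that no other line in this file received the same substitution, since only this hunk is visible here.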
@@ -35,7 +35,7 @@ Once signed in, you can access your Docker Hub repositories directly from Docker Authenticated users also get a higher pull rate limit compared to anonymous users. For example, if you are authenticated, you get 200 pulls per 6 hour period, compared to 100 pulls per 6 hour period per IP address for anonymous users. For more information, see [Download rate limit](../docker-hub/download-rate-limit.md). -In large enterprises where admin access is restricted, administrators can [Configure registry.json to enforce sign-in](../docker-hub/configure-sign-in.md). Enforcing developers to authenticate through Docker Desktop also allows administrators to improve their organization’s security posture for containerized development by taking advantage of [Hardened Desktop](hardened-desktop/index.md). +In large enterprises where admin access is restricted, administrators can [Configure registry.json to enforce sign-in](../security/for-admins/configure-sign-in.md). Enforcing developers to authenticate through Docker Desktop also allows administrators to improve their organization’s security posture for containerized development by taking advantage of [Hardened Desktop](hardened-desktop/index.md). > **Note** > diff --git a/content/desktop/hardened-desktop/_index.md b/content/desktop/hardened-desktop/_index.md index 840c79509f..dca81bcfb9 100644 --- a/content/desktop/hardened-desktop/_index.md +++ b/content/desktop/hardened-desktop/_index.md @@ -16,11 +16,11 @@ grid: - title: "Registry Access Management" description: Control the registries developers can access while using Docker Desktop. icon: "home_storage" - link: "/desktop/hardened-desktop/registry-access-management/" + link: "/security/for-admins/registry-access-management/" - title: "Image Access Management" description: Control the images developers can pull from Docker Hub. icon: "photo_library" - link: "/docker-hub/image-access-management/" + link: "/security/for-admins/image-access-management/" --- >Note 
diff --git a/content/desktop/hardened-desktop/enhanced-container-isolation/_index.md b/content/desktop/hardened-desktop/enhanced-container-isolation/_index.md index f97a889329..e2b92b3e03 100644 --- a/content/desktop/hardened-desktop/enhanced-container-isolation/_index.md +++ b/content/desktop/hardened-desktop/enhanced-container-isolation/_index.md @@ -21,7 +21,7 @@ These techniques include: When Enhanced Container Isolation is enabled, these mechanisms are applied automatically and with minimal functional or performance impact to developers. Developers continue to use Docker Desktop as usual, but the containers they launch are more strongly isolated. -Enhanced Container Isolation ensures stronger container isolation and also locks in any security configurations that have been created by IT admins, for instance through [Registry Access Management policies](../registry-access-management.md) or with [Settings Management](../settings-management/index.md). +Enhanced Container Isolation ensures stronger container isolation and also locks in any security configurations that have been created by IT admins, for instance through [Registry Access Management policies](../../../security/for-admins/registry-access-management.md) or with [Settings Management](../settings-management/index.md). >**Note** 
>
@@ -90,7 +90,7 @@ To enable Enhanced Container Isolation as a developer: #### As an admin -To enable Enhanced Container Isolation as an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Enhanced Container Isolation feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. +To enable Enhanced Container Isolation as an admin, you first need to [configure a `registry.json` file to enforce sign-in](../../../security/for-admins/configure-sign-in.md). This is because the Enhanced Container Isolation feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. Next, you must [create and configure the `admin-settings.json` file](../settings-management/configure.md) and specify:
diff --git a/content/desktop/hardened-desktop/image-access-management.md b/content/desktop/hardened-desktop/image-access-management.md
deleted file mode 100644
index 478f5e5bb6..0000000000
--- a/content/desktop/hardened-desktop/image-access-management.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-description: Image Access Management
-keywords: image, access, management
-title: Image Access Management
----
-
-{{% admin-image-access product="hub" %}}
\ No newline at end of file
diff --git a/content/desktop/hardened-desktop/registry-access-management.md b/content/desktop/hardened-desktop/registry-access-management.md
deleted file mode 100644
index 5b1440c325..0000000000
--- a/content/desktop/hardened-desktop/registry-access-management.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-description: What Registry Access Management is and how to use it
-keywords: registry access management, Hardened Docker Desktop, Docker Desktop, images,
- Docker Hub
-title: Registry Access Management
-aliases:
-- /docker-hub/registry-access-management/
----
-
-{{% admin-registry-access product="hub" %}}
\ No newline at end of file
diff --git a/content/desktop/hardened-desktop/settings-management/_index.md b/content/desktop/hardened-desktop/settings-management/_index.md
index b5335f4459..cf6f0d9755 100644
--- a/content/desktop/hardened-desktop/settings-management/_index.md
+++ b/content/desktop/hardened-desktop/settings-management/_index.md
@@ -44,7 +44,7 @@ For more details on the syntax and options admins can set, see [Configure Settin ### How do I set up and enforce Settings Management? -As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because the Settings Management feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. +As an administrator, you first need to [configure a registry.json to enforce sign-in](../../../security/for-admins/configure-sign-in.md). This is because the Settings Management feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. Next, you must either manually [create and configure the admin-settings.json file](configure.md), or use the `--admin-settings` installer flag on [macOS](../../install/mac-install.md#install-from-the-command-line) or [Windows](../../install/windows-install.md#install-from-the-command-line) to automatically create the `admin-settings.json` and save it in the correct location.
diff --git a/content/desktop/hardened-desktop/settings-management/configure.md b/content/desktop/hardened-desktop/settings-management/configure.md index 95430dc794..45068e7a57 100644 --- a/content/desktop/hardened-desktop/settings-management/configure.md +++ b/content/desktop/hardened-desktop/settings-management/configure.md @@ -15,7 +15,7 @@ Settings Management is designed specifically for organizations who don’t give ### Prerequisites - [Download and install Docker Desktop 4.13.0 or later](../../release-notes.md). -- As an admin, you need to [configure a registry.json to enforce sign-in](../../../docker-hub/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. +- As an admin, you need to [configure a registry.json to enforce sign-in](../../../security/for-admins/configure-sign-in.md). This is because this feature requires a Docker Business subscription and therefore your Docker Desktop users must authenticate to your organization for this configuration to take effect. ### Step one: Create the `admin-settings.json` file and save it in the correct location diff --git a/content/docker-hub/_index.md b/content/docker-hub/_index.md index 58370cd1e5..67cf838558 100644 --- a/content/docker-hub/_index.md +++ b/content/docker-hub/_index.md @@ -17,10 +17,6 @@ grid: description: Step-by-step instructions on getting started on Docker Hub. icon: explore link: /docker-hub/quickstart -- title: Manage access tokens - description: Create personal access tokens as an alternative to your password. - icon: password - link: /docker-hub/access-tokens - title: Release notes description: Find out about new features, improvements, and bug fixes. icon: note_add 
@@ -51,7 +47,7 @@ GitHub and Bitbucket and push them to Docker Hub. * Use [Group mapping](group-mapping.md) * [Carry out domain audits](domain-audit.md) * [Use Image Access Management](image-access-management.md) to control developers' access to certain types of images -* [Turn on Registry Access Management](../desktop/hardened-desktop/registry-access-management.md) +* [Turn on Registry Access Management](../security/for-admins/registry-access-management.md) {{< /tab >}} {{< /tabs >}} diff --git a/content/docker-hub/admin-overview.md b/content/docker-hub/admin-overview.md index cf87836da9..f5de4717fb 100644 --- a/content/docker-hub/admin-overview.md +++ b/content/docker-hub/admin-overview.md @@ -11,24 +11,12 @@ grid: icon: explore link: /docker-hub/onboard/ description: Learn how to onboard users to your organization. -- title: Use Hardened Docker Desktop - icon: lock - link: /desktop/hardened-desktop/ - description: Explore the security model for Docker Desktop. -- title: Enforce sign-in - description: Configure sign-in for members of your teams and organizations. - link: /docker-hub/configure-sign-in/ - icon: passkey - title: Enable Single Sign-On description: Understand and use Single Sign-On. link: /single-sign-on/ icon: key -- title: Set up two-factor authentication - description: Add an extra layer of authentication to your Docker account. - link: /docker-hub/2fa/ - icon: phonelink_lock --- -Sign in to Docker Hub to change account settings and carry out administrative or security-related tasks. +Sign in to Docker Hub to change account settings and carry out administrative related tasks. {{< grid >}} \ No newline at end of file diff --git a/content/docker-hub/api/latest.yaml b/content/docker-hub/api/latest.yaml index c1e830300b..ff667d848f 100644 --- a/content/docker-hub/api/latest.yaml +++ b/content/docker-hub/api/latest.yaml 
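Review bot: The two context lines just above the changed one in docker-hub/_index.md still link `domain-audit.md` and `image-access-management.md` relative to content/docker-hub/, and this same patch deletes both `content/docker-hub/domain-audit.md` and `content/docker-hub/image-access-management.md`, so those links presumably no longer resolve after the move. Retargeting them alongside the Registry Access Management line keeps the list consistent: `* [Carry out domain audits](../security/for-admins/domain-audit.md)` and `* [Use Image Access Management](../security/for-admins/image-access-management.md) to control developers' access to certain types of images`. Note also that the deleted desktop/hardened-desktop/registry-access-management.md carried `aliases: - /docker-hub/registry-access-management/`; whether the new for-admins pages re-declare that alias for external links is not visible in this chunk.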
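Review bot: The rewritten intro sentence in admin-overview.md, `carry out administrative related tasks`, is ungrammatical; `carry out administrative tasks` or `carry out administration-related tasks` reads correctly. The same hunk removes the Hardened Docker Desktop, Enforce sign-in and two-factor authentication cards without leaving a pointer to where they went, so a sentence such as `For security-related tasks, see [Security](/security/).` after the intro would keep that path discoverable from the admin overview.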
@@ -62,7 +62,7 @@ tags: x-displayName: Personal Access Tokens description: | The Personal Access Token endpoints lets you manage personal access tokens. For more - information, see [Access Tokens](https://docs.docker.com/docker-hub/access-tokens/). + information, see [Access Tokens](https://docs.docker.com/security/for-developers/access-tokens/). You can use a personal access token instead of a password in the [Docker CLI](https://docs.docker.com/engine/reference/commandline/cli/) or in the [Create an authentication token](#operation/PostUsersLogin) route to obtain a bearer
diff --git a/content/docker-hub/domain-audit.md b/content/docker-hub/domain-audit.md
deleted file mode 100644
index d7143c30db..0000000000
--- a/content/docker-hub/domain-audit.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-description: Audit your domains for uncaptured users.
-keywords: domain audit, security
-title: Domain audit
----
-
-{{% admin-domain-audit product="hub" %}}
\ No newline at end of file
diff --git a/content/docker-hub/general-faqs.md b/content/docker-hub/general-faqs.md
index 6bd6c9bafd..1d79c1e758 100644
--- a/content/docker-hub/general-faqs.md
+++ b/content/docker-hub/general-faqs.md
@@ -1,6 +1,6 @@
 ---
 title: General FAQs for Docker Hub
-description: Frequently asked administration and security questions
+description: Frequently asked administration questions
 keywords: onboarding, docker, teams, orgs
 redirect:
 - /docker-hub/onboarding-faqs/
diff --git a/content/docker-hub/image-access-management.md b/content/docker-hub/image-access-management.md
deleted file mode 100644
index 478f5e5bb6..0000000000
--- a/content/docker-hub/image-access-management.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-description: Image Access Management
-keywords: image, access, management
-title: Image Access Management
----
-
-{{% admin-image-access product="hub" %}}
\ No newline at end of file
diff --git a/content/docker-hub/organization-faqs.md b/content/docker-hub/organization-faqs.md
index d62151d77f..127e694b37 100644
--- a/content/docker-hub/organization-faqs.md
+++ b/content/docker-hub/organization-faqs.md
@@ -29,9 +29,9 @@ No. Organization owners can invite users through email and also choose a team fo ### Can I force my organization's members to authenticate before using Docker Desktop and are there any benefits? -Yes. You can [enforce sign-in](../docker-hub/configure-sign-in.md) and some benefits are: +Yes. You can [enforce sign-in](../security/for-admins/configure-sign-in.md) and some benefits are: -- Administrators can enforce features like [Image Access Management](../docker-hub/image-access-management.md) and [Registry Access Management](../docker-hub/registry-access-management.md). +- Administrators can enforce features like [Image Access Management](../security/for-admins/image-access-management.md) and [Registry Access Management](../security/for-admins/registry-access-management.md). - Administrators can ensure compliance by blocking Docker Desktop usage for users who do not sign in as members of the organization. ### If a user has their personal email associated with a user account in Docker Hub, do they have to convert to using the org’s domain before they can be invited to join an organization?
diff --git a/content/docker-hub/registry-access-management.md b/content/docker-hub/registry-access-management.md
deleted file mode 100644
index 6e719b3c40..0000000000
--- a/content/docker-hub/registry-access-management.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-description: Registry Access Management
-keywords: registry, access, management
-title: Registry Access Management
----
-
-{{% admin-registry-access product="hub" %}}
\ No newline at end of file
diff --git a/content/docker-hub/release-notes.md b/content/docker-hub/release-notes.md
index c986ca6fc6..fbe38b7c79 100644
--- a/content/docker-hub/release-notes.md
+++ b/content/docker-hub/release-notes.md @@ -38,7 +38,7 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro ### New -- The new [domain audit](../docker-hub/domain-audit.md) feature lets you audit your domains for users who aren't a member of your organization. +- The new domain audit feature lets you audit your domains for users who aren't a member of your organization. ## 2022-09-26 @@ -51,7 +51,7 @@ Take a look at the [Docker Public Roadmap](https://github.com/docker/roadmap/pro ### Bug fixes and enhancements -- In Docker Hub, you can now download a [registry.json](../docker-hub/configure-sign-in.md) file or copy the commands to create a registry.json file to enforce sign-in for your organization. +- In Docker Hub, you can now download a [registry.json](../security/for-admins/configure-sign-in.md) file or copy the commands to create a registry.json file to enforce sign-in for your organization. ## 2022-09-19 @@ -188,7 +188,7 @@ to `hub.docker.com`. You can access the page at its new URL: [https://hub.docker ## 2019-10-21 ### New features -* **Beta:** Docker Hub now supports [two-factor authentication (2FA)](2fa/index.md). Enable it in your account settings, under the **[Security](https://hub.docker.com/settings/security)** section. +* **Beta:** Docker Hub now supports two-factor authentication (2FA). Enable it in your account settings, under the **[Security](https://hub.docker.com/settings/security)** section. > If you lose both your 2FA authentication device and recovery code, you may > not be able to recover your account. diff --git a/content/docker-id/_index.md b/content/docker-id/_index.md index b7cabf83c8..b2d643e4dc 100644 --- a/content/docker-id/_index.md +++ b/content/docker-id/_index.md 
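Review bot: The first hunk in release-notes.md (line 38) and the third (line 188) drop their links entirely rather than pointing them at the moved pages, while the middle hunk (line 51) does retarget its registry.json link, so the three hunks treat the same situation differently. Both target pages still exist after this patch under content/security, so the links can be kept: `- The new [domain audit](../security/for-admins/domain-audit.md) feature lets you audit your domains for users who aren't a member of your organization.` and `* **Beta:** Docker Hub now supports [two-factor authentication (2FA)](../security/for-developers/2fa/_index.md). Enable it in your account settings, under the **[Security](https://hub.docker.com/settings/security)** section.`. Release notes are normally kept as a historical record, so if dropping the links was deliberate, a line in the commit message saying so would help the next reader.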
@@ -45,7 +45,7 @@ You can also sign in through the CLI using the `docker login` command. For more > When you use the `docker login` command, your credentials are stored in your home directory in `.docker/config.json`. The password is base64-encoded in this file. > -> We recommend using one of the [Docker credential helpers](https://github.com/docker/docker-credential-helpers) for secure storage of passwords. For extra security, you can also use a [personal access token](../docker-hub/access-tokens.md) to log in instead, which is still encoded in this file (without a Docker credential helper) but doesn't allow admin actions (such as changing the password). +> We recommend using one of the [Docker credential helpers](https://github.com/docker/docker-credential-helpers) for secure storage of passwords. For extra security, you can also use a [personal access token](../security/for-developers/access-tokens.md) to log in instead, which is still encoded in this file (without a Docker credential helper) but doesn't allow admin actions (such as changing the password). { .warning } ## Troubleshooting diff --git a/content/includes/admin-early-access.md b/content/includes/admin-early-access.md index b9028ff93f..9666eab1b7 100644 --- a/content/includes/admin-early-access.md +++ b/content/includes/admin-early-access.md 
@@ -2,5 +2,5 @@ > > Docker Admin is an [early access](/release-lifecycle#early-access-ea) product. > -> It's currently available to all company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see [Administration and security](/docker-hub/admin-overview/). +> It's currently available to all company owners and organization owners that have a Docker Business or Docker Team subscription. You can still manage companies and organizations in Docker Hub. For details about managing companies or organizations in Docker Hub, see [Administration](/docker-hub/admin-overview/). { .restricted } \ No newline at end of file diff --git a/content/includes/gha-tutorial.md b/content/includes/gha-tutorial.md index 983b817b02..0e36761e84 100644 --- a/content/includes/gha-tutorial.md +++ b/content/includes/gha-tutorial.md @@ -23,7 +23,7 @@ Create a GitHub repository and configure the Docker Hub secrets. 3. Create a new secret named `DOCKERHUB_USERNAME` and your Docker ID as value. 4. Create a new - [Personal Access Token (PAT)](/docker-hub/access-tokens/#create-an-access-token) + [Personal Access Token (PAT)](/security/for-developers/access-tokens/#create-an-access-token) for Docker Hub. You can name this token `clockboxci`. 5. Add the PAT as a second secret in your GitHub repository, with the name diff --git a/content/language/dotnet/configure-ci-cd.md b/content/language/dotnet/configure-ci-cd.md index 563869330d..324a4e93d0 100644 --- a/content/language/dotnet/configure-ci-cd.md +++ b/content/language/dotnet/configure-ci-cd.md 
@@ -28,7 +28,7 @@ Create a GitHub repository, configure the Docker Hub secrets, and push your sour 3. Create a new secret named `DOCKER_USERNAME` and your Docker ID as value. 4. Create a new [Personal Access Token - (PAT)](/docker-hub/access-tokens/#create-an-access-token) for Docker Hub. You + (PAT)](/security/for-developers/access-tokens/#create-an-access-token) for Docker Hub. You can name this token `tutorial-docker`. 5. Add the PAT as a second secret in your GitHub repository, with the name diff --git a/content/language/nodejs/configure-ci-cd.md b/content/language/nodejs/configure-ci-cd.md index 49344258e8..126ad8aa20 100644 --- a/content/language/nodejs/configure-ci-cd.md +++ b/content/language/nodejs/configure-ci-cd.md @@ -28,7 +28,7 @@ Create a GitHub repository, configure the Docker Hub secrets, and push your sour 3. Create a new secret named `DOCKER_USERNAME` and your Docker ID as value. 4. Create a new [Personal Access Token - (PAT)](/docker-hub/access-tokens/#create-an-access-token) for Docker Hub. You + (PAT)](/security/for-developers/access-tokens/#create-an-access-token) for Docker Hub. You can name this token `node-docker`. 5. Add the PAT as a second secret in your GitHub repository, with the name diff --git a/content/security/_index.md b/content/security/_index.md new file mode 100644 index 0000000000..fa27372329 --- /dev/null +++ b/content/security/_index.md 
@@ -0,0 +1,74 @@
+---
+description: Learn about security features Docker has to offer and explore best practices
+keywords: docker, docker hub, docker desktop, security
+title: Security
+grid_admins:
+- title: Settings Management
+ description: Learn how Settings Management can secure your developers' workflows.
+ icon: shield_locked
+ link: /desktop/hardened-desktop/settings-management/
+- title: Enhanced Container Isolation
+ description: Understand how Enhanced Container Isolation can prevent container attacks.
+ icon: security
+ link: /desktop/hardened-desktop/enhanced-container-isolation/
+- title: Registry Access Management
+ description: Control the registries developers can access while using Docker Desktop.
+ icon: home_storage
+ link: /security/for-admins/registry-access-management/
+- title: Image Access Management
+ description: Control the images developers can pull from Docker Hub.
+ icon: photo_library
+ link: /security/for-admins/image-access-management/
+- title: Enforce sign-in
+ description: Configure sign-in for members of your teams and organizations.
+ link: /security/for-admins/configure-sign-in/
+ icon: passkey
+- title: Domain audit
+ description: Identify uncaptured users in your organization.
+ link: /security/for-admins/domain-audit/
+ icon: person_search
+- title: Docker Scout
+ description: Explore how Docker Scout can help you create a more secure software supply chain.
+ icon: query_stats
+ link: /scout/
+grid_developers:
+- title: Set up two-factor authentication
+ description: Add an extra layer of authentication to your Docker account.
+ link: /security/for-developers/2fa/
+ icon: phonelink_lock
+- title: Manage access tokens
+ description: Create personal access tokens as an alternative to your password.
+ icon: password
+ link: /security/for-developers/access-tokens/
+- title: Static vulnerability scanning
+ description: Automatically run a point-in-time scan on your Docker images for vulnerabilities.
+ icon: image_search
+ link: /docker-hub/vulnerability-scanning/
+- title: Docker Engine security
+ description: Understand how to keep Docker Engine secure.
+ icon: security
+ link: /engine/security/
+- title: Secrets in Docker Compose
+ description: Learn how to use secrets in Docker Compose.
+ icon: privacy_tip
+ link: /compose/use-secrets/
+---
+
+Docker provides security guardrails for both administrators and developers.
+
+If you are an administrator, you can enforce sign in across Docker products for your developers, and
+scale, manage, and secure your instances of Docker Desktop with DevOps security controls like Enhanced Container Isolation and Registry Access Management.
+
+For both administrators and developers, Docker provides security-specific products such as Docker Scout, for securing your software supply chain with proactive image vulnerability monitoring and remediation strategies.
+
+## For administrators
+
+Explore the security features Docker offers to satisfy your company's security policies.
+
+{{< grid grid_admins >}}
+
+## For developers
+
+See how you can protect your local environments, infrastructure, and networks without impeding productivity.
+
+{{< grid grid_developers >}}
\ No newline at end of file
diff --git a/content/docker-hub/configure-sign-in.md b/content/security/for-admins/configure-sign-in.md
similarity index 95%
rename from content/docker-hub/configure-sign-in.md
rename to content/security/for-admins/configure-sign-in.md
index 78744d75d7..193e578b70 100644
--- a/content/docker-hub/configure-sign-in.md
+++ b/content/security/for-admins/configure-sign-in.md
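Review bot: The intro of the new content/security/_index.md says an administrator `can enforce sign in across Docker products`, but the page the grid links for this is titled `Enforce sign-in for Desktop` in the rename hunk later in this patch and covers Docker Desktop only; `you can enforce sign-in to Docker Desktop for your developers` matches the linked content and the hyphenation used by the `Enforce sign-in` card above it. The developer section's lead-in, `protect your local environments, infrastructure, and networks`, is broader than the cards beneath it (2FA, access tokens, vulnerability scanning, Engine security, Compose secrets); naming those themes would set accurate expectations. The file is also added with `\ No newline at end of file`, which is easy to fix before merge.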
@@ -3,13 +3,15 @@ description: Configure registry.json to enforce users to sign into Docker Deskto toc_max: 2 keywords: authentication, registry.json, configure, title: Enforce sign-in for Desktop +aliases: +- /docker-hub/configure-sign-in/ --- By default, members of your organization can use Docker Desktop without signing in. When users don’t sign in as a member of your organization, they don’t receive the [benefits of your organization’s -subscription](../subscription/details.md) and they can circumvent [Docker’s -security features](../desktop/hardened-desktop/_index.md) for your organization. +subscription](../../subscription/details.md) and they can circumvent [Docker’s +security features](../../desktop/hardened-desktop/_index.md) for your organization. To ensure members of your organization always sign in, you can deploy a `registry.json` configuration file to the machines of your users. @@ -21,7 +23,7 @@ following occurs: - The following **Sign in required!** prompt appears requiring the user to sign in as a member of your organization to use Docker Desktop. ![Enforce Sign-in - Prompt](./images/enforce-sign-in.png?w=400) + Prompt](../images/enforce-sign-in.png?w=400) - When a user signs in to an account that isn’t a member of your organization, they will be automatically signed out and can’t use Docker Desktop. The user can select **Sign in** and try again. 
@@ -35,13 +37,13 @@ following occurs: > Enforcing sign-in to Docker Desktop isn't the same as enforcing SSO. To ensure > that your users always sign in using their SSO credentials, you must also > enforce SSO. For more details, see [Single Sign-On -> overview](../single-sign-on/_index.md). +> overview](../../single-sign-on/_index.md). ## Create a registry.json file to enforce sign-in 1. Ensure that the user is a member of your organization in Docker. For more -details, see [Manage members](https://docs.docker.com/docker-hub/members/). +details, see [Manage members](../../docker-hub/members.md). 2. Create the `registry.json` file. diff --git a/content/security/for-admins/domain-audit.md b/content/security/for-admins/domain-audit.md new file mode 100644 index 0000000000..adf4bbb6a0 --- /dev/null +++ b/content/security/for-admins/domain-audit.md 
@@ -0,0 +1,45 @@
+---
+description: Audit your domains for uncaptured users.
+keywords: domain audit, security
+title: Domain audit
+aliases:
+- /docker-hub/domain-audit/
+- /admin/company/settings/domains/
+- /admin/organization/security-settings/domains/
+---
+
+Domain audit identifies uncaptured users in an organization. Uncaptured users are Docker users who have authenticated to Docker using an email address associated with one of your verified domains, but they're not a member of your organization in Docker. You can audit domains on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/).
+
+Uncaptured users who access Docker Desktop in your environment may pose a security risk because your organization's security settings, like Image Access Management and Registry Access Management, aren't applied to a user's session. In addition, you won't have visibility into the activity of uncaptured users. You can add uncaptured users to your organization to gain visibility into their activity and apply your organization's security settings.
+
+Domain audit can't identify the following Docker users in your environment:
+
+- Users who access Docker Desktop without authenticating
+- Users who authenticate using an account that doesn't have an email address associated with one of your verified domains
+
+Although domain audit can't identify all Docker users in your environment, you can enforce sign-in to prevent unidentifiable users from accessing Docker Desktop in your environment. For more details about enforcing sign-in, see [Configure registry.json to enforce sign-in](configure-sign-in.md).
+
+## Prerequisites
+
+Before you audit your domains, the following prerequisites are required:
+
+- Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](../../subscription/upgrade.md).
+- You must add and verify your domains.
+
+## Audit your domains for uncaptured users
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-domain-audit product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-domain-audit product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+
diff --git a/content/security/for-admins/image-access-management.md b/content/security/for-admins/image-access-management.md
new file mode 100644
index 0000000000..35f7269534
--- /dev/null
+++ b/content/security/for-admins/image-access-management.md
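Review bot: The prerequisite `+- You must add and verify your domains.` gives the reader no pointer to where a domain is added and verified, while the aliases `/admin/company/settings/domains/` and `/admin/organization/security-settings/domains/` now redirect the former "Domain management" pages here (the toc.yaml hunk in this commit removes both of those entries). If those pages carried the add-and-verify procedure, that guidance becomes unreachable; either link the bullet to where it now lives or restore it on this page. Minor: the intro already tells readers how to upgrade with the absolute link `/subscription/upgrade/` and the prerequisites repeat it with the relative `../../subscription/upgrade.md`; one link form, stated once, would do.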
@@ -0,0 +1,38 @@
+---
+description: Image Access Management
+keywords: image, access, management
+title: Image Access Management
+aliases:
+- /docker-hub/image-access-management/
+- /desktop/hardened-desktop/image-access-management/
+- /admin/organization/image-access/
+---
+
+> Note
+>
+> Image Access Management is available to [Docker Business](../../subscription/details.md) customers only.
+
+Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub.
+
+For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organization’s own images, preventing such a risk.
+
+## Prerequisites
+
+You need to [configure a registry.json to enforce sign-in](configure-sign-in.md). For Image Access Management to take effect, Docker Desktop users must authenticate to your organization.
+
+## Configure Image Access Management permissions
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-image-access product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-image-access product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
diff --git a/content/security/for-admins/registry-access-management.md b/content/security/for-admins/registry-access-management.md
new file mode 100644
index 0000000000..3887b50a88
--- /dev/null
+++ b/content/security/for-admins/registry-access-management.md
@@ -0,0 +1,60 @@
+---
+description: Registry Access Management
+keywords: registry, access, management
+title: Registry Access Management
+aliases:
+- /desktop/hardened-desktop/registry-access-management/
+- /admin/organization/registry-access/
+---
+
+> Note
+>
+> Registry Access Management is available to [Docker Business](../../subscription/details.md) customers only.
+
+With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub.
+
+Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include:
+ - Docker Hub. This is enabled by default.
+ - Amazon ECR
+ - GitHub Container Registry
+ - Google Container Registry
+ - Nexus
+ - Artifactory
+
+## Prerequisites
+
+You need to [configure a registry.json to enforce sign-in](/docker-hub/configure-sign-in/). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization.
+
+## Configure Registry Access Management permissions
+
+{{< tabs >}}
+{{< tab name="Docker Hub" >}}
+
+{{% admin-registry-access product="hub" %}}
+
+{{< /tab >}}
+{{< tab name="Docker Admin" >}}
+
+{{< include "admin-early-access.md" >}}
+
+{{% admin-registry-access product="admin" %}}
+
+{{< /tab >}}
+{{< /tabs >}}
+
+## Verify the restrictions
+
+The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry.
+
+## Caveats
+
+There are certain limitations when using Registry Access Management; they are as follows:
+
+- Windows image pulls, and image builds are not restricted
+- Builds such as `docker buildx` using a Kubernetes driver are not restricted
+- Builds such as `docker buildx` using a custom docker-container driver are not restricted
+- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull”
+- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series)
+- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel)
+
+Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop.
diff --git a/content/docker-hub/2fa/_index.md b/content/security/for-developers/2fa/_index.md
similarity index 98%
rename from content/docker-hub/2fa/_index.md
rename to content/security/for-developers/2fa/_index.md
index ef3a88f6ff..e546f72539 100644
--- a/content/docker-hub/2fa/_index.md
+++ b/content/security/for-developers/2fa/_index.md
@@ -3,6 +3,8 @@ description: Enabling two-factor authentication on Docker Hub keywords: Docker, docker, registry, security, Docker Hub, authentication, two-factor authentication title: Enable two-factor authentication for Docker Hub +aliases: +- /docker-hub/2fa/ --- Two-factor authentication adds an extra layer of security to your Docker Hub
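Review bot: The closing caveat names the operating system's `sts` file; the file a user edits to override name resolution is the hosts file, so the sentence should end `or modifying their operating system's hosts file.` The typo is carried over verbatim from the shortcode text this commit removes, so this move is the moment to correct it, and the surrounding sentence is the one place the page tells admins that RAM is a DNS-level control that does not stop such overrides. The Prerequisites link `(/docker-hub/configure-sign-in/)` still targets the pre-move path and resolves only through the alias added to configure-sign-in.md in this commit; the sibling image-access-management.md uses the relative `(configure-sign-in.md)`, which is the form to use here as well.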
diff --git a/content/docker-hub/2fa/disable-2fa.md b/content/security/for-developers/2fa/disable-2fa.md similarity index 86% rename from content/docker-hub/2fa/disable-2fa.md rename to content/security/for-developers/2fa/disable-2fa.md index 0d292cdb3f..2c71b8445c 100644 --- a/content/docker-hub/2fa/disable-2fa.md +++ b/content/security/for-developers/2fa/disable-2fa.md @@ -3,6 +3,8 @@ description: Disable two-factor authentication on Docker Hub keywords: Docker, docker, registry, security, Docker Hub, authentication, two-factor authentication title: Disable two-factor authentication on Docker Hub +aliases: +- /docker-hub/2fa/disable-2fa/ --- > **Warning** diff --git a/content/docker-hub/2fa/new-recovery-code.md b/content/security/for-developers/2fa/new-recovery-code.md similarity index 90% rename from content/docker-hub/2fa/new-recovery-code.md rename to content/security/for-developers/2fa/new-recovery-code.md index 803c6ecfca..1b819cc270 100644 --- a/content/docker-hub/2fa/new-recovery-code.md +++ b/content/security/for-developers/2fa/new-recovery-code.md @@ -3,6 +3,8 @@ description: Generate a new 2fa recovery code keywords: Docker, docker, registry, security, Docker Hub, authentication, two-factor authentication title: Generate a new recovery code +aliases: +- /docker-hub/2fa/new-recovery-code/ --- If you have lost your two-factor authentication recovery code and still have diff --git a/content/docker-hub/2fa/recover-hub-account.md b/content/security/for-developers/2fa/recover-hub-account.md similarity index 93% rename from content/docker-hub/2fa/recover-hub-account.md rename to content/security/for-developers/2fa/recover-hub-account.md index eb0343f897..6e2d935543 100644 --- a/content/docker-hub/2fa/recover-hub-account.md +++ b/content/security/for-developers/2fa/recover-hub-account.md 
@@ -3,6 +3,8 @@ description: Recover your Docker account keywords: Docker, docker, registry, security, Docker Hub, authentication, two-factor authentication title: Recover your Docker account +aliases: +- /docker-hub/2fa/recover-hub-account/ --- If you have lost access to both your two-factor authentication application and your recovery code: diff --git a/content/docker-hub/access-tokens.md b/content/security/for-developers/access-tokens.md similarity index 98% rename from content/docker-hub/access-tokens.md rename to content/security/for-developers/access-tokens.md index fb44890b4d..957cd8bc94 100644 --- a/content/docker-hub/access-tokens.md +++ b/content/security/for-developers/access-tokens.md @@ -3,6 +3,8 @@ title: Create and manage access tokens description: Learn how to create and manage your personal Docker Hub access tokens to securely push and pull images programmatically. keywords: docker hub, hub, security, PAT, personal access token +aliases: +- /docker-hub/access-tokens/ --- If you are using the [Docker Hub CLI](https://github.com/docker/hub-tool#readme) diff --git a/content/docker-hub/images/enforce-sign-in.png b/content/security/images/enforce-sign-in.png similarity index 100% rename from content/docker-hub/images/enforce-sign-in.png rename to content/security/images/enforce-sign-in.png diff --git a/content/security.md b/content/security/security-announcements.md similarity index 99% rename from content/security.md rename to content/security/security-announcements.md index 5859105b52..09bc6d2e46 100644 --- a/content/security.md +++ b/content/security/security-announcements.md 
@@ -10,7 +10,7 @@ toc_max: 2 [CVE-2022-42889](https://nvd.nist.gov/vuln/detail/CVE-2022-42889) has been discovered in the popular Apache Commons Text library. Versions of this library up to but not including 1.10.0 are affected by this vulnerability. -We strongly encourage you to update to the latest version of [Apache Commons Text](https://commons.apache.org/proper/commons-text/download_text.cgi). +We strongly encourage you to update to the latest version of [Apache Commons Text](https://commons.apache.org/proper/commons-text/download_text.cgi). ### Scan images on Docker Hub diff --git a/content/single-sign-on/enforcement-faqs.md b/content/single-sign-on/enforcement-faqs.md index 3276e068b2..7a8c3ce6eb 100644 --- a/content/single-sign-on/enforcement-faqs.md +++ b/content/single-sign-on/enforcement-faqs.md @@ -18,7 +18,7 @@ Yes. You must verify a domain before using it with an SSO connection. ### Does Docker SSO support authenticating through the command line? -Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../docker-hub/access-tokens.md). +Yes. When SSO is enforced, you can access the Docker CLI through Personal Access Tokens (PATs). Each user must create a PAT to access the CLI. To learn how to create a PAT, see [Manage access tokens](../security/for-developers/access-tokens.md). ### How does SSO affect our automation systems and CI/CD pipelines? 
@@ -60,5 +60,5 @@ No. They are different features that you can use separately or together. Enforcing SSO ensures that users sign in using their SSO credentials instead of their Docker ID. One of the benefits is that SSO enables you to better manage user credentials. Enforcing sign-in to Docker Desktop ensures that users always sign in to an -account that's a member of your organization. The benefits are that your organization's security settings are always applied to the user's session and your users always receive the benefits of your subscription. For more details, see [Enforce sign-in for Desktop](../docker-hub/configure-sign-in.md). +account that's a member of your organization. The benefits are that your organization's security settings are always applied to the user's session and your users always receive the benefits of your subscription. For more details, see [Enforce sign-in for Desktop](../security/for-admins/configure-sign-in.md). diff --git a/content/single-sign-on/users-faqs.md b/content/single-sign-on/users-faqs.md index 5b377bdccc..6dded76dd9 100644 --- a/content/single-sign-on/users-faqs.md +++ b/content/single-sign-on/users-faqs.md 
@@ -32,7 +32,7 @@ If users attempt to sign in through the CLI, they must authenticate using a pers ### Is it possible to force users of Docker Desktop to authenticate, and/or authenticate using their company’s domain? -Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../docker-hub/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file. +Yes. Admins can force users to authenticate with Docker Desktop by provisioning a [`registry.json`](../security/for-admins/configure-sign-in.md) configuration file. The `registry.json` file will force users to authenticate as a user that's configured in the `allowedOrgs` list in the `registry.json` file. Once SSO enforcement is set up on their Docker Business organization or company on Hub, when the user is forced to authenticate with Docker Desktop, the SSO enforcement will also force users to authenticate through SSO with their IdP (instead of authenticating using their username and password). diff --git a/content/subscription/details.md b/content/subscription/details.md index d13f11906c..e9d430c806 100644 --- a/content/subscription/details.md +++ b/content/subscription/details.md @@ -13,7 +13,7 @@ Docker Personal (formerly Docker Free) is ideal for open-source communities, ind Docker Personal includes: - Unlimited public repositories -- Unlimited [Scoped Access Tokens](../docker-hub/access-tokens.md) +- Unlimited [Scoped Access Tokens](../security/for-developers/access-tokens.md) - Unlimited [collaborators](../docker-hub/repos/access/index.md#collaborators-and-their-role) for public repositories at no cost per month. Additionally, anonymous users get 100 pulls every 6 hours and users that sign in to Docker get 200 pulls every 6 hours. 
@@ -55,8 +55,8 @@ For a list of features available in each tier, see [Docker Pricing](https://www. Docker Business includes: - Everything included in Docker Team - [Hardened Docker Desktop](../desktop/hardened-desktop/index.md) -- [Image Access Management](../docker-hub/image-access-management.md) which lets admins control what content developers can access -- [Registry Access Management](../desktop/hardened-desktop/registry-access-management.md) which lets admins control what registries developers can access +- [Image Access Management](../security/for-admins/image-access-management.md) which lets admins control what content developers can access +- [Registry Access Management](../security/for-admins/registry-access-management.md) which lets admins control what registries developers can access - [Company layer](../docker-hub/creating-companies.md) to manage multiple organizations and settings - [Single Sign-On](../single-sign-on/index.md) - [System for Cross-domain Identity Management](../docker-hub/scim.md) and more. diff --git a/data/redirects.yml b/data/redirects.yml index 2ddc9a63b5..784a2213f8 100644 --- a/data/redirects.yml +++ b/data/redirects.yml @@ -81,7 +81,7 @@ # provide a short, permanent link to refer to a topic in the documentation. # For example, the docker CLI can output https://docs.docker.com/go/some-topic # in its help output, which can be redirected to elsewhere in the documentation. -"/docker-hub/access-tokens/": +"/security/for-developers/access-tokens/": - /go/access-tokens/ "/desktop/mac/apple-silicon/": - /go/apple-silicon/ diff --git a/data/toc.yaml b/data/toc.yaml index 7de18334d4..d618760cca 100644 --- a/data/toc.yaml +++ b/data/toc.yaml 
@@ -1200,10 +1200,6 @@ Manuals: title: Key features and benefits - path: /desktop/hardened-desktop/enhanced-container-isolation/faq/ title: FAQs and known issues - - path: /desktop/hardened-desktop/registry-access-management/ - title: Registry Access Management - - path: /desktop/hardened-desktop/image-access-management/ - title: Image Access Management - sectiontitle: Dev Environments (Beta) section: - path: /desktop/dev-environments/ @@ -2058,8 +2054,6 @@ Manuals: title: Manage users - path: /admin/company/owners/ title: Manage company owners - - path: /admin/company/settings/domains/ - title: Domain management - sectiontitle: SSO & SCIM section: - path: /admin/company/settings/sso/ @@ -2083,14 +2077,8 @@ Manuals: title: Manage members - path: /admin/organization/activity-logs/ title: Activity logs - - path: /admin/organization/image-access/ - title: Image Access Management - - path: /admin/organization/registry-access/ - title: Registry Access Management - path: /admin/organization/general-settings/ title: General settings - - path: /admin/organization/security-settings/domains/ - title: Domain management - sectiontitle: SSO & SCIM section: - path: /admin/organization/security-settings/sso/ @@ -2104,7 +2092,7 @@ Manuals: - path: /admin/organization/security-settings/group-mapping/ title: Group mapping -- sectiontitle: Administration and security +- sectiontitle: Administration section: - path: /docker-hub/admin-overview/ title: Overview 
@@ -2140,30 +2128,42 @@ Manuals: title: SCIM - path: /docker-hub/group-mapping/ title: Group mapping - - sectiontitle: Security and authentication - section: - - path: /docker-hub/access-tokens/ - title: Create and manage access tokens - - sectiontitle: Two-factor authentication - section: - - path: /docker-hub/2fa/ - title: Enable two-factor authentication - - path: /docker-hub/2fa/disable-2fa/ - title: Disable two-factor authentication - - path: /docker-hub/2fa/recover-hub-account/ - title: Recover your Docker Hub account - - path: /docker-hub/2fa/new-recovery-code/ - title: Generate a new recovery code - - path: /docker-hub/configure-sign-in/ - title: Enforce sign-in for Desktop - path: /docker-hub/audit-log/ title: Audit logs - - path: /docker-hub/domain-audit/ - title: Domain audit - - path: /docker-hub/image-access-management/ - title: Image Access Management - path: /docker-hub/deactivate-account/ title: Deactivate an account or organization + +- sectiontitle: Security + section: + - path: /security/ + title: Overview + - sectiontitle: For admins + section: + - path: /security/for-admins/configure-sign-in/ + title: Enforce sign in + - path: /security/for-admins/domain-audit/ + title: Domain audit + - path: /security/for-admins/image-access-management/ + title: Image Access Management + - path: /security/for-admins/registry-access-management/ + title: Registry Access Management + - sectiontitle: For developers + section: + - path: /security/for-developers/access-tokens/ + title: Create and manage access tokens + - sectiontitle: Two-factor authentication + section: + - path: /security/for-developers/2fa/ + title: Enable two-factor authentication + - path: /security/for-developers/2fa/disable-2fa/ + title: Disable two-factor authentication + - path: /security/for-developers/2fa/recover-hub-account/ + title: Recover your Docker Hub account + - path: /security/for-developers/2fa/new-recovery-code/ + title: Generate a new recovery code + - path: 
/security/security-announcements/ + title: Security announcements + - sectiontitle: Billing section: - path: /billing/ @@ -2212,9 +2212,6 @@ Manuals: - path: /trusted-content/insights-analytics/ title: Insights and analytics -- title: Security announcements - path: /security/ - - sectiontitle: Open-source projects section: - sectiontitle: Docker Registry diff --git a/layouts/shortcodes/admin-domain-audit.md b/layouts/shortcodes/admin-domain-audit.md index 42e0e3e1c8..3d35728962 100644 --- a/layouts/shortcodes/admin-domain-audit.md +++ b/layouts/shortcodes/admin-domain-audit.md 
@@ -12,24 +12,6 @@ {{ $invite_link = "[Invite members](/admin/organization/members/)" }} {{ end }} -Domain audit identifies uncaptured users in an organization. Uncaptured users are Docker users who have authenticated to Docker using an email address associated with one of your verified domains, but they're not a member of your organization in Docker. You can audit domains on organizations that are part of the Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/). - -Uncaptured users who access Docker Desktop in your environment may pose a security risk because your organization's security settings, like Image Access Management and Registry Access Management, aren't applied to a user's session. In addition, you won't have visibility into the activity of uncaptured users. You can add uncaptured users to your organization to gain visibility into their activity and apply your organization's security settings. - -Domain audit can't identify the following Docker users in your environment: - -- Users who access Docker Desktop without authenticating -- Users who authenticate using an account that doesn't have an email address associated with one of your verified domains - -Although domain audit can't identify all Docker users in your environment, you can enforce sign-in to prevent unidentifiable users from accessing Docker Desktop in your environment. For more details about enforcing sign-in, see [Configure registry.json to enforce sign-in](/docker-hub/configure-sign-in/). - -### Audit your domains for uncaptured users - -Before you audit your domains, the following prerequisites are required: - -- Your organization must be part of a Docker Business subscription. To upgrade your existing account to a Docker Business subscription, see [Upgrade your subscription](/subscription/upgrade/). -- You must add and verify your domains. - To audit your domains: 1. 
Sign in to {{ $product_link }}. diff --git a/layouts/shortcodes/admin-image-access.html b/layouts/shortcodes/admin-image-access.html index bc129e711b..1a13ad5e86 100644 --- a/layouts/shortcodes/admin-image-access.html +++ b/layouts/shortcodes/admin-image-access.html @@ -6,20 +6,6 @@ {{ $iam_navigation = "Select your organization in the left navigation drop-down menu, and then select **Image Access**." }} {{ end }} -> Note -> -> Image Access Management is available to [Docker Business](/subscription/details/) customers only. - -Image Access Management gives administrators control over which types of images, such as Docker Official Images, Docker Verified Publisher Images, or community images, their developers can pull from Docker Hub. - -For example, a developer, who is part of an organization, building a new containerized application could accidentally use an untrusted, community image as a component of their application. This image could be malicious and pose a security risk to the company. Using Image Access Management, the organization owner can ensure that the developer can only access trusted content like Docker Official Images, Docker Verified Publisher Images, or the organization’s own images, preventing such a risk. - -## Prerequisites - -You need to [configure a registry.json to enforce sign-in](/docker-hub/configure-sign-in/). For Image Access Management to take effect, Docker Desktop users must authenticate to your organization. - -## Configure Image Access Management permissions - 1. Sign in to {{ $product_link }}. 2. {{ $iam_navigation }} 3. Enable Image Access Management to set the permissions for the following categories of images you can manage: diff --git a/layouts/shortcodes/admin-registry-access.html b/layouts/shortcodes/admin-registry-access.html index 56c1998e3e..5282238831 100644 --- a/layouts/shortcodes/admin-registry-access.html +++ b/layouts/shortcodes/admin-registry-access.html 
@@ -1,34 +1,12 @@ {{ $product_link := "[Docker Hub](https://hub.docker.com)" }} -{{ $ram_navigation := "Select your organization in the left navigation drop-down menu, and then select **Registry Access**." }} {{ if eq (.Get "product") "admin" }} {{ $product_link = "[Docker Admin](https://admin.docker.com)" }} - {{ $ram_navigation = "Select **Organizations**, your organization, **Settings**, and then select **Registry Access**." }} {{ end }} -> Note -> -> Registry Access Management is available to Docker Business customers only. - -With Registry Access Management (RAM), administrators can ensure that their developers using Docker Desktop only access registries that are allowed. This is done through the Registry Access Management dashboard on Docker Hub. - -Registry Access Management supports both cloud and on-prem registries. Example registries administrators can allow include: - - Docker Hub. This is enabled by default. - - Amazon ECR - - GitHub Container Registry - - Google Container Registry - - Nexus - - Artifactory - -## Prerequisites - -You need to [configure a registry.json to enforce sign-in](/docker-hub/configure-sign-in/). For Registry Access Management to take effect, Docker Desktop users must authenticate to your organization. - -## Configure Registry Access Management permissions - To configure Registry Access Management permissions, perform the following steps: 1. Sign in to {{ $product_link }}. -2. {{ $ram_navigation }} +2. Select **Organizations**, your organization, **Settings**, and then select **Registry Access**. 3. Enable Registry Access Management to set the permissions for your registry. > **Note** 
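Review bot: Step 2 now hard-codes the Docker Admin navigation, `2. Select **Organizations**, your organization, **Settings**, and then select **Registry Access**.`, for both products because the `$ram_navigation` variable and its override inside the `product == "admin"` branch are removed; unless the Hub UI now matches Admin, the Docker Hub tab of registry-access-management.md will show the wrong navigation. The sibling admin-image-access.html in this same commit keeps the per-product `$iam_navigation` pattern, so the consistent fix is to restore the three removed lines: `{{ $ram_navigation := "Select your organization in the left navigation drop-down menu, and then select **Registry Access**." }}` at the top, `{{ $ram_navigation = "Select **Organizations**, your organization, **Settings**, and then select **Registry Access**." }}` inside the `if`, and `2. {{ $ram_navigation }}` for the step. The step list continues past this hunk.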
@@ -46,20 +24,3 @@ To configure Registry Access Management permissions, perform the following steps > > Since RAM sets policies about where content can be fetched from, the [ADD](/engine/reference/builder/#add) instruction of the Dockerfile, when the parameter of the ADD instruction is a URL, is also subject to registry restrictions. It's recommended that you add the domains of URL parameters to the list of allowed registry addresses under the Registry Access Management settings of your organization. { .tip } - -## Verify the restrictions - -The new Registry Access Management policy takes effect after the developer successfully authenticates to Docker Desktop using their organization credentials. If a developer attempts to pull an image from a disallowed registry via the Docker CLI, they receive an error message that the organization has disallowed this registry. - -## Caveats - -There are certain limitations when using Registry Access Management; they are as follows: - -- Windows image pulls, and image builds are not restricted -- Builds such as `docker buildx` using a Kubernetes driver are not restricted -- Builds such as `docker buildx` using a custom docker-container driver are not restricted -- Blocking is DNS-based; you must use a registry's access control mechanisms to distinguish between “push” and “pull” -- WSL 2 requires at least a 5.4 series Linux kernel (this does not apply to earlier Linux kernel series) -- Under the WSL 2 network, traffic from all Linux distributions is restricted (this will be resolved in the updated 5.15 series Linux kernel) - -Also, Registry Access Management operates on the level of hosts, not IP addresses. Developers can bypass this restriction within their domain resolution, for example by running Docker against a local proxy or modifying their operating system's `sts` file. Blocking these forms of manipulation is outside the remit of Docker Desktop.