2.4 Do not use insecure registries

Information

Docker considers a private registry either secure or insecure. By default, registries are
considered secure.

A secure registry uses TLS. A copy of the registry's CA certificate is placed on the Docker host in the
'/etc/docker/certs.d/<registry-name>/' directory. An insecure registry is one that
either does not have a valid registry certificate or does not use TLS. You should not use any
insecure registries in the production environment. Insecure registries can be tampered
with, leading to possible compromise of your production system.

Additionally, if a registry is marked as insecure, then the 'docker pull', 'docker push', and
'docker search' commands will not result in an error message, and the user might
work with insecure registries indefinitely without ever being notified of the potential
danger.

Solution

Do not use any insecure registries.

For example, do not start the Docker daemon as below:

    dockerd --insecure-registry 10.1.0.0/16

Impact:

None.

Default Value:

By default, Docker assumes all, but local, registries are secure.
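
The following Python check is an added example, not part of the CIS benchmark or the audit plugin. It flags insecure registries configured either with the '--insecure-registry' flag shown above or with the 'insecure-registries' key of the daemon configuration file; the function names and sample inputs are constructed for illustration.

```python
import json
import shlex


def insecure_from_cmdline(cmdline):
    """Return registries passed with --insecure-registry on a dockerd command line."""
    args = shlex.split(cmdline)
    found = []
    for i, arg in enumerate(args):
        if arg == "--insecure-registry" and i + 1 < len(args):
            found.append(args[i + 1])          # form: --insecure-registry VALUE
        elif arg.startswith("--insecure-registry="):
            found.append(arg.split("=", 1)[1])  # form: --insecure-registry=VALUE
    return found


def insecure_from_daemon_json(text):
    """Return the "insecure-registries" entries from daemon.json content."""
    if not text.strip():
        return []                               # no config file, nothing set
    config = json.loads(text)
    if not isinstance(config, dict):
        return []
    return list(config.get("insecure-registries") or [])


def audit(cmdline, daemon_json_text):
    """Return (source, registry) findings; an empty list means the check passes."""
    findings = [("cmdline", r) for r in insecure_from_cmdline(cmdline)]
    findings += [("daemon.json", r) for r in insecure_from_daemon_json(daemon_json_text)]
    return findings


# Constructed sample inputs (not taken from a real host).
SAMPLE_CMDLINE = ("/usr/bin/dockerd -H fd:// --insecure-registry 10.1.0.0/16 "
                  "--insecure-registry=registry.example.internal:5000")
SAMPLE_DAEMON_JSON = '{"log-driver": "json-file", "insecure-registries": ["10.2.0.0/16"]}'

if __name__ == "__main__":
    for source, registry in audit(SAMPLE_CMDLINE, SAMPLE_DAEMON_JSON):
        print(f"FAIL 2.4: insecure registry {registry} set in {source}")
```

On a Linux host, the inputs would be the running dockerd command line (for example from 'ps -ef') and the contents of '/etc/docker/daemon.json'.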

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(6)

Plugin: Unix

Control ID: 6c2ee7f9d73c1b9ad7738abcf54f4d215f38b7dd8fb87b4ff74f5494b22f29bc