5.7 Do not map privileged ports within containers

Information

TCP/IP port numbers below 1024 are considered privileged ports. Normal users and
processes are not allowed to use them for various security reasons. Docker allows a
container port to be mapped to a privileged port.

By default, if the user does not specifically declare the container port to host port
mapping, Docker automatically and correctly maps the container port to an available port
in the 49153-65535 block on the host. However, Docker allows a container port to be mapped
to a privileged port on the host if the user explicitly declares it. This is because
containers are executed with the NET_BIND_SERVICE Linux kernel capability, which does not
restrict privileged port mapping. Privileged ports receive and transmit various sensitive
and privileged data. Allowing containers to use them can have serious implications.

Solution

Do not map container ports to privileged host ports when starting a container. Also,
ensure that there are no such container to host privileged port mapping declarations in the
Dockerfile.

Impact - None.

Default Value - By default, mapping a container port to a privileged port on the host is allowed.

Note - There might be certain cases where you want to map privileged ports, because if you
forbid it, then the corresponding application has to run outside of a container.

For example - HTTP and HTTPS load balancers have to bind 80/tcp and 443/tcp
respectively. Forbidding the mapping of privileged ports effectively forbids running those in a
container, and mandates using an external load balancer. In such cases, those container
instances should be marked as exceptions for this recommendation.
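
One way to audit running containers against this recommendation, as an added example that is not part of the benchmark text or of Docker's own tooling. It reads JSON in the shape produced by `docker inspect`, reports every binding to a host port below 1024, and skips containers named in an exception list. The function name, container names and sample JSON are constructed for illustration.

```python
import json

PRIVILEGED_MAX = 1023  # host ports below 1024 are privileged

# Constructed sample in the shape of `docker inspect <container>...` output.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/edge-lb",
     "NetworkSettings": {"Ports": {
         "80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "80"}],
         "443/tcp": [{"HostIp": "0.0.0.0", "HostPort": "443"}]}}},
    {"Id": "bbb222", "Name": "/api",
     "NetworkSettings": {"Ports": {
         "8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "49153"}],
         "9090/tcp": None}}},  # exposed but not published to the host
    {"Id": "ccc333", "Name": "/legacy-ftp",
     "NetworkSettings": {"Ports": {
         "2121/tcp": [{"HostIp": "127.0.0.1", "HostPort": "21"}]}}},
])


def privileged_mappings(inspect_json, exceptions=()):
    """Return sorted (name, container_port, host_ip, host_port) tuples for
    every binding to a privileged host port. `exceptions` is a hypothetical
    allow-list of container names approved to bind such ports."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", container.get("Id", "?")).lstrip("/")
        if name in exceptions:
            continue
        ports = (container.get("NetworkSettings") or {}).get("Ports") or {}
        for container_port, bindings in ports.items():
            # An unpublished port has null bindings; there is nothing to check.
            for binding in bindings or []:
                host_port = binding.get("HostPort", "")
                if host_port.isdigit() and 0 < int(host_port) <= PRIVILEGED_MAX:
                    findings.append((name, container_port,
                                     binding.get("HostIp", ""), int(host_port)))
    return sorted(findings)


if __name__ == "__main__":
    # Treat the load balancer as a documented exception, as the note allows.
    for finding in privileged_mappings(SAMPLE_INSPECT, exceptions={"edge-lb"}):
        print("FAIL %s: container port %s -> host %s:%d" % finding)
```

On a live host, the same function can be fed the output of `docker inspect` for all running containers instead of the constructed sample.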

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b.

Plugin: Unix

Control ID: 3e0ce2ae4a841a18b8eb60b482a6d30cfb69f788c2f588516aabdbb8eafd1b69