2.6 Configure TLS authentication for Docker daemon - tlskey

Information

It is possible to make the Docker daemon listen on a specific IP address and port, or on a Unix socket other than the default one. When the daemon is exposed over an IP address and port, TLS authentication must be configured to restrict who can connect to it.

By default, the Docker daemon binds to a non-networked Unix socket and runs with 'root' privileges. If you change the default daemon binding to a TCP port or to another Unix socket, anyone with access to that port or socket has full access to the Docker daemon, and in turn to the host system. Hence, you should not bind the Docker daemon to another IP/port or Unix socket.

If you must expose the Docker daemon via a network socket, configure TLS authentication for the daemon and for the Docker Swarm APIs (if used). This restricts network connections to the daemon to the limited set of clients that can successfully authenticate over TLS.

Solution

Follow the steps described in the Docker documentation or other references.

Impact: You would need to manage and guard the certificates and keys for the Docker daemon and Docker clients.

Default Value: By default, TLS authentication is not configured.
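As an added example that is not part of this audit item or of Tenable's plugin: a small Python helper that reads a dockerd command line and the contents of daemon.json, and reports whether the daemon listens on a tcp:// socket without all four TLS settings (tlsverify, tlscacert, tlscert, tlskey) being set. The sample command lines and daemon.json contents are constructed, and the file paths in them are assumptions.

```python
import json
import shlex

# The settings this control expects whenever dockerd is reachable over TCP.
TLS_KEYS = ("tlsverify", "tlscacert", "tlscert", "tlskey")


def parse_dockerd_args(cmdline):
    """Map dockerd options to their values; a bare flag such as --tlsverify maps to 'true'.

    Handles '--opt=value', '--opt value' and the short '-H host' form; an option
    given several times (for example -H) keeps every value.
    """
    toks = shlex.split(cmdline)[1:]  # drop the 'dockerd' binary itself
    opts = {}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("--"):
            key, eq, val = tok[2:].partition("=")
        elif tok == "-H":
            key, eq, val = "host", "", ""
        else:
            i += 1
            continue
        if not eq and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            val = toks[i + 1]
            i += 1
        opts.setdefault(key, []).append(val or "true")
        i += 1
    return opts


def audit_daemon_tls(cmdline, daemon_json):
    """Return whether the daemon is network-exposed and which TLS settings are absent.

    A setting counts as present if it is on the command line or is truthy in daemon.json
    ("tlsverify": false is treated as absent).
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    cli = parse_dockerd_args(cmdline)
    hosts = cli.get("host", []) + list(cfg.get("hosts", []))
    tcp_hosts = [h for h in hosts if h.startswith("tcp://")]
    if not tcp_hosts:
        return {"exposed": False, "tcp_hosts": [], "missing": []}
    missing = [k for k in TLS_KEYS if k not in cli and not cfg.get(k)]
    return {"exposed": True, "tcp_hosts": tcp_hosts, "missing": missing}


if __name__ == "__main__":
    # Constructed input: a daemon bound to TCP with no TLS settings at all (fails this control).
    print(audit_daemon_tls("dockerd -H tcp://0.0.0.0:2376 -H unix:///var/run/docker.sock", "{}"))
```

An empty `missing` list with `exposed` true corresponds to a pass for this item; a non-empty list names the settings still to configure.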

See Also

https://workbench.cisecurity.org/files/517

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Unix

Control ID: 924b05034388712ef7ca1352d2d5a394c241c090eff2bac6fa36ca92a8099687