Information
When a container is started with '--net=host', Docker skips placing the container inside a separate network namespace. In essence, this choice tells Docker not to containerize the container's networking. Network-wise, this means the container lives "outside" on the Docker host itself and has full access to the host's network interfaces.
Rationale:
This is potentially dangerous. It allows the container process to open low-numbered ports like any other root process. It also allows the container to access network services like D-bus on the Docker host. Thus, a container process can potentially do unexpected things such as shutting down the Docker host. You should not use this option.
Solution
Do not pass the '--net=host' option when starting the container.
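As an added audit example (not part of this benchmark entry), the script below flags running containers whose HostConfig.NetworkMode is "host", which is the setting that '--net=host' produces. It parses the JSON array that `docker inspect` prints; the embedded sample output is constructed for the example, and the optional live mode assumes the docker CLI is on PATH and that the caller can reach the Docker daemon.

```python
import json
import subprocess
import sys
from typing import List

# Constructed sample of `docker inspect` output with only the fields this check reads.
# Container ids are placeholders, not values captured from a real system.
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Id": "c0ffee000001",
        "Name": "/web-proxy",
        "HostConfig": {"NetworkMode": "host"},
    },
    {
        "Id": "c0ffee000002",
        "Name": "/app-db",
        "HostConfig": {"NetworkMode": "bridge"},
    },
    {
        "Id": "c0ffee000003",
        "Name": "/worker",
        # Shares another container's network stack, not the host's; it is not a finding here.
        "HostConfig": {"NetworkMode": "container:c0ffee000002"},
    },
])


def find_host_network_containers(inspect_json: str) -> List[str]:
    """Return the names of containers whose HostConfig.NetworkMode is 'host'.

    `docker inspect` reports names with a leading slash, which is stripped here.
    """
    containers = json.loads(inspect_json)
    findings = []
    for container in containers:
        mode = container.get("HostConfig", {}).get("NetworkMode", "")
        if mode == "host":
            name = container.get("Name") or container.get("Id", "<unknown>")
            findings.append(name.lstrip("/"))
    return findings


def inspect_running_containers() -> str:
    """Collect `docker inspect` JSON for every running container (requires the docker CLI)."""
    ids = subprocess.run(
        ["docker", "ps", "-q"], check=True, capture_output=True, text=True
    ).stdout.split()
    if not ids:
        return "[]"
    return subprocess.run(
        ["docker", "inspect", *ids], check=True, capture_output=True, text=True
    ).stdout


def main(argv: List[str]) -> int:
    # Pass --live to audit the local daemon; otherwise the constructed sample is checked.
    data = inspect_running_containers() if "--live" in argv else SAMPLE_INSPECT_JSON
    findings = find_host_network_containers(data)
    if not findings:
        print("OK: no running container uses host networking")
        return 0
    for name in findings:
        print(f"FINDING: container '{name}' is running with --net=host")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--live` on a Docker host to audit real containers; the non-zero exit status on findings makes it usable from a cron job or CI gate. Note that the check only covers "host" mode; a container whose mode is "container:<id>" shares that other container's network namespace rather than the host's and is reported as compliant.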
Impact:
None.
Default Value:
By default, the container is attached to the default Docker bridge network.