2.15 Do not enable swarm mode, if not needed

Information

Do not enable swarm mode on a docker engine instance unless needed.

Rationale:

By default, a Docker engine instance will not listen on any network ports, with all communications with the client coming over the Unix socket. When Docker swarm mode is enabled on a docker engine instance, multiple network ports are opened on the system and made available to other systems on the network for the purposes of cluster management and node communications.

Opening network ports on a system increase its attack surface and this should be avoided unless required.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

If swarm mode has been enabled on a system in error, run

docker swarm leave

Impact:

None.

Default Value:

By default, docker swarm mode is not enabled.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 70de63f0f68418e40b452816504aa744c4a75ea1ff1a79126dc3918a9683b14f