5.9 Open only needed ports on container

Information

The Dockerfile for a container image defines the ports to be opened by default on a container
instance. The list of ports may or may not be relevant to the application you are running
within the container.

A container can be run just with the ports defined in the Dockerfile for its image, or it can be
passed arbitrary run time parameters to open a list of ports. Additionally, over time the
Dockerfile may undergo various changes, and the list of exposed ports may or may not remain
relevant to the application you are running within the container. Opening unneeded ports
increases the attack surface of the container and the containerized application. As a
recommended practice, do not open unneeded ports.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Fix the Dockerfile of the container image so that it exposes only the ports needed by your
containerized application. You can also completely ignore the list of ports defined in the
Dockerfile by NOT using the '-P' (UPPERCASE) flag when starting the container. Use the '-p'
(lowercase) flag to explicitly define the ports that you need for a particular container
instance. For example:

$> docker run -i -t -p 5000 -p 5001 -p 5002 centos /bin/bash
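The following is an added example, not part of the benchmark or Nessus audit, showing how a reviewer can check running containers against this control: it reads the JSON that `docker ps -q | xargs docker inspect` produces, takes only the ports actually bound to a host port (the ones '-P' or '-p' published), and reports any that are not in an allowlist of ports the application needs. The container id, name and port values in the sample are constructed.

```python
import json

# Constructed sample of `docker inspect` output for one container started
# with `-P` on an image whose Dockerfile EXPOSEs three ports. In this
# scenario only 5000/tcp is needed by the application.
SAMPLE_INSPECT = json.dumps([{
    "Id": "0123abcd",  # constructed container id, not a real one
    "Name": "/web",
    "NetworkSettings": {
        "Ports": {
            "5000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32770"}],
            "5001/tcp": [{"HostIp": "0.0.0.0", "HostPort": "32771"}],
            "5002/tcp": None,   # exposed by the image but not published
        }
    },
}])


def published_ports(container):
    """Return the container ports that are bound to a host port.

    An EXPOSEd port with no binding (value None) is not reachable from the
    host, so only ports with at least one binding count as open.
    """
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    return {port for port, bindings in ports.items() if bindings}


def audit(inspect_json, needed):
    """Map container name -> sorted list of published ports not in `needed`.

    `needed` is the allowlist of ports (e.g. {"5000/tcp"}) the application
    running in the container actually requires. Containers with no extra
    published ports are omitted from the result.
    """
    findings = {}
    for container in json.loads(inspect_json):
        extra = published_ports(container) - set(needed)
        if extra:
            findings[container["Name"]] = sorted(extra)
    return findings


if __name__ == "__main__":
    # In practice: docker ps -q | xargs docker inspect > inspect.json
    print(audit(SAMPLE_INSPECT, {"5000/tcp"}))  # {'/web': ['5001/tcp']}
```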

Impact: None.

Default Value: By default, all the ports that are listed in the Dockerfile under the EXPOSE instruction for an
image are opened when the container is run with the '-P' flag.

See Also

https://workbench.cisecurity.org/files/514

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b.

Plugin: Unix

Control ID: 765cff8d84318c1d6ea58a43d5e73e1fdbc2c195ae85ff9b579461b4b88ee4fd