5.9 Ensure the host's network namespace is not shared

Information

When a container's networking mode is set to --net=host, Docker skips placing the container inside a separate network stack. In essence, this option tells Docker not to containerize the container's networking. Network-wise, the container then lives "outside" on the main Docker host and has full access to the host's network interfaces.
Rationale:
This is potentially dangerous. It allows the container process to open low-numbered ports like any other root process. It also allows the container to reach network services on the Docker host, such as D-Bus. A container process can therefore do unexpected things, up to and including shutting down the Docker host. You should not use this option.

Solution

Do not pass the --net=host option when starting the container.
Impact:
None.
Default Value:
By default, a container connects to the Docker bridge network.
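The following audit helper is an added example, not part of the CIS benchmark or the Tenable plugin. It evaluates the per-container NetworkMode reported by docker inspect and flags any container started with --net=host; the container IDs in the embedded sample are constructed so the check can be exercised without a Docker daemon.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark page): report containers whose
# HostConfig.NetworkMode is "host", i.e. those started with --net=host.

# Evaluate one "<id>: NetworkMode=<mode>" line per container on stdin.
# Prints every line with a verdict and returns non-zero if any container
# shares the host network namespace. "bridge", "default" and
# "container:<id>" modes are not flagged by this control.
flag_host_network() {
    violations=0
    while IFS= read -r line; do
        case "$line" in
            *"NetworkMode=host") echo "FAIL: $line"; violations=$((violations + 1)) ;;
            *)                   echo "ok:   $line" ;;
        esac
    done
    [ "$violations" -eq 0 ]
}

# Number of containers in host mode within the given inspect output.
count_host_network() {
    printf '%s\n' "$1" | grep -c 'NetworkMode=host$'
}

# Constructed sample of inspect output (IDs are made up) used for offline runs.
SAMPLE_INSPECT='a1b2c3: NetworkMode=default
d4e5f6: NetworkMode=host
0f9e8d: NetworkMode=container:a1b2c3'

# Live audit against the local daemon (assumes docker CLI access). The
# --format string pulls the same field the benchmark's audit step reads.
audit_live() {
    docker ps --quiet --all \
      | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}' \
      | flag_host_network
}

# Remediation reminder: a service that needs a host port should publish it
# with -p rather than share the namespace, e.g.
#   docker run -d -p 8080:80 nginx      # instead of: docker run -d --net=host nginx

# Demonstration on the constructed sample; the second line flags as FAIL.
printf '%s\n' "$SAMPLE_INSPECT" | flag_host_network || echo "audit: host networking detected"
```

Replace the sample with the output of `audit_live` to run the check on a real host.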

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-39, CSCv6|12

Plugin: Unix

Control ID: d60a9d0f36d34d5cae0d6d55d5ecfae6c8f8c7151b050599b8434659846ad1a1