2.11 Ensure that authorization for Docker client commands is enabled

Information

Use native Docker authorization plugins or a third-party authorization mechanism with the Docker daemon to manage access to Docker client commands.
Rationale:
Docker's out-of-the-box authorization model is all or nothing: any user with permission to access the Docker daemon can run any Docker client command. The same is true for callers that reach the daemon through Docker's remote API. If you require finer-grained access control, you can create authorization plugins and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can configure granular access policies that govern access to the Docker daemon.
Third-party integrations of Docker (e.g. Kubernetes, Cloud Foundry, OpenShift) may implement their own authorization models that require authorization with the Docker daemon outside of Docker's native authorization plugin mechanism.

Solution

Step 1: Install or create an authorization plugin.
Step 2: Configure the authorization policy as desired.
Step 3: Start the Docker daemon as below:
dockerd --authorization-plugin=<PLUGIN_ID>
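The following shell helper is an added example, not part of the CIS benchmark or of Docker itself. It audits the procedure above offline: a daemon counts as configured if its command line carries --authorization-plugin=<PLUGIN_ID> (either "=" or space-separated form, one or more times) or if /etc/docker/daemon.json lists at least one entry under the "authorization-plugins" key, which is the daemon.json equivalent of the flag. The plugin name "authz-broker" and the sample command lines and JSON are constructed placeholders; the daemon.json check is a regex approximation rather than a JSON parser, and an empty list or an empty flag value is treated as not configured.

```shell
#!/bin/sh
# Added example (not CIS or Docker code): offline audit helper for control 2.11.
# PASS when either the dockerd command line or daemon.json enables at least one
# authorization plugin; FAIL otherwise.

# Exit 0 if the dockerd command line names at least one plugin.
# Accepts "--authorization-plugin=NAME" and "--authorization-plugin NAME";
# an empty value ("--authorization-plugin= -H ...") or a value that is itself
# another flag does not count.
dockerd_cmdline_has_authz() {
    printf '%s\n' "$1" |
        grep -Eq -- '(^|[[:space:]])--authorization-plugin(=|[[:space:]]+)[^[:space:]-][^[:space:]]*'
}

# Exit 0 if daemon.json holds a non-empty "authorization-plugins" array.
# Regex approximation, not a JSON parser: it requires the key, "[" and a first
# quoted element, so "authorization-plugins": [] is reported as not configured.
daemon_json_has_authz() {
    printf '%s\n' "$1" | tr -d '\n' |
        grep -Eq '"authorization-plugins"[[:space:]]*:[[:space:]]*\[[[:space:]]*"[^"]+"'
}

# Prints PASS (exit 0) or FAIL (exit 1) for a command line and daemon.json text.
check_docker_authz() {
    if dockerd_cmdline_has_authz "$1" || daemon_json_has_authz "$2"; then
        echo PASS
    else
        echo FAIL
        return 1
    fi
}

# Live variant for a real host (not exercised below): reads the running dockerd
# process and /etc/docker/daemon.json, if present.
audit_running_daemon() {
    cmdline=$(ps -eo args 2>/dev/null | grep '[d]ockerd' | head -n 1 || true)
    json=$(cat /etc/docker/daemon.json 2>/dev/null || true)
    check_docker_authz "$cmdline" "$json"
}

# Constructed samples; "authz-broker" is a placeholder plugin name.
DEFAULT_CMDLINE='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
FLAG_CMDLINE='/usr/bin/dockerd -H fd:// --authorization-plugin=authz-broker'
EMPTY_FLAG_CMDLINE='/usr/bin/dockerd --authorization-plugin= -H fd://'
JSON_SET='{ "log-driver": "json-file", "authorization-plugins": ["authz-broker"] }'
JSON_EMPTY='{ "authorization-plugins": [] }'
JSON_NONE='{ "log-driver": "json-file" }'

# Demo run over the samples; "|| true" keeps a FAIL from aborting the script.
check_docker_authz "$DEFAULT_CMDLINE" "$JSON_NONE"    || true  # FAIL: default daemon
check_docker_authz "$FLAG_CMDLINE" "$JSON_NONE"       || true  # PASS: flag on command line
check_docker_authz "$DEFAULT_CMDLINE" "$JSON_SET"     || true  # PASS: set in daemon.json
check_docker_authz "$DEFAULT_CMDLINE" "$JSON_EMPTY"   || true  # FAIL: empty list
check_docker_authz "$EMPTY_FLAG_CMDLINE" "$JSON_NONE" || true  # FAIL: empty flag value
```

On a real host, call audit_running_daemon; a FAIL on a default installation is expected, since no authorization plugin is set up out of the box. Note that the helper only establishes that a plugin is configured, not that its policy is sound; review the plugin's policy separately.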
Impact:
Every Docker command passes through the authorization plugin mechanism, which may introduce a slight performance overhead.
Third-party platforms built on the Docker daemon may provide their own mechanism for implementing this security control.
Default Value:
By default, authorization plugins are not set up.

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-2, CSCv6|16

Plugin: Unix

Control ID: 9dd1a52a57a27d4153b99e70e4d25150955074a7242411551ef054cbfd426a64