2.7 Ensure TLS authentication for Docker daemon is configured - tlsverify

Information

It is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.

Rationale:

By default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket.

If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.

Impact:

You would need to manage and guard certificates and keys for the Docker daemon and Docker clients.

Solution

Follow the steps mentioned in the Docker documentation or other references.

Default Value:

By default, TLS authentication is not configured.

See Also

https://workbench.cisecurity.org/files/4532

Item Details

Category: ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

References: 800-53|AC-17, 800-53|AC-17(1), 800-53|SC-7, 800-53|SI-4, CSCv7|9.2

Plugin: Unix

Control ID: a7809a86b4a09ba71872957cc803b7e30d8358d4da8d6ca8c19750b480024f0e