2.6 Configure TLS authentication for Docker daemon --tlskey

Information

It is possible to make the Docker daemon to listen on a specific IP and port and any other Unix socket other than default Unix socket. Configure TLS authentication to restrict access to Docker daemon via IP and port.

Rationale:

By default, Docker daemon binds to a non-networked Unix socket and runs with 'root' privileges. If you change the default docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket can have full access to Docker daemon and in turn to the host system. Hence, you should not bind the Docker daemon to another IP/port or a Unix socket.

If you must expose the Docker daemon via a network socket, configure TLS authentication for the daemon and Docker Swarm APIs (if using).This would restrict the connections to your Docker daemon over the network to a limited number of clients who could successfully authenticate over TLS.

Solution

Follow the steps mentioned in the Docker documentation or other references.

Impact:

You would need to manage and guard certificates and keys for Docker daemon and Docker clients.

Default Value:

By default, TLS authentication is not configured.

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-13

Plugin: Unix

Control ID: ff81f7d02a9c185adefb2a60ba4e7efa4b866e97188141f5013c903190ca003c