2.1 Restrict network traffic between containers

Information

By default, all network traffic is allowed between containers on the same host. If this is not desired, restrict all inter-container communication and instead link only the specific containers that require it.

Rationale:

By default, unrestricted network traffic is enabled between all containers on the same host. Each container therefore has the potential to read all packets crossing the container network on that host, which might lead to unintended and unwanted disclosure of information to other containers. Hence, restrict inter-container communication.

Solution

Run the Docker daemon with '--icc=false' passed as an argument.

For example:

/usr/bin/dockerd --icc=false

Impact:

Inter-container communication would be disabled. No container would be able to talk to another container on the same host. If any communication between containers on the same host is desired, it needs to be explicitly defined using container linking.

Default Value:

By default, all inter-container communication is allowed.
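The following is an added audit helper, not part of the CIS text or any Tenable plugin. It checks the three places where the setting above shows up: the running dockerd command line (the '--icc=false' argument), the daemon configuration file (the equivalent "icc": false key in daemon.json), and the effective state reported by 'docker network inspect bridge', where the option appears as com.docker.network.bridge.enable_icc. The sample inputs are constructed, so the offline checks run without Docker; the live check is only attempted when a docker CLI is on PATH. The function names are this example's own.

```shell
#!/bin/sh
# Added example: audit whether inter-container communication (ICC) is disabled.
# Function names below are this example's own, not from the benchmark.

# Return 0 if captured `docker network inspect bridge` output shows ICC disabled.
# Docker pretty-prints the JSON, so whitespace around the colon is tolerated.
icc_disabled_in_inspect() {
    printf '%s\n' "$1" | grep -Eq '"com\.docker\.network\.bridge\.enable_icc"[[:space:]]*:[[:space:]]*"false"'
}

# Return 0 if a dockerd command line (e.g. a `ps -ef` row) carries --icc=false.
# `--` stops grep from reading the pattern itself as an option.
icc_disabled_in_cmdline() {
    printf '%s\n' "$1" | grep -Eq -- '(^|[[:space:]])--icc=false([[:space:]]|$)'
}

# Return 0 if a daemon.json body sets "icc": false (the config-file equivalent
# of the --icc=false argument).
icc_disabled_in_daemon_json() {
    printf '%s\n' "$1" | grep -Eq '"icc"[[:space:]]*:[[:space:]]*false'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_INSPECT_OPEN='[{"Name": "bridge", "Options": {"com.docker.network.bridge.enable_icc": "true"}}]'
SAMPLE_INSPECT_CLOSED='[{"Name": "bridge", "Options": {"com.docker.network.bridge.enable_icc": "false"}}]'
SAMPLE_CMDLINE_OPEN='root 1234 1 0 10:00 ? 00:00:05 /usr/bin/dockerd'
SAMPLE_CMDLINE_CLOSED='root 1234 1 0 10:00 ? 00:00:05 /usr/bin/dockerd --icc=false'
SAMPLE_DAEMON_JSON='{ "icc": false, "log-level": "info" }'

# Print PASS/FAIL for one check; keeps the top-level demo readable.
report() {
    if "$1" "$2"; then echo "PASS: $3"; else echo "FAIL: $3"; fi
}

# Live check against the local daemon; returns 2 when it cannot be performed.
audit_live() {
    command -v docker >/dev/null 2>&1 || { echo "SKIP: docker CLI not found"; return 2; }
    out=$(docker network inspect bridge 2>/dev/null) || { echo "SKIP: cannot inspect bridge network"; return 2; }
    if icc_disabled_in_inspect "$out"; then echo "PASS: ICC disabled on bridge"; return 0; fi
    echo "FAIL: ICC enabled on bridge (default)"; return 1
}

# Offline demonstration on the constructed samples.
report icc_disabled_in_inspect "$SAMPLE_INSPECT_OPEN" "inspect sample with ICC open"
report icc_disabled_in_inspect "$SAMPLE_INSPECT_CLOSED" "inspect sample with ICC closed"
report icc_disabled_in_cmdline "$SAMPLE_CMDLINE_OPEN" "dockerd without --icc=false"
report icc_disabled_in_cmdline "$SAMPLE_CMDLINE_CLOSED" "dockerd with --icc=false"
report icc_disabled_in_daemon_json "$SAMPLE_DAEMON_JSON" "daemon.json with icc false"
```

Run the file as-is to see the offline verdicts; call audit_live on a host with the docker CLI to check the effective bridge setting, which is the value that matters even when the argument is absent from the command line because it was set in daemon.json.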

See Also

https://workbench.cisecurity.org/files/1476

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(21)

Plugin: Unix

Control ID: 0f6d654c714f4ce663681473698465eff9b52307e735422ee7acbf61f92f1e92