2.4 Ensure insecure registries are not used

Information

Docker classifies each registry it talks to as either secure or insecure. By default, every registry is treated as secure.
Rationale:
A secure registry is reached over TLS, and the registry's CA certificate is placed on the Docker host under the /etc/docker/certs.d/<registry-name>/ directory (as ca.crt). An insecure registry is one that either does not use TLS at all or does not present a certificate the host can validate. Insecure registries should never be used in a production environment: traffic to them can be intercepted or tampered with, so an attacker could serve a modified image and compromise the production system.
Additionally, once a registry is marked as insecure, docker pull, docker push, and docker search against it do not produce an error or warning. A user can therefore keep working with an insecure registry indefinitely without ever being notified of the danger.

Solution

Do not use any insecure registries.
For example, do not start the Docker daemon as below:
dockerd --insecure-registry 10.1.0.0/16
The same setting can also be applied through the "insecure-registries" key in /etc/docker/daemon.json; do not set that key either. To verify, run ps -ef | grep dockerd and confirm that no --insecure-registry flag is present, and check /etc/docker/daemon.json for an insecure-registries entry. If an internal registry cannot yet serve a valid certificate, place its CA certificate under /etc/docker/certs.d/<registry-name>/ rather than marking the registry insecure.
Impact:
None.
Default Value:
By default, Docker treats every registry as secure except those on the local loopback address range (docker info lists 127.0.0.0/8 under Insecure Registries even when nothing has been configured).

See Also

https://workbench.cisecurity.org/files/1726

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-7(6), CSCv6|14.2

Plugin: Unix

Control ID: d44b3deea9d5738d911048c55c7308dc9c06f39690074b51d0f2fc8af76cd992