2.2 Ensure network traffic is restricted between containers on the default bridge

Information

By default, all network traffic is allowed between containers on the same host on the default network bridge. If not desired, restrict all inter-container communication. Link specific containers together that require communication. Alternatively, you can create custom network and only join containers that need to communicate to that custom network.

Rationale:

By default, unrestricted network traffic is enabled between all containers on the same host on the default network bridge. Thus, each container has the potential of reading all packets across the container network on the same host. This might lead to an unintended and unwanted disclosure of information to other containers. Hence, restrict inter-container communication on the default network bridge.

Impact:

Inter-container communication would be disabled on the default network bridge. If any communication between containers on the same host is desired, then it needs to be explicitly defined using container linking or alternatively custom networks have to be defined.

Solution

Edit the Docker daemon configuration file to ensure that icc is disabled. It should include the following setting

'icc': false

Alernatively, run the docker daemon directly and pass --icc=false as an argument.
For Example,

dockerd --icc=false

Alternatively, you can follow the Docker documentation and create a custom network and only join containers that need to communicate to that custom network. The --icc parameter only applies to the default docker bridge, if custom networks are used then the approach of segmenting networks should be adopted instead.
In order for this control to be fully effective, all containers connected to the docker0 bridge should drop the NET_RAW capability, otherwise a compromised container could use raw ethernet packets to communicate with other containers despite this restriction.

Default Value:

By default, all inter-container communication is allowed on the default network bridge.

See Also

https://workbench.cisecurity.org/files/3353

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-23, CSCv6|2.1, CSCv7|9

Plugin: Unix

Control ID: c42e7ef648909b9dcf7281ad653e2d07c9b50435d61ee631d3a7e08b3b643804