
Bind swarm services to a specific host interface

Details

By default, Docker swarm services listen on all interfaces of the host. Where the host has multiple network interfaces, this is usually wider exposure than the operation of the swarm requires.

Rationale:

When a swarm is initialized, the default value of the `--listen-addr` flag is `0.0.0.0:2377`, which means the swarm services listen on every interface of the host. If a host has multiple network interfaces this may be undesirable, as it exposes the Docker swarm management port to networks that are not involved in the operation of the swarm.

By passing a specific IP address to `--listen-addr`, the services are bound to a single network interface, limiting this exposure.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Remediation requires re-initializing the swarm with a specific interface address passed to the `--listen-addr` parameter.
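The benchmark is verified by confirming that the swarm management port (TCP/2377 by default) is bound to a specific address rather than a wildcard. The following POSIX shell helper is an added example, not part of the Tenable page or the CIS benchmark text: it parses `ss -lnt`-style listener output and reports whether port 2377 is bound to `0.0.0.0`, `[::]` or `*`. The two listener samples are constructed, and the address `10.0.0.5` is an assumed management-network address.

```shell
#!/bin/sh
# Added audit helper (not from the Tenable page or the CIS benchmark):
# given `ss -lnt`-style output, report whether TCP/2377 is bound to a
# wildcard address (0.0.0.0, [::] or *) instead of a specific interface.
# Assumes the usual `ss` column layout: State Recv-Q Send-Q Local:Port Peer:Port

# Constructed sample of `ss -lnt` output on an unhardened swarm manager
# (default `docker swarm init`, i.e. --listen-addr 0.0.0.0:2377).
SAMPLE_WILDCARD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   0.0.0.0:2377        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:22        0.0.0.0:*'

# Constructed sample after re-initialising the swarm on the assumed
# management address: docker swarm init --listen-addr 10.0.0.5:2377
SAMPLE_BOUND='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   10.0.0.5:2377       0.0.0.0:*
LISTEN 0      4096   [::1]:22            [::]:*'

# swarm_listen_check <ss output> [port]
# Prints every local address bound on <port> (default 2377) and returns:
#   0 = bound only to specific addresses (compliant)
#   1 = at least one wildcard binding found (finding)
#   2 = nothing listening on that port
swarm_listen_check() {
    _out=$1
    _port=${2:-2377}
    # Column 4 is Local Address:Port; the port is the text after the last ':'
    # (IPv6 addresses such as [::]:2377 contain more than one ':').
    _addrs=$(printf '%s\n' "$_out" | awk -v p="$_port" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] == p) print $4
        }')
    [ -n "$_addrs" ] || return 2
    printf '%s\n' "$_addrs"
    printf '%s\n' "$_addrs" | grep -Eq '^(0\.0\.0\.0|\[::\]|\*):' && return 1
    return 0
}

# Demo on the constructed samples. On a live manager the call would be:
#   swarm_listen_check "$(ss -lnt)" 2377
for _s in "$SAMPLE_WILDCARD" "$SAMPLE_BOUND"; do
    if swarm_listen_check "$_s" 2377; then
        echo "OK: TCP/2377 is bound to specific interface(s)"
    else
        echo "FINDING: TCP/2377 is bound to a wildcard address, or not listening"
    fi
done
```

The check only reads listener state, so it can be run as part of a host audit without touching the swarm; a non-zero result from the function is the condition that the remediation above (re-initializing with `--listen-addr <management-ip>:2377`) is meant to clear.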

Impact:

None

Default Value:

By default, Docker swarm services listen on all available host interfaces.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: Unix.

References

Source

Updated on July 16, 2022
