Do not use insecure registries

Details

Docker considers a private registry either secure or insecure. By default, registries are considered secure.

Rationale:

A secure registry uses TLS. A copy of the registry’s CA certificate is placed on the Docker host in the ‘/etc/docker/certs.d//’ directory. An insecure registry is one that either lacks a valid registry certificate or does not use TLS. You should not use any insecure registries in a production environment. Insecure registries can be tampered with, which can lead to a compromise of your production system.

Additionally, if a registry is marked as insecure, the ‘docker pull’, ‘docker push’, and ‘docker search’ commands will not produce an error message, so users might work with insecure registries indefinitely without ever being notified of the potential danger.

Solution

Do not use any insecure registries.

For example, do not start the Docker daemon as below:

dockerd --insecure-registry 10.1.0.0/16
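The audit below is an added example, not part of this control's text. It checks the two places where a Docker daemon can be told to trust a registry without TLS: the --insecure-registry flag on the dockerd command line shown above and the "insecure-registries" key in /etc/docker/daemon.json (a standard Docker configuration file not mentioned on this page). Loopback entries are excluded because Docker treats local registries as insecure by default; the command line and daemon.json content are constructed samples.

```python
import json
import shlex
from typing import Dict, List

# Docker treats loopback registries as insecure on its own, so only
# non-local entries are reported (matches "all, but local" default).
LOCAL_PREFIXES = ("127.", "localhost")


def registries_from_cmdline(cmdline: str) -> List[str]:
    """Registries enabled via --insecure-registry on a dockerd command line.

    Handles both '--insecure-registry X' and '--insecure-registry=X'.
    """
    args = shlex.split(cmdline)
    found: List[str] = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg == "--insecure-registry" and i + 1 < len(args):
            found.append(args[i + 1])
            i += 2
            continue
        if arg.startswith("--insecure-registry="):
            found.append(arg.split("=", 1)[1])
        i += 1
    return found


def registries_from_daemon_json(text: str) -> List[str]:
    """The 'insecure-registries' entries from daemon.json content."""
    config = json.loads(text)
    return [str(entry) for entry in config.get("insecure-registries", [])]


def audit(cmdline: str, daemon_json: str) -> Dict[str, object]:
    """PASS only when no non-local insecure registry is configured anywhere."""
    found = registries_from_cmdline(cmdline) + registries_from_daemon_json(daemon_json)
    non_local = [r for r in found if not r.startswith(LOCAL_PREFIXES)]
    return {"insecure_registries": sorted(set(non_local)),
            "result": "PASS" if not non_local else "FAIL"}


# Constructed samples modelling a host that fails this control.
SAMPLE_CMDLINE = "dockerd --insecure-registry 10.1.0.0/16 -H fd://"
SAMPLE_DAEMON_JSON = json.dumps({
    "insecure-registries": ["registry.example.internal:5000", "127.0.0.1:5000"],
    "log-driver": "json-file",
})

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_CMDLINE, SAMPLE_DAEMON_JSON), indent=2))
```

On a real host, feed it the dockerd line from the service unit or process list and the content of /etc/docker/daemon.json; a FAIL result means the control is not met.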

Impact:

None.

Default Value:

By default, Docker assumes all, but local, registries are secure.

Supportive Information

This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity. This control applies to the following type of system: Unix.

Updated on July 16, 2022