
Configure TLS authentication for Docker daemon ‘–tlsverify’

Details

It is possible to make the Docker daemon listen on a specific IP address and port, or on a Unix socket other than the default one. Configure TLS authentication to restrict access to the Docker daemon over IP and port.

By default, the Docker daemon binds to a non-networked Unix socket and runs with ‘root’ privileges. If you change the default Docker daemon binding to a TCP port or to any other Unix socket, anyone with access to that port or socket has full access to the Docker daemon and, in turn, to the host system. Hence, you should not bind the Docker daemon to another IP/port or Unix socket. If you must expose the Docker daemon via a network socket, configure TLS authentication for the daemon and for the Docker Swarm APIs (if in use). This restricts connections to your Docker daemon over the network to the limited set of clients that can successfully authenticate over TLS.

Solution

Follow the steps mentioned in the Docker documentation or other references.
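An added audit helper (example code, not from the CIS benchmark or the Docker documentation) that checks whether a daemon.json, or a running dockerd command line as shown by `ps -ef`, exposes a TCP listener without the ‘tlsverify’, CA, certificate and key settings this control requires. The helper names, the certificate paths and both sample configurations are constructed for illustration:

```shell
# Added example, not part of the CIS page or the Docker documentation: audits a
# daemon.json (or a dockerd command line) for the settings this control requires.
# A TCP listener must come with tlsverify, a CA cert, a server cert and a server key.
# All file paths and both sample configurations below are constructed.

# Return codes: 0 = TCP listener with TLS verification (compliant),
# 1 = TCP listener without full TLS verification (finding), 2 = no TCP listener.
audit_daemon_tls() {
    cfg="$1"
    # Flatten newlines so a multi-line "hosts" array is matched as one string.
    if ! tr -d '\n' < "$cfg" | grep -Eq '"hosts"[^]]*tcp://'; then
        return 2
    fi
    for key in '"tlsverify"[[:space:]]*:[[:space:]]*true' '"tlscacert"' '"tlscert"' '"tlskey"'; do
        grep -Eq "$key" "$cfg" || return 1
    done
    return 0
}

# Same check for a dockerd command line (e.g. from `ps -ef`), since the flags may be
# passed there instead of in daemon.json. Same return codes.
audit_dockerd_cmdline() {
    line="$1"
    case "$line" in *tcp://*) ;; *) return 2 ;; esac
    case "$line" in *--tlsverify=false*) return 1 ;; *--tlsverify*) ;; *) return 1 ;; esac
    for flag in --tlscacert --tlscert --tlskey; do
        case "$line" in *"$flag"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Constructed sample: TCP listener with TLS verification enforced (compliant).
write_sample_secure() {
    cat > "$1" <<'EOF'
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/certs/ca.pem",
  "tlscert": "/etc/docker/certs/server-cert.pem",
  "tlskey": "/etc/docker/certs/server-key.pem"
}
EOF
}

# Constructed sample: TCP listener with no TLS at all (finding).
write_sample_insecure() {
    printf '{\n  "hosts": ["tcp://0.0.0.0:2375"]\n}\n' > "$1"
}
```

Run `audit_daemon_tls /etc/docker/daemon.json` on a host to audit its real configuration; a return code of 1 is the finding this control describes.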

Impact: You would need to manage and guard certificates and keys for the Docker daemon and Docker clients.

Default Value: By default, TLS authentication is not configured.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection.

This control applies to the following type of system: Unix.


Updated on July 16, 2022