
Do not use Docker’s default bridge docker0

Details

Do not use Docker’s default bridge docker0. Use Docker’s user-defined networks for container networking.

Rationale:

Docker connects virtual interfaces created in the bridge mode to a common bridge called docker0. This default networking model is vulnerable to ARP spoofing and MAC flooding attacks since there is no filtering applied.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Follow the Docker documentation and set up a user-defined network. Run all containers on that defined network.

Impact:

You have to manage the user-defined networks.

Default Value:

By default, docker runs containers on its docker0 bridge.
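The following script is an added example and is not part of the CIS benchmark or the Nessus page. It shows the two halves of this control in practice: an audit that lists running containers still attached to Docker's default "bridge" network (the one backed by docker0), and the remediation the Solution describes, creating a user-defined bridge network and running containers on it. The network name `app-net`, the container names and the image name are placeholders chosen for the example; the live audit assumes the `docker` CLI is on PATH. The offline part of the script (`audit_bridge_lines`) only parses `docker inspect`-style lines, so it runs without a Docker daemon.

```shell
#!/bin/sh
# Added example, not from the CIS/Nessus page. Audits containers for attachment
# to Docker's default "bridge" network (docker0) and shows the remediation from
# the control: run containers on a user-defined network instead.
#
# Assumptions: the docker CLI is available for the live audit; "app-net", the
# container names and the image name are illustrative placeholders.

# Go template for docker inspect: prints "<container> <network> [<network>...]"
# per container. Note that .Name from docker inspect carries a leading slash.
INSPECT_FMT='{{.Name}} {{range $k, $v := .NetworkSettings.Networks}}{{$k}} {{end}}'

# Read "<container> <network>..." lines on stdin and print every container that
# is attached to the default "bridge" network. Returns 1 if any were found,
# so the function can be used directly as a compliance check.
audit_bridge_lines() {
    found=0
    while read -r name nets; do
        [ -z "$name" ] && continue
        for net in $nets; do
            if [ "$net" = "bridge" ]; then
                echo "$name"
                found=1
                break
            fi
        done
    done
    return $found
}

# Live audit against the local daemon: inspect every running container and
# feed the network list into audit_bridge_lines.
live_audit() {
    ids=$(docker ps -q)
    [ -n "$ids" ] || return 0                      # nothing running, nothing to flag
    docker inspect --format "$INSPECT_FMT" $ids | audit_bridge_lines
}

# Remediation as described in the control: create a user-defined bridge network
# and start containers with --network so they never land on docker0.
# Containers on the same user-defined network can still reach each other by name.
remediate_example() {
    docker network create --driver bridge app-net
    docker run -d --name web --network app-net nginx:alpine   # image is illustrative
    docker run -d --name db  --network app-net postgres:16    # image is illustrative
}

# Constructed sample of docker inspect output, used for an offline dry run:
# "web" and "cache" are still on the default bridge, "db" is compliant.
SAMPLE='/web bridge 
/db app-net 
/cache app-net bridge '

if [ "${1:-}" = "--live" ]; then
    live_audit && echo "OK: no containers on docker0"
elif [ "${1:-}" = "--sample" ]; then
    echo "Containers attached to the default bridge (sample data):"
    printf '%s\n' "$SAMPLE" | audit_bridge_lines
fi
```

Run `sh audit.sh --sample` to see the parser flag the constructed `/web` and `/cache` entries; on a Docker host, `sh audit.sh --live` performs the real check, exiting non-zero when any running container is attached to the default bridge. Remediation is a one-time `docker network create` followed by adding `--network app-net` to every `docker run` (or the equivalent `networks:` key in Compose files).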

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.


Updated on July 16, 2022