Open only needed ports on container

Details

https://docs.docker.com/articles/networking/#binding-ports

Solution

Fix the Dockerfile of the container image so that it exposes only the ports your
containerized application needs. You can also ignore the list of ports defined in the
Dockerfile entirely by NOT using the ‘-P’ (UPPERCASE) flag when starting the container. Use the ‘-p’
(lowercase) flag instead to explicitly define the ports that a particular container
instance needs. For example:

$> docker run -i -t -p 5000 -p 5001 -p 5002 centos /bin/bash

Impact: None.

Default Value: By default, all ports listed under the EXPOSE instruction in the image's
Dockerfile are opened when the container is run with the ‘-P’ flag.
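The check below is an added example, not part of this article or of Docker's own tooling. It works on a constructed Dockerfile string: it lists the ports that the EXPOSE instruction would cause ‘-P’ to publish, reports which of those are not on the list the application actually needs, and builds the explicit ‘-p’ command line from the Solution above. The port numbers and the image name are assumed, and no docker daemon is required to run it.

```sh
#!/bin/sh
# Constructed Dockerfile content for the example (assumed, not from the article).
DOCKERFILE='FROM centos
EXPOSE 5000 5001 5002 6000/udp 8080
CMD ["/bin/bash"]'

# Print every port named in EXPOSE instructions, one per line.
# These are exactly the ports "docker run -P" would publish on the host.
exposed_ports() {
  printf '%s\n' "$1" | awk 'toupper($1) == "EXPOSE" { for (i = 2; i <= NF; i++) print $i }'
}

# Print EXPOSEd ports that are NOT in the needed list given as arguments.
# A non-empty result means -P would open more than the application requires.
unneeded_ports() {
  dockerfile=$1
  shift
  needed=" $* "
  for port in $(exposed_ports "$dockerfile"); do
    case "$needed" in
      *" $port "*) ;;                # needed: keep quiet
      *) printf '%s\n' "$port" ;;    # would be opened by -P without being needed
    esac
  done
}

# Build explicit "-p PORT" flags for only the needed ports.
publish_flags() {
  flags=""
  for p in "$@"; do
    flags="$flags -p $p"
  done
  printf '%s' "${flags# }"
}

# Assemble the docker run command line that publishes only the needed ports
# (mirrors the example in the Solution section; image name is assumed).
run_cmd() {
  printf 'docker run -i -t %s centos /bin/bash' "$(publish_flags "$@")"
}

# Stand-alone run: show what -P would open, what is surplus, and the -p command.
echo "Ports -P would publish:"
exposed_ports "$DOCKERFILE"
echo "Exposed but not needed:"
unneeded_ports "$DOCKERFILE" 5000 5001 5002
echo "Explicit command:"
run_cmd 5000 5001 5002
echo
```

Run it against the real Dockerfile by replacing the constructed DOCKERFILE value with `$(cat Dockerfile)`; any line printed under "Exposed but not needed" is a port to drop from EXPOSE or to leave unpublished by starting the container with ‘-p’ rather than ‘-P’.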

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Unix.

References

Source

Updated on July 16, 2022