Control: 2.7 Ensure TLS authentication for Docker daemon is configured
Description
It is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.
By default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket.
If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.
Remediation
Follow the steps mentioned in the Docker documentation or other references.
Default Value
By default, TLS authentication is not configured.
Usage
Run the control in your terminal:
powerpipe control run docker_compliance.control.cis_v160_2_7
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run docker_compliance.control.cis_v160_2_7 --share
SQL
This control uses a named query:
exec_tls_authentication_docker_daemon_configured