turbot/docker_compliance

Control: 2.7 Ensure TLS authentication for Docker daemon is configured

Description

It is possible to make the Docker daemon available remotely over a TCP port. If this is required, you should ensure that TLS authentication is configured in order to restrict access to the Docker daemon via IP address and port.

By default, the Docker daemon binds to a non-networked Unix socket and runs with root privileges. If you change the default Docker daemon binding to a TCP port or any other Unix socket, anyone with access to that port or socket could have full access to the Docker daemon and therefore in turn to the host system. For this reason, you should not bind the Docker daemon to another IP/port or a Unix socket.

If you must expose the Docker daemon via a network socket, you should configure TLS authentication for the daemon and for any Docker Swarm APIs (if they are in use). This type of configuration restricts the connections to your Docker daemon over the network to a limited number of clients who have access to the TLS client credentials.

Remediation

Follow the steps mentioned in the Docker documentation or other references.

Default Value

By default, TLS authentication is not configured.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_2_7

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_2_7 --share

SQL

This control uses a named query:

exec_tls_authentication_docker_daemon_configured

Tags