v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/docker_compliance
Overview
1Dashboards
88Controls
88Queries
2Variables
GitHub

Control: 7.2 Ensure that swarm services are bound to a specific host interface

Description

You should not keep a large number of containers on the same host.

The flexibility of containers makes it easy to run multiple instances of applications and therefore indirectly leads to Docker images that can exist at varying security patch levels. It also means that you are consuming host resources that otherwise could have been used for running 'useful' containers. Having more than just an essential number of containers on a particular host makes the system vulnerable to mishandling, misconfiguration and fragmentation. You should therefore keep the number of containers on a given host to the minimum number commensurate with serving production applications.

Remediation

You should periodically check your container inventory on each host and clean up containers which are not in active use with the command below:

docker container prune

Default Value

By default, Docker does not restrict the number of containers you may have on a host.

Usage

Run the control in your terminal:

powerpipe control run docker_compliance.control.cis_v160_7_2

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run docker_compliance.control.cis_v160_7_2 --share

SQL

This control uses a named query:

exec_swarm_services_bound_to_specific_host_interface

Tags

category = Compliance
cis = true
cis_item_id = 7.2
cis_level = 1
cis_section_id = 7
cis_type = manual
cis_version = v1.6.0
plugin = docker
service = Docker