Authorization for Docker client commands is enabled

docker

Classification:

compliance

Framework:

cis-docker

Control:

2.11

Set up the docker integration.

Description

You should use native Docker authorization plugins or a third party authorization mechanism with the Docker daemon to manage access to Docker client commands.

Rationale

Docker's out-of-the-box authorization model is currently "all or nothing". This means that any user with permission to access the Docker daemon can run any Docker client command. The same is true for remote users accessing Docker's API to contact the daemon. If you require greater access control, you can create authorization plugins and add them to your Docker daemon configuration. Using an authorization plugin, a Docker administrator can configure granular access policies for managing access to the Docker daemon. Third-party integrations of Docker may implement their own authorization models that require authorization with the Docker daemon outside of Docker's native authorization plugin mechanism (e.g. Kubernetes, Cloud Foundry, OpenShift).

Audit

Check the authorization plugin in use by reviewing the dockerd startup options and settings in the /etc/docker/daemon.json file. To review the dockerd startup options, run:

ps -ef | grep dockerd

Ensure that the --authorization-plugin parameter is set appropriately if you are using Docker's native authorization. Also review the authorization-plugin setting in the /etc/docker/daemon.json file.

The native Docker authorization plugin is only one method of enforcing this control, so other methods that could potentially be in use should be reviewed before assessing this as a pass or fail in an audit.
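As an added example (not part of the CIS control text or of Docker's own tooling), the following POSIX shell function performs the audit above offline against a captured dockerd command line and a daemon.json path, and treats the control as met only when a non-empty plugin list is configured. It assumes the daemon.json key is spelled `authorization-plugins` (plural), which is how Docker documents it; the sample inputs at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Audit helper for CIS Docker 2.11 (added example, not part of the benchmark).
# Usage: check_docker_authz "<dockerd command line>" "<path to daemon.json>"
# Returns 0 when an authorization plugin is configured, 1 otherwise.
check_docker_authz() {
  cmdline="$1"
  conf="$2"

  # Form 1: dockerd was started with --authorization-plugin=<id> or
  # --authorization-plugin <id>. The flag may be repeated; one match is enough.
  # A value starting with "-" (the next flag) does not count as a plugin id.
  if printf '%s\n' "$cmdline" |
     grep -Eq -- '--authorization-plugin(=|[[:space:]]+)[^[:space:]=-][^[:space:]]*'; then
    echo "pass: --authorization-plugin present on dockerd command line"
    return 0
  fi

  # Form 2: daemon.json contains "authorization-plugins": ["<id>", ...].
  # Newlines are stripped first so a pretty-printed file still matches;
  # an empty array ("[]") is treated as not configured.
  if [ -r "$conf" ] && tr -d '\n' < "$conf" |
     grep -Eq '"authorization-plugins"[[:space:]]*:[[:space:]]*\[[[:space:]]*"[^"]+"'; then
    echo "pass: authorization-plugins set in $conf"
    return 0
  fi

  echo "fail: no authorization plugin configured (CIS Docker 2.11)"
  return 1
}

# On a live host, pair the function with the audit command from the control:
#   check_docker_authz "$(ps -eo args | grep '[d]ockerd')" /etc/docker/daemon.json

# Constructed sample inputs (not from a real host) showing each outcome.
sample_conf=$(mktemp)
printf '{\n  "authorization-plugins": ["authz-broker"]\n}\n' > "$sample_conf"
check_docker_authz '/usr/bin/dockerd -H fd://' "$sample_conf"                           # pass (file)
check_docker_authz '/usr/bin/dockerd --authorization-plugin=authz-broker' /nonexistent  # pass (flag)
check_docker_authz '/usr/bin/dockerd -H fd://' /nonexistent || true                     # fail
rm -f "$sample_conf"
```

A pass from this script only shows that a plugin is configured; whether the named plugin is actually installed and enforcing a sensible policy still has to be verified by hand, as the control notes.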

Remediation

  1. Install/Create an authorization plugin.
  2. Configure the authorization policy as desired.
  3. Start the Docker daemon as below: dockerd --authorization-plugin=<PLUGIN_ID>

Impact

Each Docker command needs to pass through the authorization plugin mechanism. This may have a performance impact. It may be possible to use alternative mechanisms that do not have this performance hit.

Default value

By default, authorization plugins are not set up.

References

  1. https://docs.docker.com/engine/reference/commandline/dockerd/#access-authorization
  2. https://docs.docker.com/engine/extend/plugins_authorization/
  3. https://github.com/twistlock/authz

CIS controls

Version 6

16 Account Monitoring and Control