Containers use a non-default bridge network.

docker

Classification:

compliance

Framework:

cis-docker

Control:

5.29

Set up the docker integration.

Description

You should not use Docker’s default bridge docker0. Instead you should use Docker’s user-defined networks for container networking.

Rationale

Docker connects the virtual interfaces of containers started in bridge mode to a common Linux bridge called docker0. Every container on the host therefore shares one layer-2 segment with no filtering applied to it, which leaves the default networking model exposed to ARP spoofing and MAC flooding from any container on that segment. User-defined bridge networks do not add such filtering either; the gain is that each user-defined network is a separate bridge containing only the containers explicitly attached to it, so a compromised container can only reach the layer-2 segment of the containers it was deliberately networked with.

Audit

Run this command and verify that containers are on a user-defined network and not the default Docker bridge:

docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'

The default bridge is the network whose options include com.docker.network.bridge.default_bridge:true. The same inspect output lists the attached containers under Containers; any container listed there for the default bridge fails this check.

Remediation

Follow the Docker documentation and create a user-defined bridge network, then start every container attached to that network rather than the default bridge. Containers that are already running can be moved between networks without a restart. Containers on a user-defined bridge also resolve each other by name through Docker's embedded DNS, so the legacy container linking that the default bridge requires is no longer needed.
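The audit and remediation steps above, as an added worked example that is not part of the CIS benchmark, the Docker project, or this page's integration. It parses the JSON that `docker network inspect` prints, identifies the default bridge by its default_bridge option rather than by name, reports every container attached to it, and emits the Docker CLI commands that move those containers onto a user-defined network. The inspect output embedded below is constructed sample data, and the network and container names (app-net, legacy-web, legacy-db, api) are assumptions for the example.

```python
import json

# Constructed sample of the JSON that `docker network inspect` prints for every
# network on a host (example data, not captured from a real system). The
# default bridge is recognisable by the default_bridge option; the two
# "legacy-*" containers attached to it are the violations this control targets.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "bridge",
        "Driver": "bridge",
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.name": "docker0",
        },
        "Containers": {
            "3f1e0a7c2b9d": {"Name": "legacy-web", "IPv4Address": "172.17.0.2/16"},
            "a9c04e11f6d3": {"Name": "legacy-db", "IPv4Address": "172.17.0.3/16"},
        },
    },
    {
        "Name": "app-net",
        "Driver": "bridge",
        "Options": {},
        "Containers": {
            "77bd5c9e0a12": {"Name": "api", "IPv4Address": "172.18.0.2/16"},
        },
    },
    {"Name": "host", "Driver": "host", "Options": {}, "Containers": {}},
    {"Name": "none", "Driver": "null", "Options": {}, "Containers": {}},
])

# Same shape (also constructed), but with nothing on the default bridge: a compliant host.
SAMPLE_CLEAN = json.dumps([
    {
        "Name": "bridge",
        "Driver": "bridge",
        "Options": {"com.docker.network.bridge.default_bridge": "true"},
        "Containers": {},
    },
    {
        "Name": "app-net",
        "Driver": "bridge",
        "Options": {},
        "Containers": {"77bd5c9e0a12": {"Name": "api", "IPv4Address": "172.18.0.2/16"}},
    },
])


def is_default_bridge(network):
    """True for Docker's built-in docker0 bridge.

    Match on the driver option rather than on the name "bridge" so the check
    still holds if a user-defined network happens to carry a similar name.
    """
    options = network.get("Options") or {}
    return (network.get("Driver") == "bridge"
            and options.get("com.docker.network.bridge.default_bridge") == "true")


def audit(inspect_json):
    """Return sorted (container_name, network_name) pairs for every container
    attached to the default bridge. An empty list means the host passes 5.29."""
    findings = []
    for network in json.loads(inspect_json):
        if not is_default_bridge(network):
            continue
        for container in (network.get("Containers") or {}).values():
            findings.append((container["Name"], network["Name"]))
    return sorted(findings)


def remediation(findings, target="app-net"):
    """Docker CLI commands that move each offending container onto the
    user-defined network `target` (an assumed name) and off the default bridge.
    Recreating the container with `docker run --network <target>` is the
    cleaner long-term fix; connect/disconnect avoids a restart."""
    commands = [f"docker network create {target}"]
    for container_name, default_name in findings:
        commands.append(f"docker network connect {target} {container_name}")
        commands.append(f"docker network disconnect {default_name} {container_name}")
    return commands


if __name__ == "__main__":
    # On a real host, replace SAMPLE_INSPECT with the output of:
    #   docker network inspect $(docker network ls --quiet)
    violations = audit(SAMPLE_INSPECT)
    for name, net in violations:
        print(f"FAIL: container {name} is attached to default bridge {net}")
    for cmd in remediation(violations):
        print(cmd)
```

Matching on the default_bridge option is deliberate: the name "bridge" is conventional, but the option is what the daemon itself uses to mark docker0, so the check does not depend on naming. The `docker network create` line will fail harmlessly if the target network already exists; drop it in that case.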

Impact

User-defined networks need to be configured and managed in line with organizational security policy.

Default value

By default, Docker runs containers within the default docker0 bridge.

References

  1. https://github.com/nyantec/narwhal
  2. https://arxiv.org/pdf/1501.02967
  3. https://docs.docker.com/engine/userguide/networking/

CIS controls

Version 6

9 Limitation and Control of Network Ports, Protocols, and Services