Only needed ports are open on the container
Description
The Dockerfile for a container image defines the ports that are opened by default on a container instance. This list of ports is specific to the application you run within the container, and a port should only be open if that application needs it.
Rationale
A container can be run with only the ports defined in the Dockerfile for its image, or it can be passed arbitrary run-time parameters that open any list of ports. Additionally, over time the Dockerfile may undergo various changes, and the list of exposed ports may no longer be relevant to the application you are running within the container. Opening unneeded ports increases the attack surface of the container and of the containerized application. Good security practice is to open only the ports that are needed for the correct operation of the application.
Audit
List all the running instances of containers and their associated port mappings by executing this command: docker ps --quiet | xargs docker inspect --format '{{ .Id }}: Ports={{ .NetworkSettings.Ports }}'
Then review the list and ensure that all the ports mapped are required by each container.
You should ensure that the Dockerfile for each container image only exposes needed ports. You can also completely ignore the list of ports defined in the Dockerfile by NOT using the -P (uppercase) or --publish-all flag when starting the container. Instead, use the -p (lowercase) or --publish flag to explicitly define the ports that you need for a particular container instance. For example: docker run --interactive --tty --publish 5000 --publish 5001 --publish 5002 centos /bin/bash
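The audit above asks you to list every running container's port mappings and confirm each one is required. The following script is an added example (not part of the benchmark text or any vendor tooling) that automates that review: it reads docker inspect output and flags any published host port that is not on a per-image allowlist. The allowlist, the container records and the image names are constructed sample data, not values from the page.

```python
import json
import subprocess
from typing import Dict, List, Set

def published_ports(container: dict) -> Dict[str, List[str]]:
    """Return {container_port: [host_ip:host_port, ...]} for ports that
    actually have a host binding. Ports that are only EXPOSEd (no -p/-P)
    appear in NetworkSettings.Ports with a null value and are skipped."""
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    result: Dict[str, List[str]] = {}
    for cport, bindings in ports.items():
        if bindings:
            result[cport] = [f"{b['HostIp']}:{b['HostPort']}" for b in bindings]
    return result

def audit_ports(containers: List[dict], allowed: Dict[str, Set[str]]) -> List[str]:
    """Flag every published container port not in the allowlist for its image.
    `allowed` maps image name -> set of container ports such as '5000/tcp'."""
    findings = []
    for c in containers:
        name = c.get("Name", "").lstrip("/")
        image = c.get("Config", {}).get("Image", "")
        expected = allowed.get(image, set())
        for cport, binds in published_ports(c).items():
            if cport not in expected:
                findings.append(f"{name} ({image}): {cport} published on "
                                f"{', '.join(binds)} is not in allowlist")
    return findings

def running_containers() -> List[dict]:
    """Same data the benchmark's audit command reads, taken from the docker CLI."""
    ids = subprocess.run(["docker", "ps", "--quiet"], check=True,
                         capture_output=True, text=True).stdout.split()
    if not ids:
        return []
    raw = subprocess.run(["docker", "inspect", *ids], check=True,
                         capture_output=True, text=True).stdout
    return json.loads(raw)

# Constructed sample records in the shape `docker inspect` returns (hypothetical images).
SAMPLE_CONTAINERS = [
    {"Name": "/web", "Config": {"Image": "web:1.0"}, "NetworkSettings": {"Ports": {
        "5000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "5000"}],
        "22/tcp": [{"HostIp": "0.0.0.0", "HostPort": "2222"}],   # unneeded, should be flagged
        "9000/tcp": None}}},                                     # exposed only, not published
    {"Name": "/db", "Config": {"Image": "db:1.0"}, "NetworkSettings": {"Ports": {
        "5432/tcp": None}}},
]
ALLOWED = {"web:1.0": {"5000/tcp"}, "db:1.0": set()}  # hypothetical per-image allowlist

if __name__ == "__main__":
    for finding in audit_ports(running_containers(), ALLOWED):
        print(finding)
```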
Impact
None.
Default value
By default, all the ports that are listed in the Dockerfile under the EXPOSE instruction for an image are opened when a container is run with the -P or --publish-all flag.
CIS controls
Version 6: 9.1 Limit Open Ports, Protocols, and Services. Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7: 9.2 Ensure Only Approved Ports, Protocols and Services Are Running. Ensure that only network ports, protocols, and services listening on a system with validated business needs are running on each system.