Description
Do not enable swarm mode on a Docker engine instance unless this is needed.
Rationale
By default, a Docker engine instance does not listen on any network port; all client communication goes over the local Unix socket. When swarm mode is enabled, the engine opens several network ports (by default 2377/tcp for cluster management, 7946/tcp and 7946/udp for node communication, and 4789/udp for overlay network traffic) and makes them reachable from other systems on the network. Every listening port enlarges the attack surface of the host and should be avoided unless it is required. Note that swarm mode is required for the operation of Docker Enterprise components.
Audit
Review the output of the docker info command. If the output includes the line Swarm: active, swarm mode has been activated on the Docker engine; confirm whether swarm mode on this instance is actually needed. The same value can be read directly with docker info --format '{{.Swarm.LocalNodeState}}', which prints active or inactive.
If swarm mode was enabled in error, run: docker swarm leave
On a manager node the command refuses to run unless --force is given (docker swarm leave --force); leaving from the last manager dissolves the swarm, so confirm no other node still depends on it first.
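The audit and remediation decision above as an added, runnable shell example (this is not part of the benchmark text or Docker's own tooling). It parses the Swarm: and Is Manager: lines of docker info output, lists which of the swarm ports (2377/tcp, 7946/tcp, 7946/udp, 4789/udp, from Docker's swarm documentation) appear in an ss -tuln listing, and picks the matching docker swarm leave form. The docker info and ss outputs embedded below are constructed samples so the script runs offline; pass --live to run against the real host.

```shell
#!/bin/sh
# Added example: audit Docker swarm mode and the ports it opens.

# Constructed sample of the relevant part of `docker info` on a swarm manager.
SAMPLE_INFO_ACTIVE='Server:
 Containers: 3
 Swarm: active
  NodeID: node1abcdef
  Is Manager: true
  ClusterID: cluster0123'

# Constructed sample for a plain engine (the default state).
SAMPLE_INFO_INACTIVE='Server:
 Containers: 3
 Swarm: inactive'

# Constructed sample of `ss -tuln` on a swarm node (plus unrelated sshd).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      4096   *:2377            *:*
tcp   LISTEN 0      4096   *:7946            *:*
udp   UNCONN 0      0      *:7946            *:*
udp   UNCONN 0      0      *:4789            *:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*'

# swarm_state INFO_TEXT -> prints "active", "inactive" or "" (line missing)
swarm_state() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*Swarm:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# is_manager INFO_TEXT -> prints "true"/"false"; the line only exists when active
is_manager() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*Is Manager:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1
}

# swarm_ports_open SS_TEXT -> one line per swarm port found listening
swarm_ports_open() {
  printf '%s\n' "$1" | awk '
    $1 == "tcp" && $5 ~ /:2377$/ { print "2377/tcp" }
    $1 == "tcp" && $5 ~ /:7946$/ { print "7946/tcp" }
    $1 == "udp" && $5 ~ /:7946$/ { print "7946/udp" }
    $1 == "udp" && $5 ~ /:4789$/ { print "4789/udp" }'
}

# remediation INFO_TEXT -> the leave command appropriate for this node
remediation() {
  if [ "$(is_manager "$1")" = "true" ]; then
    echo "docker swarm leave --force"   # managers refuse to leave without --force
  else
    echo "docker swarm leave"
  fi
}

# audit_swarm INFO_TEXT SS_TEXT -> exit 0 = PASS, 1 = FAIL, 2 = undetermined
audit_swarm() {
  state=$(swarm_state "$1")
  case "$state" in
    inactive)
      echo "PASS: swarm mode is inactive"
      return 0 ;;
    active)
      echo "FAIL: swarm mode is active (manager=$(is_manager "$1"))"
      ports=$(swarm_ports_open "$2" | tr '\n' ' ')
      [ -n "$ports" ] && echo "  swarm ports listening: $ports"
      echo "  if not required, run: $(remediation "$1")"
      return 1 ;;
    *)
      echo "UNKNOWN: no Swarm: line in docker info output"
      return 2 ;;
  esac
}

# With --live, inspect the real host; otherwise demonstrate on the samples.
if [ "${1:-}" = "--live" ]; then
  audit_swarm "$(docker info 2>/dev/null)" "$(ss -tuln 2>/dev/null)"
else
  audit_swarm "$SAMPLE_INFO_INACTIVE" "$SAMPLE_SS" || true
  audit_swarm "$SAMPLE_INFO_ACTIVE" "$SAMPLE_SS" || true
fi
```

The port listing is a secondary signal only: the Swarm: line is authoritative, while the ports confirm that the cluster endpoints are actually exposed on the host and tell you what a network scan from a neighbouring system would see.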
Impact
Disabling swarm mode will impact the operation of Docker Enterprise components if these are in use.
Default value
By default, Docker swarm mode is not enabled.
References
- https://docs.docker.com/engine/reference/commandline/swarm_init/
CIS controls
Version 6
9.1 Limit Open Ports, Protocols, and Services - Ensure that only ports, protocols, and services with validated business needs are running on each system.
Version 7
9.2 Ensure Only Approved Ports, Protocols and Services Are Running - Ensure that only network ports, protocols, and services listening on a system with validated business needs, are running on each system.