Rule ID
SV-235805r960963_rule
Version
V2R2
CCIs
The networking mode on a container when set to --net=host, skips placing the container inside separate network stack. In essence, this choice tells Docker to not containerize the container's networking. This would network-wise mean that the container lives "outside" in the main Docker host and has full access to its network interfaces. This is potentially dangerous. It allows the container process to open low-numbered ports like any other root process. It also allows the container to access network services like D-bus on the Docker host. Thus, a container process can potentially do unexpected things such as shutting down the Docker host. Do not use this option. By default, container connects to Docker bridge.
Ensure the host's network namespace is not shared.
This check should be executed on all nodes in a Docker Enterprise cluster.
via CLI:
Linux: As a Docker EE Admin, execute the following command using a Universal Control Plane (UCP) client bundle:
docker ps --all | grep -iv "ucp\|kube\|dtr" | awk '{print $1}' | xargs docker inspect --format '{{ .Id }}: NetworkMode={{ .HostConfig.NetworkMode }}'
If the above command returns NetworkMode=host, this is a finding.Do not pass --net=host or --network=host options when starting the container. For example, when executing docker run, do not use the --net=host nor --network=host arguments. A more detailed reference for the docker run command can be found at https://docs.docker.com/engine/reference/run/.