Profile Applicability:
Level 1
Description:
Ports published by Docker Swarm services should be exposed only on the host interfaces that are meant to carry that traffic. A port published through the routing mesh (the default, ingress mode) is opened on every node in the swarm, on all of that node's addresses, including nodes that run no task of the service. Unless exposure is deliberately limited, the service is reachable from every network any node is attached to.
Rationale:
Limiting where a published port listens reduces the attack surface: a service that is only needed on an internal address should not be reachable on a public one, and a service that is only consumed by other services should not be published on any host interface at all. Because the routing mesh opens the port on every node, a single --publish can expose a service on every public address in the swarm, not just on the node the operator was thinking of.
Impact:
Pros:
Restricts exposure of services to trusted interfaces and networks.
Removes network paths an attacker could otherwise use to reach the service.
Cons:
Publishing in host mode bypasses the routing mesh: the port is only open on nodes that run a task, the service loses the mesh's load balancing, and clients or an external load balancer must target those nodes directly. Binding to the wrong interface, or restricting a port a client legitimately needs, makes the service unreachable.
Default Value:
A port published with --publish defaults to ingress mode: every swarm node listens on the published port on all of its interfaces and the routing mesh forwards connections to a running task. Swarm's --publish syntax has no host-IP field, so there is no per-service bind address to set.
Pre-requisites:
Docker Swarm must be initialised and running.
Access to a manager node with permission to run docker service commands (service commands are only accepted by manager nodes).
Remediation:
Test Plan:
Using AWS Console:
Log into an EC2 instance that is a manager node of the swarm (for example through Session Manager).
Inspect each service with docker service inspect and review the Endpoint.Ports list (Spec.EndpointSpec.Ports shows what was requested).
For every entry, note the PublishedPort and PublishMode: ingress means the port is open on every node on all interfaces; host means it is open on all interfaces of the nodes running a task. There is no host-IP field in Swarm, so also confirm on the node itself which local address the listener is bound to (0.0.0.0 or * means all interfaces). A service with no Endpoint.Ports entry is reachable only on its overlay networks, which satisfies this control.
Using AWS CLI:
Connect to a manager node.
Run the following command for each service; an empty or missing list means no port is published:
docker service inspect --format '{{json .Endpoint.Ports}}' <service_name>
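The check above has to be repeated for every service and then confirmed on the node. The script below is an added example for this control, not Docker's or the benchmark's own tooling: check_ports turns the inspect output into one finding per published port (ingress ports are open on every node, host ports on the nodes running a task, neither bound to a single address), live_audit runs it over every service on a manager node, and node_listeners shows the local address a port is actually bound to. It assumes the docker CLI on PATH on a manager node (for --live) and ss(8) on the node; the sample lines are constructed so the check can be exercised without a swarm.

```shell
#!/bin/sh
# Audit Swarm services for ports published on all interfaces.
# Added example, not part of Docker or the CIS benchmark.
# Assumes: docker CLI on a manager node (for --live), ss(8) on the node.
set -u

# check_ports SERVICE: reads "mode published proto target" lines on stdin
# (one per published port, as emitted by the template in live_audit),
# prints one finding per port and returns 1 when anything is published.
check_ports() {
    svc=$1
    exposed=0
    while read -r mode published proto target; do
        [ -n "$mode" ] || continue
        case "$mode" in
            ingress) where="every node in the swarm (routing mesh)" ;;
            host)    where="each node running a task" ;;
            *)       where="unknown publish mode" ;;
        esac
        printf '%s: %s/%s -> %s published in %s mode; listens on all interfaces of %s\n' \
            "$svc" "$published" "$proto" "$target" "$mode" "$where"
        exposed=1
    done
    return $exposed
}

# live_audit: run check_ports over every service; returns 1 if any service
# publishes a port. Services with no Endpoint.Ports print nothing.
live_audit() {
    rc=0
    for id in $(docker service ls -q); do
        name=$(docker service inspect --format '{{.Spec.Name}}' "$id")
        docker service inspect --format \
            '{{range .Endpoint.Ports}}{{.PublishMode}} {{.PublishedPort}} {{.Protocol}} {{.TargetPort}}{{"\n"}}{{end}}' \
            "$id" | check_ports "$name" || rc=1
    done
    return $rc
}

# node_listeners PORT: on a node, show the local address the port is bound to.
# 0.0.0.0:PORT or *:PORT means all interfaces; a specific address means the
# binding is restricted.
node_listeners() {
    ss -Hltn "sport = :$1"
}

# CONSTRUCTED sample in the same "mode published proto target" format, so the
# check can run without a swarm: one ingress port and one host-mode port.
SAMPLE_PORTS='ingress 8080 tcp 80
host 9100 tcp 9100'

if [ "${1:-}" = "--live" ]; then
    live_audit
else
    printf '%s\n' "$SAMPLE_PORTS" | check_ports my_service \
        || echo "my_service publishes ports on all interfaces; review the findings above"
fi
```

Run it with --live on a manager node to audit the real swarm; a non-zero exit status means at least one service publishes a port. Run node_listeners 8080 on each node that reports a finding to see whether the listener is bound to 0.0.0.0 or to a specific address.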
Implementation Plan:
Using AWS Console:
Log into the EC2 instance.
When creating or updating the service, publish the port in host mode so that it is opened only on the nodes running a task and not on every node in the swarm. For example:
docker service create --name my_service --publish mode=host,published=8080,target=80 --network my_network --endpoint-mode dnsrr my_image
--endpoint-mode dnsrr is only valid together with host-mode ports; the daemon rejects a port published in ingress mode combined with dnsrr. Host mode still binds the port on all interfaces of that node, because Swarm's publish syntax has no host-IP field. To confine a service to a single interface, do not publish its port at all: attach it to an overlay network and front it with a reverse proxy or load balancer that is itself bound to the intended address, and restrict reachability of the nodes' ports with the instance security group or the host firewall. The daemon's "ip" option in daemon.json sets the default address for port mappings on that node; check on the node which address the service port is actually listening on before relying on it.
Using AWS CLI:
Use SSM Run Command to deploy the service on a manager node with host-mode publishing:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<manager_instance_id>" --parameters 'commands=["docker service create --name my_service --publish mode=host,published=8080,target=80 --network my_network --endpoint-mode dnsrr my_image"]'
Backout Plan:
Using AWS Console:
If the service has become unreachable after the change, restore the previous publishing configuration: remove the host-mode port (matched by its target port) and publish it again through the routing mesh with the default VIP endpoint mode.
Run the command to update the service:
docker service update --publish-rm 80 --publish-add published=8080,target=80 --endpoint-mode vip my_service
Using AWS CLI:
If needed, use SSM Run Command on a manager node to revert the service to routing-mesh publishing:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<manager_instance_id>" --parameters 'commands=["docker service update --publish-rm 80 --publish-add published=8080,target=80 --endpoint-mode vip my_service"]'
References:
CIS Docker Benchmark v1.7
Docker documentation, Use Swarm mode routing mesh: https://docs.docker.com/engine/swarm/ingress/