| Benchmark item | Control family |
| --- | --- |
| 2.1 Restrict network traffic between containers | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2 Set the logging level | AUDIT AND ACCOUNTABILITY |
| 2.3 Allow Docker to make changes to iptables | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Do not use insecure registries | SYSTEM AND INFORMATION INTEGRITY |
| 2.5 Do not use the aufs storage driver | CONFIGURATION MANAGEMENT |
| 2.6 Configure TLS authentication for Docker daemon - tlscacert | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Configure TLS authentication for Docker daemon - tlscert | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Configure TLS authentication for Docker daemon - tlskey | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Configure TLS authentication for Docker daemon - tlsverify | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Set default ulimit as appropriate - default-ulimit | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.13 Disable operations on legacy registry (v1) | CONFIGURATION MANAGEMENT |
| 3.1 Verify that docker.service file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.3 Verify that docker.socket file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.4 Verify that docker.socket file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.5 Verify that /etc/docker directory ownership is set to root:root | |
| 3.6 Verify that /etc/docker directory permissions are set to 755 or more restrictive | |
| 3.7 Verify that registry certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.8 Verify that registry certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.9 Verify that TLS CA certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.11 Verify that Docker server certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.12 Verify that Docker server certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.13 Verify that Docker server certificate key file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.14 Verify that Docker server certificate key file permissions are set to 400 | CONFIGURATION MANAGEMENT |
| 3.15 Verify that Docker socket file ownership is set to root:docker | CONFIGURATION MANAGEMENT |
| 3.16 Verify that Docker socket file permissions are set to 660 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.17 Verify that daemon.json file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.18 Verify that daemon.json file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.19 Verify that /etc/default/docker file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.20 Verify that /etc/default/docker file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 4.1 Create a user for the container | ACCESS CONTROL |
| 4.2 Use trusted base images for containers | CONFIGURATION MANAGEMENT |
| 4.3 Do not install unnecessary packages in the container | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CONFIGURATION MANAGEMENT |
| 5.3 Restrict Linux Kernel Capabilities within containers | ACCESS CONTROL |
| 5.4 Do not use privileged containers | ACCESS CONTROL |
| 5.5 Do not mount sensitive host system directories on containers | CONFIGURATION MANAGEMENT |
| 5.6 Do not run ssh within containers | CONFIGURATION MANAGEMENT |
| 5.7 Do not map privileged ports within containers | |
| 5.8 Open only needed ports on container | CONFIGURATION MANAGEMENT |
| 5.9 Do not share the host's network namespace | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.10 Limit memory usage for container | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.11 Set container CPU priority appropriately | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Mount container's root filesystem as read only | CONFIGURATION MANAGEMENT |
| 5.13 Bind incoming container traffic to a specific host interface | CONFIGURATION MANAGEMENT |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Do not share the host's process namespace | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.16 Do not share the host's IPC namespace | SYSTEM AND COMMUNICATIONS PROTECTION |