CIS Docker 1.11.0 v1.0.0 L1 Docker

Audit Details

Name: CIS Docker 1.11.0 v1.0.0 L1 Docker

Updated: 1/4/2023

Authority: CIS

Plugin: Unix

Revision: 1.16

Estimated Item Count: 61

File Details

Filename: CIS_Docker_1.11.0_v1.0.0_L1.audit

Size: 150 kB

MD5: 74d9b4400b375b0284b3f34d7738f286
SHA256: baa06429f005c71a2deef72f024436a75339d958a39d22a63f5c256f80a9b086

Audit Items

DescriptionCategories
2.1 Restrict network traffic between containers

SYSTEM AND COMMUNICATIONS PROTECTION

2.2 Set the logging level

AUDIT AND ACCOUNTABILITY

2.3 Allow Docker to make changes to iptables

SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Do not use insecure registries

SYSTEM AND INFORMATION INTEGRITY

2.5 Do not use the aufs storage driver

CONFIGURATION MANAGEMENT

2.6 Configure TLS authentication for Docker daemon - tlscacert

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon - tlscert

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon - tlskey

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon -tlsverify

SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Set default ulimit as appropriate - default-ulimit

SYSTEM AND COMMUNICATIONS PROTECTION

2.13 Disable operations on legacy registry (v1)

CONFIGURATION MANAGEMENT

3.1 Verify that docker.service file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.2 Verify that docker.service file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.3 Verify that docker.socket file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.4 Verify that docker.socket file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.5 Verify that /etc/docker directory ownership is set to root:root
3.6 Verify that /etc/docker directory permissions are set to 755 or more restrictive
3.7 Verify that registry certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.8 Verify that registry certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.9 Verify that TLS CA certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.11 Verify that Docker server certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.12 Verify that Docker server certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.13 Verify that Docker server certificate key file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.14 Verify that Docker server certificate key file permissions are set to 400

CONFIGURATION MANAGEMENT

3.15 Verify that Docker socket file ownership is set to root:docker

CONFIGURATION MANAGEMENT

3.16 Verify that Docker socket file permissions are set to 660 or more restrictive

CONFIGURATION MANAGEMENT

3.17 Verify that daemon.json file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.18 Verify that daemon.json file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.19 Verify that /etc/default/docker file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.20 Verify that /etc/default/docker file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

4.1 Create a user for the container

ACCESS CONTROL

4.2 Use trusted base images for containers

CONFIGURATION MANAGEMENT

4.3 Do not install unnecessary packages in the container

CONFIGURATION MANAGEMENT

4.4 Rebuild the images to include security patches

CONFIGURATION MANAGEMENT

5.3 Restrict Linux Kernel Capabilities within containers

ACCESS CONTROL

5.4 Do not use privileged containers

ACCESS CONTROL

5.5 Do not mount sensitive host system directories on containers

CONFIGURATION MANAGEMENT

5.6 Do not run ssh within containers

CONFIGURATION MANAGEMENT

5.7 Do not map privileged ports within containers
5.8 Open only needed ports on container

CONFIGURATION MANAGEMENT

5.9 Do not share the host's network namespace

SYSTEM AND COMMUNICATIONS PROTECTION

5.10 Limit memory usage for container

SYSTEM AND COMMUNICATIONS PROTECTION

5.11 Set container CPU priority appropriately

SYSTEM AND COMMUNICATIONS PROTECTION

5.12 Mount container's root filesystem as read only

CONFIGURATION MANAGEMENT

5.13 Bind incoming container traffic to a specific host interface

CONFIGURATION MANAGEMENT

5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always
5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure

SYSTEM AND COMMUNICATIONS PROTECTION

5.15 Do not share the host's process namespace

SYSTEM AND COMMUNICATIONS PROTECTION

5.16 Do not share the host's IPC namespace

SYSTEM AND COMMUNICATIONS PROTECTION