CIS Docker 1.12.0 v1.0.0 L1 Docker

Audit Details

Name: CIS Docker 1.12.0 v1.0.0 L1 Docker

Updated: 4/12/2023

Authority: CIS

Plugin: Unix

Revision: 1.18

Estimated Item Count: 75

File Details

Filename: CIS_Docker_1.12.0_v1.0.0_L1.audit

Size: 180 kB

MD5: 92476be6e7a49e3463388df7ef176ea8
SHA256: 07e8f2c7b7f71776d015ee5e14da2ca2837536c8c9a96235f56172bc3feaa951

Audit Items

DescriptionCategories
2.1 Restrict network traffic between containers

SYSTEM AND COMMUNICATIONS PROTECTION

2.2 Set the logging level

AUDIT AND ACCOUNTABILITY

2.3 Allow Docker to make changes to iptables

SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Do not use insecure registries

SYSTEM AND INFORMATION INTEGRITY

2.5 Do not use the aufs storage driver

CONFIGURATION MANAGEMENT

2.6 Configure TLS authentication for Docker daemon - tlscacert

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon - tlscert

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon - tlskey

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon -tlsverify

SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Set default ulimit as appropriate - default-ulimit

SYSTEM AND COMMUNICATIONS PROTECTION

2.13 Disable operations on legacy registry (v1)

CONFIGURATION MANAGEMENT

2.14 Enable live restore

SYSTEM AND COMMUNICATIONS PROTECTION

2.15 Do not enable swarm mode, if not needed

CONFIGURATION MANAGEMENT

2.16 Control the number of manager nodes in a swarm

CONFIGURATION MANAGEMENT

2.17 Bind swarm services to a specific host interface

SYSTEM AND COMMUNICATIONS PROTECTION

2.18 Disable Userland Proxy

CONFIGURATION MANAGEMENT

3.1 Verify that docker.service file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.2 Verify that docker.service file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.3 Verify that docker.socket file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.4 Verify that docker.socket file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.5 Verify that /etc/docker directory ownership is set to root:root
3.6 Verify that /etc/docker directory permissions are set to 755 or more restrictive
3.7 Verify that registry certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.8 Verify that registry certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.9 Verify that TLS CA certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.11 Verify that Docker server certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.12 Verify that Docker server certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.13 Verify that Docker server certificate key file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.14 Verify that Docker server certificate key file permissions are set to 400

CONFIGURATION MANAGEMENT

3.15 Verify that Docker socket file ownership is set to root:docker

CONFIGURATION MANAGEMENT

3.16 Verify that Docker socket file permissions are set to 660 or more restrictive

CONFIGURATION MANAGEMENT

3.17 Verify that daemon.json file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.18 Verify that daemon.json file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.19 Verify that /etc/default/docker file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.20 Verify that /etc/default/docker file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

4.1 Create a user for the container

ACCESS CONTROL

4.2 Use trusted base images for containers

CONFIGURATION MANAGEMENT

4.3 Do not install unnecessary packages in the container

CONFIGURATION MANAGEMENT

4.4 Rebuild the images to include security patches

CONFIGURATION MANAGEMENT

4.6 Add HEALTHCHECK instruction to the container image

CONFIGURATION MANAGEMENT

4.7 Do not use update instructions alone in the Dockerfile

CONFIGURATION MANAGEMENT

4.9 Use COPY instead of ADD in Dockerfile

CONFIGURATION MANAGEMENT

4.10 Do not store secrets in Dockerfiles

CONFIGURATION MANAGEMENT

5.3 Restrict Linux Kernel Capabilities within containers

ACCESS CONTROL

5.4 Do not use privileged containers

ACCESS CONTROL

5.5 Do not mount sensitive host system directories on containers

CONFIGURATION MANAGEMENT

5.6 Do not run ssh within containers

CONFIGURATION MANAGEMENT

5.7 Do not map privileged ports within containers

CONFIGURATION MANAGEMENT

5.8 Open only needed ports on container

CONFIGURATION MANAGEMENT