| 2.1 Restrict network traffic between containers | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2 Set the logging level | AUDIT AND ACCOUNTABILITY |
| 2.3 Allow Docker to make changes to iptables | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Do not use insecure registries | SYSTEM AND INFORMATION INTEGRITY |
| 2.5 Do not use the aufs storage driver | CONFIGURATION MANAGEMENT |
| 2.6 Configure TLS authentication for Docker daemon --tlskey | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Configure TLS authentication for Docker daemon --tlscacert | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Configure TLS authentication for Docker daemon --tlscert | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Configure TLS authentication for Docker daemon --tlsverify | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Set default ulimit as appropriate | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.13 Disable operations on legacy registry (v1) | CONFIGURATION MANAGEMENT |
| 2.14 Enable live restore | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.15 Do not enable swarm mode, if not needed | CONFIGURATION MANAGEMENT |
| 2.16 Control the number of manager nodes in a swarm | CONFIGURATION MANAGEMENT |
| 2.17 Bind swarm services to a specific host interface | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.18 Disable Userland Proxy | CONFIGURATION MANAGEMENT |
| 2.19 Encrypt data exchanged between containers on different nodes on the overlay network | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.20 Apply a daemon-wide custom seccomp profile, if needed | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.21 Avoid experimental features in production | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.23 Run swarm manager in auto-lock mode | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.24 Rotate swarm manager auto-lock key periodically | |
| 3.1 Verify that docker.service file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.3 Verify that docker.socket file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.4 Verify that docker.socket file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.5 Verify that /etc/docker directory ownership is set to root:root | |
| 3.6 Verify that /etc/docker directory permissions are set to 755 or more restrictive | |
| 3.7 Verify that registry certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.8 Verify that registry certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.9 Verify that TLS CA certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.11 Verify that Docker server certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.12 Verify that Docker server certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.13 Verify that Docker server certificate key file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.14 Verify that Docker server certificate key file permissions are set to 400 | CONFIGURATION MANAGEMENT |
| 3.15 Verify that Docker socket file ownership is set to root:docker | CONFIGURATION MANAGEMENT |
| 3.16 Verify that Docker socket file permissions are set to 660 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.17 Verify that daemon.json file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.18 Verify that daemon.json file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.19 Verify that /etc/default/docker file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.20 Verify that /etc/default/docker file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 4.1 Create a user for the container | ACCESS CONTROL |
| 4.2 Use trusted base images for containers | CONFIGURATION MANAGEMENT |
| 4.3 Do not install unnecessary packages in the container | CONFIGURATION MANAGEMENT |
| 4.4 Scan and rebuild the images to include security patches | CONFIGURATION MANAGEMENT |
| 4.6 Add HEALTHCHECK instruction to the container image | CONFIGURATION MANAGEMENT |
| 4.7 Do not use update instructions alone in the Dockerfile | CONFIGURATION MANAGEMENT |
| 4.9 Use COPY instead of ADD in Dockerfile | CONFIGURATION MANAGEMENT |
| 4.10 Do not store secrets in Dockerfiles | CONFIGURATION MANAGEMENT |
| 5.1 Do not disable AppArmor Profile | ACCESS CONTROL |
