CIS Docker 1.13.0 v1.0.0 L1 Docker

Audit Details

Name: CIS Docker 1.13.0 v1.0.0 L1 Docker

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.12

Estimated Item Count: 81

File Details

Filename: CIS_Docker_1.13.0_L1_v1.0.0.audit

Size: 178 kB

MD5: bed89fa25c0b17f2a30b9b98160be6a5
SHA256: 47a4c88975455e3832e55d049d208933494492d2e7d155b82f51f777f509e8e3

Audit Items

Description | Categories
2.1 Restrict network traffic between containers

SYSTEM AND COMMUNICATIONS PROTECTION

2.2 Set the logging level

AUDIT AND ACCOUNTABILITY

2.3 Allow Docker to make changes to iptables

SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Do not use insecure registries

SYSTEM AND INFORMATION INTEGRITY

2.5 Do not use the aufs storage driver

CONFIGURATION MANAGEMENT

2.6 Configure TLS authentication for Docker daemon --tlskey

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon --tlscacert

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon --tlscert

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Configure TLS authentication for Docker daemon --tlsverify

SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Set default ulimit as appropriate

SYSTEM AND COMMUNICATIONS PROTECTION

2.13 Disable operations on legacy registry (v1)

CONFIGURATION MANAGEMENT

2.14 Enable live restore

SYSTEM AND COMMUNICATIONS PROTECTION

2.15 Do not enable swarm mode, if not needed

CONFIGURATION MANAGEMENT

2.16 Control the number of manager nodes in a swarm

CONFIGURATION MANAGEMENT

2.17 Bind swarm services to a specific host interface

SYSTEM AND COMMUNICATIONS PROTECTION

2.18 Disable Userland Proxy

CONFIGURATION MANAGEMENT

2.19 Encrypt data exchanged between containers on different nodes on the overlay network

SYSTEM AND COMMUNICATIONS PROTECTION

2.20 Apply a daemon-wide custom seccomp profile, if needed

SYSTEM AND COMMUNICATIONS PROTECTION

2.21 Avoid experimental features in production

SYSTEM AND COMMUNICATIONS PROTECTION

2.23 Run swarm manager in auto-lock mode

SYSTEM AND COMMUNICATIONS PROTECTION

2.24 Rotate swarm manager auto-lock key periodically
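
The section 2 items above are daemon settings, most of which live in daemon.json on a Docker 1.13 host. The following script is an added example, not part of the CIS audit file or of Tenable's plugin: it reads a flat daemon.json and reports PASS/FAIL for items 2.1 through 2.6, 2.13, 2.14, 2.18 and 2.21. The two daemon.json files it checks are constructed for the demo (the weak one fails every check, the hardened one passes), and the certificate paths in the hardened file are assumptions.

```sh
#!/bin/sh
# Added example (not from the CIS audit file or Tenable's plugin): check a
# flat daemon.json against a subset of the section 2 items. Key names are
# the Docker 1.13 daemon.json spellings; both sample files are constructed.

# json_scalar FILE KEY: value of a top-level scalar key, quotes stripped,
# empty if absent. Handles one key per line only (typical daemon.json).
json_scalar() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\([^,}]*\).*/\1/p" "$1" \
    | head -n 1 | tr -d '"[:space:]'
}

# json_list FILE KEY: body of a top-level list key, empty for [] or absent.
json_list() {
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p" "$1" \
    | head -n 1 | tr -d '"[:space:]'
}

# expect ITEM WANT GOT LABEL: print one PASS/FAIL line.
expect() {
  if [ "$3" = "$2" ]; then echo "$1 PASS $4 ($3)"
  else echo "$1 FAIL $4 (got '$3', want '$2')"; fi
}

# audit_daemon_json FILE: one line per check. Items 2.3, 2.5 and 2.21 pass
# when the bad value is absent, so those pipelines isolate just that value.
audit_daemon_json() {
  f=$1
  expect 2.1  false "$(json_scalar "$f" icc)"                         "icc"
  expect 2.2  info  "$(json_scalar "$f" log-level)"                   "log-level"
  expect 2.3  ""    "$(json_scalar "$f" iptables | grep -x false)"    "iptables not disabled"
  expect 2.4  ""    "$(json_list "$f" insecure-registries)"           "no insecure-registries"
  expect 2.5  ""    "$(json_scalar "$f" storage-driver | grep -x aufs)" "storage-driver not aufs"
  expect 2.6  true  "$(json_scalar "$f" tlsverify)"                   "tlsverify"
  for k in tlscacert tlscert tlskey; do        # each must name a file
    v=$(json_scalar "$f" "$k")
    expect 2.6 set "${v:+set}" "$k"
  done
  expect 2.13 true  "$(json_scalar "$f" disable-legacy-registry)"     "disable-legacy-registry"
  expect 2.14 true  "$(json_scalar "$f" live-restore)"                "live-restore"
  expect 2.18 false "$(json_scalar "$f" userland-proxy)"              "userland-proxy"
  expect 2.21 ""    "$(json_scalar "$f" experimental | grep -x true)" "experimental off"
}

# count_fails FILE: number of FAIL lines (0 means compliant for these items).
count_fails() { audit_daemon_json "$1" | grep -c FAIL || true; }

# Constructed sample: a weak daemon.json (not taken from any real host).
weak=$(mktemp)
cat > "$weak" <<'EOF'
{
  "icc": true,
  "log-level": "debug",
  "iptables": false,
  "insecure-registries": ["10.0.0.0/8"],
  "storage-driver": "aufs",
  "experimental": true
}
EOF

# Constructed sample: the same daemon hardened per the items above.
# The certificate paths are assumed for the demo.
hard=$(mktemp)
cat > "$hard" <<'EOF'
{
  "icc": false,
  "log-level": "info",
  "iptables": true,
  "insecure-registries": [],
  "storage-driver": "overlay2",
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "disable-legacy-registry": true,
  "live-restore": true,
  "userland-proxy": false,
  "experimental": false
}
EOF
trap 'rm -f "$weak" "$hard"' EXIT

echo "== weak =="; audit_daemon_json "$weak"
echo "== hardened =="; audit_daemon_json "$hard"
```

On a live host run `audit_daemon_json /etc/docker/daemon.json`; settings passed on the dockerd command line instead of daemon.json (see 2.6) will not be seen by this check, so cross-check `ps -ef | grep dockerd` for --tls* flags before trusting a FAIL on those items.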

3.1 Verify that docker.service file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.2 Verify that docker.service file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.3 Verify that docker.socket file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.4 Verify that docker.socket file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.5 Verify that /etc/docker directory ownership is set to root:root

3.6 Verify that /etc/docker directory permissions are set to 755 or more restrictive

3.7 Verify that registry certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.8 Verify that registry certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.9 Verify that TLS CA certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.11 Verify that Docker server certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.12 Verify that Docker server certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.13 Verify that Docker server certificate key file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.14 Verify that Docker server certificate key file permissions are set to 400

CONFIGURATION MANAGEMENT

3.15 Verify that Docker socket file ownership is set to root:docker

CONFIGURATION MANAGEMENT

3.16 Verify that Docker socket file permissions are set to 660 or more restrictive

CONFIGURATION MANAGEMENT

3.17 Verify that daemon.json file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.18 Verify that daemon.json file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.19 Verify that /etc/default/docker file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.20 Verify that /etc/default/docker file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT
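
Items 3.1 through 3.20 are all of the same shape: a path, an expected owner:group, and a maximum mode, where "644 or more restrictive" means the file sets no permission bit that 644 does not. The script below is an added example, not part of the CIS audit file or of Tenable's plugin, that drives those checks from one table. The docker.service path and the CA, server certificate and key paths are assumptions (on a real host take them from `systemctl show -p FragmentPath docker.service` and from the daemon's --tlscacert/--tlscert/--tlskey settings); the staging tree it runs against is constructed for the demo, and a plain file stands in for docker.sock.

```sh
#!/bin/sh
# Added example (not from the CIS audit file or Tenable's plugin): a
# table-driven check of the section 3 ownership and permission items.
# Uses GNU stat. Certificate/key paths and the unit-file path are assumed;
# the staging tree at the bottom is constructed for the demo.

# perm_ok MODE MAX: true when MODE (octal) grants nothing beyond MAX (octal).
perm_ok() { [ $(( 0$1 & ~0$2 )) -eq 0 ]; }

# check_perm PATH MAX: PASS/FAIL line with the observed mode.
check_perm() {
  mode=$(stat -c '%a' "$1")
  if perm_ok "$mode" "$2"; then echo "PASS $1 mode $mode within $2"
  else echo "FAIL $1 mode $mode exceeds $2"; fi
}

# check_owner PATH USER GROUP: PASS/FAIL line with the observed owner.
check_owner() {
  owner=$(stat -c '%U:%G' "$1")
  if [ "$owner" = "$2:$3" ]; then echo "PASS $1 owner $owner"
  else echo "FAIL $1 owner $owner, want $2:$3"; fi
}

# audit_docker_files BASE: BASE is "" on a live host or a staging tree.
# Rows are "items path owner:group max"; the glob row covers the
# per-registry certificates of 3.7/3.8. Missing paths are reported as SKIP.
audit_docker_files() {
  base=$1
  printf '%s\n' \
    '3.1/3.2   /usr/lib/systemd/system/docker.service root:root   644' \
    '3.3/3.4   /usr/lib/systemd/system/docker.socket  root:root   644' \
    '3.5/3.6   /etc/docker                            root:root   755' \
    '3.7/3.8   /etc/docker/certs.d/*/*.crt            root:root   444' \
    '3.9/3.10  /etc/docker/ca.pem                     root:root   444' \
    '3.11/3.12 /etc/docker/server-cert.pem            root:root   444' \
    '3.13/3.14 /etc/docker/server-key.pem             root:root   400' \
    '3.15/3.16 /var/run/docker.sock                   root:docker 660' \
    '3.17/3.18 /etc/docker/daemon.json                root:root   644' \
    '3.19/3.20 /etc/default/docker                    root:root   644' |
  while read -r item path owner max; do
    for p in "$base"$path; do             # unquoted $path lets the glob expand
      [ -e "$p" ] || { echo "SKIP $item $p absent"; continue; }
      echo "$item $(check_owner "$p" "${owner%%:*}" "${owner#*:}")"
      echo "$item $(check_perm "$p" "$max")"
    done
  done
}

# Constructed staging tree (not a real host). Every file exists; two are
# deliberately too permissive so the FAIL branch is exercised. Files are
# owned by whoever runs this, so the owner checks will FAIL unless run as root.
tree=$(mktemp -d)
trap 'rm -rf "$tree"' EXIT
mkdir -p "$tree/usr/lib/systemd/system" "$tree/etc/docker/certs.d/registry.example.test" \
         "$tree/etc/default" "$tree/var/run"
for f in usr/lib/systemd/system/docker.service usr/lib/systemd/system/docker.socket \
         etc/docker/certs.d/registry.example.test/ca.crt etc/docker/ca.pem \
         etc/docker/server-cert.pem etc/docker/server-key.pem var/run/docker.sock \
         etc/docker/daemon.json etc/default/docker; do
  : > "$tree/$f"
done
chmod 644 "$tree/usr/lib/systemd/system/docker.service" "$tree/usr/lib/systemd/system/docker.socket" \
          "$tree/etc/docker/daemon.json" "$tree/etc/default/docker"
chmod 755 "$tree/etc/docker"
chmod 444 "$tree/etc/docker/certs.d/registry.example.test/ca.crt" "$tree/etc/docker/ca.pem" \
          "$tree/etc/docker/server-cert.pem"
chmod 644 "$tree/etc/docker/server-key.pem"   # too open: 3.14 wants exactly 400
chmod 666 "$tree/var/run/docker.sock"         # too open: 3.16 wants 660 (plain file stands in for the socket)

audit_docker_files "$tree"
```

The mode comparison is a bit test, not a numeric one: 600 passes a 644 maximum, while 4644 (setuid) fails it even though it keeps the rest of the bits, which is the behaviour the "or more restrictive" wording asks for.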

4.1 Create a user for the container

ACCESS CONTROL

4.2 Use trusted base images for containers

CONFIGURATION MANAGEMENT

4.3 Do not install unnecessary packages in the container

CONFIGURATION MANAGEMENT

4.4 Scan and rebuild the images to include security patches

CONFIGURATION MANAGEMENT

4.6 Add HEALTHCHECK instruction to the container image

CONFIGURATION MANAGEMENT

4.7 Do not use update instructions alone in the Dockerfile

CONFIGURATION MANAGEMENT

4.9 Use COPY instead of ADD in Dockerfile

CONFIGURATION MANAGEMENT

4.10 Do not store secrets in Dockerfiles

CONFIGURATION MANAGEMENT
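
Items 4.1, 4.6, 4.7, 4.9 and 4.10 can be checked against the Dockerfile itself before an image is ever built. The script below is an added example, not part of the CIS audit file or of Tenable's plugin: a line-based lint that flags a missing or root USER, a missing HEALTHCHECK, an apt-get/apk update that sits in a RUN of its own, any ADD, and ENV/ARG names that look like credentials (the name list is a heuristic). Both Dockerfiles it runs against are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the CIS audit file or Tenable's plugin): a
# line-based lint of a Dockerfile for items 4.1, 4.6, 4.7, 4.9 and 4.10.
# It is a heuristic, not a Dockerfile parser; both Dockerfiles are constructed.

# flatten FILE: join backslash-continued lines, drop comments and blanks,
# so each instruction occupies exactly one line.
flatten() {
  sed -e ':a' -e '/\\$/N' -e 's/\\\n//' -e 'ta' "$1" \
    | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' || true
}

# count_lines PATTERN: case-insensitive ERE line count of stdin, always exits 0.
count_lines() { grep -icE "$1" || true; }

# lint_dockerfile FILE: one "<item> PASS|FAIL <reason>" line per check.
lint_dockerfile() {
  src=$(flatten "$1")

  # 4.1: the image must switch away from root; the last USER instruction wins.
  user=$(printf '%s\n' "$src" | grep -iE '^[[:space:]]*USER[[:space:]]' | tail -n 1 | awk '{print $2}')
  case "$user" in
    ''|root|0|root:*|0:*) echo "4.1 FAIL runs as root (USER ${user:-unset})" ;;
    *)                    echo "4.1 PASS USER $user" ;;
  esac

  # 4.6: a HEALTHCHECK instruction must exist.
  if printf '%s\n' "$src" | grep -iqE '^[[:space:]]*HEALTHCHECK[[:space:]]'; then
    echo "4.6 PASS HEALTHCHECK present"
  else
    echo "4.6 FAIL no HEALTHCHECK"
  fi

  # 4.7: an update in a RUN of its own is cached as a stale layer; it must
  # share the instruction with the install (or upgrade) step.
  n=$(printf '%s\n' "$src" | grep -iE '^[[:space:]]*RUN[[:space:]]' \
        | grep -E 'ap(t-get|k) update' | grep -vcE 'install|upgrade' || true)
  [ "$n" -eq 0 ] && echo "4.7 PASS no update-only RUN" || echo "4.7 FAIL $n RUN instruction(s) run update alone"

  # 4.9: ADD fetches URLs and auto-extracts archives; COPY does neither.
  n=$(printf '%s\n' "$src" | count_lines '^[[:space:]]*ADD[[:space:]]')
  [ "$n" -eq 0 ] && echo "4.9 PASS no ADD" || echo "4.9 FAIL $n ADD instruction(s), use COPY"

  # 4.10: ENV/ARG names that look like credentials (heuristic name list).
  n=$(printf '%s\n' "$src" | count_lines '^[[:space:]]*(ENV|ARG)[[:space:]]+[A-Z0-9_]*(PASSW|SECRET|TOKEN|_KEY|APIKEY)')
  [ "$n" -eq 0 ] && echo "4.10 PASS no credential-like ENV/ARG" || echo "4.10 FAIL $n credential-like ENV/ARG"
}

# dockerfile_fail_count FILE: number of FAIL lines.
dockerfile_fail_count() { lint_dockerfile "$1" | grep -c FAIL || true; }

# Constructed sample: a Dockerfile that trips every check.
weak_df=$(mktemp)
cat > "$weak_df" <<'EOF'
FROM debian:latest
RUN apt-get update
RUN apt-get install -y curl
ADD app.tar.gz /opt/app
ENV DB_PASSWORD=hunter2
CMD ["/opt/app/run"]
EOF

# Constructed sample: the same image hardened per items 4.1, 4.6, 4.7, 4.9, 4.10.
hard_df=$(mktemp)
cat > "$hard_df" <<'EOF'
FROM debian:bookworm-slim
RUN useradd --system --no-create-home app
RUN apt-get update \
 && apt-get install -y --no-install-recommends curl \
 && rm -rf /var/lib/apt/lists/*
COPY --chown=app:app app/ /opt/app/
USER app
HEALTHCHECK --interval=30s CMD curl -fsS http://127.0.0.1:8080/healthz || exit 1
CMD ["/opt/app/run"]
EOF
trap 'rm -f "$weak_df" "$hard_df"' EXIT

echo "== weak =="; lint_dockerfile "$weak_df"
echo "== hardened =="; lint_dockerfile "$hard_df"
```

Run `lint_dockerfile path/to/Dockerfile` in CI before the build step. The 4.10 check only catches secrets that are named like secrets; a value pasted into a RUN line, or a credential under an innocuous name, still needs the image history (`docker history`) and a secret scanner to find.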

5.1 Do not disable AppArmor Profile

ACCESS CONTROL