| 2.1 Ensure network traffic is restricted between containers on the default bridge | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.2 Ensure the logging level is set to 'info' | AUDIT AND ACCOUNTABILITY |
| 2.3 Ensure Docker is allowed to make changes to iptables | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.4 Ensure insecure registries are not used | SYSTEM AND INFORMATION INTEGRITY |
| 2.5 Ensure aufs storage driver is not used | CONFIGURATION MANAGEMENT |
| 2.6 Ensure TLS authentication for Docker daemon is configured --tlscacert | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Ensure TLS authentication for Docker daemon is configured --tlscert | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Ensure TLS authentication for Docker daemon is configured --tlskey | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.6 Ensure TLS authentication for Docker daemon is configured --tlsverify | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Ensure the default ulimit is configured appropriately | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.13 Ensure operations on legacy registry (v1) are Disabled | CONFIGURATION MANAGEMENT |
| 2.14 Ensure live restore is Enabled | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.15 Ensure Userland Proxy is Disabled | CONFIGURATION MANAGEMENT |
| 2.17 Ensure experimental features are avoided in production | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.18 Ensure containers are restricted from acquiring new privileges | ACCESS CONTROL |
| 3.1 Ensure that docker.service file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.2 Ensure that docker.service file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.3 Ensure that docker.socket file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.5 Ensure that /etc/docker directory ownership is set to root:root | |
| 3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictive | |
| 3.7 Ensure that registry certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.8 Ensure that registry certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.9 Ensure that TLS CA certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.11 Ensure that Docker server certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.12 Ensure that Docker server certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.13 Ensure that Docker server certificate key file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.14 Ensure that Docker server certificate key file permissions are set to 400 | CONFIGURATION MANAGEMENT |
| 3.15 Ensure that Docker socket file ownership is set to root:docker | CONFIGURATION MANAGEMENT |
| 3.16 Ensure that Docker socket file permissions are set to 660 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.17 Ensure that daemon.json file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.19 Ensure that /etc/default/docker file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.20 Ensure that /etc/default/docker file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 4.1 Ensure a user for the container has been created | ACCESS CONTROL |
| 4.2 Ensure that containers use trusted base images | CONFIGURATION MANAGEMENT |
| 4.3 Ensure unnecessary packages are not installed in the container | CONFIGURATION MANAGEMENT |
| 4.4 Ensure images are scanned and rebuilt to include security patches | CONFIGURATION MANAGEMENT |
| 4.6 Ensure HEALTHCHECK instructions have been added to the container image | CONFIGURATION MANAGEMENT |
| 4.7 Ensure update instructions are not used alone in the Dockerfile | CONFIGURATION MANAGEMENT |
| 4.9 Ensure COPY is used instead of ADD in Dockerfile | CONFIGURATION MANAGEMENT |
| 4.10 Ensure secrets are not stored in Dockerfiles | CONFIGURATION MANAGEMENT |
| 5.1 Ensure AppArmor Profile is Enabled | ACCESS CONTROL |
| 5.3 Ensure Linux Kernel Capabilities are restricted within containers | ACCESS CONTROL |
| 5.4 Ensure privileged containers are not used | ACCESS CONTROL |
| 5.5 Ensure sensitive host system directories are not mounted on containers | CONFIGURATION MANAGEMENT |
| 5.6 Ensure ssh is not run within containers | CONFIGURATION MANAGEMENT |
| 5.7 Ensure privileged ports are not mapped within containers | CONFIGURATION MANAGEMENT |
| 5.8 Ensure only needed ports are open on the container | CONFIGURATION MANAGEMENT |