CIS Docker Community Edition v1.1.0 L1 Docker

Audit Details

Name: CIS Docker Community Edition v1.1.0 L1 Docker

Updated: 1/4/2023

Authority: CIS

Plugin: Unix

Revision: 1.14

Estimated Item Count: 78

File Details

Filename: CIS_Docker_Community_Edition_L1_Docker_v1.1.0.audit

Size: 180 kB

MD5: fbc75081a91c39e84d3694a04cf05326
SHA256: 7f542b70abbff3d4ef1409c53d4a52b43af8bece79d9a3a8ae861572f6217b0f

Audit Items

Description / Categories
2.1 Ensure network traffic is restricted between containers on the default bridge

SYSTEM AND COMMUNICATIONS PROTECTION

2.2 Ensure the logging level is set to 'info'

AUDIT AND ACCOUNTABILITY

2.3 Ensure Docker is allowed to make changes to iptables

SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Ensure insecure registries are not used

SYSTEM AND INFORMATION INTEGRITY

2.5 Ensure aufs storage driver is not used

CONFIGURATION MANAGEMENT

2.6 Ensure TLS authentication for Docker daemon is configured --tlscacert

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Ensure TLS authentication for Docker daemon is configured --tlscert

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Ensure TLS authentication for Docker daemon is configured --tlskey

SYSTEM AND COMMUNICATIONS PROTECTION

2.6 Ensure TLS authentication for Docker daemon is configured --tlsverify

SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Ensure the default ulimit is configured appropriately

SYSTEM AND COMMUNICATIONS PROTECTION

2.13 Ensure operations on legacy registry (v1) are Disabled

CONFIGURATION MANAGEMENT

2.14 Ensure live restore is Enabled

SYSTEM AND COMMUNICATIONS PROTECTION

2.15 Ensure Userland Proxy is Disabled

CONFIGURATION MANAGEMENT

2.17 Ensure experimental features are avoided in production

SYSTEM AND COMMUNICATIONS PROTECTION

2.18 Ensure containers are restricted from acquiring new privileges

ACCESS CONTROL

3.1 Ensure that docker.service file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.2 Ensure that docker.service file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.3 Ensure that docker.socket file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.5 Ensure that /etc/docker directory ownership is set to root:root

3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictive

3.7 Ensure that registry certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.8 Ensure that registry certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.9 Ensure that TLS CA certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.11 Ensure that Docker server certificate file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.12 Ensure that Docker server certificate file permissions are set to 444 or more restrictive

CONFIGURATION MANAGEMENT

3.13 Ensure that Docker server certificate key file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.14 Ensure that Docker server certificate key file permissions are set to 400

CONFIGURATION MANAGEMENT

3.15 Ensure that Docker socket file ownership is set to root:docker

CONFIGURATION MANAGEMENT

3.16 Ensure that Docker socket file permissions are set to 660 or more restrictive

CONFIGURATION MANAGEMENT

3.17 Ensure that daemon.json file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

3.19 Ensure that /etc/default/docker file ownership is set to root:root

CONFIGURATION MANAGEMENT

3.20 Ensure that /etc/default/docker file permissions are set to 644 or more restrictive

CONFIGURATION MANAGEMENT

4.1 Ensure a user for the container has been created

ACCESS CONTROL

4.2 Ensure that containers use trusted base images

CONFIGURATION MANAGEMENT

4.3 Ensure unnecessary packages are not installed in the container

CONFIGURATION MANAGEMENT

4.4 Ensure images are scanned and rebuilt to include security patches

CONFIGURATION MANAGEMENT

4.6 Ensure HEALTHCHECK instructions have been added to the container image

CONFIGURATION MANAGEMENT

4.7 Ensure update instructions are not used alone in the Dockerfile

CONFIGURATION MANAGEMENT

4.9 Ensure COPY is used instead of ADD in Dockerfile

CONFIGURATION MANAGEMENT

4.10 Ensure secrets are not stored in Dockerfiles

CONFIGURATION MANAGEMENT

5.1 Ensure AppArmor Profile is Enabled

ACCESS CONTROL

5.3 Ensure Linux Kernel Capabilities are restricted within containers

ACCESS CONTROL

5.4 Ensure privileged containers are not used

ACCESS CONTROL

5.5 Ensure sensitive host system directories are not mounted on containers

CONFIGURATION MANAGEMENT

5.6 Ensure ssh is not run within containers

CONFIGURATION MANAGEMENT

5.7 Ensure privileged ports are not mapped within containers

CONFIGURATION MANAGEMENT

5.8 Ensure only needed ports are open on the container

CONFIGURATION MANAGEMENT