CIS Docker v1.3.1 L1 Docker Linux

Audit Details

Name: CIS Docker v1.3.1 L1 Docker Linux

Updated: 4/25/2022

Authority: CIS

Plugin: Unix

Revision: 1.2

Estimated Item Count: 85

File Details

Filename: CIS_Docker_v1.3.1_L1_Docker_Linux.audit

Size: 194 kB

MD5: 31094d88c525710bfb5eb25a0dd342f0
SHA256: 33beb643127a51e188dc207382a6546e6ddf37d0b3b16e6a151db203ed078185

Audit Items

Description / Categories
2.2 Ensure network traffic is restricted between containers on the default bridge

SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Ensure the logging level is set to 'info' - daemon.json

AUDIT AND ACCOUNTABILITY

2.3 Ensure the logging level is set to 'info' - dockerd

AUDIT AND ACCOUNTABILITY

2.4 Ensure Docker is allowed to make changes to iptables - daemon.json

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.4 Ensure Docker is allowed to make changes to iptables - dockerd

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.5 Ensure insecure registries are not used

CONFIGURATION MANAGEMENT

2.6 Ensure aufs storage driver is not used

SYSTEM AND SERVICES ACQUISITION

2.7 Ensure TLS authentication for Docker daemon is configured - tlscacert

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure TLS authentication for Docker daemon is configured - tlscert

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure TLS authentication for Docker daemon is configured - tlskey

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure TLS authentication for Docker daemon is configured - tlsverify

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.8 Ensure the default ulimit is configured appropriately - daemon.json nofile hard

CONFIGURATION MANAGEMENT

2.8 Ensure the default ulimit is configured appropriately - daemon.json nofile soft

CONFIGURATION MANAGEMENT

2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc hard

CONFIGURATION MANAGEMENT

2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc soft

CONFIGURATION MANAGEMENT

2.8 Ensure the default ulimit is configured appropriately - ps

CONFIGURATION MANAGEMENT

2.14 Ensure containers are restricted from acquiring new privileges

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.15 Ensure live restore is enabled

SYSTEM AND SERVICES ACQUISITION

2.16 Ensure Userland Proxy is Disabled

CONFIGURATION MANAGEMENT

2.18 Ensure that experimental features are not implemented in production

CONFIGURATION MANAGEMENT

3.1 Ensure that the docker.service file ownership is set to root:root

ACCESS CONTROL

3.2 Ensure that docker.service file permissions are appropriately set

ACCESS CONTROL, MEDIA PROTECTION

3.3 Ensure that docker.socket file ownership is set to root:root

ACCESS CONTROL

3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

3.5 Ensure that the /etc/docker directory ownership is set to root:root

ACCESS CONTROL

3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.7 Ensure that registry certificate file ownership is set to root:root

ACCESS CONTROL

3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.9 Ensure that TLS CA certificate file ownership is set to root:root

ACCESS CONTROL

3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.11 Ensure that Docker server certificate file ownership is set to root:root

ACCESS CONTROL

3.12 Ensure that the Docker server certificate file permissions are set to 444 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.13 Ensure that the Docker server certificate key file ownership is set to root:root

ACCESS CONTROL

3.14 Ensure that the Docker server certificate key file permissions are set to 400

ACCESS CONTROL, MEDIA PROTECTION

3.15 Ensure that the Docker socket file ownership is set to root:docker

ACCESS CONTROL, MEDIA PROTECTION

3.16 Ensure that the Docker socket file permissions are set to 660 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.17 Ensure that the daemon.json file ownership is set to root:root

ACCESS CONTROL

3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

3.19 Ensure that the /etc/default/docker file ownership is set to root:root

ACCESS CONTROL

3.20 Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.21 Ensure that the /etc/sysconfig/docker file ownership is set to root:root

ACCESS CONTROL

3.22 Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.23 Ensure that the Containerd socket file ownership is set to root:root

ACCESS CONTROL

3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

4.1 Ensure that a user for the container has been created

ACCESS CONTROL

4.2 Ensure that containers use only trusted base images

CONFIGURATION MANAGEMENT

4.3 Ensure that unnecessary packages are not installed in the container

CONFIGURATION MANAGEMENT

4.4 Ensure images are scanned and rebuilt to include security patches

RISK ASSESSMENT

4.6 Ensure that HEALTHCHECK instructions have been added to container images

CONFIGURATION MANAGEMENT

4.7 Ensure update instructions are not used alone in Dockerfiles

CONFIGURATION MANAGEMENT