CIS Docker v1.5.0 L1 Docker Linux

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Docker v1.5.0 L1 Docker Linux

Updated: 9/6/2023

Authority: CIS

Plugin: Unix

Revision: 1.1

Estimated Item Count: 86

File Details

Filename: CIS_Docker_v1.5.0_L1_Docker_Linux.audit

Size: 161 kB

MD5: c1a78f9b417a0ac9b476712f59c98698
SHA256: 0d25eb27de86b7587eff074f2ecd9573656117510b84b7fd1cd68f961216bb53

Audit Items

Description | Categories
2.2 Ensure network traffic is restricted between containers on the default bridge
2.3 Ensure the logging level is set to 'info' - daemon.json
2.3 Ensure the logging level is set to 'info' - dockerd
2.4 Ensure Docker is allowed to make changes to iptables - daemon.json
2.4 Ensure Docker is allowed to make changes to iptables - dockerd
2.5 Ensure insecure registries are not used
2.6 Ensure aufs storage driver is not used
2.7 Ensure TLS authentication for Docker daemon is configured - tlscacert
2.7 Ensure TLS authentication for Docker daemon is configured - tlscert
2.7 Ensure TLS authentication for Docker daemon is configured - tlskey
2.7 Ensure TLS authentication for Docker daemon is configured - tlsverify
2.8 Ensure the default ulimit is configured appropriately - daemon.json nofile hard
2.8 Ensure the default ulimit is configured appropriately - daemon.json nofile soft
2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc hard
2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc soft
2.8 Ensure the default ulimit is configured appropriately - ps
2.14 Ensure containers are restricted from acquiring new privileges
2.15 Ensure live restore is enabled
2.16 Ensure Userland Proxy is Disabled
2.18 Ensure that experimental features are not implemented in production
3.1 Ensure that the docker.service file ownership is set to root:root
3.2 Ensure that docker.service file permissions are appropriately set
3.3 Ensure that docker.socket file ownership is set to root:root
3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive
3.5 Ensure that the /etc/docker directory ownership is set to root:root
3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively
3.7 Ensure that registry certificate file ownership is set to root:root
3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively
3.9 Ensure that TLS CA certificate file ownership is set to root:root
3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively
3.11 Ensure that Docker server certificate file ownership is set to root:root
3.12 Ensure that the Docker server certificate file permissions are set to 444 or more restrictively
3.13 Ensure that the Docker server certificate key file ownership is set to root:root
3.14 Ensure that the Docker server certificate key file permissions are set to 400
3.15 Ensure that the Docker socket file ownership is set to root:docker
3.16 Ensure that the Docker socket file permissions are set to 660 or more restrictively
3.17 Ensure that the daemon.json file ownership is set to root:root
3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive
3.19 Ensure that the /etc/default/docker file ownership is set to root:root
3.20 Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively
3.21 Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively
3.22 Ensure that the /etc/sysconfig/docker file ownership is set to root:root
3.23 Ensure that the Containerd socket file ownership is set to root:root
3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively
4.1 Ensure that a user for the container has been created
4.2 Ensure that containers use only trusted base images
4.3 Ensure that unnecessary packages are not installed in the container
4.4 Ensure images are scanned and rebuilt to include security patches
4.6 Ensure that HEALTHCHECK instructions have been added to container images
4.7 Ensure update instructions are not used alone in Dockerfiles