| Recommendation | Control family |
| --- | --- |
| 1.1.1 Ensure a separate partition for containers has been created | SYSTEM AND COMMUNICATIONS PROTECTION |
| 1.1.2 Ensure only trusted users are allowed to control Docker daemon | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION | 
| 1.1.3 Ensure auditing is configured for the Docker daemon | AUDIT AND ACCOUNTABILITY | 
| 1.1.4 Ensure auditing is configured for Docker files and directories - /run/containerd | AUDIT AND ACCOUNTABILITY | 
| 1.1.5 Ensure auditing is configured for Docker files and directories - /var/lib/docker | AUDIT AND ACCOUNTABILITY | 
| 1.1.6 Ensure auditing is configured for Docker files and directories - /etc/docker | AUDIT AND ACCOUNTABILITY | 
| 1.2.1 Ensure the container host has been hardened | CONFIGURATION MANAGEMENT |
| 1.2.2 Ensure that the version of Docker is up to date | SYSTEM AND INFORMATION INTEGRITY | 
| 2.1 Run the Docker daemon as a non-root user, if possible | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION | 
| 2.2 Ensure network traffic is restricted between containers on the default bridge | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.3 Ensure the logging level is set to 'info' | AUDIT AND ACCOUNTABILITY | 
| 2.4 Ensure Docker is allowed to make changes to iptables | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION | 
| 2.5 Ensure insecure registries are not used | CONFIGURATION MANAGEMENT | 
| 2.6 Ensure aufs storage driver is not used | SYSTEM AND SERVICES ACQUISITION | 
| 2.7 Ensure devicemapper storage driver is not used | SYSTEM AND SERVICES ACQUISITION | 
| 2.8 Ensure TLS authentication for Docker daemon is configured | ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY | 
| 2.9 Ensure the default ulimit is configured appropriately | CONFIGURATION MANAGEMENT | 
| 2.15 Ensure containers are restricted from acquiring new privileges | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION | 
| 2.16 Ensure live restore is enabled | PLANNING, SYSTEM AND SERVICES ACQUISITION | 
| 2.17 Ensure userland proxy is disabled | CONFIGURATION MANAGEMENT |
| 2.19 Ensure that experimental features are not implemented in production | CONFIGURATION MANAGEMENT | 
| 3.1 Ensure that the docker.service file ownership is set to root:root | ACCESS CONTROL | 
| 3.2 Ensure that docker.service file permissions are appropriately set | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.3 Ensure that docker.socket file ownership is set to root:root | ACCESS CONTROL | 
| 3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.5 Ensure that the /etc/docker directory ownership is set to root:root | ACCESS CONTROL | 
| 3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.7 Ensure that registry certificate file ownership is set to root:root | ACCESS CONTROL | 
| 3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.9 Ensure that TLS CA certificate file ownership is set to root:root | ACCESS CONTROL | 
| 3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.11 Ensure that Docker server certificate file ownership is set to root:root | ACCESS CONTROL | 
| 3.12 Ensure that the Docker server certificate file permissions are set to 444 or more restrictively | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.13 Ensure that the Docker server certificate key file ownership is set to root:root | ACCESS CONTROL | 
| 3.14 Ensure that the Docker server certificate key file permissions are set to 400 | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.15 Ensure that the Docker socket file ownership is set to root:docker | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.16 Ensure that the Docker socket file permissions are set to 660 or more restrictively | ACCESS CONTROL, MEDIA PROTECTION | 
| 3.23 Ensure that the Containerd socket file ownership is set to root:root | ACCESS CONTROL | 
| 3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively | ACCESS CONTROL, MEDIA PROTECTION | 
| 4.1 Ensure that a user for the container has been created | ACCESS CONTROL | 
| 4.2 Ensure that containers use only trusted base images | CONFIGURATION MANAGEMENT | 
| 4.3 Ensure that unnecessary packages are not installed in the container | CONFIGURATION MANAGEMENT | 
| 4.4 Ensure images are scanned and rebuilt to include security patches | RISK ASSESSMENT | 
| 4.6 Ensure that HEALTHCHECK instructions have been added to container images | SYSTEM AND SERVICES ACQUISITION | 
| 4.7 Ensure update instructions are not used alone in Dockerfiles | CONFIGURATION MANAGEMENT | 
| 4.9 Ensure that COPY is used instead of ADD in Dockerfiles | CONFIGURATION MANAGEMENT | 
| 4.10 Ensure secrets are not stored in Dockerfiles | SYSTEM AND COMMUNICATIONS PROTECTION | 
| 4.12 Ensure all signed artifacts are validated | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY | 
| 5.1 Ensure swarm mode is not enabled, if not needed | CONFIGURATION MANAGEMENT |
| 5.2 Ensure that, if applicable, an AppArmor Profile is enabled | SYSTEM AND INFORMATION INTEGRITY |