| Name | Audit Name | Plugin | Category |
| --- | --- | --- | --- |
| 1.1.8 Ensure auditing is configured for Docker files and directories - containerd.sock | CIS Docker v1.7.0 L2 Docker - Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 2.2 Ensure network traffic is restricted between containers on the default bridge | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Set default ulimit as appropriate | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Enable user namespace support | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | |
| 2.10 Ensure the default cgroup usage has been confirmed | CIS Docker v1.7.0 L2 Docker - Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
| 3.3 Verify that docker.socket file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.9 Ensure that TLS CA certificate file ownership is set to root:root | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 3.9 Verify that TLS CA certificate file ownership is set to root:root | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.17 Verify that daemon.json file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive | CIS Docker v1.7.0 L2 Docker - Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.19 Verify that TLS CA certificate file ownership is set to root:root | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.23 Ensure that the Containerd socket file ownership is set to root:root | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 4.1 Create a user for the container | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
| 4.1 Ensure that a user for the container has been created | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 4.3 Do not install unnecessary packages in the container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.5 Enable Content trust for Docker | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 4.5 Ensure Content trust for Docker is Enabled | CIS Docker v1.7.0 L2 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.9 Ensure that COPY is used instead of ADD in Dockerfiles | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.4 Do not use privileged containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
| 5.4 Ensure that Linux kernel capabilities are restricted within containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not use privileged containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.6 Ensure sensitive host system directories are not mounted on containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Do not map privileged ports within containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Ensure privileged ports are not mapped within containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.16 Do not share the host's IPC namespace | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.16 Do not share the host's IPC namespace | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Ensure that the host's IPC namespace is not shared | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.19 Do not set mount propagation mode to shared | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.19 Do not set mount propagation mode to shared | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.20 Do not share the host's UTS namespace | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.21 Do not disable default seccomp profile | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Restrict container from acquiring additional privileges | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.26 Check container health at runtime | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.30 Ensure that Docker's default bridge "docker0" is not used | CIS Docker v1.7.0 L2 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 6.1 Ensure that image sprawl is avoided | CIS Docker v1.7.0 L1 Docker - Linux | Unix | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 6.3 Backup container data | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 6.3 Endpoint protection platform (EPP) tools for containers (Not Scored) | CIS Docker 1.6 v1.0.0 L2 Docker | Unix | |
| 7.1 Ensure that the minimum number of manager nodes have been created in a swarm | CIS Docker v1.7.0 L1 Docker Swarm | Unix | CONFIGURATION MANAGEMENT |
| 7.2 Ensure that swarm services are bound to a specific host interface | CIS Docker v1.7.0 L1 Docker Swarm | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster | CIS Docker v1.7.0 L1 Docker Swarm | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-002060 - The Docker Enterprise hosts UTS namespace must not be shared. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |