Item Search

| Name | Audit Name | Plugin | Category |
|---|---|---|---|
| 1.1.8 Ensure auditing is configured for Docker files and directories - containerd.sock | CIS Docker v1.7.0 L2 Docker - Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 2.2 Ensure network traffic is restricted between containers on the default bridge | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Set default ulimit as appropriate | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Enable user namespace support | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | |
| 2.10 Ensure the default cgroup usage has been confirmed | CIS Docker v1.7.0 L2 Docker - Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
| 3.3 Verify that docker.socket file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.9 Ensure that TLS CA certificate file ownership is set to root:root | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 3.9 Verify that TLS CA certificate file ownership is set to root:root | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.17 Verify that daemon.json file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive | CIS Docker v1.7.0 L2 Docker - Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.19 Verify that TLS CA certificate file ownership is set to root:root | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.23 Ensure that the Containerd socket file ownership is set to root:root | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 4.1 Create a user for the container | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
| 4.1 Ensure that a user for the container has been created | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 4.3 Do not install unnecessary packages in the container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.5 Enable Content trust for Docker | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 4.5 Ensure Content trust for Docker is Enabled | CIS Docker v1.7.0 L2 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.9 Ensure that COPY is used instead of ADD in Dockerfiles | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.4 Do not use privileged containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
| 5.4 Ensure that Linux kernel capabilities are restricted within containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not use privileged containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.6 Ensure sensitive host system directories are not mounted on containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Do not map privileged ports within containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Ensure privileged ports are not mapped within containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.16 Do not share the host's IPC namespace | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.16 Do not share the host's IPC namespace | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Ensure that the host's IPC namespace is not shared | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.19 Do not set mount propagation mode to shared | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.19 Do not set mount propagation mode to shared | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.20 Do not share the host's UTS namespace | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.21 Do not disable default seccomp profile | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Restrict container from acquiring additional privileges | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.26 Check container health at runtime | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.30 Ensure that Docker's default bridge "docker0" is not used | CIS Docker v1.7.0 L2 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 6.1 Ensure that image sprawl is avoided | CIS Docker v1.7.0 L1 Docker - Linux | Unix | PLANNING, SYSTEM AND SERVICES ACQUISITION |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 6.3 Backup container data | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 6.3 Endpoint protection platform (EPP) tools for containers (Not Scored) | CIS Docker 1.6 v1.0.0 L2 Docker | Unix | |
| 7.1 Ensure that the minimum number of manager nodes have been created in a swarm | CIS Docker v1.7.0 L1 Docker Swarm | Unix | CONFIGURATION MANAGEMENT |
| 7.2 Ensure that swarm services are bound to a specific host interface | CIS Docker v1.7.0 L1 Docker Swarm | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster | CIS Docker v1.7.0 L1 Docker Swarm | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-002060 - The Docker Enterprise hosts UTS namespace must not be shared. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |