Audit item | Benchmark | Platform | Control family |
1.1.11 Ensure separate partition exists for /var/log | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
1.4 Remove all non-essential services from the host - DPKG | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
1.4 Remove all non-essential services from the host - RPM | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
1.6.1.2 Ensure the SELinux state is enforcing - sestatus | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
1.6.1.3 Ensure SELinux policy is configured | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
1.6.2.1 Ensure AppArmor is enabled in the bootloader configuration - security=apparmor | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
1.6.2.2 Ensure all AppArmor Profiles are enforcing - 0 processes are unconfined | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
1.10 Audit Docker files and directories - docker.service | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
2.1 Restrict network traffic between containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.2 Set the logging level | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | AUDIT AND ACCOUNTABILITY |
2.2.4 Ensure CUPS is not enabled | CIS Debian 9 Workstation L2 v1.0.1 | Unix | SYSTEM AND INFORMATION INTEGRITY |
2.3 Allow Docker to make changes to iptables | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.6 Configure TLS authentication for Docker daemon - tlskey | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.11 Use authorization plugin | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | IDENTIFICATION AND AUTHENTICATION |
3.1 Verify that docker.service file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.8 Verify that registry certificate file permissions are set to 444 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.13 Verify that Docker server certificate key file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.14 Verify that Docker server certificate key file permissions are set to 400 | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.15 Verify that Docker socket file ownership is set to root:docker | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.16 Verify that Docker socket file permissions are set to 660 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.19 Verify that /etc/default/docker file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
4.1 Create a user for the container | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
4.1.4 Ensure events that modify date and time information are collected - auditctl adjtimex | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
4.1.4 Ensure events that modify date and time information are collected - clock_settime | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
4.1.4 Ensure events that modify date and time information are collected - settimeofday,adjtimex x64 | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
4.1.5 Ensure events that modify user/group information are collected - auditctl /etc/passwd | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
4.1.5 Ensure events that modify user/group information are collected - auditctl /etc/security/opasswd | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected - /etc/apparmor | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected - /usr/share/selinux | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
4.1.7 Ensure events that modify the system's Mandatory Access Controls are collected - auditctl /etc/selinux | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
4.1.8 Ensure login and logout events are collected - auditctl lastlog | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
4.1.9 Ensure session initiation information is collected - /var/log/wtmp | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
4.1.9 Ensure session initiation information is collected - auditctl /var/log/wtmp | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
4.1.10 Ensure discretionary access control permission modification events are collected - auditctl chmod fchmod fchmodat | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
4.1.15 Ensure changes to system administration scope (sudoers) is collected - auditctl /etc/sudoers.d/ | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
4.1.16 Ensure system administrator actions (sudolog) are collected - /var/log/sudo.log | CIS Debian 9 Workstation L2 v1.0.1 | Unix | AUDIT AND ACCOUNTABILITY |
4.1.17 Ensure kernel module loading and unloading is collected - auditctl init_module | CIS Debian 9 Workstation L2 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
5.4.5 Ensure default user shell timeout is 900 seconds or less - /etc/profile | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
5.4.5 Ensure default user shell timeout is 900 seconds or less - /etc/profile.d/*.sh | CIS Debian 9 Workstation L2 v1.0.1 | Unix | ACCESS CONTROL |
5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
5.6 Do not run ssh within containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
5.8 Open only needed ports on container | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
5.9 Do not share the host's network namespace | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
5.19 Do not set mount propagation mode to shared | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
5.22 Do not docker exec commands with privileged option | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | |
5.24 Confirm cgroup usage | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
6.2.6 Ensure root PATH Integrity | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
6.2.7 Ensure all users' home directories exist | CIS Debian 9 Workstation L1 v1.0.1 | Unix | CONFIGURATION MANAGEMENT |
6.2.14 Ensure no users have .rhosts files | CIS Debian 9 Workstation L1 v1.0.1 | Unix | IDENTIFICATION AND AUTHENTICATION |
6.5 Avoid container sprawl | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |