| 1.1.9 Ensure auditing is configured for Docker files and directories - docker.sock | CIS Docker v1.8.0 L2 OS Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.1.16 Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 | CIS Docker v1.8.0 L2 OS Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1 Restrict network traffic between containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Run the Docker daemon as a non-root user, if possible | CIS Docker v1.8.0 L1 OS Linux | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.1.1 Ensure that the --allow-privileged argument is set to false | CIS Kubernetes 1.7.0 Benchmark v1.1.0 L1 | Unix | ACCESS CONTROL |
| 2.1.1 Ensure that the --allow-privileged argument is set to false | CIS Kubernetes 1.8 Benchmark v1.2.0 L1 | Unix | ACCESS CONTROL |
| 2.7 Set default ulimit as appropriate | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.17 Bind swarm services to a specific host interface | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.19 Ensure that experimental features are not implemented in production | CIS Docker v1.8.0 L1 OS Linux | Unix | CONFIGURATION MANAGEMENT |
| 2.24 Rotate swarm manager auto-lock key periodically | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.3 Verify that docker.socket file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.3 Do not install unnecessary packages in the container | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.5 Enable Content trust for Docker | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 4.7 Do not use update instructions alone in the Dockerfile | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.9 Enable Kernel Level Auditing - Check audit policies is set to arge,argv,cnt | CIS Solaris 10 L1 v5.2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.9 Enable Kernel Level Auditing, Check if 'minfree:20' is set in /etc/security/audit_control. | CIS Solaris 10 L1 v5.2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.9 Enable Kernel Level Auditing, Check if 'naflags:lo,ad,ex' is set in /etc/security/audit_control. | CIS Solaris 10 L1 v5.2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.9 Use COPY instead of ADD in Dockerfile | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.3 Verify that containers are running only a single main process | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not use privileged containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.7 Do not map privileged ports within containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 5.9 Open only needed ports on container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.11 Set container CPU priority appropriately | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Mount container's root filesystem as read only | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.12 Set container CPU priority appropriately | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.13 Bind incoming container traffic to a specific host interface | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.13 Mount container's root filesystem as read only | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.16 Do not share the host's process namespace | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.17 Do not directly expose host devices to containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.18 Override default ulimit at runtime only if needed | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.19 Do not set mount propagation mode to shared | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.20 Do not share the host's UTS namespace | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.21 Do not disable default seccomp profile | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.26 Check container health at runtime | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.29 Do not use Docker's default bridge docker0 | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.29 Ensure Docker's default bridge docker0 is not used | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | CONFIGURATION MANAGEMENT |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 6.1.1 Configure SSH - Check if Host * is set in /etc/ssh/ssh_config. | CIS Solaris 10 L1 v5.2 | Unix | CONFIGURATION MANAGEMENT |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 6.3 Endpoint protection platform (EPP) tools for containers (Not Scored) | CIS Docker 1.6 v1.0.0 L2 Docker | Unix | |
| 6.5 Avoid container sprawl | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 7.2 Ensure that swarm services are bound to a specific host interface | CIS Docker v1.8.0 L1 Docker Swarm | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.8 Ensure that CA certificates are rotated as appropriate | CIS Docker v1.8.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
