Detections
Analytics

Item Search

NameAudit NamePluginCategory
2.1 Run the Docker daemon as a non-root user, if possibleCIS Docker v1.7.0 L1 Docker - LinuxUnix

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.10 Do not change base device size until neededCIS Docker 1.13.0 v1.0.0 L2 DockerUnix
2.14 Ensure containers are restricted from acquiring new privilegesCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.16 Control the number of manager nodes in a swarmCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

2.20 Apply a daemon-wide custom seccomp profile, if neededCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Verify that docker.service file ownership is set to root:rootCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.1 Verify that docker.service file ownership is set to root:rootCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.2 Ensure that docker.service file permissions are appropriately setCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL, MEDIA PROTECTION

3.2 Verify that docker.service file permissions are set to 644 or more restrictiveCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.2 Verify that docker.service file permissions are set to 644 or more restrictiveCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.3 Ensure that docker.socket file ownership is set to root:rootCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL

3.9 Verify that TLS CA certificate file ownership is set to root:rootCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.9 Verify that TLS CA certificate file ownership is set to root:rootCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.17 Verify that daemon.json file ownership is set to root:rootCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.18 Verify that daemon.json file permissions are set to 644 or more restrictiveCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.18 Verify that daemon.json file permissions are set to 644 or more restrictiveCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.20 Verify that TLS CA certificate file permissions are set to 444 or more restrictiveCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.3 Do not install unnecessary packages in the containerCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.5 Enable Content trust for DockerCIS Docker 1.12.0 v1.0.0 L2 DockerUnix

SYSTEM AND INFORMATION INTEGRITY

4.7 Do not use update instructions alone in the DockerfileCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.7 Do not use update instructions alone in the DockerfileCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.8 Ensure setuid and setgid permissions are removedCIS Docker v1.7.0 L2 Docker - LinuxUnix

ACCESS CONTROL

4.8 Remove setuid and setgid permissions in the imagesCIS Docker 1.12.0 v1.0.0 L2 DockerUnix
4.8 Remove setuid and setgid permissions in the imagesCIS Docker 1.13.0 v1.0.0 L2 DockerUnix
4.9 Enable Kernel Level Auditing - Check audit policies is set to arge,argv,cntCIS Solaris 10 L1 v5.2Unix

AUDIT AND ACCOUNTABILITY

4.9 Enable Kernel Level Auditing, Check if 'root:lo,ad:no' is set in /etc/security/audit_user.CIS Solaris 10 L1 v5.2Unix

AUDIT AND ACCOUNTABILITY

4.10 Do not store secrets in DockerfilesCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.3 Verify that containers are running only a single main processCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.4 Do not use privileged containersCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

ACCESS CONTROL

5.7 Do not map privileged ports within containersCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.8 Do not map privileged ports within containersCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.10 Limit memory usage for containerCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.10 Limit memory usage for containerCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.11 Limit memory usage for containerCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.11 Set container CPU priority appropriatelyCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.12 Mount container's root filesystem as read onlyCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.12 Mount container's root filesystem as read onlyCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.14 Set the 'on-failure' container restart policy to 5 - 'MaximumRetryCount'CIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.15 Do not share the host's process namespaceCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.17 Do not share the host's IPC namespaceCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.18 Do not directly expose host devices to containersCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.19 Override default ulimit at runtime only if neededCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.20 Do not share the host's UTS namespaceCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.26 Check container health at runtimeCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.28 Use PIDs cgroup limitCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

6.1.1 Configure SSH - Check if Host * is set in /etc/ssh/ssh_config.CIS Solaris 10 L1 v5.2Unix

CONFIGURATION MANAGEMENT

6.3 Backup container dataCIS Docker 1.12.0 v1.0.0 L1 DockerUnix
7.6 Ensure that the swarm manager auto-lock key is rotated periodicallyCIS Docker v1.7.0 L1 Docker SwarmUnix

IDENTIFICATION AND AUTHENTICATION

DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared.DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

CONFIGURATION MANAGEMENT

DKER-EE-002780 - PIDs cgroup limits must be used in Docker Enterprise.DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

SYSTEM AND COMMUNICATIONS PROTECTION