| Check | Benchmark / Profile | Platform | Control family |
| --- | --- | --- | --- |
| 2.1 Restrict network traffic between containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.1 Run the Docker daemon as a non-root user, if possible | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION |
| 2.2 Restrict network traffic between containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Set default ulimit as appropriate - default-ulimit | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Ensure the default ulimit is configured appropriately | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 2.10 Set default ulimit as appropriate '--default-ulimit' | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.18 Disable Userland Proxy | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.19 Encrypt data exchanged between containers on different nodes on the overlay network | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Verify that docker.service file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.4 Verify that docker.socket file permissions are set to 644 or more restrictive | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.17 Ensure that the daemon.json file ownership is set to root:root | CIS Docker v1.7.0 L2 Docker - Linux | Unix | ACCESS CONTROL |
| 3.18 Verify that daemon.json file permissions are set to 644 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.23 Ensure that the Containerd socket file ownership is set to root:root | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2 Use trusted base images for containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Ensure images are scanned and rebuilt to include security patches | CIS Docker v1.7.0 L1 Docker - Linux | Unix | RISK ASSESSMENT |
| 4.4 Scan and rebuild the images to include security patches | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.9 Use COPY instead of ADD in Dockerfile | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.11 Ensure only verified packages are installed | CIS Docker v1.7.0 L2 Docker - Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
| 5.4 Ensure that Linux kernel capabilities are restricted within containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Ensure that privileged containers are not used | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 5.7 Do not map privileged ports within containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 5.8 Open only needed ports on container | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Open only needed ports on container | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.9 Ensure that only needed ports are open on the container | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.11 Ensure that the memory usage for containers is limited | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Ensure that CPU priority is set appropriately on containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Mount container's root filesystem as read only | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.13 Bind incoming container traffic to a specific host interface | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.13 Bind incoming container traffic to a specific host interface | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.13 Mount container's root filesystem as read only | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.18 Override default ulimit at runtime only if needed | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.19 Ensure that the default ulimit is overwritten at runtime if needed | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.20 Ensure mount propagation mode is not set to shared | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Ensure that cgroup usage is confirmed | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.27 Ensure that container health is checked at runtime | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.28 Use PIDs cgroup limit | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.30 Do not share the host's user namespaces | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 6.3 Backup container data | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 7.7 Ensure that node certificates are rotated as appropriate | CIS Docker v1.7.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-002780 - PIDs cgroup limits must be used in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-003230 - An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR). | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |