Item Search

NameAudit NamePluginCategory
2.1 Restrict network traffic between containersCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

2.1 Run the Docker daemon as a non-root user, if possibleCIS Docker v1.7.0 L1 Docker - LinuxUnix

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.2 Restrict network traffic between containersCIS Docker 1.6 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

2.7 Set default ulimit as appropriate - default-ulimitCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

2.8 Ensure the default ulimit is configured appropriatelyCIS Docker v1.7.0 L1 Docker - LinuxUnix

CONFIGURATION MANAGEMENT

2.10 Set default ulimit as appropriate '--default-ulimit'CIS Docker 1.6 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

2.18 Disable Userland ProxyCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

2.19 Encrypt data exchanged between containers on different nodes on the overlay networkCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Verify that docker.service file ownership is set to root:rootCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.2 Verify that docker.service file permissions are set to 644 or more restrictiveCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.2 Verify that docker.service file permissions are set to 644 or more restrictiveCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.4 Verify that docker.socket file permissions are set to 644 or more restrictiveCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictiveCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.17 Ensure that the daemon.json file ownership is set to root:rootCIS Docker v1.7.0 L2 Docker - LinuxUnix

ACCESS CONTROL

3.18 Verify that daemon.json file permissions are set to 644 or more restrictiveCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.23 Ensure that the Containerd socket file ownership is set to root:rootCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL

3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictivelyCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL, MEDIA PROTECTION

4.2 Use trusted base images for containersCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.4 Ensure images are scanned and rebuilt to include security patchesCIS Docker v1.7.0 L1 Docker - LinuxUnix

RISK ASSESSMENT

4.4 Scan and rebuild the images to include security patchesCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.9 Use COPY instead of ADD in DockerfileCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.11 Ensure only verified packages are installedCIS Docker v1.7.0 L2 Docker - LinuxUnix

SYSTEM AND SERVICES ACQUISITION

5.4 Ensure that Linux kernel capabilities are restricted within containersCIS Docker v1.7.0 L1 Docker - LinuxUnix

CONFIGURATION MANAGEMENT

5.5 Do not mount sensitive host system directories on containersCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.5 Ensure that privileged containers are not usedCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL

5.7 Do not map privileged ports within containersCIS Docker 1.11.0 v1.0.0 L1 DockerUnix
5.8 Open only needed ports on containerCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.8 Open only needed ports on containerCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.9 Ensure that only needed ports are open on the containerCIS Docker v1.7.0 L1 Docker - LinuxUnix

CONFIGURATION MANAGEMENT

5.11 Ensure that the memory usage for containers is limitedCIS Docker v1.7.0 L1 Docker - LinuxUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.12 Ensure that CPU priority is set appropriately on containersCIS Docker v1.7.0 L1 Docker - LinuxUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.12 Mount container's root filesystem as read onlyCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.13 Bind incoming container traffic to a specific host interfaceCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.13 Bind incoming container traffic to a specific host interfaceCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.13 Mount container's root filesystem as read onlyCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=alwaysCIS Docker 1.11.0 v1.0.0 L1 DockerUnix
5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failureCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.18 Override default ulimit at runtime only if neededCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.19 Ensure that the default ulimit is overwritten at runtime if neededCIS Docker v1.7.0 L1 Docker - LinuxUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.20 Ensure mount propagation mode is not set to sharedCIS Docker v1.7.0 L1 Docker - LinuxUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.25 Ensure that cgroup usage is confirmedCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL, MEDIA PROTECTION

5.27 Ensure that container health is checked at runtimeCIS Docker v1.7.0 L1 Docker - LinuxUnix

SYSTEM AND INFORMATION INTEGRITY

5.28 Use PIDs cgroup limitCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.30 Do not share the host's user namespacesCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

6.2 Monitor Docker containers usage, performance and meteringCIS Docker 1.11.0 v1.0.0 L1 DockerUnix
6.3 Backup container dataCIS Docker 1.13.0 v1.0.0 L1 DockerUnix
7.7 Ensure that node certificates are rotated as appropriateCIS Docker v1.7.0 L1 Docker SwarmUnix

IDENTIFICATION AND AUTHENTICATION

DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise.DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

CONFIGURATION MANAGEMENT

DKER-EE-002780 - PIDs cgroup limits must be used in Docker Enterprise.DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-003230 - An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR).DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT