| 2.5 Ensure aufs storage driver is not used | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.7 Ensure the default ulimit is configured appropriately | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Set default ulimit as appropriate | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Enable user namespace support | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | |
| 2.8 Enable user namespace support - /etc/subuid | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | |
| 2.8 Enable user namespace support --userns-remap=default | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.10 Enable user namespace support | CIS Docker v1.8.0 L2 OS Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
| 3.1 Ensure that docker.service file ownership is set to root:root | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.3 Ensure that docker.socket file ownership is set to root:root | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.3 Verify that docker.socket file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.9 Verify that TLS CA certificate file ownership is set to root:root | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.17 Verify that daemon.json file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.19 Verify that TLS CA certificate file ownership is set to root:root | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.1 Create a user for the container | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
| 4.2 Enable Auditing of Incoming Network Connections | CIS Oracle Solaris 11.4 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.3 Do not install unnecessary packages in the container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Enable Auditing of Process and Privilege Events | CIS Oracle Solaris 11.4 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.4 Rebuild the images to include security patches | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.5 Enable Content trust for Docker | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 4.10 Ensure secrets are not stored in Dockerfiles | CIS Docker v1.8.0 L1 OS Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 4.10 Ensure secrets are not stored in Dockerfiles | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.2 Ensure that, if applicable, an AppArmor Profile is enabled | CIS Docker v1.8.0 L1 OS Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.4 Do not use privileged containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
| 5.4 Ensure privileged containers are not used | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | ACCESS CONTROL |
| 5.4 Ensure that Linux kernel capabilities are restricted within containers | CIS Docker v1.8.0 L1 OS Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not use privileged containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.6.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | CIS Kubernetes v1.11.1 L2 Master Node | Unix | CONFIGURATION MANAGEMENT |
| 5.7 Do not map privileged ports within containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.7 Ensure privileged ports are not mapped within containers | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Ensure privileged ports are not mapped within containers | CIS Docker v1.8.0 L1 OS Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.16 Do not share the host's IPC namespace | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.16 Do not share the host's IPC namespace | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.19 Do not set mount propagation mode to shared | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.19 Do not set mount propagation mode to shared | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.21 Do not disable default seccomp profile | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Restrict container from acquiring additional privileges | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.26 Check container health at runtime | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 6.3 Endpoint protection platform (EPP) tools for containers (Not Scored) | CIS Docker 1.6 v1.0.0 L2 Docker | Unix | |
| 7.6 Ensure that the swarm manager auto-lock key is rotated periodically | CIS Docker v1.8.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION |
| 7.7 Ensure that node certificates are rotated as appropriate | CIS Docker v1.8.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-001190 - Docker Enterprise sensitive host system directories must not be mounted on containers. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL |
| DKER-EE-002150 - Docker Enterprise privileged ports must not be mapped within containers. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-003330 - Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceed 75% usage. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | AUDIT AND ACCOUNTABILITY |
| DKER-EE-003340 - Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | AUDIT AND ACCOUNTABILITY |
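Most of the container-runtime rows above (4.1, 5.4, 5.5 / DKER-EE-001190, 5.7, 5.14, 5.16, 5.19, 5.21, 5.25 and 5.26) can be evaluated from the JSON that `docker inspect` prints for each container. The script below is an added example, not code from the CIS benchmark, the DISA STIG or any audit file: it reads that JSON and lists which of those checks each container fails. The `SAMPLE` records are constructed for the example (field names follow Docker's inspect schema, values are invented), and the sensitive-directory list and the on-failure retry bound of 5 are taken from the benchmark items named in the rows.

```python
"""Audit `docker inspect` output against CIS Docker container checks.

Added example (not part of the CIS benchmark or any audit file). Usage on a
real host:  docker inspect $(docker ps -q) > containers.json
            python3 audit_containers.py containers.json
Without an argument the constructed SAMPLE below is audited instead.
"""
import json
import sys

# Host paths CIS 5.5 / DKER-EE-001190 call sensitive when bind-mounted read-write.
SENSITIVE_DIRS = ("/", "/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")

# Constructed sample of `docker inspect` output, trimmed to the fields read below.
SAMPLE = json.dumps([
    {"Name": "/good",
     "Config": {"User": "app", "Healthcheck": {"Test": ["CMD", "true"]}},
     "HostConfig": {"Privileged": False, "IpcMode": "private",
                    "SecurityOpt": ["no-new-privileges"],
                    "RestartPolicy": {"Name": "on-failure", "MaximumRetryCount": 5},
                    "PortBindings": {"8080/tcp": [{"HostPort": "8080"}]}},
     "Mounts": [{"Type": "bind", "Source": "/srv/app", "Destination": "/data",
                 "RW": True, "Propagation": "rprivate"}]},
    {"Name": "/bad",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "IpcMode": "host",
                    "SecurityOpt": ["seccomp=unconfined"],
                    "RestartPolicy": {"Name": "always", "MaximumRetryCount": 0},
                    "PortBindings": {"80/tcp": [{"HostPort": "80"}]}},
     "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/host-etc",
                 "RW": True, "Propagation": "shared"}]},
])


def is_sensitive(path):
    """True if path is one of SENSITIVE_DIRS or lies underneath one."""
    path = path.rstrip("/") or "/"
    return any(path == d or (d != "/" and path.startswith(d + "/"))
               for d in SENSITIVE_DIRS)


def check_container(c):
    """Return the list of failed checks (short strings) for one inspect record."""
    cfg = c.get("Config") or {}
    hc = c.get("HostConfig") or {}
    secopt = hc.get("SecurityOpt") or []
    fails = []
    # 4.1: an empty User means the image default, which is root unless the
    # Dockerfile set USER.
    if not cfg.get("User"):
        fails.append("4.1 runs as root")
    # 5.4: --privileged hands the container every capability and host device.
    if hc.get("Privileged"):
        fails.append("5.4 privileged")
    for m in c.get("Mounts") or []:
        # 5.5 / DKER-EE-001190: sensitive host directories mounted read-write.
        if m.get("Type") == "bind" and m.get("RW") and is_sensitive(m.get("Source", "")):
            fails.append("5.5 sensitive host dir %s mounted rw" % m["Source"])
        # 5.19: shared propagation lets mounts made inside leak back to the host.
        if m.get("Propagation") in ("shared", "rshared"):
            fails.append("5.19 shared propagation on %s" % m.get("Destination"))
    # 5.7: host ports below 1024 should not be mapped.
    for bindings in (hc.get("PortBindings") or {}).values():
        for b in bindings or []:
            port = b.get("HostPort") or ""
            if port.isdigit() and int(port) < 1024:
                fails.append("5.7 privileged host port %s" % port)
    # 5.14: on-failure with a bounded retry count (benchmark value 5;
    # MaximumRetryCount 0 means retry forever).
    rp = hc.get("RestartPolicy") or {}
    count = rp.get("MaximumRetryCount") or 0
    if rp.get("Name") != "on-failure" or count == 0 or count > 5:
        fails.append("5.14 restart policy not on-failure:5")
    # 5.16: sharing the host IPC namespace exposes host shared memory segments.
    if hc.get("IpcMode") == "host":
        fails.append("5.16 host IPC namespace")
    # 5.21: default seccomp profile disabled (old ':' and new '=' syntax).
    if any(o in ("seccomp=unconfined", "seccomp:unconfined") for o in secopt):
        fails.append("5.21 seccomp unconfined")
    # 5.25: no-new-privileges stops setuid binaries raising privileges.
    if not any(o.startswith("no-new-privileges") and not o.endswith("false")
               for o in secopt):
        fails.append("5.25 no-new-privileges not set")
    # 5.26: without a HEALTHCHECK the daemon cannot tell a hung service from a live one.
    if not cfg.get("Healthcheck"):
        fails.append("5.26 no healthcheck")
    return fails


def audit_json(text):
    """Map each container name (leading '/' dropped) to its failed checks."""
    return {c.get("Name", "?").lstrip("/"): check_container(c)
            for c in json.loads(text)}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    results = audit_json(text)
    for name, fails in results.items():
        print("%s: %s" % (name, "PASS" if not fails else "; ".join(fails)))
    sys.exit(1 if any(results.values()) else 0)
```

The checks deliberately read only the inspected container state, so the script is a point-in-time audit, not a policy enforcer; the daemon-level rows (storage driver, `--userns-remap`, default ulimit, file ownership) need `docker info` and filesystem checks instead and are not covered here.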