Item Search

| Name | Audit Name | Plugin | Category |
|---|---|---|---|
| 1.1.12 Ensure auditing is configured for Docker files and directories - /etc/containerd/config.toml | CIS Docker v1.7.0 L2 Docker - Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1 Restrict network traffic between containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Do not use the aufs storage driver | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.7 Set default ulimit as appropriate - default-ulimit | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.16 Control the number of manager nodes in a swarm | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.16 Ensure Userland Proxy is Disabled | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 2.17 Bind swarm services to a specific host interface | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.17 Ensure that a daemon-wide custom seccomp profile is applied if appropriate | CIS Docker v1.7.0 L2 Docker - Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
| 2.24 Rotate swarm manager auto-lock key periodically | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.23 Ensure that the Containerd socket file ownership is set to root:root | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 4.3 Do not install unnecessary packages in the container | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.5 Enable Content trust for Docker | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 4.7 Ensure update instructions are not used alone in Dockerfiles | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 4.9 Use COPY instead of ADD in Dockerfile | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.10 Ensure secrets are not stored in Dockerfiles | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.2 Ensure that, if applicable, an AppArmor Profile is enabled | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.4 Ensure that Linux kernel capabilities are restricted within containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.6 Do not run ssh within containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Open only needed ports on container | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.9 Open only needed ports on container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.11 Set container CPU priority appropriately | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.11 Set container CPU priority appropriately | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.14 Bind incoming container traffic to a specific host interface | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Do not share the host's process namespace | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Do not share the host's process namespace | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.16 Do not share the host's process namespace | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.16 Ensure that the host's process namespace is not shared | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Do not directly expose host devices to containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Do not directly expose host devices to containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Do not directly expose host devices to containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.18 Override default ulimit at runtime only if needed | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.20 Do not share the host's UTS namespace | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.24 Confirm cgroup usage | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.24 Confirm cgroup usage | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.30 Do not share the host's user namespaces | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.31 Ensure that the host's user namespaces are not shared | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 6.2 Ensure that container sprawl is avoided | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.4 Backup container data | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 7.3 Ensure that all Docker swarm overlay networks are encrypted | CIS Docker v1.7.0 L1 Docker Swarm | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |