| 2.10 Do not change base device size until needed | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | |
| 2.10 Do not change base device size until needed | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | |
| 2.14 Ensure containers are restricted from acquiring new privileges | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.16 Control the number of manager nodes in a swarm | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.20 Apply a daemon-wide custom seccomp profile, if needed | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Verify that docker.service file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.2 Ensure that docker.service file permissions are appropriately set | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.3 Ensure that docker.socket file ownership is set to root:root | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 3.9 Verify that TLS CA certificate file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.18 Verify that daemon.json file permissions are set to 644 or more restrictive | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.20 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.5 Enable Content trust for Docker | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 4.7 Do not use update instructions alone in the Dockerfile | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.7 Do not use update instructions alone in the Dockerfile | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.8 Ensure setuid and setgid permissions are removed | CIS Docker v1.7.0 L2 Docker - Linux | Unix | ACCESS CONTROL |
| 4.8 Remove setuid and setgid permissions in the images | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix | |
| 4.8 Remove setuid and setgid permissions in the images | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | |
| 4.9 Enable Kernel Level Auditing, Check if 'flags:lo,ad,cc' is set in /etc/security/audit_control. | CIS Solaris 10 L1 v5.2 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.10 Do not store secrets in Dockerfiles | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.3 Verify that containers are running only a single main process | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Ensure that privileged containers are not used | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 5.7 Do not map privileged ports within containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Do not map privileged ports within containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.9 Ensure that only needed ports are open on the container | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.10 Limit memory usage for container | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.11 Limit memory usage for container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.11 Set container CPU priority appropriately | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.11 Set container CPU priority appropriately | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Mount container's root filesystem as read only | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.14 Ensure that incoming container traffic is bound to a specific host interface | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.14 Set the 'on-failure' container restart policy to 5 - 'MaximumRetryCount' | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Ensure that the 'on-failure' container restart policy is set to '5' | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.17 Do not directly expose host devices to containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Do not share the host's IPC namespace | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.18 Do not directly expose host devices to containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.19 Override default ulimit at runtime only if needed | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.20 Do not share the host's UTS namespace | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.22 Ensure the default seccomp profile is not Disabled | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Ensure that cgroup usage is confirmed | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 5.25 Restrict container from acquiring additional privileges | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.26 Check container health at runtime | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.27 Ensure that container health is checked at runtime | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 5.28 Use PIDs cgroup limit | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.3 Backup container data | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | |
| 7.6 Ensure that the swarm manager auto-lock key is rotated periodically | CIS Docker v1.7.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION |
| DKER-EE-003230 - An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR). | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
