| 2.1 Do not use lxc execution driver | CONFIGURATION MANAGEMENT |
| 2.2 Restrict network traffic between containers | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.3 Set the logging level | AUDIT AND ACCOUNTABILITY |
| 2.4 Allow Docker to make changes to iptables | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Do not use insecure registries | SYSTEM AND INFORMATION INTEGRITY |
| 2.6 Setup a local registry mirror | CONFIGURATION MANAGEMENT |
| 2.7 Do not use the aufs storage driver | CONFIGURATION MANAGEMENT |
| 2.8 Do not bind Docker to another IP/Port or a Unix socket | CONFIGURATION MANAGEMENT |
| 2.9 Configure TLS authentication for Docker daemon '--tlscacert' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.9 Configure TLS authentication for Docker daemon '--tlscert' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.9 Configure TLS authentication for Docker daemon '--tlskey' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.9 Configure TLS authentication for Docker daemon '--tlsverify' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.10 Set default ulimit as appropriate '--default-ulimit' | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Verify that docker.service file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.3 Verify that docker-registry.service file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.4 Verify that docker-registry.service file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.5 Verify that docker.socket file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.6 Verify that docker.socket file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.7 Verify that Docker environment file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.8 Verify that Docker environment file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.9 Verify that docker-network environment file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.10 Verify that docker-network environment file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.11 Verify that docker-registry environment file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.12 Verify that docker-registry environment file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.13 Verify that docker-storage environment file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.14 Verify that docker-storage environment file permissions are set to 644 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.15 Verify that /etc/docker directory ownership is set to root:root | |
| 3.16 Verify that /etc/docker directory permissions are set to 755 or more restrictive | |
| 3.17 Verify that registry certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.18 Verify that registry certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.19 Verify that TLS CA certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.20 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.21 Verify that Docker server certificate file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.22 Verify that Docker server certificate file permissions are set to 444 or more restrictive | CONFIGURATION MANAGEMENT |
| 3.23 Verify that Docker server certificate key file ownership is set to root:root | CONFIGURATION MANAGEMENT |
| 3.24 Verify that Docker server certificate key file permissions are set to 400 | CONFIGURATION MANAGEMENT |
| 3.25 Verify that Docker socket file ownership is set to root:docker - /var/run/docker.sock | CONFIGURATION MANAGEMENT |
| 3.26 Verify that Docker socket file permissions are set to 660 or more restrictive | CONFIGURATION MANAGEMENT |
| 4.1 Create a user for the container | |
| 4.2 Use trusted base images for containers | CONFIGURATION MANAGEMENT |
| 4.3 Do not install unnecessary packages in the container | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CONFIGURATION MANAGEMENT |
| 5.3 Verify that containers are running only a single main process | CONFIGURATION MANAGEMENT |
| 5.4 Restrict Linux Kernel Capabilities within containers | ACCESS CONTROL |
| 5.5 Do not use privileged containers | |
| 5.6 Do not mount sensitive host system directories on containers | CONFIGURATION MANAGEMENT |
| 5.7 Do not run ssh within containers | CONFIGURATION MANAGEMENT |
| 5.8 Do not map privileged ports within containers | |
| 5.9 Open only needed ports on container | CONFIGURATION MANAGEMENT |