CIS Docker v1.6.0 L1 Docker Linux

Warning! Audit Deprecated

This audit file has been deprecated and will be removed in a future update.

Audit Details

Name: CIS Docker v1.6.0 L1 Docker Linux

Updated: 12/3/2024

Authority: CIS

Plugin: Unix

Revision: 1.3

Estimated Item Count: 87

File Details

Filename: CIS_Docker_v1.6.0_L1_Docker_Linux.audit

Size: 162 kB

MD5: a3fd5defa3f99c29188acb644a4eb1e1
SHA256: 5d24522aa48f0cc24517ab0e7de27c02c3ce8ffe33059f71f3830988c1f63e0b

Audit Items

Description
1.1.1 Ensure a separate partition for containers has been created
1.1.2 Ensure only trusted users are allowed to control Docker daemon
1.1.3 Ensure auditing is configured for the Docker daemon
1.1.4 Ensure auditing is configured for Docker files and directories - /run/containerd
1.1.5 Ensure auditing is configured for Docker files and directories - /var/lib/docker
1.1.6 Ensure auditing is configured for Docker files and directories - /etc/docker
1.2.1 Ensure the container host has been Hardened
1.2.2 Ensure that the version of Docker is up to date
2.1 Run the Docker daemon as a non-root user, if possible
2.2 Ensure network traffic is restricted between containers on the default bridge
2.3 Ensure the logging level is set to 'info' - daemon.json
2.3 Ensure the logging level is set to 'info' - dockerd
2.4 Ensure Docker is allowed to make changes to iptables - daemon.json
2.4 Ensure Docker is allowed to make changes to iptables - dockerd
2.5 Ensure insecure registries are not used
2.6 Ensure aufs storage driver is not used
2.7 Ensure TLS authentication for Docker daemon is configured - tlscacert
2.7 Ensure TLS authentication for Docker daemon is configured - tlscert
2.7 Ensure TLS authentication for Docker daemon is configured - tlskey
2.7 Ensure TLS authentication for Docker daemon is configured - tlsverify
2.8 Ensure the default ulimit is configured appropriately - daemon.json nofile hard
2.8 Ensure the default ulimit is configured appropriately - daemon.json nofile soft
2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc hard
2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc soft
2.8 Ensure the default ulimit is configured appropriately - ps
2.14 Ensure containers are restricted from acquiring new privileges
2.15 Ensure live restore is enabled
2.16 Ensure Userland Proxy is Disabled
2.18 Ensure that experimental features are not implemented in production
3.1 Ensure that the docker.service file ownership is set to root:root
3.2 Ensure that docker.service file permissions are appropriately set
3.3 Ensure that docker.socket file ownership is set to root:root
3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive
3.5 Ensure that the /etc/docker directory ownership is set to root:root
3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively
3.7 Ensure that registry certificate file ownership is set to root:root
3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively
3.9 Ensure that TLS CA certificate file ownership is set to root:root
3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively
3.11 Ensure that Docker server certificate file ownership is set to root:root
3.12 Ensure that the Docker server certificate file permissions are set to 444 or more restrictively
3.13 Ensure that the Docker server certificate key file ownership is set to root:root
3.14 Ensure that the Docker server certificate key file permissions are set to 400
3.15 Ensure that the Docker socket file ownership is set to root:docker
3.16 Ensure that the Docker socket file permissions are set to 660 or more restrictively
3.23 Ensure that the Containerd socket file ownership is set to root:root
3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively
4.1 Ensure that a user for the container has been created
4.2 Ensure that containers use only trusted base images
4.3 Ensure that unnecessary packages are not installed in the container