CIS Docker v1.6.0 L1 Docker Linux

Audit Details

Name: CIS Docker v1.6.0 L1 Docker Linux

Updated: 6/17/2024

Authority: CIS

Plugin: Unix

Revision: 1.2

Estimated Item Count: 87

File Details

Filename: CIS_Docker_v1.6.0_L1_Docker_Linux.audit

Size: 212 kB

MD5: a04b60280c4204090f6a8fd07dc054ad
SHA256: 451833da3ba75c2e4d6b377e01677b2041531107ca4143d680895e8931818939

Audit Items

Description / Categories
1.1.1 Ensure a separate partition for containers has been created

SYSTEM AND COMMUNICATIONS PROTECTION

1.1.2 Ensure only trusted users are allowed to control Docker daemon

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

1.1.3 Ensure auditing is configured for the Docker daemon

AUDIT AND ACCOUNTABILITY

1.1.4 Ensure auditing is configured for Docker files and directories - /run/containerd

AUDIT AND ACCOUNTABILITY

1.1.5 Ensure auditing is configured for Docker files and directories - /var/lib/docker

AUDIT AND ACCOUNTABILITY

1.1.6 Ensure auditing is configured for Docker files and directories - /etc/docker

AUDIT AND ACCOUNTABILITY

1.2.1 Ensure the container host has been Hardened

CONFIGURATION MANAGEMENT

1.2.2 Ensure that the version of Docker is up to date

SYSTEM AND INFORMATION INTEGRITY

2.1 Run the Docker daemon as a non-root user, if possible

CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

2.2 Ensure network traffic is restricted between containers on the default bridge

CONFIGURATION MANAGEMENT, SYSTEM AND COMMUNICATIONS PROTECTION

2.3 Ensure the logging level is set to 'info' - daemon.json

AUDIT AND ACCOUNTABILITY

2.3 Ensure the logging level is set to 'info' - dockerd

AUDIT AND ACCOUNTABILITY

2.4 Ensure Docker is allowed to make changes to iptables - daemon.json

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

2.4 Ensure Docker is allowed to make changes to iptables - dockerd

CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION

2.5 Ensure insecure registries are not used

CONFIGURATION MANAGEMENT

2.6 Ensure aufs storage driver is not used

SYSTEM AND SERVICES ACQUISITION

2.7 Ensure TLS authentication for Docker daemon is configured - tlscacert

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure TLS authentication for Docker daemon is configured - tlscert

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure TLS authentication for Docker daemon is configured - tlskey

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.7 Ensure TLS authentication for Docker daemon is configured - tlsverify

ACCESS CONTROL, SYSTEM AND COMMUNICATIONS PROTECTION, SYSTEM AND INFORMATION INTEGRITY

2.8 Ensure the default ulimit is configured appropriately - daemon.json nofile hard

CONFIGURATION MANAGEMENT

2.8 Ensure the default ulimit is configured appropriately - daemon.json nofile soft

CONFIGURATION MANAGEMENT

2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc hard

CONFIGURATION MANAGEMENT

2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc soft

CONFIGURATION MANAGEMENT

2.8 Ensure the default ulimit is configured appropriately - ps

CONFIGURATION MANAGEMENT

2.14 Ensure containers are restricted from acquiring new privileges

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.15 Ensure live restore is enabled

PLANNING, SYSTEM AND SERVICES ACQUISITION

2.16 Ensure Userland Proxy is Disabled

CONFIGURATION MANAGEMENT

2.18 Ensure that experimental features are not implemented in production

CONFIGURATION MANAGEMENT
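The section-2 items above are daemon settings, and several of them appear twice (" - daemon.json" and " - dockerd", or " - ps" for 2.8) because the benchmark audits two sources: the file /etc/docker/daemon.json and the flags on the running dockerd command line. The following is an added example, not code from this audit file, Tenable, CIS or Docker: it merges both sources into one effective configuration and evaluates the listed checks against it. dockerd's own defaults (icc and iptables on, userland-proxy on, log-level info, experimental and live-restore off) are what an unset key means. The sample daemon.json contents and command lines are constructed; the certificate paths under /etc/docker are assumptions.

```python
import json
import shlex

# dockerd boolean flags: bare "--flag" means true, "--flag=false" means false
BOOL_FLAGS = {"--icc", "--iptables", "--tlsverify", "--no-new-privileges",
              "--live-restore", "--userland-proxy", "--experimental"}
# repeatable flags, collected into the list-valued daemon.json key
LIST_FLAGS = {"--insecure-registry": "insecure-registries",
              "--default-ulimit": "default-ulimits",
              "--host": "hosts", "-H": "hosts"}
# single-valued flags and their daemon.json key
VALUE_FLAGS = {"--log-level": "log-level", "--storage-driver": "storage-driver",
               "--tlscacert": "tlscacert", "--tlscert": "tlscert",
               "--tlskey": "tlskey"}


def parse_dockerd_cmdline(cmdline):
    """Map a dockerd command line (as shown by ps) onto daemon.json keys."""
    conf = {}
    args = shlex.split(cmdline)[1:]          # drop the dockerd binary itself
    i = 0
    while i < len(args):
        flag, _, value = args[i].partition("=")
        if flag in BOOL_FLAGS:
            conf[flag.lstrip("-")] = (value.lower() != "false") if value else True
        elif flag in LIST_FLAGS or flag in VALUE_FLAGS:
            if not value:                    # "--flag value" form
                i += 1
                value = args[i]
            if flag in LIST_FLAGS:
                conf.setdefault(LIST_FLAGS[flag], []).append(value)
            else:
                conf[VALUE_FLAGS[flag]] = value
        i += 1                               # unknown flags are skipped
    return conf


def default_ulimits(conf):
    """Normalise both ulimit syntaxes to {name: (soft, hard)}."""
    raw = conf.get("default-ulimits", {})
    if isinstance(raw, dict):                # daemon.json object form
        return {n: (s.get("Soft"), s.get("Hard")) for n, s in raw.items()}
    limits = {}                              # command line: name=soft[:hard]
    for item in raw:
        name, _, nums = item.partition("=")
        soft, _, hard = nums.partition(":")
        limits[name] = (int(soft), int(hard or soft))
    return limits


def audit_daemon(daemon_json_text, dockerd_cmdline):
    """Return {item: True/False/None} for the section-2 checks; None = not applicable."""
    conf = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    # dockerd refuses to start when a key is set in both places, so on a real
    # host this merge never overrides anything.
    conf.update(parse_dockerd_cmdline(dockerd_cmdline))
    limits = default_ulimits(conf)
    results = {
        "2.2":  conf.get("icc", True) is False,
        "2.3":  conf.get("log-level", "info") == "info",
        "2.4":  conf.get("iptables", True) is True,
        "2.5":  not conf.get("insecure-registries", []),
        "2.6":  conf.get("storage-driver", "") != "aufs",
        "2.8":  all(n in limits and None not in limits[n] for n in ("nofile", "nproc")),
        "2.14": conf.get("no-new-privileges", False) is True,
        "2.15": conf.get("live-restore", False) is True,
        "2.16": conf.get("userland-proxy", True) is False,
        "2.18": conf.get("experimental", False) is False,
    }
    # 2.7 only applies when the API is reachable over TCP; a daemon bound only
    # to the Unix socket has nothing to wrap in TLS, so report it as N/A.
    if any(h.startswith("tcp://") for h in conf.get("hosts", [])):
        results["2.7"] = (conf.get("tlsverify", False) is True and
                          all(conf.get(k) for k in ("tlscacert", "tlscert", "tlskey")))
    else:
        results["2.7"] = None
    return results


# Constructed samples (assumptions, not captured from a real host): a stock
# install exposing the API in the clear, and a hardened daemon.json.
WEAK_JSON = '{"insecure-registries": ["registry.internal:5000"]}'
WEAK_CMDLINE = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                "--containerd=/run/containerd/containerd.sock")
HARDENED_JSON = """{
  "icc": false, "log-level": "info", "iptables": true, "insecure-registries": [],
  "storage-driver": "overlay2", "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem",
  "default-ulimits": {"nofile": {"Name": "nofile", "Soft": 64000, "Hard": 64000},
                      "nproc": {"Name": "nproc", "Soft": 4096, "Hard": 8192}},
  "no-new-privileges": true, "live-restore": true, "userland-proxy": false, "experimental": false
}"""
HARDENED_CMDLINE = "/usr/bin/dockerd --containerd=/run/containerd/containerd.sock"

if __name__ == "__main__":
    for label, json_text, cmd in (("weak", WEAK_JSON, WEAK_CMDLINE),
                                  ("hardened", HARDENED_JSON, HARDENED_CMDLINE)):
        verdicts = {k: {True: "PASS", False: "FAIL", None: "N/A"}[v]
                    for k, v in sorted(audit_daemon(json_text, cmd).items())}
        print(label, verdicts)
```

On a live host, feed the script the contents of /etc/docker/daemon.json and the dockerd line from `ps -ef`. One caveat the hardened sample reflects: distribution packages start dockerd from a systemd unit that passes `-H fd://`, and dockerd exits at startup if `hosts` is also set in daemon.json, so moving the listener into the file requires overriding that unit so its command line carries no `-H`.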

3.1 Ensure that the docker.service file ownership is set to root:root

ACCESS CONTROL

3.2 Ensure that docker.service file permissions are appropriately set

ACCESS CONTROL, MEDIA PROTECTION

3.3 Ensure that docker.socket file ownership is set to root:root

ACCESS CONTROL

3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive

ACCESS CONTROL, MEDIA PROTECTION

3.5 Ensure that the /etc/docker directory ownership is set to root:root

ACCESS CONTROL

3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.7 Ensure that registry certificate file ownership is set to root:root

ACCESS CONTROL

3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.9 Ensure that TLS CA certificate file ownership is set to root:root

ACCESS CONTROL

3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.11 Ensure that Docker server certificate file ownership is set to root:root

ACCESS CONTROL

3.12 Ensure that the Docker server certificate file permissions are set to 444 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.13 Ensure that the Docker server certificate key file ownership is set to root:root

ACCESS CONTROL

3.14 Ensure that the Docker server certificate key file permissions are set to 400

ACCESS CONTROL, MEDIA PROTECTION

3.15 Ensure that the Docker socket file ownership is set to root:docker

ACCESS CONTROL, MEDIA PROTECTION

3.16 Ensure that the Docker socket file permissions are set to 660 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION

3.23 Ensure that the Containerd socket file ownership is set to root:root

ACCESS CONTROL

3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively

ACCESS CONTROL, MEDIA PROTECTION
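The section-3 items above all have the same shape: a file must be owned by a given user and group, and its mode must be "N or more restrictive", which means it may not carry any permission bit that N lacks (640 satisfies "644 or more restrictive", 664 does not; for 3.14 the key may have nothing beyond 400). The following is an added example, not code from this audit file, Tenable or CIS, that applies that rule. The expected owners, groups and modes are the ones stated in the item titles; the file paths are assumptions for a typical systemd-based Linux host (the benchmark locates the unit file with `systemctl show -p FragmentPath docker.service`, and certificate locations depend on how the daemon was configured).

```python
import grp
import os
import pwd
import stat

# item -> (path, expected owner, expected group, most permissive allowed mode)
# Paths are assumptions; certificate paths in particular vary per host.
EXPECTATIONS = {
    "3.1/3.2":   ("/lib/systemd/system/docker.service", "root", "root",   0o644),
    "3.3/3.4":   ("/lib/systemd/system/docker.socket",  "root", "root",   0o644),
    "3.5/3.6":   ("/etc/docker",                        "root", "root",   0o755),
    "3.9/3.10":  ("/etc/docker/ca.pem",                 "root", "root",   0o444),
    "3.11/3.12": ("/etc/docker/server-cert.pem",        "root", "root",   0o444),
    "3.13/3.14": ("/etc/docker/server-key.pem",         "root", "root",   0o400),
    "3.15/3.16": ("/var/run/docker.sock",               "root", "docker", 0o660),
    "3.23/3.24": ("/run/containerd/containerd.sock",    "root", "root",   0o660),
}


def evaluate(owner, group, mode, want_owner, want_group, max_mode):
    """Pure check: owner and group must match, and mode may not contain
    any bit outside max_mode ("max_mode or more restrictive")."""
    return owner == want_owner and group == want_group and (mode & ~max_mode) == 0


def stat_check(path, want_owner, want_group, max_mode):
    """Stat a path and apply evaluate(); None when the path does not exist."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    # Unknown ids (e.g. a deleted account) are reported numerically so the
    # comparison fails rather than raising.
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return evaluate(owner, group, stat.S_IMODE(st.st_mode),
                    want_owner, want_group, max_mode)


def run_audit(expectations=EXPECTATIONS):
    """Return {item: True/False/None} over every configured path."""
    return {item: stat_check(*spec) for item, spec in expectations.items()}


if __name__ == "__main__":
    for item, verdict in run_audit().items():
        print(item, {True: "PASS", False: "FAIL", None: "MISSING"}[verdict])
```

Note that 3.15 and 3.16 are the one place where a non-root group is expected: members of `docker` can talk to the daemon through /var/run/docker.sock, which is equivalent to root on the host, so a FAIL there (for example 666, or a group other than docker) deserves the same urgency as the TLS items in section 2.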

4.1 Ensure that a user for the container has been created

ACCESS CONTROL

4.2 Ensure that containers use only trusted base images

CONFIGURATION MANAGEMENT

4.3 Ensure that unnecessary packages are not installed in the container

CONFIGURATION MANAGEMENT