Detections
Analytics

Item Search

NameAudit NamePluginCategory
2.1 Restrict network traffic between containersCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

2.1 Restrict network traffic between containersCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

2.10 Do not change base device size until neededCIS Docker 1.13.0 v1.0.0 L2 DockerUnix
2.10 Do not change base device size until neededCIS Docker 1.11.0 v1.0.0 L2 DockerUnix
2.10 Do not change base device size until neededCIS Docker 1.12.0 v1.0.0 L2 DockerUnix
2.16 Control the number of manager nodes in a swarmCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

2.17 Bind swarm services to a specific host interfaceCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

2.17 Bind swarm services to a specific host interfaceCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Verify that docker.service file ownership is set to root:rootCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.2 Verify that docker.service file permissions are set to 644 or more restrictiveCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictiveCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.20 Verify that TLS CA certificate file permissions are set to 444 or more restrictiveCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.23 Ensure that the Containerd socket file ownership is set to root:rootCIS Docker v1.8.0 L1 OS LinuxUnix

ACCESS CONTROL

4.3 Do not install unnecessary packages in the containerCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.4 Rebuild the images to include security patchesCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.8 Remove setuid and setgid permissions in the imagesCIS Docker 1.13.0 v1.0.0 L2 DockerUnix
4.11 Install verified packages onlyCIS Docker 1.13.0 v1.0.0 L2 DockerUnix

CONFIGURATION MANAGEMENT

5.3 Verify that containers are running only a single main processCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.4 Do not use privileged containersCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

ACCESS CONTROL

5.4 Ensure that Linux kernel capabilities are restricted within containersCIS Docker v1.8.0 L1 OS LinuxUnix

CONFIGURATION MANAGEMENT

5.5 Do not mount sensitive host system directories on containersCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.6 Do not mount sensitive host system directories on containersCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.7 Do not map privileged ports within containersCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.7 Do not run ssh within containersCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.8 Do not map privileged ports within containersCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.8 Open only needed ports on containerCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.10 Limit memory usage for containerCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.10 Limit memory usage for containerCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.11 Limit memory usage for containerCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.11 Set container CPU priority appropriatelyCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.12 Set container CPU priority appropriatelyCIS Docker 1.6 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.14 Set the 'on-failure' container restart policy to 5 - 'MaximumRetryCount'CIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=alwaysCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failureCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.15 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failureCIS Docker 1.6 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.17 Do not directly expose host devices to containersCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.17 Do not share the host's IPC namespaceCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.18 Do not directly expose host devices to containersCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.19 Do not set mount propagation mode to sharedCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.19 Override default ulimit at runtime only if neededCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.20 Do not share the host's UTS namespaceCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.24 Confirm cgroup usageCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.25 Restrict container from acquiring additional privilegesCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.25 Restrict container from acquiring additional privilegesCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

6.2 Monitor Docker containers usage, performance and meteringCIS Docker 1.12.0 v1.0.0 L1 DockerUnix
7.3 Ensure that all Docker swarm overlay networks are encryptedCIS Docker v1.8.0 L1 Docker SwarmUnix

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

7.9 Ensure that management plane traffic is separated from data plane trafficCIS Docker v1.8.0 L1 Docker SwarmUnix

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise.DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

CONFIGURATION MANAGEMENT

DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared.DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

CONFIGURATION MANAGEMENT

DKER-EE-003230 - An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR).DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT