Item Search

Name | Audit Name | Plugin | Category
1.1.4 Ensure auditing is configured for Docker files and directories - /run/containerd | CIS Docker v1.6.0 L1 Docker Linux | Unix | AUDIT AND ACCOUNTABILITY
1.1.9 Ensure auditing is configured for Docker files and directories - docker.sock | CIS Docker v1.6.0 L2 Docker Linux | Unix | AUDIT AND ACCOUNTABILITY
1.1.12 Ensure auditing is configured for Docker files and directories - /etc/containerd/config.toml | CIS Docker v1.6.0 L2 Docker Linux | Unix | AUDIT AND ACCOUNTABILITY
2.5 Do not use the aufs storage driver | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
2.11 Ensure base device size is not changed until needed - daemon.json | CIS Docker v1.6.0 L2 Docker Linux | Unix | CONFIGURATION MANAGEMENT
2.16 Ensure Userland Proxy is Disabled - daemon.json | CIS Docker v1.6.0 L1 Docker Linux | Unix |
2.17 Ensure that a daemon-wide custom seccomp profile is applied if appropriate | CIS Docker v1.6.0 L2 Docker Linux | Unix | SYSTEM AND SERVICES ACQUISITION
2.24 Rotate swarm manager auto-lock key periodically | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix |
3.1 Ensure that the docker.service file ownership is set to root:root | CIS Docker v1.6.0 L2 Docker Linux | Unix | ACCESS CONTROL
3.3 Ensure that docker.socket file ownership is set to root:root | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL
3.9 Verify that TLS CA certificate file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively | CIS Docker v1.6.0 L2 Docker Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION
3.17 Ensure that the daemon.json file ownership is set to root:root | CIS Docker v1.6.0 L2 Docker Linux | Unix | ACCESS CONTROL
3.18 Verify that daemon.json file permissions are set to 644 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
4.3 Do not install unnecessary packages in the container | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
4.3 Enable Auditing of File Metadata Modification Events | CIS Oracle Solaris 11.4 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY
4.3 Ensure that unnecessary packages are not installed in the container | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
4.4 Ensure images are scanned and rebuilt to include security patches | CIS Docker v1.6.0 L1 Docker Linux | Unix | RISK ASSESSMENT
4.4 Rebuild the images to include security patches | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
4.5 Enable Content trust for Docker | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | SYSTEM AND INFORMATION INTEGRITY
4.7 Ensure update instructions are not used alone in Dockerfiles | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
4.9 Ensure that COPY is used instead of ADD in Dockerfiles | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
4.10 Ensure secrets are not stored in Dockerfiles | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
4.12 Ensure all signed artifacts are validated | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY
5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
5.9 Ensure that only needed ports are open on the container | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
5.9 Open only needed ports on container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
5.11 Set container CPU priority appropriately | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.12 Mount container's root filesystem as read only | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
5.14 Bind incoming container traffic to a specific host interface | CIS Docker 1.6 v1.0.0 L1 Docker | Unix |
5.15 Do not share the host's process namespace | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.15 Do not share the host's process namespace | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.15 Ensure that the 'on-failure' container restart policy is set to '5' | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
5.15 Set the 'on-failure' container restart policy to 5 | CIS Docker 1.6 v1.0.0 L1 Docker | Unix |
5.16 Do not share the host's process namespace | CIS Docker 1.6 v1.0.0 L1 Docker | Unix |
5.17 Do not directly expose host devices to containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.17 Ensure that the host's IPC namespace is not shared | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.18 Override default ulimit at runtime only if needed | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.22 Ensure the default seccomp profile is not Disabled | CIS Docker v1.6.0 L1 Docker Linux | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.24 Confirm cgroup usage | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.29 Ensure that the PIDs cgroup limit is used | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
6.1 Perform regular security audits of your host system and containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix |
6.4 Backup container data | CIS Docker 1.6 v1.0.0 L1 Docker | Unix |
7.2 Ensure that swarm services are bound to a specific host interface | CIS Docker v1.6.0 L1 Docker Swarm | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
7.7 Ensure that node certificates are rotated as appropriate | CIS Docker v1.6.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION
Check if this is a Docker Vessel/Host | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix |
Check if this is a Docker Vessel/Host | CIS Docker 1.6 v1.0.0 L1 Docker | Unix |
Check if this is a Docker Vessel/Host | CIS Docker 1.6 v1.0.0 L2 Docker | Unix |
Check if this is a Docker Vessel/Host | CIS Docker v1.6.0 L1 Docker Swarm | Unix |
CIS_Docker_1.12.0_v1.0.0_L2.audit Level 2 | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix |