Item Search

NameAudit NamePluginCategory
2.10 Do not change base device size until neededCIS Docker 1.13.0 v1.0.0 L2 DockerUnix
2.14 Ensure containers are restricted from acquiring new privilegesCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION

2.16 Control the number of manager nodes in a swarmCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

2.20 Apply a daemon-wide custom seccomp profile, if neededCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

3.1 Verify that docker.service file ownership is set to root:rootCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.1 Verify that docker.service file ownership is set to root:rootCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.2 Ensure that docker.service file permissions are appropriately setCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL, MEDIA PROTECTION

3.2 Verify that docker.service file permissions are set to 644 or more restrictiveCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.3 Ensure that docker.socket file ownership is set to root:rootCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL

3.9 Verify that TLS CA certificate file ownership is set to root:rootCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.9 Verify that TLS CA certificate file ownership is set to root:rootCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.17 Verify that daemon.json file ownership is set to root:rootCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.18 Verify that daemon.json file permissions are set to 644 or more restrictiveCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.18 Verify that daemon.json file permissions are set to 644 or more restrictiveCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

3.20 Verify that TLS CA certificate file permissions are set to 444 or more restrictiveCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.3 Do not install unnecessary packages in the containerCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.5 Enable Content trust for DockerCIS Docker 1.12.0 v1.0.0 L2 DockerUnix

SYSTEM AND INFORMATION INTEGRITY

4.7 Do not use update instructions alone in the DockerfileCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.7 Do not use update instructions alone in the DockerfileCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

4.8 Ensure setuid and setgid permissions are removedCIS Docker v1.7.0 L2 Docker - LinuxUnix

ACCESS CONTROL

4.8 Remove setuid and setgid permissions in the imagesCIS Docker 1.12.0 v1.0.0 L2 DockerUnix
4.8 Remove setuid and setgid permissions in the imagesCIS Docker 1.13.0 v1.0.0 L2 DockerUnix
4.10 Do not store secrets in DockerfilesCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.3 Verify that containers are running only a single main processCIS Docker 1.6 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.4 Do not use privileged containersCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

ACCESS CONTROL

5.7 Do not map privileged ports within containersCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.8 Do not map privileged ports within containersCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.10 Limit memory usage for containerCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.10 Limit memory usage for containerCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.11 Limit memory usage for containerCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.11 Set container CPU priority appropriatelyCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.12 Mount container's root filesystem as read onlyCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.12 Mount container's root filesystem as read onlyCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.14 Ensure that incoming container traffic is bound to a specific host interfaceCIS Docker v1.7.0 L1 Docker - LinuxUnix

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.14 Set the 'on-failure' container restart policy to 5 - 'MaximumRetryCount'CIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.15 Do not share the host's process namespaceCIS Docker 1.11.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.15 Ensure that the 'on-failure' container restart policy is set to '5'CIS Docker v1.7.0 L1 Docker - LinuxUnix

CONFIGURATION MANAGEMENT

5.17 Do not share the host's IPC namespaceCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.18 Do not directly expose host devices to containersCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.19 Override default ulimit at runtime only if neededCIS Docker 1.6 v1.0.0 L1 DockerUnix
5.20 Do not share the host's UTS namespaceCIS Docker 1.13.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

5.22 Ensure the default seccomp profile is not DisabledCIS Docker v1.7.0 L1 Docker - LinuxUnix

SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION

5.25 Ensure that cgroup usage is confirmedCIS Docker v1.7.0 L1 Docker - LinuxUnix

ACCESS CONTROL, MEDIA PROTECTION

5.26 Check container health at runtimeCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

CONFIGURATION MANAGEMENT

5.27 Ensure that container health is checked at runtimeCIS Docker v1.7.0 L1 Docker - LinuxUnix

SYSTEM AND INFORMATION INTEGRITY

5.28 Use PIDs cgroup limitCIS Docker 1.12.0 v1.0.0 L1 DockerUnix

SYSTEM AND COMMUNICATIONS PROTECTION

6.1 Ensure that image sprawl is avoidedCIS Docker v1.7.0 L1 Docker - LinuxUnix

PLANNING, SYSTEM AND SERVICES ACQUISITION

6.3 Backup container dataCIS Docker 1.12.0 v1.0.0 L1 DockerUnix
7.6 Ensure that the swarm manager auto-lock key is rotated periodicallyCIS Docker v1.7.0 L1 Docker SwarmUnix

IDENTIFICATION AND AUTHENTICATION

DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared.DISA STIG Docker Enterprise 2.x Linux/Unix v2r2Unix

CONFIGURATION MANAGEMENT