| 1.1.8 Ensure auditing is configured for Docker files and directories - containerd.sock | CIS Docker v1.8.0 L2 OS Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.1.9 Ensure auditing is configured for Docker files and directories - docker.sock | CIS Docker v1.8.0 L2 OS Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 2.1 Restrict network traffic between containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Do not use the aufs storage driver | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.7 Set default ulimit as appropriate - default-ulimit | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.16 Control the number of manager nodes in a swarm | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.17 Bind swarm services to a specific host interface | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.24 Rotate swarm manager auto-lock key periodically | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 3.1 Verify that docker.service file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.20 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.23 Ensure that the Containerd socket file ownership is set to root:root | CIS Docker v1.8.0 L1 OS Linux | Unix | ACCESS CONTROL |
| 4.3 Do not install unnecessary packages in the container | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Rebuild the images to include security patches | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.5 Enable Content trust for Docker | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | SYSTEM AND INFORMATION INTEGRITY |
| 4.9 Use COPY instead of ADD in Dockerfile | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.3 Verify that containers are running only a single main process | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.6 Do not run ssh within containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Do not map privileged ports within containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.8 Open only needed ports on container | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.9 Open only needed ports on container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.11 Limit memory usage for container | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.11 Set container CPU priority appropriately | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.14 Bind incoming container traffic to a specific host interface | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.15 Do not share the host's process namespace | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Do not share the host's process namespace | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.16 Do not share the host's process namespace | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.17 Do not directly expose host devices to containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Do not directly expose host devices to containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Do not share the host's IPC namespace | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.18 Do not directly expose host devices to containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.18 Override default ulimit at runtime only if needed | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.19 Do not set mount propagation mode to shared | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.19 Override default ulimit at runtime only if needed | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.20 Do not share the host's UTS namespace | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.24 Confirm cgroup usage | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.24 Confirm cgroup usage | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.30 Do not share the host's user namespaces | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | |
| 6.1 Perform regular security audits of your host system and containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 6.4 Backup container data | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 7.1 Ensure that the minimum number of manager nodes have been created in a swarm | CIS Docker v1.8.0 L1 Docker Swarm | Unix | CONFIGURATION MANAGEMENT |
| 7.2 Ensure that swarm services are bound to a specific host interface | CIS Docker v1.8.0 L1 Docker Swarm | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.3 Ensure that all Docker swarm overlay networks are encrypted | CIS Docker v1.8.0 L1 Docker Swarm | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster | CIS Docker v1.8.0 L1 Docker Swarm | Unix | CONFIGURATION MANAGEMENT |
| 7.9 Ensure that management plane traffic is separated from data plane traffic | CIS Docker v1.8.0 L1 Docker Swarm | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-002010 - Memory usage for all containers must be limited in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-003230 - An appropriate Docker Engine - Enterprise log driver plugin must be configured to collect audit events from Universal Control Plane (UCP) and Docker Trusted Registry (DTR). | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT |
