| Audit item | Benchmark profile | Platform | Control family |
|---|---|---|---|
| 1.1.9 Ensure auditing is configured for Docker files and directories - docker.sock | CIS Docker v1.7.0 L2 Docker - Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.2.1 Ensure the container host has been Hardened | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 2.1 Restrict network traffic between containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.5 Ensure aufs storage driver is not used | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.8 Enable user namespace support - /etc/subgid | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | |
| 2.8 Enable user namespace support --userns-remap=default | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.9 Enable user namespace support | CIS Docker v1.7.0 L2 Docker - Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
| 2.10 Do not change base device size until needed | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | |
| 2.10 Do not change base device size until needed | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix | |
| 2.11 Ensure base device size is not changed until needed | CIS Docker v1.7.0 L2 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 2.17 Bind swarm services to a specific host interface | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure that the docker.service file ownership is set to root:root | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2 Enable Auditing of Incoming Network Connections | CIS Oracle Solaris 11.4 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.3 Do not install unnecessary packages in the container | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.3 Enable Auditing of File Metadata Modification Events | CIS Oracle Solaris 11.4 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.3 Ensure that unnecessary packages are not installed in the container | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Enable Auditing of Process and Privilege Events | CIS Oracle Solaris 11.4 L1 v1.1.0 | Unix | AUDIT AND ACCOUNTABILITY |
| 4.8 Ensure setuid and setgid permissions are removed in the images | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | |
| 4.10 Ensure secrets are not stored in Dockerfiles | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.11 Install verified packages only | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.12 Ensure all signed artifacts are validated | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT, SYSTEM AND INFORMATION INTEGRITY |
| 5.4 Do not use privileged containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
| 5.6 Do not mount sensitive host system directories on containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.7 Do not run ssh within containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.7 Ensure privileged ports are not mapped within containers | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | CIS Kubernetes v1.10.0 L2 Master | Unix | CONFIGURATION MANAGEMENT |
| 5.10 Limit memory usage for container | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Set container CPU priority appropriately | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.18 Ensure that host devices are not directly exposed to containers | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 5.19 Ensure mount propagation mode is not set to shared | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.20 Ensure the host's UTS namespace is not shared | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.21 Ensure that the host's UTS namespace is not shared | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Ensure the container is restricted from acquiring additional privileges | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Restrict container from acquiring additional privileges | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Restrict container from acquiring additional privileges | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.26 Ensure that the container is restricted from acquiring additional privileges | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL |
| 5.28 Ensure PIDs cgroup limit is used | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.29 Ensure that the PIDs cgroup limit is used | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | |
| 7.8 Ensure that CA certificates are rotated as appropriate | CIS Docker v1.7.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION |
| 7.9 Ensure that management plane traffic is separated from data plane traffic | CIS Docker v1.7.0 L1 Docker Swarm | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-001190 - Docker Enterprise sensitive host system directories must not be mounted on containers. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL |
| DKER-EE-001240 - The Docker Enterprise hosts process namespace must not be shared. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL |
| DKER-EE-001250 - The Docker Enterprise hosts IPC namespace must not be shared. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL |
| DKER-EE-002150 - Docker Enterprise privileged ports must not be mapped within containers. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-003200 - Docker Enterprise images must be built with the USER instruction to prevent containers from running as root. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL |
| DKER-EE-003340 - Log aggregation/SIEM systems must be configured to notify SA and ISSO on Docker Engine - Enterprise audit failure events. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | AUDIT AND ACCOUNTABILITY |