| 1.1.14 Ensure auditing is configured for Docker files and directories - /usr/bin/containerd | CIS Docker v1.6.0 L2 Docker Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.1.17 Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 | CIS Docker v1.6.0 L2 Docker Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 2.2 Restrict network traffic between containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.8 Ensure the default ulimit is configured appropriately - ps | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT |
| 2.10 Set default ulimit as appropriate '--default-ulimit' | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.12 Ensure that authorization for Docker client commands is enabled - daemon.json | CIS Docker v1.6.0 L2 Docker Linux | Unix | |
| 2.14 Ensure containers are restricted from acquiring new privileges | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION |
| 2.14 Ensure containers are restricted from acquiring new privileges - dockerd | CIS Docker v1.6.0 L1 Docker Linux | Unix | |
| 2.18 Disable Userland Proxy | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.19 Encrypt data exchanged between containers on different nodes on the overlay network | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.2 Ensure that docker.service file permissions are appropriately set | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.4 Verify that docker.socket file permissions are set to 644 or more restrictive | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.9 Ensure that TLS CA certificate file ownership is set to root:root | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL |
| 3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive | CIS Docker v1.6.0 L2 Docker Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.18 Verify that daemon.json file permissions are set to 644 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.23 Ensure that the Containerd socket file ownership is set to root:root | CIS Docker v1.6.0 L2 Docker Linux | Unix | ACCESS CONTROL |
| 3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively | CIS Docker v1.6.0 L2 Docker Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 4.2 Use trusted base images for containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.4 Scan and rebuild the images to include security patches | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.9 Use COPY instead of ADD in Dockerfile | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.4 Ensure that Linux kernel capabilities are restricted within containers | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Do not mount sensitive host system directories on containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.6 Ensure sensitive host system directories are not mounted on containers | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.7 Do not map privileged ports within containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 5.8 Open only needed ports on container | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Open only needed ports on container | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.12 Ensure that CPU priority is set appropriately on containers | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.12 Mount container's root filesystem as read only | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.13 Bind incoming container traffic to a specific host interface | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.13 Bind incoming container traffic to a specific host interface | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.13 Mount container's root filesystem as read only | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.18 Ensure that host devices are not directly exposed to containers | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL |
| 5.18 Override default ulimit at runtime only if needed | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.21 Ensure that the host's UTS namespace is not shared | CIS Docker v1.6.0 L1 Docker Linux | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.28 Use PIDs cgroup limit | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.30 Do not share the host's user namespaces | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Ensure that container sprawl is avoided | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
| 6.3 Backup container data | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
| 7.4 Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster | CIS Docker v1.6.0 L1 Docker Swarm | Unix | CONFIGURATION MANAGEMENT |
| 7.6 Ensure that the swarm manager auto-lock key is rotated periodically | CIS Docker v1.6.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION |
| 7.8 Ensure that CA certificates are rotated as appropriate | CIS Docker v1.6.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION |
| Check if this is a Docker Vessel/Host | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | |
| Check if this is a Docker Vessel/Host | CIS Docker v1.6.0 L1 Docker Linux | Unix | |
| CIS_Docker_1.13.0_L2_v1.0.0.audit Level 2 | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | |
