| 1.4 Remove all non-essential services from the host - DPKG | CIS Docker 1.12.0 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
| 1.5 Remove all non-essential services from the host - DPKG | CIS Docker 1.6 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
| 1.5 Remove all non-essential services from the host - RPM | CIS Docker 1.6 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
| 1.5 Remove all non-essential services from the host - running processes | CIS Docker 1.6 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
| 1.5 Remove all non-essential services from the host - sockets | CIS Docker 1.6 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
| 2.1 Ensure network traffic is restricted between containers on the default bridge | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.7 Ensure the default ulimit is configured appropriately | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 2.10 Ensure base device size is not changed until needed | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | |
| 2.15 Ensure Userland Proxy is Disabled | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.16 Ensure daemon-wide custom seccomp profile is applied, if needed | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.1 Ensure that docker.service file ownership is set to root:root | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.2 Ensure that docker.service file permissions are set to 644 or more restrictive | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.3 Ensure that docker.socket file ownership is set to root:root | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.9 Ensure that TLS CA certificate file ownership is set to root:root | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.17 Ensure that daemon.json file ownership is set to root:root | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.1 Ensure a user for the container has been created | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | ACCESS CONTROL |
| 4.7 Ensure update instructions are not use alone in the Dockerfile | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.8 Ensure setuid and setgid permissions are removed in the images | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | |
| 4.9 Ensure COPY is used instead of ADD in Dockerfile | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.11 Ensure verified packages are only Installed | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.5 Ensure sensitive host system directories are not mounted on containers | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions | CIS Kubernetes v1.24 Benchmark v1.0.0 L2 Master | Unix | CONFIGURATION MANAGEMENT |
| 5.8 Ensure only needed ports are open on the container | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.10 Ensure memory usage for container is limited | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.11 Ensure CPU priority is set appropriately on the container | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.13 Ensure incoming container traffic is binded to a specific host interface | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.14 Ensure 'on-failure' container restart policy is set to '5' - 'MaximumRetryCount' | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.14 Ensure 'on-failure' container restart policy is set to '5' - RestartPolicyName | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.15 Ensure the host's process namespace is not shared | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.16 Ensure the host's IPC namespace is not shared | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.17 Ensure host devices are not directly exposed to containers | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.18 Ensure the default ulimit is overwritten at runtime, only if needed | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.19 Ensure mount propagation mode is not set to shared | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.20 Ensure the host's UTS namespace is not shared | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.21 Ensure the default seccomp profile is not Disabled | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.25 Ensure the container is restricted from acquiring additional privileges | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.26 Ensure container health is checked at runtime | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.28 Ensure PIDs cgroup limit is used | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.30 Ensure the host's user namespaces is not shared | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.2 Ensure the minimum number of manager nodes have been created in a swarm | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 7.3 Ensure swarm services are binded to a specific host interface | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.4 Ensure data exchanged between containers are encrypted on different nodes on the overlay network | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.7 Ensure swarm manager auto-lock key is rotated periodically | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | |
| 7.8 Ensure node certificates are rotated as appropriate | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 7.9 Ensure CA certificates are rotated as appropriate | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | IDENTIFICATION AND AUTHENTICATION |
| 7.10 Ensure management plane traffic has been separated from data plane traffic | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-002660 - Docker Secrets must be used to store configuration files and small amounts of user-generated data (up to 500 kb in size) in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
