Item Search

Name | Audit Name | Plugin | Category
1.1.4 Ensure auditing is configured for Docker files and directories - /run/containerd | CIS Docker v1.6.0 L2 Docker Linux | Unix | AUDIT AND ACCOUNTABILITY
1.1.16 Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 | CIS Docker v1.6.0 L2 Docker Linux | Unix | AUDIT AND ACCOUNTABILITY
1.1.18 Ensure auditing is configured for Docker files and directories - /usr/bin/runc | CIS Docker v1.6.0 L2 Docker Linux | Unix | AUDIT AND ACCOUNTABILITY
1.2.1 Ensure the container host has been Hardened | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
2.1 Restrict network traffic between containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc hard | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
2.8 Ensure the default ulimit is configured appropriately - daemon.json nproc soft | CIS Docker v1.6.0 L1 Docker Linux | Unix | CONFIGURATION MANAGEMENT
2.10 Do not change base device size until needed | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix |
2.10 Do not change base device size until needed | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix |
2.11 Ensure base device size is not changed until needed - dockerd | CIS Docker v1.6.0 L2 Docker Linux | Unix | CONFIGURATION MANAGEMENT
2.14 Ensure containers are restricted from acquiring new privileges - daemon.json | CIS Docker v1.6.0 L1 Docker Linux | Unix |
2.17 Bind swarm services to a specific host interface | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
3.2 Verify that docker.service file permissions are set to 644 or more restrictive | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive | CIS Docker v1.6.0 L2 Docker Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION
3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION
3.10 Verify that TLS CA certificate file permissions are set to 444 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION
4.3 Do not install unnecessary packages in the container | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
4.4 Rebuild the images to include security patches | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
4.5 Ensure Content trust for Docker is Enabled | CIS Docker v1.6.0 L2 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
4.11 Ensure only verified packages are installed | CIS Docker v1.6.0 L2 Docker Linux | Unix | SYSTEM AND SERVICES ACQUISITION
4.11 Install verified packages only | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | CONFIGURATION MANAGEMENT
5.4 Do not use privileged containers | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | ACCESS CONTROL
5.6 Do not mount sensitive host system directories on containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
5.7 Do not run ssh within containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT
5.10 Limit memory usage for container | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.11 Set container CPU priority appropriately | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.12 Set container CPU priority appropriately | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.14 Ensure that incoming container traffic is bound to a specific host interface | CIS Docker v1.6.0 L1 Docker Linux | Unix | SECURITY ASSESSMENT AND AUTHORIZATION, SYSTEM AND COMMUNICATIONS PROTECTION
5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=always | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.14 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.15 Set the 'on-failure' container restart policy to 5 - RestartPolicyName=on-failure | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.17 Do not directly expose host devices to containers | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.20 Ensure mount propagation mode is not set to shared | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.25 Restrict container from acquiring additional privileges | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.25 Restrict container from acquiring additional privileges | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
5.26 Ensure that the container is restricted from acquiring additional privileges | CIS Docker v1.6.0 L1 Docker Linux | Unix | ACCESS CONTROL
5.27 Ensure that container health is checked at runtime | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND INFORMATION INTEGRITY
5.31 Ensure that the host's user namespaces are not shared | CIS Docker v1.6.0 L1 Docker Linux | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
6.1 Ensure that image sprawl is avoided | CIS Docker v1.6.0 L1 Docker Linux | Unix | PLANNING, SYSTEM AND SERVICES ACQUISITION
6.2 Monitor Docker containers usage, performance and metering | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix |
7.1 Ensure that the minimum number of manager nodes have been created in a swarm | CIS Docker v1.6.0 L1 Docker Swarm | Unix | CONFIGURATION MANAGEMENT
7.5 Ensure that swarm manager is run in auto-lock mode | CIS Docker v1.6.0 L1 Docker Swarm | Unix | IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
Check if this is a Docker Vessel/Host | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix |
CIS_Docker_1.11.0_v1.0.0_L1.audit Level 1 | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix |
DKER-EE-002060 - The Docker Enterprise hosts UTS namespace must not be shared. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT
DKER-EE-002120 - The Docker Enterprise hosts user namespace must not be shared. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT
DKER-EE-002780 - PIDs cgroup limits must be used in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | SYSTEM AND COMMUNICATIONS PROTECTION
DKER-EE-003330 - Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceed 75% usage. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | AUDIT AND ACCOUNTABILITY