| 1.1.3 Ensure auditing is configured for the Docker daemon | CIS Docker v1.8.0 L1 OS Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.4 Only allow trusted users to control Docker daemon | CIS Docker 1.13.0 v1.0.0 L1 Linux | Unix | ACCESS CONTROL |
| 1.8 Audit Docker files and directories - /var/lib/docker | CIS Docker 1.12.0 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.8 Audit Docker files and directories - /var/lib/docker | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.8 Audit Docker files and directories - docker.service | CIS Docker 1.13.0 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.8 Ensure auditing is configured for Docker files and directories - docker.service | CIS Docker Community Edition v1.1.0 L1 Linux Host OS | Unix | AUDIT AND ACCOUNTABILITY |
| 1.10 Audit Docker files and directories - docker.service | CIS Docker 1.12.0 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.11 Audit Docker files and directories - docker.socket | CIS Docker 1.12.0 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.11 Audit Docker files and directories - docker.socket | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 1.12 Audit Docker files and directories - docker.service | CIS Docker 1.6 v1.0.0 L1 Linux | Unix | AUDIT AND ACCOUNTABILITY |
| 2.7 Ensure devicemapper storage driver is not used | CIS Docker v1.8.0 L1 OS Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
| 2.15 Do not enable swarm mode, if not needed | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.15 Do not enable swarm mode, if not needed | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 2.21 Avoid experimental features in production | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 3.3 Verify that docker.socket file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.3 Verify that docker.socket file ownership is set to root:root | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictive | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | |
| 3.7 Verify that registry certificate file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively | CIS Docker v1.8.0 L1 OS Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.8 Verify that registry certificate file permissions are set to 444 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.11 Ensure that Docker server certificate file ownership is set to root:root | CIS Docker v1.8.0 L1 OS Linux | Unix | ACCESS CONTROL |
| 3.11 Verify that Docker server certificate file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.11 Verify that Docker server certificate file ownership is set to root:root | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.12 Verify that Docker server certificate file permissions are set to 444 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 3.14 Ensure that the Docker server certificate key file permissions are set to 400 | CIS Docker v1.8.0 L1 OS Linux | Unix | ACCESS CONTROL, MEDIA PROTECTION |
| 3.21 Verify that Docker server certificate file ownership is set to root:root | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.2 Ensure that containers use only trusted base images | CIS Docker v1.8.0 L1 OS Linux | Unix | CONFIGURATION MANAGEMENT |
| 4.2 Ensure that containers use trusted base images | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 4.6 Ensure that HEALTHCHECK instructions have been added to container images | CIS Docker v1.8.0 L1 OS Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
| 5.4 Restrict Linux Kernel Capabilities within containers | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | ACCESS CONTROL |
| 5.6 Do not run ssh within containers | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.6 Ensure ssh is not run within containers | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 5.9 Do not share the host's network namespace | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 5.23 Do not docker exec commands with user option | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix | |
| 5.23 Do not docker exec commands with user option | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | |
| 5.23 Do not docker exec commands with user option | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | |
| 5.23 Ensure docker exec commands are not used with user option | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | |
| 5.24 Confirm cgroup usage | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| 6.4 Avoid image sprawl | CIS Docker 1.11.0 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
| 6.6 Avoid image sprawl | CIS Docker 1.6 v1.0.0 L1 Linux | Unix | CONFIGURATION MANAGEMENT |
| 7.1 Ensure swarm mode is not Enabled, if not needed | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
| 7.6 Ensure swarm manager is run in auto-lock mode | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
| DKER-EE-001970 - SSH must not run within Linux containers for Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-002030 - All Docker Enterprise containers root filesystem must be mounted as read only. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-002110 - All Docker Enterprise containers must be restricted from acquiring additional privileges. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-file | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | AUDIT AND ACCOUNTABILITY |
| DKER-EE-003310 - The Docker Enterprise max-size and max-file json-file drivers logging options in the daemon.json configuration file must be configured to allocate audit record storage capacity for Universal Control Plane (UCP) and Docker Trusted Registry (DTR) per the requirements set forth by the System Security Plan (SSP) - max-size | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | AUDIT AND ACCOUNTABILITY |
| DKER-EE-005230 - Docker Enterprise registry certificate file ownership must be set to root:root. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-005240 - Docker Enterprise registry certificate file permissions must be set to 444 or more restrictive. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
| DKER-EE-005350 - Docker Enterprise /etc/default/docker file ownership must be set to root:root. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
