Name | Audit Name | Plugin | Category |
--- | --- | --- | --- |
1.1.7 Ensure auditing is configured for Docker files and directories - docker.service | CIS Docker v1.7.0 L2 Docker - Linux | Unix | AUDIT AND ACCOUNTABILITY |
1.2 Use the updated Linux Kernel | CIS Docker 1.6 v1.0.0 L1 Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |
1.2.2 Ensure that the version of Docker is up to date | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |
2.3 Allow Docker to make changes to iptables | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.3 Allow Docker to make changes to iptables | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.6 Ensure aufs storage driver is not used | CIS Docker v1.7.0 L1 Docker - Linux | Unix | SYSTEM AND SERVICES ACQUISITION |
2.6 Setup a local registry mirror | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
2.9 Confirm default cgroup usage | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.9 Confirm default cgroup usage | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.9 Ensure the default cgroup usage has been confirmed | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.12 Configure centralized and remote logging | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | AUDIT AND ACCOUNTABILITY |
2.17 Ensure experimental features are avoided in production | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
2.21 Avoid experimental features in production | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | SYSTEM AND COMMUNICATIONS PROTECTION |
3.3 Verify that docker.socket file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.3 Verify that docker.socket file ownership is set to root:root | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.4 Verify that docker.socket file permissions are set to 644 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.4 Verify that docker.socket file permissions are set to 644 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.5 Ensure that /etc/docker directory ownership is set to root:root | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | |
3.5 Verify that /etc/docker directory ownership is set to root:root | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | |
3.5 Verify that /etc/docker directory ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
3.6 Verify that /etc/docker directory permissions are set to 755 or more restrictive | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
3.6 Verify that /etc/docker directory permissions are set to 755 or more restrictive | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | |
3.6 Verify that /etc/docker directory permissions are set to 755 or more restrictive | CIS Docker 1.12.0 v1.0.0 L1 Docker | Unix | |
3.9 Verify that docker-network environment file ownership is set to root:root | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.16 Verify that /etc/docker directory permissions are set to 755 or more restrictive | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | |
3.19 Verify that /etc/default/docker file ownership is set to root:root | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
3.19 Verify that /etc/default/docker file ownership is set to root:root | CIS Docker 1.11.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
4.2 Ensure that containers use only trusted base images | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
4.6 Add HEALTHCHECK instruction to the container image | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
4.6 Ensure HEALTHCHECK instructions have been added to the container image | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | CONFIGURATION MANAGEMENT |
4.11 Install verified packages only | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix | CONFIGURATION MANAGEMENT |
5.2 Ensure SELinux security options are set, if applicable | CIS Docker Community Edition v1.1.0 L2 Docker | Unix | ACCESS CONTROL |
5.2 Verify SELinux security options, if applicable | CIS Docker 1.11.0 v1.0.0 L2 Docker | Unix | ACCESS CONTROL |
5.2 Verify SELinux security options, if applicable | CIS Docker 1.13.0 v1.0.0 L2 Docker | Unix | ACCESS CONTROL |
5.2 Verify SELinux security options, if applicable | CIS Docker 1.12.0 v1.0.0 L2 Docker | Unix | ACCESS CONTROL |
5.3 Ensure Linux Kernel Capabilities are restricted within containers | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | ACCESS CONTROL |
5.3 Ensure that, if applicable, SELinux security options are set | CIS Docker v1.7.0 L2 Docker - Linux | Unix | SYSTEM AND INFORMATION INTEGRITY |
5.10 Ensure that the host's network namespace is not shared | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT, CONTINGENCY PLANNING, PLANNING, PROGRAM MANAGEMENT, SYSTEM AND SERVICES ACQUISITION, SYSTEM AND COMMUNICATIONS PROTECTION |
5.13 Ensure that the container's root filesystem is mounted as read only | CIS Docker v1.7.0 L1 Docker - Linux | Unix | ACCESS CONTROL, AUDIT AND ACCOUNTABILITY |
5.24 Ensure that docker exec commands are not used with the user=root option | CIS Docker v1.7.0 L2 Docker - Linux | Unix | ACCESS CONTROL |
5.27 Ensure docker commands always get the latest version of the image | CIS Docker Community Edition v1.1.0 L1 Docker | Unix | |
5.27 Ensure docker commands always get the latest version of the image | CIS Docker 1.13.0 v1.0.0 L1 Docker | Unix | |
5.28 Ensure that Docker commands always make use of the latest version of their image | CIS Docker v1.7.0 L1 Docker - Linux | Unix | CONFIGURATION MANAGEMENT |
6.5 Use a centralized and remote log collection service | CIS Docker 1.6 v1.0.0 L1 Docker | Unix | AUDIT AND ACCOUNTABILITY |
6.12 Set EEPROM Security Mode and Log Failed Access - SPARC only. Should *not* be 'security-mode=none'. | CIS Solaris 10 L1 v5.2 | Unix | ACCESS CONTROL |
DKER-EE-001070 - FIPS mode must be enabled on all Docker Engine - Enterprise nodes - docker info .SecurityOptions | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, MAINTENANCE, SYSTEM AND COMMUNICATIONS PROTECTION |
DKER-EE-001370 - log-opts on all Docker Engine - Enterprise nodes must be configured. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | AUDIT AND ACCOUNTABILITY |
DKER-EE-001950 - Linux Kernel capabilities must be restricted within containers as defined in the System Security Plan (SSP) for Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
DKER-EE-001960 - Privileged Linux containers must not be used for Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |
DKER-EE-002100 - cgroup usage must be confirmed in Docker Enterprise. | DISA STIG Docker Enterprise 2.x Linux/Unix v2r2 | Unix | CONFIGURATION MANAGEMENT |