Create a user for the container: Create a non-root user for the container in the Dockerfile for the container image. Rationale: It is a good...
Disable operations on legacy registry (v1): The latest Docker registry is v2. All operations on the legacy registry version (v1) should be restricted. Rationale: Docker...
Disable Userland Proxy: The docker daemon starts a userland proxy service for port forwarding whenever a port is exposed. Where hairpin NAT...
Do not disable AppArmor Profile: AppArmor is an effective and easy-to-use Linux application security system. It is available on quite a few Linux distributions...
Do not enable swarm mode, if not needed: Do not enable swarm mode on a Docker engine instance unless needed. Rationale: By default, a Docker engine instance...
Do not install unnecessary packages in the container: Containers tend to be minimal, slimmed-down versions of the operating system. Do not install anything that does...
Do not store secrets in Dockerfiles: Do not store any secrets in Dockerfiles. Rationale: Dockerfiles could be backtracked easily by using native Docker commands such...
Do not use insecure registries: Docker considers a private registry either secure or insecure. By default, registries are considered secure. Rationale: A secure registry...
Do not use the aufs storage driver: Do not use ‘aufs’ as the storage driver for your Docker instance. Rationale: The ‘aufs’ storage driver is the oldest...
Do not use update instructions alone in the Dockerfile: Do not use update instructions such as apt-get update alone or in a single line in the Dockerfile. Rationale: Adding...