Enable live restore: The ‘--live-restore’ flag enables full support of daemon-less containers in Docker. It ensures that Docker does not stop containers on...
Encrypt data exchanged between containers on different nodes on the overlay network: Encrypt data exchanged between containers on different nodes on the overlay network. Rationale: By default, data exchanged between containers...
Restrict network traffic between containers: By default, all network traffic is allowed between containers on the same host. If that is not desired, restrict all the...
Rotate swarm manager auto-lock key periodically: Rotate the swarm manager auto-lock key periodically. Rationale: The swarm manager auto-lock key is not rotated automatically. You should rotate it...
Run swarm manager in auto-lock mode: Run the Docker swarm manager in auto-lock mode. Rationale: When Docker restarts, both the TLS key used to encrypt communication...
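The two swarm items above (overlay encryption and manager auto-lock) are both visible in the JSON that the Docker CLI already emits, so they can be audited without touching the daemon. The following is an added example written for this page, not the benchmark's own script: it parses constructed, trimmed copies of `docker network inspect` and `docker info --format '{{json .Swarm}}'` output. The network and field values are made up for the example; skipping the default `ingress` network is an assumption made here, since that network is managed separately from user-created ones.

```python
import json

# Constructed output of `docker network inspect $(docker network ls -q)` from a
# swarm node, trimmed to the fields used below (not captured from a real cluster).
NETWORK_INSPECT_JSON = """
[
  {"Name": "ingress",  "Driver": "overlay", "Scope": "swarm",
   "Options": {"com.docker.network.driver.overlay.vxlanid_list": "4096"}},
  {"Name": "backend",  "Driver": "overlay", "Scope": "swarm",
   "Options": {"encrypted": ""}},
  {"Name": "frontend", "Driver": "overlay", "Scope": "swarm",
   "Options": {}},
  {"Name": "bridge",   "Driver": "bridge",  "Scope": "local",
   "Options": {"com.docker.network.bridge.name": "docker0"}}
]
"""

# Constructed output of `docker info --format '{{json .Swarm}}'` on a manager,
# trimmed to the fields used below.
SWARM_INFO_JSON = """
{"LocalNodeState": "active", "ControlAvailable": true,
 "Cluster": {"Spec": {"EncryptionConfig": {"AutoLockManagers": false}}}}
"""


def unencrypted_overlays(inspect_text):
    """Names of user-created overlay networks made without `--opt encrypted`.

    `docker network create --driver overlay --opt encrypted` records the option
    as an "encrypted" key in Options (the value is empty). The default ingress
    network is skipped: an assumption for this example, because it is not a
    user-created network and is handled separately.
    """
    names = []
    for net in json.loads(inspect_text):
        if net.get("Driver") != "overlay" or net.get("Name") == "ingress":
            continue
        if "encrypted" not in (net.get("Options") or {}):
            names.append(net["Name"])
    return names


def autolock_enabled(swarm_info_text):
    """True when this manager's swarm has auto-lock on, False when it is off,
    None when the node is not an active manager (only managers see the spec)."""
    info = json.loads(swarm_info_text)
    if info.get("LocalNodeState") != "active" or not info.get("ControlAvailable"):
        return None
    return bool(info["Cluster"]["Spec"]["EncryptionConfig"].get("AutoLockManagers"))


if __name__ == "__main__":
    print("overlay networks without encryption:", unencrypted_overlays(NETWORK_INSPECT_JSON))
    print("swarm auto-lock enabled:", autolock_enabled(SWARM_INFO_JSON))
```

Two caveats a practitioner should carry with this check: overlay encryption is applied at network creation (`--opt encrypted`) and cannot be switched on for an existing network, so a network reported here has to be recreated, and it is not supported on Windows nodes. Turning on auto-lock with `docker swarm update --autolock=true` prints the unlock key; keep it outside the node, because after a restart the manager stays locked until `docker swarm unlock` is run with it, and rotate it with `docker swarm unlock-key --rotate`.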
Scan and rebuild the images to include security patches: Images should be scanned “frequently” for any vulnerabilities. Rebuild the images to include patches and then instantiate new containers...
Set default ulimit as appropriate: Set the default ulimit options as appropriate for your environment. Rationale: ulimit provides control over the resources available to...
Set the logging level: Set the Docker daemon log level to ‘info’. Rationale: Setting an appropriate log level configures the Docker daemon to...
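Live restore, inter-container traffic, default ulimits and the log level are all daemon-side settings that live in /etc/docker/daemon.json on Linux. The audit below is an added example written for this page, not the benchmark's own tooling: it evaluates a constructed daemon.json against those four items, judging absent keys at dockerd's documented defaults (live-restore off, icc on, log level info), and shows the weak file next to a hardened one. The ulimit numbers are illustrative assumptions. Two caveats the check cannot see on its own: `icc=false` governs only the default bridge network (containers on a user-defined bridge can still reach each other), and live restore is not supported while the daemon is in swarm mode. On a live host, confirm the first item with `docker info --format '{{.LiveRestoreEnabled}}'`.

```python
import json

# Constructed /etc/docker/daemon.json contents (not copied from any host).
# The weak file leaves everything at the daemon default except a noisy log level;
# the hardened file sets what the checklist asks for. The ulimit values are
# illustrative; choose numbers that fit your workloads.
WEAK_DAEMON_JSON = '{"log-level": "debug"}'

HARDENED_DAEMON_JSON = """
{
  "live-restore": true,
  "icc": false,
  "log-level": "info",
  "default-ulimits": {
    "nofile": {"Name": "nofile", "Hard": 64000, "Soft": 64000},
    "nproc":  {"Name": "nproc",  "Hard": 4096,  "Soft": 2048}
  }
}
"""


def audit_daemon_config(text):
    """Return a list of findings for the daemon.json text; an empty list means
    all four checks pass. Keys absent from the file are judged at dockerd's
    documented defaults: live-restore=false, icc=true, log-level=info."""
    cfg = json.loads(text)
    findings = []

    # Live restore: containers keep running across a dockerd restart.
    # Caveat: not supported while the daemon is in swarm mode.
    if cfg.get("live-restore") is not True:
        findings.append("live-restore is not enabled")

    # Inter-container communication on the default bridge: the default allows
    # all traffic between containers on the host; icc=false blocks it unless
    # containers are explicitly linked.
    if cfg.get("icc", True) is not False:
        findings.append("icc is not set to false")

    # Log level: 'debug' is verbose enough to put request details into logs.
    level = cfg.get("log-level", "info")
    if level != "info":
        findings.append(f"log-level is {level!r}, expected 'info'")

    # Default ulimits: must be set, and a soft limit above the hard limit is
    # invalid (setrlimit rejects it).
    ulimits = cfg.get("default-ulimits")
    if not ulimits:
        findings.append("default-ulimits is not set")
    else:
        for name, lim in ulimits.items():
            if lim.get("Hard", 0) < lim.get("Soft", 0):
                findings.append(f"default-ulimits[{name}]: hard limit below soft limit")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or "OK")
```

Changing `icc` or `default-ulimits` only takes effect for containers started after the daemon picks up the new file, so rerun the audit after the restart rather than trusting the file alone.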
Use COPY instead of ADD in Dockerfile: Use the COPY instruction instead of the ADD instruction in the Dockerfile. Rationale: The COPY instruction just copies the files from the...
Use trusted base images for containers: Ensure that the container image is written either from scratch or is based on another established and trusted base...
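The last two items are Dockerfile checks, and they are easy to get wrong in a naive grep: `FROM build` may name an earlier stage rather than an image, `nginx` really means `docker.io/library/nginx`, and an `ADD` that fetches a URL is a worse finding than an `ADD` that merely copies local files. The linter below is an added example written for this page, not the benchmark's own tooling: it parses a constructed Dockerfile (joining backslash continuations and handling the JSON argument form), expands short image references the way the docker CLI does, and reports base images outside a hypothetical allowlist plus every ADD that COPY could replace. The allowlist prefixes and the sample Dockerfile are assumptions made for the example.

```python
import json
import shlex

# Constructed Dockerfile (not from any real project) covering the cases that
# matter: a trusted multi-stage build, an ADD that fetches a URL, an ADD used
# where COPY would do, and a final base image outside the allowlist.
SAMPLE_DOCKERFILE = r"""
# syntax=docker/dockerfile:1
FROM golang:1.22-alpine AS build
WORKDIR /src
# ADD reaches out to the network at build time (and auto-extracts tar archives)
ADD https://example.invalid/vendor.tar.gz /src/
# a plain local copy, which COPY does without the extra behaviour
ADD . /src
RUN go build \
    -o /out/app .

FROM registry.example.invalid/team/runtime:1.0
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]
"""

# Hypothetical allowlist: the registries/namespaces this organisation trusts.
TRUSTED_IMAGE_PREFIXES = ("docker.io/library/", "registry.example.invalid/base/")


def canonical_image(ref):
    """Expand a short reference the way the docker CLI does:
    nginx -> docker.io/library/nginx, team/app -> docker.io/team/app;
    ghcr.io/org/app and localhost:5000/app are already registry-qualified."""
    first, sep, _ = ref.partition("/")
    if not sep:
        return "docker.io/library/" + ref
    if "." in first or ":" in first or first == "localhost":
        return ref
    return "docker.io/" + ref


def instructions(text):
    """Yield (INSTRUCTION, arguments) pairs, joining backslash-continued lines
    and dropping blank lines and # comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        head, _, rest = buf.strip().partition(" ")
        yield head.upper(), rest.strip()
        buf = ""
    if buf.strip():
        head, _, rest = buf.strip().partition(" ")
        yield head.upper(), rest.strip()


def split_args(rest):
    """Handle both the JSON form (["a", "b"]) and the shell form of arguments."""
    return json.loads(rest) if rest.startswith("[") else shlex.split(rest)


def audit_dockerfile(text, trusted=TRUSTED_IMAGE_PREFIXES):
    """Return findings for untrusted base images and for ADD where COPY would do."""
    findings = []
    stages = set()
    for instr, rest in instructions(text):
        # drop option flags such as --platform=... or --chown=...
        args = [a for a in split_args(rest) if not a.startswith("--")]
        if instr == "FROM":
            image = args[0]
            # `FROM <stage>` reuses an earlier build stage; nothing is pulled.
            if image.lower() in stages:
                continue
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
            if image != "scratch" and not canonical_image(image).startswith(trusted):
                findings.append(f"FROM {image}: base image is not in the trusted allowlist")
        elif instr == "ADD":
            srcs = args[:-1]
            remote = [s for s in srcs if s.startswith(("http://", "https://"))]
            local = [s for s in srcs if s not in remote]
            if remote:
                findings.append(f"ADD {' '.join(remote)}: fetches over the network at build "
                                "time; download it in a RUN step and verify a pinned checksum")
            if local:
                findings.append(f"ADD {' '.join(local)}: local copy, use COPY "
                                "(ADD also auto-extracts tar archives)")
    return findings


if __name__ == "__main__":
    for finding in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(finding)
```

The allowlist is deliberately prefix-based on the canonical name, so `alpine:3.20` passes as `docker.io/library/alpine:3.20` while `someuser/alpine` does not; extend `TRUSTED_IMAGE_PREFIXES` with your own registry rather than loosening the match.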