Configure centralized and remote logging: Docker now supports various log drivers. A preferable way to store logs is the one that supports centralized and...
Confirm default cgroup usage: The --cgroup-parent option allows you to set the default cgroup parent to use for all the containers. If there...
Do not change base device size until needed: In certain circumstances, you might need containers bigger than 10G in size. In these cases, carefully choose the base...
Do not docker exec commands with privileged option: Do not docker exec with the --privileged option. Rationale: Using the --privileged option in docker exec gives extended Linux capabilities to...
Do not docker exec commands with user option: Do not docker exec with the --user option. Rationale: Using the --user option in docker exec executes the command within the...
Do not use Docker's default bridge docker0: Do not use Docker's default bridge docker0. Use Docker's user-defined networks for container networking. Rationale: Docker connects virtual interfaces...
Enable Content trust for Docker: Content trust is disabled by default. You should enable it. Rationale: Content trust provides the ability to use digital...
Enable user namespace support: Enable user namespace support in the Docker daemon to utilize container user to host user re-mapping. This recommendation is beneficial...
Install verified packages only: Verify the authenticity of the packages before installing them in the image. Rationale: Verifying authenticity of the packages is essential...
Remove setuid and setgid permissions in the images: Removing setuid and setgid permissions in the images would prevent privilege escalation attacks in the containers. Rationale: setuid and setgid permissions could be...