Ensure AppArmor Profile is Enabled
AppArmor is an effective and easy-to-use Linux application security system. It is available on quite a few Linux distributions...

Ensure aufs storage driver is not used
Do not use aufs as storage driver for your Docker instance. Rationale: The aufs storage driver is the oldest...

Ensure a user for the container has been created
Create a non-root user for the container in the Dockerfile for the container image. Rationale: It is a good...

Ensure containers are restricted from acquiring new privileges
Restrict containers from acquiring additional privileges via suid or sgid bits, by default. Rationale: A process can set the...

Ensure COPY is used instead of ADD in Dockerfile
Use COPY instruction instead of ADD instruction in the Dockerfile. Rationale: COPY instruction just copies the files from the...

Ensure Docker is allowed to make changes to iptables
iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux...

Ensure experimental features are avoided in production
Avoid experimental features in production. Rationale: Experimental is now a runtime docker daemon flag instead of a separate build...

Ensure HEALTHCHECK instructions have been added to the container image
Add HEALTHCHECK instruction in your docker container images to perform the health check on running containers. Rationale: One of...

Ensure images are scanned and rebuilt to include security patches
Images should be scanned “frequently” for any vulnerabilities. Rebuild the images to include patches and then instantiate new containers...

Ensure insecure registries are not used
Docker considers a private registry either secure or insecure. By default, registries are considered secure. Rationale: A secure registry...