Ensure Linux Kernel Capabilities are restricted within containers
By default, Docker starts containers with a restricted set of Linux Kernel Capabilities. It means that any process may...

Ensure live restore is Enabled
The --live-restore flag enables full support of daemon-less containers in Docker. It ensures that Docker does not stop containers on...

Ensure network traffic is restricted between containers on the default bridge
By default, all network traffic is allowed between containers on the same host on the default network bridge. If...

Ensure only needed ports are open on the container
The Dockerfile for a container image defines the ports to be opened by default on a container instance. The list...

Ensure operations on legacy registry (v1) are Disabled
The latest Docker registry is v2. All operations on the legacy registry version (v1) should be restricted. Rationale: Docker...

Ensure privileged containers are not used
Using the --privileged flag gives all Linux Kernel Capabilities to the container, thus overriding the --cap-add and --cap-drop flags....

Ensure privileged ports are not mapped within containers
The TCP/IP port numbers below 1024 are considered privileged ports. Normal users and processes are not allowed to use them...

Ensure secrets are not stored in Dockerfiles
Do not store any secrets in Dockerfiles. Rationale: Dockerfiles could be backtracked easily by using native Docker commands such...

Ensure sensitive host system directories are not mounted on containers
Sensitive host system directories such as those below should not be allowed to be mounted as container volumes, especially in...

Ensure ssh is not run within containers
An SSH server should not be running within the container. You should SSH into the Docker host, and use nsenter...