CISDockerBenchmarkv1.5.0PDF2022资源-CSDN文库

需积分: 5 59 浏览量 2023-01-30 15:41:27 上传评论收藏 2.23MB PDF 举报

《CIS Docker Benchmark v1.5.0》是2022年发布的一份针对Docker容器安全的重要指南，旨在提供一套详尽的、基于业界共识的安全配置标准，以帮助组织确保Docker环境的安全性。这份文档对于IT专业人士，尤其是那些在云基础设施、DevOps团队以及负责容器安全的人员来说，具有极高的参考价值。文档的“Overview”部分介绍了基准的总体目标，它强调了Docker容器在现代软件开发和部署中的关键作用，同时也指出由于其轻量级和快速部署的特性，容器可能成为攻击者的目标。因此，遵循CIS Docker Benchmark的指导原则，可以有效降低潜在的安全风险。 “Intended Audience”明确了这份文档的主要读者群体，包括系统管理员、安全专业人员、开发人员以及任何使用或管理Docker环境的人。这些用户可以从基准中获取关于如何保护Docker主机和容器的最佳实践。 “Consensus Guidance”部分解释了该基准是基于广泛的行业专家意见和经验总结而成，体现了社区的共识，确保了推荐措施的有效性和广泛适用性。这种共识指导为Docker安全提供了权威的标准。文档的“Typographical Conventions”部分定义了在文本中使用的各种符号和格式，以区分不同类型的建议和指令。这有助于读者更清晰地理解每个建议的性质和执行方式。 “Recommendation Definitions”则详细阐述了推荐分类，如“Title”是每个安全控制的标题，用于概括控制的主要目的；“Assessment Status”表明了推荐的评估状态，分为“Automated”和“Manual”，前者表示可以通过自动化工具检查，后者则需要人工审核；“Automated”和“Manual”分别代表了可以通过自动化工具实施和需要手动操作的控制；“Profile”则指定了特定的配置集，适用于不同的使用场景；“Description”是对每个控制的详细解释，包括为什么需要这个控制，以及如果不实施会有什么风险。文档的主体部分包含了具体的控制措施和建议，涵盖了Docker的配置、网络、日志、安全更新等多个方面。每个控制都有详细的步骤和解释，帮助用户理解和实施。这些控制旨在防止未授权访问、保护数据完整性、确保容器隔离，并加强整体的安全策略。《CIS Docker Benchmark v1.5.0》是一份全面的Docker安全指南，它提供的标准和建议可以帮助组织建立和维护一个安全、合规的Docker环境。通过遵循这份基准，用户可以确保他们的Docker部署符合业界最佳实践，从而减少潜在的安全威胁。

资源推荐

资源详情

资源评论

CIS Docker Benchmark

v1.5.0 - 12-28-2022

Page 2

Table of Contents

Terms of Use .................................................................................................................. 1

Table of Contents ........................................................................................................... 2

Overview ......................................................................................................................... 6

Intended Audience ................................................................................................................... 6

Consensus Guidance .............................................................................................................. 7

Typographical Conventions .................................................................................................... 8

Recommendation Definitions ....................................................................................... 9

Title ............................................................................................................................................ 9

Assessment Status .................................................................................................................. 9

Automated ............................................................................................................................................. 9

Manual .................................................................................................................................................... 9

Profile ........................................................................................................................................ 9

Description ............................................................................................................................... 9

Rationale Statement ................................................................................................................. 9

Impact Statement ................................................................................................................... 10

Audit Procedure ..................................................................................................................... 10

Remediation Procedure ......................................................................................................... 10

Default Value .......................................................................................................................... 10

References .............................................................................................................................. 10

CIS Critical Security Controls

(CIS Controls

) .................................................................. 10

Additional Information ........................................................................................................... 10

Profile Definitions .................................................................................................................. 11

Acknowledgements ............................................................................................................... 12

Recommendations ....................................................................................................... 13

1 Host Configuration .............................................................................................................. 13

1.1 Linux Hosts Specific Configuration ............................................................................................ 14

1.1.1 Ensure a separate partition for containers has been created (Automated) ........................................ 15

1.1.2 Ensure only trusted users are allowed to control Docker daemon (Automated) ................................ 17

1.1.3 Ensure auditing is configured for the Docker daemon (Automated) ................................................... 19

1.1.4 Ensure auditing is configured for Docker files and directories - /run/containerd (Automated) ............ 21

1.1.5 Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated) ............. 23

1.1.6 Ensure auditing is configured for Docker files and directories - /etc/docker (Automated) .................. 25

1.1.7 Ensure auditing is configured for Docker files and directories - docker.service (Automated) ............ 27

1.1.8 Ensure auditing is configured for Docker files and directories - containerd.sock (Automated) .......... 29

1.1.9 Ensure auditing is configured for Docker files and directories - docker.socket (Automated) ............. 31

1.1.10 Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated) .... 33

Page 3

1.1.11 Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json

(Automated) ................................................................................................................................................. 35

1.1.12 Ensure auditing is configured for Docker files and directories - /etc/containerd/config.toml

(Automated) ................................................................................................................................................. 37

1.1.13 Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated) 39

1.1.14 Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated) .... 41

1.1.15 Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated)

..................................................................................................................................................................... 43

1.1.16 Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1

(Automated) ................................................................................................................................................. 45

1.1.17 Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2

(Automated) ................................................................................................................................................. 47

1.1.18 Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated) .............. 49

1.2 General Configuration .................................................................................................................. 51

1.2.1 Ensure the container host has been Hardened (Manual) ................................................................... 52

1.2.2 Ensure that the version of Docker is up to date (Manual) .................................................................. 54

2 Docker daemon configuration ........................................................................................... 56

2.1 Run the Docker daemon as a non-root user, if possible (Manual) ........................................................ 57

2.2 Ensure network traffic is restricted between containers on the default bridge (Automated) .................. 59

2.3 Ensure the logging level is set to 'info' (Automated) .............................................................................. 61

2.4 Ensure Docker is allowed to make changes to iptables (Automated) ................................................... 63

2.5 Ensure insecure registries are not used (Automated) ........................................................................... 65

2.6 Ensure aufs storage driver is not used (Automated) ............................................................................. 67

2.7 Ensure TLS authentication for Docker daemon is configured (Automated) .......................................... 69

2.8 Ensure the default ulimit is configured appropriately (Manual) .............................................................. 71

2.9 Enable user namespace support (Automated) ...................................................................................... 73

2.10 Ensure the default cgroup usage has been confirmed (Automated) ................................................... 75

2.11 Ensure base device size is not changed until needed (Automated) .................................................... 77

2.12 Ensure that authorization for Docker client commands is enabled (Automated) ................................. 79

2.13 Ensure centralized and remote logging is configured (Automated) ..................................................... 81

2.14 Ensure containers are restricted from acquiring new privileges (Automated) ..................................... 83

2.15 Ensure live restore is enabled (Automated) ........................................................................................ 85

2.16 Ensure Userland Proxy is Disabled (Automated) ................................................................................ 87

2.17 Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual) .................... 89

2.18 Ensure that experimental features are not implemented in production (Automated) .......................... 91

3 Docker daemon configuration files ................................................................................... 93

3.1 Ensure that the docker.service file ownership is set to root:root (Automated) ...................................... 94

3.2 Ensure that docker.service file permissions are appropriately set (Automated) .................................... 96

3.3 Ensure that docker.socket file ownership is set to root:root (Automated) ............................................. 98

3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated) ................ 100

3.5 Ensure that the /etc/docker directory ownership is set to root:root (Automated) ................................. 102

3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated) ........ 104

3.7 Ensure that registry certificate file ownership is set to root:root (Automated) ..................................... 106

3.8 Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated) ....... 108

3.9 Ensure that TLS CA certificate file ownership is set to root:root (Automated) ..................................... 110

3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated) .... 112

3.11 Ensure that Docker server certificate file ownership is set to root:root (Automated) ......................... 114

3.12 Ensure that the Docker server certificate file permissions are set to 444 or more restrictively

(Automated) ............................................................................................................................................... 116

3.13 Ensure that the Docker server certificate key file ownership is set to root:root (Automated) ............ 118

3.14 Ensure that the Docker server certificate key file permissions are set to 400 (Automated) .............. 120

3.15 Ensure that the Docker socket file ownership is set to root:docker (Automated) .............................. 122

Page 4

3.16 Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated) .... 124

3.17 Ensure that the daemon.json file ownership is set to root:root (Automated) ..................................... 126

3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated) ............... 128

3.19 Ensure that the /etc/default/docker file ownership is set to root:root (Automated) ............................ 130

3.20 Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated)

................................................................................................................................................................... 132

3.21 Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated)

................................................................................................................................................................... 134

3.22 Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated) ........................ 136

3.23 Ensure that the Containerd socket file ownership is set to root:root (Automated) ............................. 138

3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated)

................................................................................................................................................................... 140

4 Container Images and Build File Configuration ............................................................. 142

4.1 Ensure that a user for the container has been created (Automated) ................................................... 143

4.2 Ensure that containers use only trusted base images (Manual) .......................................................... 145

4.3 Ensure that unnecessary packages are not installed in the container (Manual) ................................. 147

4.4 Ensure images are scanned and rebuilt to include security patches (Manual) ................................... 149

4.5 Ensure Content trust for Docker is Enabled (Automated) ................................................................... 151

4.6 Ensure that HEALTHCHECK instructions have been added to container images (Automated) ......... 153

4.7 Ensure update instructions are not used alone in Dockerfiles (Manual) ............................................. 155

4.8 Ensure setuid and setgid permissions are removed (Manual) ............................................................ 157

4.9 Ensure that COPY is used instead of ADD in Dockerfiles (Manual) .................................................... 159

4.10 Ensure secrets are not stored in Dockerfiles (Manual) ...................................................................... 161

4.11 Ensure only verified packages are installed (Manual) ....................................................................... 163

4.12 Ensure all signed artifacts are validated (Manual) ............................................................................. 165

5 Container Runtime Configuration ................................................................................... 166

5.1 Ensure that, if applicable, an AppArmor Profile is enabled (Automated) ............................................. 167

5.2 Ensure that, if applicable, SELinux security options are set (Automated) ........................................... 169

5.3 Ensure that Linux kernel capabilities are restricted within containers (Automated) ............................ 171

5.4 Ensure that privileged containers are not used (Automated) .............................................................. 174

5.5 Ensure sensitive host system directories are not mounted on containers (Automated) ...................... 176

5.6 Ensure sshd is not run within containers (Automated) ........................................................................ 178

5.7 Ensure privileged ports are not mapped within containers (Automated) ............................................. 180

5.8 Ensure that only needed ports are open on the container (Manual) ................................................... 182

5.9 Ensure that the host's network namespace is not shared (Automated) .............................................. 184

5.10 Ensure that the memory usage for containers is limited (Automated) ............................................... 186

5.11 Ensure that CPU priority is set appropriately on containers (Automated) ......................................... 188

5.12 Ensure that the container's root filesystem is mounted as read only (Automated) ............................ 190

5.13 Ensure that incoming container traffic is bound to a specific host interface (Automated) ................. 193

5.14 Ensure that the 'on-failure' container restart policy is set to '5' (Automated) ..................................... 195

5.15 Ensure that the host's process namespace is not shared (Automated) ............................................ 197

5.16 Ensure that the host's IPC namespace is not shared (Automated) ................................................... 199

5.17 Ensure that host devices are not directly exposed to containers (Manual) ....................................... 201

5.18 Ensure that the default ulimit is overwritten at runtime if needed (Manual) ....................................... 203

5.19 Ensure mount propagation mode is not set to shared (Automated) .................................................. 205

5.20 Ensure that the host's UTS namespace is not shared (Automated) .................................................. 207

5.21 Ensure the default seccomp profile is not Disabled (Automated) ...................................................... 209

5.22 Ensure that docker exec commands are not used with the privileged option (Automated) ............... 211

5.23 Ensure that docker exec commands are not used with the user=root option (Manual) .................... 213

5.24 Ensure that cgroup usage is confirmed (Automated) ........................................................................ 215

5.25 Ensure that the container is restricted from acquiring additional privileges (Automated) .................. 217

5.26 Ensure that container health is checked at runtime (Automated) ...................................................... 219

剩余291页未读，继续阅读

评论收藏

内容反馈

cfy_xuqiang76

粉丝: 0
资源: 3

CIS Docker Benchmark v1.5.0 PDF 2022

最新资源

CIS Docker Benchmark v1.5.0 PDF 2022

CIS_Docker_Benchmark_v1.3.1_PDF.pdf

CIS_Docker_1.13.0_Benchmark_v1.0.0.pdf

cis-docker-benchmark：CIS Docker基准-InSpec配置文件

CIS_Docker_Benchmark_v1.2.0.pdf

docker-bench:检查是否根据CIS Docker Benchmark中定义的安全最佳实践部署了Docker

CIS benchmarks.rar

CIS_Docker_1.12.0_Benchmark_v1.0.0.pdf

CIS docker 安全标准

每天5分钟玩转Docker容器技术.pdf

CIS_Kubernetes_Benchmark_v1.6.0.pdf

Docker全攻略.pdf

docker_practice.pdf

Docker入门实战手册 PDF版

docker简明教程.pdf

使用SpringCloud和Docker实战微服务.pdf

docker文档中文.pdf

第一本DOCKER书_13696428.pdf

雷蛇PUBG鼠标宏-雷蛇鼠标驱动

Synaptics病毒专杀工具

WishRecy数据恢复软件

软件测试实战项目(Web项目)

双闭环直流调速系统仿真

Windows 10系统连接共享打印机报错0x00000709、0x0000007c、0x0000011b.zip

DLL文件修复软件（强力修复）Repair.exe

S7-1200全系列最新固件V4.6

ISO26262-2018 全套标准

X64dbg(20240603)添加中文字符串补丁并附官网原版

华为RH2288H V3，V100R003C00SPC733更新包

最新资源