Page 4
3.16 Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated) .... 124
3.17 Ensure that the daemon.json file ownership is set to root:root (Automated) ..................................... 126
3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated) ............... 128
3.19 Ensure that the /etc/default/docker file ownership is set to root:root (Automated) ............................ 130
3.20 Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated) ....... 132
3.21 Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated) ..... 134
3.22 Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated) ........................ 136
3.23 Ensure that the Containerd socket file ownership is set to root:root (Automated) ............................. 138
3.24 Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated) ......... 140
4 Container Images and Build File Configuration ............................................................. 142
4.1 Ensure that a user for the container has been created (Automated) ................................................... 143
4.2 Ensure that containers use only trusted base images (Manual) .......................................................... 145
4.3 Ensure that unnecessary packages are not installed in the container (Manual) ................................. 147
4.4 Ensure images are scanned and rebuilt to include security patches (Manual) ................................... 149
4.5 Ensure Content trust for Docker is Enabled (Automated) ................................................................... 151
4.6 Ensure that HEALTHCHECK instructions have been added to container images (Automated) ......... 153
4.7 Ensure update instructions are not used alone in Dockerfiles (Manual) ............................................. 155
4.8 Ensure setuid and setgid permissions are removed (Manual) ............................................................ 157
4.9 Ensure that COPY is used instead of ADD in Dockerfiles (Manual) .................................................... 159
4.10 Ensure secrets are not stored in Dockerfiles (Manual) ...................................................................... 161
4.11 Ensure only verified packages are installed (Manual) ....................................................................... 163
4.12 Ensure all signed artifacts are validated (Manual) ............................................................................. 165
5 Container Runtime Configuration ................................................................................... 166
5.1 Ensure that, if applicable, an AppArmor Profile is enabled (Automated) ............................................. 167
5.2 Ensure that, if applicable, SELinux security options are set (Automated) ........................................... 169
5.3 Ensure that Linux kernel capabilities are restricted within containers (Automated) ............................ 171
5.4 Ensure that privileged containers are not used (Automated) .............................................................. 174
5.5 Ensure sensitive host system directories are not mounted on containers (Automated) ...................... 176
5.6 Ensure sshd is not run within containers (Automated) ........................................................................ 178
5.7 Ensure privileged ports are not mapped within containers (Automated) ............................................. 180
5.8 Ensure that only needed ports are open on the container (Manual) ................................................... 182
5.9 Ensure that the host's network namespace is not shared (Automated) .............................................. 184
5.10 Ensure that the memory usage for containers is limited (Automated) ............................................... 186
5.11 Ensure that CPU priority is set appropriately on containers (Automated) ......................................... 188
5.12 Ensure that the container's root filesystem is mounted as read only (Automated) ............................ 190
5.13 Ensure that incoming container traffic is bound to a specific host interface (Automated) ................. 193
5.14 Ensure that the 'on-failure' container restart policy is set to '5' (Automated) ..................................... 195
5.15 Ensure that the host's process namespace is not shared (Automated) ............................................ 197
5.16 Ensure that the host's IPC namespace is not shared (Automated) ................................................... 199
5.17 Ensure that host devices are not directly exposed to containers (Manual) ....................................... 201
5.18 Ensure that the default ulimit is overwritten at runtime if needed (Manual) ....................................... 203
5.19 Ensure mount propagation mode is not set to shared (Automated) .................................................. 205
5.20 Ensure that the host's UTS namespace is not shared (Automated) .................................................. 207
5.21 Ensure the default seccomp profile is not Disabled (Automated) ...................................................... 209
5.22 Ensure that docker exec commands are not used with the privileged option (Automated) ............... 211
5.23 Ensure that docker exec commands are not used with the user=root option (Manual) .................... 213
5.24 Ensure that cgroup usage is confirmed (Automated) ........................................................................ 215
5.25 Ensure that the container is restricted from acquiring additional privileges (Automated) .................. 217
5.26 Ensure that container health is checked at runtime (Automated) ...................................................... 219
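The file ownership and permission items in section 3 (3.16 to 3.24) all phrase the requirement as "N or more restrictive". That is a bitmask subset test, not an equality test: a socket with mode 640 passes a 660 check, one with mode 664 does not, and a setgid or sticky bit on the file does not by itself change the verdict. The POSIX shell helper below is an added example, not the benchmark's own audit procedure, that implements that test together with an owner check and runs both over a list of assumed default locations (/var/run/docker.sock, /etc/docker/daemon.json, /etc/default/docker, /etc/sysconfig/docker, /run/containerd/containerd.sock). Those paths and the function names are assumptions for illustration; the benchmark's own pages are authoritative on where each file lives on a given distribution, and a file that is absent is reported as not applicable rather than as a failure.

```shell
#!/bin/sh
# Added example (not from the CIS Docker Benchmark): audit helpers for the
# "owned by root:root" and "permissions are MODE or more restrictive" checks.

# check_mode PATH MAX_OCTAL
# Returns 0 when PATH's rwx bits are MAX_OCTAL or stricter (no bit set on the
# file that is clear in MAX_OCTAL), 1 when they are looser, 2 when PATH is absent.
check_mode() {
    path=$1
    max=$2
    if [ ! -e "$path" ]; then
        printf 'N/A  %s (not present)\n' "$path" >&2
        return 2
    fi
    # GNU stat prints the octal mode with %a; BSD/macOS stat needs -f %Lp.
    actual=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    # Keep only the nine rwx bits (drops setuid/setgid/sticky), then find
    # bits that are set on the file but not permitted by MAX_OCTAL.
    extra=$(( (0$actual & 0777) & ~(0$max & 0777) & 0777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'FAIL %s mode %s (must be %s or more restrictive)\n' "$path" "$actual" "$max"
        return 1
    fi
    printf 'PASS %s mode %s\n' "$path" "$actual"
    return 0
}

# check_owner PATH USER:GROUP
# Returns 0 when PATH is owned by exactly USER:GROUP, 1 otherwise, 2 when absent.
check_owner() {
    path=$1
    want=$2
    if [ ! -e "$path" ]; then
        printf 'N/A  %s (not present)\n' "$path" >&2
        return 2
    fi
    have=$(stat -c '%U:%G' "$path" 2>/dev/null || stat -f '%Su:%Sg' "$path")
    if [ "$have" != "$want" ]; then
        printf 'FAIL %s owned by %s (want %s)\n' "$path" "$have" "$want"
        return 1
    fi
    printf 'PASS %s owned by %s\n' "$path" "$have"
    return 0
}

# audit_docker_files
# Runs both checks over an assumed list of default file locations. Returns the
# number of failing checks so the caller can use it as an exit status.
audit_docker_files() {
    failures=0
    # path  expected-owner  max-mode   (locations are assumed distro defaults)
    for entry in \
        '/var/run/docker.sock root:root 660' \
        '/etc/docker/daemon.json root:root 644' \
        '/etc/default/docker root:root 644' \
        '/etc/sysconfig/docker root:root 644' \
        '/run/containerd/containerd.sock root:root 660'
    do
        set -- $entry
        check_owner "$1" "$2"; rc=$?
        [ "$rc" -eq 1 ] && failures=$((failures + 1))
        [ "$rc" -eq 2 ] && continue   # absent file: not applicable, skip mode check
        check_mode "$1" "$3"; rc=$?
        [ "$rc" -eq 1 ] && failures=$((failures + 1))
    done
    return "$failures"
}

# Audit only when invoked directly with --audit, so the functions can be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_docker_files
fi
```

Usage: `sh audit.sh --audit` prints one PASS/FAIL line per check and exits non-zero when any check fails; absent files are reported to stderr as N/A, matching the "if applicable" scoping the benchmark uses for distribution-specific files such as /etc/sysconfig/docker.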