CIS_Docker_Community_Edition_Benchmark_v1.1.0.pdf资源-CSDN文库

需积分: 33 66 浏览量 2019-09-20 19:55:50 上传评论收藏 1.72MB PDF 举报

Docker 通用安全配置指南。 Conventions ......................................................................................................................... 9 Scoring Information ........................................................................................................................................ 9 Profile Definitions ......................................................................................................................................... 10 Acknowledgements ...................................................................................................................................... 11 Recommendations ............................................................................................................................................. 12 1 Host Configuration .................................................................................................................................... 12 1.1 Ensure a separate partition for containers has been created (Scored) .................. 12 1.2 Ensure the container host has been Hardened (Not Scored) ...................................... 14 1.3 Ensure Docker is up to date (Not Scored) .......................................................................... 16 1.4 Ensure only trusted users are allowed to control Docker daemon (Scored) ........ 18 1.5 Ensure auditing is configured for the docker daemon (Scored) ................................ 20 1.6 Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored) ................................................................................................................................................... 22 1.7 Ensure auditing is configured for Docker files and directories - /etc/docker (Scored) ................................................................................................................................................... 24 1.8 Ensure auditing is configured for Docker files and directories - docker.service (Scored) ................................................................................................................................................... 26 1.9 Ensure auditing is configured for Docker files and directories - docker.socket (Scored) ................................................................................................................................................... 28 1.10 Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored) ......................................................................................................... 30 1.11 Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored) ............................................................................................. 32 1.12 Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd (Scored) ........................................................................................ 34

资源推荐

资源详情

资源评论

CIS Docker Community Edition Benchmark

v1.1.0 - 07-06-2017

2 | P a g e  
 
 
Table of Contents 
Overview .................................................................................................................................................................. 8 
Intended Audience ........................................................................................................................................... 8 
Consensus Guidance ........................................................................................................................................ 8 
Typographical Conventions ......................................................................................................................... 9 
Scoring Information ........................................................................................................................................ 9 
Profile Definitions ......................................................................................................................................... 10 
Acknowledgements ...................................................................................................................................... 11 
Recommendations ............................................................................................................................................. 12 
1 Host Configuration .................................................................................................................................... 12 
1.1 Ensure a separate partition for containers has been created (Scored) .................. 12 
1.2 Ensure the container host has been Hardened (Not Scored) ...................................... 14 
1.3 Ensure Docker is up to date (Not Scored) .......................................................................... 16 
1.4 Ensure only trusted users are allowed to control Docker daemon (Scored) ........ 18 
1.5 Ensure auditing is configured for the docker daemon (Scored) ................................ 20 
1.6 Ensure auditing is configured for Docker files and directories - /var/lib/docker 
(Scored) ................................................................................................................................................... 22 
1.7 Ensure auditing is configured for Docker files and directories - /etc/docker 
(Scored) ................................................................................................................................................... 24 
1.8 Ensure auditing is configured for Docker files and directories - docker.service 
(Scored) ................................................................................................................................................... 26 
1.9 Ensure auditing is configured for Docker files and directories - docker.socket 
(Scored) ................................................................................................................................................... 28 
1.10 Ensure auditing is configured for Docker files and directories - 
/etc/default/docker (Scored) ......................................................................................................... 30 
1.11 Ensure auditing is configured for Docker files and directories - 
/etc/docker/daemon.json (Scored) ............................................................................................. 32 
1.12 Ensure auditing is configured for Docker files and directories - 
/usr/bin/docker-containerd (Scored) ........................................................................................ 34 

| P a g e  
 
13 Ensure auditing is configured for Docker files and directories - 
/usr/bin/docker-runc (Scored) ..................................................................................................... 36 
Docker daemon configuration .............................................................................................................. 38 
1 Ensure network traffic is restricted between containers on the default bridge 
(Scored) ................................................................................................................................................... 38 
2 Ensure the logging level is set to 'info' (Scored) .............................................................. 40 
3 Ensure Docker is allowed to make changes to iptables (Scored) .............................. 42 
4 Ensure insecure registries are not used (Scored) ........................................................... 44 
5 Ensure aufs storage driver is not used (Scored) .............................................................. 46 
6 Ensure TLS authentication for Docker daemon is configured (Scored) ................. 48 
7 Ensure the default ulimit is configured appropriately (Not Scored) ....................... 50 
8 Enable user namespace support (Scored) .......................................................................... 52 
9 Ensure the default cgroup usage has been confirmed (Scored) ................................ 54 
10 Ensure base device size is not changed until needed (Scored) ............................... 56 
11 Ensure that authorization for Docker client commands is enabled (Scored) .... 58 
12 Ensure centralized and remote logging is configured (Scored) .............................. 60 
13 Ensure operations on legacy registry (v1) are Disabled (Scored) ......................... 62 
14 Ensure live restore is Enabled (Scored) ........................................................................... 64 
15 Ensure Userland Proxy is Disabled (Scored) .................................................................. 66 
16 Ensure daemon-wide custom seccomp profile is applied, if needed (Not Scored)
 ..................................................................................................................................................................... 68 
17 Ensure experimental features are avoided in production (Scored) ...................... 70 
18 Ensure containers are restricted from acquiring new privileges (Scored) ........ 71 
Docker daemon configuration files .................................................................................................... 73 
1 Ensure that docker.service file ownership is set to root:root (Scored) .................. 73 
2 Ensure that docker.service file permissions are set to 644 or more restrictive 
(Scored) ................................................................................................................................................... 75 
3 Ensure that docker.socket file ownership is set to root:root (Scored).................... 77 
4 Ensure that docker.socket file permissions are set to 644 or more restrictive 
(Scored) ................................................................................................................................................... 79 
5 Ensure that /etc/docker directory ownership is set to root:root (Scored) .......... 81 

4 | P a g e  
 
3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictive 
(Scored) ................................................................................................................................................... 83 
3.7 Ensure that registry certificate file ownership is set to root:root (Scored) .......... 85 
3.8 Ensure that registry certificate file permissions are set to 444 or more restrictive 
(Scored) ................................................................................................................................................... 87 
3.9 Ensure that TLS CA certificate file ownership is set to root:root (Scored) ............ 89 
3.10 Ensure that TLS CA certificate file permissions are set to 444 or more 
restrictive (Scored) ............................................................................................................................. 91 
3.11 Ensure that Docker server certificate file ownership is set to root:root (Scored)
 ..................................................................................................................................................................... 93 
3.12 Ensure that Docker server certificate file permissions are set to 444 or more 
restrictive (Scored) ............................................................................................................................. 95 
3.13 Ensure that Docker server certificate key file ownership is set to root:root 
(Scored) ................................................................................................................................................... 97 
3.14 Ensure that Docker server certificate key file permissions are set to 400 
(Scored) ................................................................................................................................................... 99 
3.15 Ensure that Docker socket file ownership is set to root:docker (Scored) ......... 101 
3.16 Ensure that Docker socket file permissions are set to 660 or more restrictive 
(Scored) ................................................................................................................................................. 103 
3.17 Ensure that daemon.json file ownership is set to root:root (Scored) ................. 105 
3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive 
(Scored) ................................................................................................................................................. 107 
3.19 Ensure that /etc/default/docker file ownership is set to root:root (Scored) .. 109 
3.20 Ensure that /etc/default/docker file permissions are set to 644 or more 
restrictive (Scored) ........................................................................................................................... 111 
4 Container Images and Build File ........................................................................................................ 113 
4.1 Ensure a user for the container has been created (Scored) ...................................... 113 
4.2 Ensure that containers use trusted base images (Not Scored) ................................ 115 
4.3 Ensure unnecessary packages are not installed in the container (Not Scored). 117 
4.4 Ensure images are scanned and rebuilt to include security patches (Not Scored)
 ................................................................................................................................................................... 119 
4.5 Ensure Content trust for Docker is Enabled (Scored) .................................................. 121 