{
  "format_version": 3,
  "policy": {
    "external_id": "26250199667d4261c271c0447207c6f8",
    "name": "CIS Docker Benchmark v1.8.0 - Level 1",
    "version": "1.0.0",
    "description": "CIS Level 1 hardening profile for Docker on Linux hosts. Audit rules for dockerd and /etc/docker, no-insecure-registries, TLS-protected daemon socket, file/directory ownership and permissions for the systemd unit, /etc/docker, /var/run/docker.sock, and daemon.json, and runtime checks for non-root container users + no privileged containers. Assumes a host with auditd installed and the agent running with permission to query the Docker socket.",
    "author": "Center for Internet Security"
  },
  "tests": [
    {
      "external_id": "e53d063c6e7bd2e18ea543dbc5c5e901",
      "name": "1.1.3 — Ensure auditing is configured for the Docker daemon",
      "description": "auditd should track changes that affect the dockerd binary.",
      "rational": "Audit records of binary modifications are needed to detect tampering with the daemon.",
      "remediation": "Add `-w /usr/bin/dockerd -k docker` to /etc/audit/rules.d/audit.rules and reload auditd.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "auditctl -l 2>/dev/null | grep -E 'dockerd' | wc -l",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "056f16545102c75859470181fbeff58f",
      "name": "1.1.6 — Ensure auditing is configured for the /etc/docker directory",
      "description": "Changes to /etc/docker must be audited.",
      "rational": "The /etc/docker directory holds daemon TLS material and registry credentials — tampering must leave a trail.",
      "remediation": "Add `-w /etc/docker -k docker` to /etc/audit/rules.d/audit.rules.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "auditctl -l 2>/dev/null | grep -E '/etc/docker' | wc -l",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "9c7f2144130aa161cff58297bc8517a6",
      "name": "2.5 — Ensure insecure registries are not used",
      "description": "dockerd must not be configured with --insecure-registry flags. Docker always lists the loopback range 127.0.0.0/8 as an insecure registry, so the expected count is exactly 1; any additional entry fails the check.",
      "rational": "Insecure registries skip TLS verification and let an attacker substitute images during pulls.",
      "remediation": "Remove `insecure-registries` from /etc/docker/daemon.json and remove any --insecure-registry args from the systemd unit.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "docker info --format '{{len .RegistryConfig.InsecureRegistryCIDRs}}' 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "1"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "d696e7539e0df0176e79ffcdf826666f",
      "name": "2.8 — Ensure TLS authentication for Docker daemon is configured",
      "description": "Remote daemon access must require mutual TLS. The condition inspects only the dockerd command line, so TLS options applied through daemon.json (as the remediation describes) are not detected by this check.",
      "rational": "An unauthenticated Docker socket exposed over TCP is equivalent to remote root on the host.",
      "remediation": "Configure tlsverify=true, tlscacert/tlscert/tlskey in /etc/docker/daemon.json.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "pgrep -a dockerd 2>/dev/null | grep -E 'tlsverify|tlscacert' | wc -l",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "e0f00696de2a90a9e4607a4bb84848f3",
      "name": "2.15 — Ensure containers are restricted from acquiring new privileges",
      "description": "Containers should run with no-new-privileges so setuid binaries cannot elevate.",
      "rational": "no-new-privileges blocks an entire class of in-container privilege-escalation primitives.",
      "remediation": "Set `\"no-new-privileges\": true` in /etc/docker/daemon.json.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "grep -E '\"no-new-privileges\"[[:space:]]*:[[:space:]]*true' /etc/docker/daemon.json 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "13197a37aae5d09df3ffcb6717aae9b3",
      "name": "3.1 — Ensure that docker.service file ownership is set to root:root",
      "description": "The systemd unit for the Docker daemon must be owned by root.",
      "rational": "Any other owner could modify the unit to launch dockerd with attacker-controlled flags.",
      "remediation": "Run: `chown root:root /lib/systemd/system/docker.service`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -c '%U:%G' /lib/systemd/system/docker.service /usr/lib/systemd/system/docker.service 2>/dev/null | head -1",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "root:root"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "2a47d25de33db7137321396a1dcccab2",
      "name": "3.2 — Ensure that docker.service file permissions are set to 644 or more restrictive",
      "description": "The Docker systemd unit must not be world- or group-writable. The condition compares the mode to exactly 644, so a stricter mode such as 600 is reported as a failure.",
      "rational": "A unit file writable by group or world gives those users full control over the daemon's command-line flags.",
      "remediation": "Run: `chmod 644 /lib/systemd/system/docker.service`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -c '%a' /lib/systemd/system/docker.service /usr/lib/systemd/system/docker.service 2>/dev/null | head -1",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "644"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "cb162e6efaf1310b75628cc825935ad1",
      "name": "3.5 — Ensure that the /etc/docker directory ownership is set to root:root",
      "description": "/etc/docker must be owned by root.",
      "rational": "/etc/docker contains TLS keys and daemon configuration — non-root ownership allows tampering.",
      "remediation": "Run: `chown root:root /etc/docker`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -c '%U:%G' /etc/docker 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "root:root"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "01321b1aff19173338a41ac719e0de02",
      "name": "3.6 — Ensure that /etc/docker directory permissions are set to 755 or more restrictively",
      "description": "/etc/docker should not be writable by group or world. The condition compares the mode to exactly 755, so a stricter mode such as 700 is reported as a failure.",
      "rational": "Loose permissions on /etc/docker invite tampering with daemon configuration.",
      "remediation": "Run: `chmod 755 /etc/docker`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -c '%a' /etc/docker 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "755"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "a20fa153524d7494f7d7f8d938f1d243",
      "name": "3.15 — Ensure that the Docker socket file ownership is set to root:docker",
      "description": "/var/run/docker.sock should be owned by root and the docker group only.",
      "rational": "Any user in the docker group has root-equivalent access; ownership must be explicit.",
      "remediation": "Run: `chown root:docker /var/run/docker.sock`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -c '%U:%G' /var/run/docker.sock 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "root:docker"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "a983ae87b9724264c6d96123f7d6a6c4",
      "name": "3.16 — Ensure that the Docker socket file permissions are set to 660 or more restrictively",
      "description": "/var/run/docker.sock must not be world-readable or writable. The condition compares the mode to exactly 660, so a stricter mode such as 600 is reported as a failure.",
      "rational": "World access to the socket grants root on the host to every unprivileged user.",
      "remediation": "Run: `chmod 660 /var/run/docker.sock`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "stat -c '%a' /var/run/docker.sock 2>/dev/null",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "660"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "144c7ee0082110b9c795d4bbdb332027",
      "name": "3.17 — Ensure that the daemon.json file ownership is set to root:root",
      "description": "/etc/docker/daemon.json must be owned by root. Note: the condition only requires non-empty output, so any owner and an absent file (reported as ABSENT) currently pass; the expected value should be root:root.",
      "rational": "daemon.json controls runtime, registry, and TLS settings — non-root ownership invites supply-chain tampering.",
      "remediation": "Run: `chown root:root /etc/docker/daemon.json`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "[ -f /etc/docker/daemon.json ] && stat -c '%U:%G' /etc/docker/daemon.json || echo ABSENT",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "fd0f30c61af9ec6c20b4a5ca5958a023",
      "name": "3.18 — Ensure that daemon.json file permissions are set to 644 or more restrictive",
      "description": "/etc/docker/daemon.json must not be world- or group-writable. Note: the condition only requires non-empty output, so any mode and an absent file (reported as ABSENT) currently pass.",
      "rational": "Writable daemon.json effectively grants root via the same supply-chain risk as a writable systemd unit.",
      "remediation": "Run: `chmod 644 /etc/docker/daemon.json`.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "[ -f /etc/docker/daemon.json ] && stat -c '%a' /etc/docker/daemon.json || echo ABSENT",
          "selement": "OUTPUT",
          "condition": "NOT EQUALS",
          "sinput": ""
        }
      ],
      "applicability": []
    },
    {
      "external_id": "fee4186f1ed5ac4a154722d9bb387f54",
      "name": "4.1 — Ensure that a user for the container has been created",
      "description": "Container images should declare a non-root USER in the Dockerfile. The condition inspects Config.User of running containers only; if the Docker socket is unreachable the pipeline yields 0 and the check passes vacuously.",
      "rational": "Root inside a container is one container-escape away from root on the host.",
      "remediation": "Add `USER <uid>` (>0) to every Dockerfile and rebuild.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "docker ps --format '{{.ID}}' 2>/dev/null | xargs -I{} -r docker inspect --format '{{.Config.User}}' {} 2>/dev/null | grep -cxE '|0|root'",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    },
    {
      "external_id": "eeab45ffdec3e366fa2353272eaa454a",
      "name": "5.5 — Ensure that privileged containers are not used",
      "description": "No running containers should be in --privileged mode. If the Docker socket is unreachable the pipeline yields 0 and the check passes vacuously.",
      "rational": "Privileged containers bypass nearly every kernel-level isolation and effectively run as root on the host.",
      "remediation": "Remove --privileged from `docker run` invocations or `privileged: true` from compose files.",
      "severity": "Medium",
      "filter": null,
      "app_filter": null,
      "conditions": [
        {
          "type": "condition",
          "element": "CMD",
          "input": "docker ps -q 2>/dev/null | xargs -I{} -r docker inspect --format '{{.HostConfig.Privileged}}' {} 2>/dev/null | grep -c true",
          "selement": "OUTPUT",
          "condition": "EQUALS",
          "sinput": "0"
        }
      ],
      "applicability": []
    }
  ]
}