CIS Docker Community Edition Benchmark
v1.1.0 - 07-06-2017
1 | Page
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike
4.0 International Public License. The link to the license terms can be found at
https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode
To further clarify the Creative Commons license related to CIS Benchmark content, you are
authorized to copy and redistribute the content for use by you, within your organization
and outside your organization for non-commercial purposes only, provided that (i)
appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you
remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified
materials if they are subject to the same license terms as the original Benchmark license
and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks
is subject to the prior approval of the Center for Internet Security.
Table of Contents
Overview ... 8
Intended Audience ... 8
Consensus Guidance ... 8
Typographical Conventions ... 9
Scoring Information ... 9
Profile Definitions ... 10
Acknowledgements ... 11
Recommendations ... 12
1 Host Configuration ... 12
1.1 Ensure a separate partition for containers has been created (Scored) ... 12
1.2 Ensure the container host has been Hardened (Not Scored) ... 14
1.3 Ensure Docker is up to date (Not Scored) ... 16
1.4 Ensure only trusted users are allowed to control Docker daemon (Scored) ... 18
1.5 Ensure auditing is configured for the docker daemon (Scored) ... 20
1.6 Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored) ... 22
1.7 Ensure auditing is configured for Docker files and directories - /etc/docker (Scored) ... 24
1.8 Ensure auditing is configured for Docker files and directories - docker.service (Scored) ... 26
1.9 Ensure auditing is configured for Docker files and directories - docker.socket (Scored) ... 28
1.10 Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored) ... 30
1.11 Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored) ... 32
1.12 Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd (Scored) ... 34
1.13 Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc (Scored) ... 36
2 Docker daemon configuration ... 38
2.1 Ensure network traffic is restricted between containers on the default bridge (Scored) ... 38
2.2 Ensure the logging level is set to 'info' (Scored) ... 40
2.3 Ensure Docker is allowed to make changes to iptables (Scored) ... 42
2.4 Ensure insecure registries are not used (Scored) ... 44
2.5 Ensure aufs storage driver is not used (Scored) ... 46
2.6 Ensure TLS authentication for Docker daemon is configured (Scored) ... 48
2.7 Ensure the default ulimit is configured appropriately (Not Scored) ... 50
2.8 Enable user namespace support (Scored) ... 52
2.9 Ensure the default cgroup usage has been confirmed (Scored) ... 54
2.10 Ensure base device size is not changed until needed (Scored) ... 56
2.11 Ensure that authorization for Docker client commands is enabled (Scored) ... 58
2.12 Ensure centralized and remote logging is configured (Scored) ... 60
2.13 Ensure operations on legacy registry (v1) are Disabled (Scored) ... 62
2.14 Ensure live restore is Enabled (Scored) ... 64
2.15 Ensure Userland Proxy is Disabled (Scored) ... 66
2.16 Ensure daemon-wide custom seccomp profile is applied, if needed (Not Scored) ... 68
2.17 Ensure experimental features are avoided in production (Scored) ... 70
2.18 Ensure containers are restricted from acquiring new privileges (Scored) ... 71
3 Docker daemon configuration files ... 73
3.1 Ensure that docker.service file ownership is set to root:root (Scored) ... 73
3.2 Ensure that docker.service file permissions are set to 644 or more restrictive (Scored) ... 75
3.3 Ensure that docker.socket file ownership is set to root:root (Scored) ... 77
3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored) ... 79
3.5 Ensure that /etc/docker directory ownership is set to root:root (Scored) ... 81
3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictive (Scored) ... 83
3.7 Ensure that registry certificate file ownership is set to root:root (Scored) ... 85
3.8 Ensure that registry certificate file permissions are set to 444 or more restrictive (Scored) ... 87
3.9 Ensure that TLS CA certificate file ownership is set to root:root (Scored) ... 89
3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictive (Scored) ... 91
3.11 Ensure that Docker server certificate file ownership is set to root:root (Scored) ... 93
3.12 Ensure that Docker server certificate file permissions are set to 444 or more restrictive (Scored) ... 95
3.13 Ensure that Docker server certificate key file ownership is set to root:root (Scored) ... 97
3.14 Ensure that Docker server certificate key file permissions are set to 400 (Scored) ... 99
3.15 Ensure that Docker socket file ownership is set to root:docker (Scored) ... 101
3.16 Ensure that Docker socket file permissions are set to 660 or more restrictive (Scored) ... 103
3.17 Ensure that daemon.json file ownership is set to root:root (Scored) ... 105
3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored) ... 107
3.19 Ensure that /etc/default/docker file ownership is set to root:root (Scored) ... 109
3.20 Ensure that /etc/default/docker file permissions are set to 644 or more restrictive (Scored) ... 111
4 Container Images and Build File ... 113
4.1 Ensure a user for the container has been created (Scored) ... 113
4.2 Ensure that containers use trusted base images (Not Scored) ... 115
4.3 Ensure unnecessary packages are not installed in the container (Not Scored) ... 117
4.4 Ensure images are scanned and rebuilt to include security patches (Not Scored) ... 119
4.5 Ensure Content trust for Docker is Enabled (Scored) ... 121