CIS_Docker_Community_Edition_Benchmark_v1.1.0.pdf

CIS Docker Community Edition Benchmark v1.1.0 - 07-06-2017
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International Public License. The link to the license terms can be found at https://creativecommons.org/licenses/by-nc-sa/4.0/legalcode

To further clarify the Creative Commons license related to CIS Benchmark content, you are authorized to copy and redistribute the content for use by you, within your organization and outside your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Benchmark(s), you may only distribute the modified materials if they are subject to the same license terms as the original Benchmark license and your derivative will no longer be a CIS Benchmark. Commercial use of CIS Benchmarks is subject to the prior approval of the Center for Internet Security.
Table of Contents

Overview ..... 8
  Intended Audience ..... 8
  Consensus Guidance ..... 8
  Typographical Conventions ..... 9
  Scoring Information ..... 9
  Profile Definitions ..... 10
  Acknowledgements ..... 11
Recommendations ..... 12
1 Host Configuration ..... 12
  1.1 Ensure a separate partition for containers has been created (Scored) ..... 12
  1.2 Ensure the container host has been Hardened (Not Scored) ..... 14
  1.3 Ensure Docker is up to date (Not Scored) ..... 16
  1.4 Ensure only trusted users are allowed to control Docker daemon (Scored) ..... 18
  1.5 Ensure auditing is configured for the docker daemon (Scored) ..... 20
  1.6 Ensure auditing is configured for Docker files and directories - /var/lib/docker (Scored) ..... 22
  1.7 Ensure auditing is configured for Docker files and directories - /etc/docker (Scored) ..... 24
  1.8 Ensure auditing is configured for Docker files and directories - docker.service (Scored) ..... 26
  1.9 Ensure auditing is configured for Docker files and directories - docker.socket (Scored) ..... 28
  1.10 Ensure auditing is configured for Docker files and directories - /etc/default/docker (Scored) ..... 30
  1.11 Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Scored) ..... 32
  1.12 Ensure auditing is configured for Docker files and directories - /usr/bin/docker-containerd (Scored) ..... 34
  1.13 Ensure auditing is configured for Docker files and directories - /usr/bin/docker-runc (Scored) ..... 36
2 Docker daemon configuration ..... 38
  2.1 Ensure network traffic is restricted between containers on the default bridge (Scored) ..... 38
  2.2 Ensure the logging level is set to 'info' (Scored) ..... 40
  2.3 Ensure Docker is allowed to make changes to iptables (Scored) ..... 42
  2.4 Ensure insecure registries are not used (Scored) ..... 44
  2.5 Ensure aufs storage driver is not used (Scored) ..... 46
  2.6 Ensure TLS authentication for Docker daemon is configured (Scored) ..... 48
  2.7 Ensure the default ulimit is configured appropriately (Not Scored) ..... 50
  2.8 Enable user namespace support (Scored) ..... 52
  2.9 Ensure the default cgroup usage has been confirmed (Scored) ..... 54
  2.10 Ensure base device size is not changed until needed (Scored) ..... 56
  2.11 Ensure that authorization for Docker client commands is enabled (Scored) ..... 58
  2.12 Ensure centralized and remote logging is configured (Scored) ..... 60
  2.13 Ensure operations on legacy registry (v1) are Disabled (Scored) ..... 62
  2.14 Ensure live restore is Enabled (Scored) ..... 64
  2.15 Ensure Userland Proxy is Disabled (Scored) ..... 66
  2.16 Ensure daemon-wide custom seccomp profile is applied, if needed (Not Scored) ..... 68
  2.17 Ensure experimental features are avoided in production (Scored) ..... 70
  2.18 Ensure containers are restricted from acquiring new privileges (Scored) ..... 71
3 Docker daemon configuration files ..... 73
  3.1 Ensure that docker.service file ownership is set to root:root (Scored) ..... 73
  3.2 Ensure that docker.service file permissions are set to 644 or more restrictive (Scored) ..... 75
  3.3 Ensure that docker.socket file ownership is set to root:root (Scored) ..... 77
  3.4 Ensure that docker.socket file permissions are set to 644 or more restrictive (Scored) ..... 79
  3.5 Ensure that /etc/docker directory ownership is set to root:root (Scored) ..... 81
  3.6 Ensure that /etc/docker directory permissions are set to 755 or more restrictive (Scored) ..... 83
  3.7 Ensure that registry certificate file ownership is set to root:root (Scored) ..... 85
  3.8 Ensure that registry certificate file permissions are set to 444 or more restrictive (Scored) ..... 87
  3.9 Ensure that TLS CA certificate file ownership is set to root:root (Scored) ..... 89
  3.10 Ensure that TLS CA certificate file permissions are set to 444 or more restrictive (Scored) ..... 91
  3.11 Ensure that Docker server certificate file ownership is set to root:root (Scored) ..... 93
  3.12 Ensure that Docker server certificate file permissions are set to 444 or more restrictive (Scored) ..... 95
  3.13 Ensure that Docker server certificate key file ownership is set to root:root (Scored) ..... 97
  3.14 Ensure that Docker server certificate key file permissions are set to 400 (Scored) ..... 99
  3.15 Ensure that Docker socket file ownership is set to root:docker (Scored) ..... 101
  3.16 Ensure that Docker socket file permissions are set to 660 or more restrictive (Scored) ..... 103
  3.17 Ensure that daemon.json file ownership is set to root:root (Scored) ..... 105
  3.18 Ensure that daemon.json file permissions are set to 644 or more restrictive (Scored) ..... 107
  3.19 Ensure that /etc/default/docker file ownership is set to root:root (Scored) ..... 109
  3.20 Ensure that /etc/default/docker file permissions are set to 644 or more restrictive (Scored) ..... 111
4 Container Images and Build File ..... 113
  4.1 Ensure a user for the container has been created (Scored) ..... 113
  4.2 Ensure that containers use trusted base images (Not Scored) ..... 115
  4.3 Ensure unnecessary packages are not installed in the container (Not Scored) ..... 117
  4.4 Ensure images are scanned and rebuilt to include security patches (Not Scored) ..... 119
  4.5 Ensure Content trust for Docker is Enabled (Scored) ..... 121
  4.6 Ensure HEALTHCHECK instructions have been added to the container image (Scored) ..... 123
  4.7 Ensure update instructions are not use alone in the Dockerfile (Not Scored) ..... 125
  4.8 Ensure setuid and setgid permissions are removed in the images (Not Scored) ..... 127
  4.9 Ensure COPY is used instead of ADD in Dockerfile (Not Scored) ..... 129
  4.10 Ensure secrets are not stored in Dockerfiles (Not Scored) ..... 131
  4.11 Ensure verified packages are only Installed (Not Scored) ..... 133
5 Container Runtime ..... 135
  5.1 Ensure AppArmor Profile is Enabled (Scored) ..... 135
  5.2 Ensure SELinux security options are set, if applicable (Scored) ..... 137
  5.3 Ensure Linux Kernel Capabilities are restricted within containers (Scored) ..... 139
  5.4 Ensure privileged containers are not used (Scored) ..... 142
  5.5 Ensure sensitive host system directories are not mounted on containers (Scored) ..... 144
  5.6 Ensure ssh is not run within containers (Scored) ..... 146
  5.7 Ensure privileged ports are not mapped within containers (Scored) ..... 148
  5.8 Ensure only needed ports are open on the container (Scored) ..... 150
  5.9 Ensure the host's network namespace is not shared (Scored) ..... 152
  5.10 Ensure memory usage for container is limited (Scored) ..... 154
  5.11 Ensure CPU priority is set appropriately on the container (Scored) ..... 156
  5.12 Ensure the container's root filesystem is mounted as read only (Scored) ..... 158
  5.13 Ensure incoming container traffic is binded to a specific host interface (Scored) ..... 161
  5.14 Ensure 'on-failure' container restart policy is set to '5' (Scored) ..... 163
  5.15 Ensure the host's process namespace is not shared (Scored) ..... 165
  5.16 Ensure the host's IPC namespace is not shared (Scored) ..... 167
  5.17 Ensure host devices are not directly exposed to containers (Not Scored) ..... 169
  5.18 Ensure the default ulimit is overwritten at runtime, only if needed (Not Scored) ..... 171
  5.19 Ensure mount propagation mode is not set to shared (Scored) ..... 173
  5.20 Ensure the host's UTS namespace is not shared (Scored) ..... 175
  5.21 Ensure the default seccomp profile is not Disabled (Scored) ..... 177
  5.22 Ensure docker exec commands are not used with privileged option (Scored) ..... 179
  5.23 Ensure docker exec commands are not used with user option (Scored) ..... 181
  5.24 Ensure cgroup usage is confirmed (Scored) ..... 183
  5.25 Ensure the container is restricted from acquiring additional privileges (Scored) ..... 185
  5.26 Ensure container health is checked at runtime (Scored) ..... 187
  5.27 Ensure docker commands always get the latest version of the image (Not Scored) ..... 189
  5.28 Ensure PIDs cgroup limit is used (Scored) ..... 191
  5.29 Ensure Docker's default bridge docker0 is not used (Not Scored) ..... 193
  5.30 Ensure the host's user namespaces is not shared (Scored) ..... 195
  5.31 Ensure the Docker socket is not mounted inside any containers (Scored) ..... 197
6 Docker Security Operations ..... 199
  6.1 Ensure image sprawl is avoided (Not Scored) ..... 199
  6.2 Ensure container sprawl is avoided (Not Scored) ..... 202
7 Docker Swarm Configuration ..... 204
  7.1 Ensure swarm mode is not Enabled, if not needed (Scored) ..... 204
  7.2 Ensure the minimum number of manager nodes have been created in a swarm (Scored) ..... 206
  7.3 Ensure swarm services are binded to a specific host interface (Scored) ..... 208
  7.4 Ensure data exchanged between containers are encrypted on different nodes on the overlay network (Scored) ..... 210
  7.5 Ensure Docker's secret management commands are used for managing secrets in a Swarm cluster (Not Scored) ..... 212
  7.6 Ensure swarm manager is run in auto-lock mode (Scored) ..... 213
  7.7 Ensure swarm manager auto-lock key is rotated periodically (Not Scored) ..... 215
  7.8 Ensure node certificates are rotated as appropriate (Not Scored) ..... 217
  7.9 Ensure CA certificates are rotated as appropriate (Not Scored) ..... 219
  7.10 Ensure management plane traffic has been separated from data plane traffic (Not Scored) ..... 221
Appendix: Summary Table ..... 223
Appendix: Change History ..... 228