Center for Internet Security (CIS) Benchmark for Docker
The Center for Internet Security (CIS) is a non-profit organization dedicated to boosting global cybersecurity. Through its prioritized CIS Controls, the organization engages a global community, offering benchmarks, frameworks, and training. Emphasizing continual improvement, CIS updates guidelines regularly, fostering practical solutions and promoting cyber hygiene for resilient digital environments.
Tanzu Application Catalog incorporates specific CIS controls defined in the CIS Benchmark for Docker that can be applied to the container image creation, configuration and deployment, aiding customers in safeguarding their mission-critical environments and facilitating compliance with industry regulations.
Controls
The table below shows the requirements needed to be CIS compliant. Tanzu Application Catalog follows CIS recommendations to meet those requirements when building and delivering applications.
| ID | Description |
|---|---|
| CIS Docker Benchmark Section 4: Container Images and Build File Configuration | |
| 4.4 | Ensure images are scanned and rebuilt to include security patches |
| 4.5 | Ensure Content trust for Docker is Enabled |
| 4.8 | Ensure setuid and setgid permissions are removed |
| 4.9 | Ensure that COPY is used instead of ADD in Dockerfiles |
| 4.10 | Ensure secrets are not stored in Dockerfiles |
| 4.11 | Ensure only verified packages are installed |
| 4.12 | Ensure all signed artifacts are validated |
| CIS Docker Benchmark Section 5: Container Runtime Configuration | |
| 5.4 | Ensure that Linux kernel capabilities are restricted within containers |
| 5.5 | Ensure that privileged containers are not used |
| 5.6 | Ensure sensitive host system directories are not mounted on containers |
| 5.7 | Ensure sshd is not run within containers |
| 5.8 | Ensure privileged ports are not mapped within containers |
| 5.9 | Ensure that only needed ports are open on the container |
| 5.10 | Ensure that the host’s network namespace is not shared |
| 5.11 | Ensure that the memory usage for containers is limited |
| 5.12 | Ensure that CPU priority is set appropriately on containers |
| 5.13 | Ensure that the container’s root filesystem is mounted as read only |
| 5.16 | Ensure that the host’s process namespace is not shared |
| 5.17 | Ensure that the host’s IPC namespace is not shared |
| 5.18 | Ensure that host devices are not directly exposed to containers |
| 5.20 | Ensure mount propagation mode is not set to shared |
| 5.21 | Ensure that the host’s UTS namespace is not shared |
| 5.22 | Ensure the default seccomp profile is not Disabled |
| 5.26 | Ensure that the container is restricted from acquiring additional privileges |
| 5.32 | Ensure that the Docker socket is not mounted inside any containers |
Exceptions
| Application | IDs | Reason |
|---|---|---|
| Concourse | 5.10 | Workers require privilege access to the system due to the necessary runtimes it needs to execute |
| Deepspeed | 5.7 | Application requires sshd for communication between nodes |
| Discourse | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| Fluentd | 5.6 | Nodes require accessing the host filesystem to obtain the container logs, this also requires root access |
| Joomla | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| Kiam | 5.10 | Application requires privileged access to modify the host networking system |
| Magento | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| MetalLB | 5.10 | Application requires privileged access to modify the host networking system |
| Moodle | 5.13, 5.10 | Application persistence logic is not compatible with read-only root filesystems. Additionally, it requires root access for certain operations like cron jobs |
| Multus CNI | 5.10 | Application requires privileged access to modify the host networking system |
| Node Exporter | 5.10, 5.16, 5.21 | Application requires hostNetwork access to obtain the Kubernetes node metrics |
| Odoo | 5.13, 5.10 | Application persistence logic is not compatible with read-only root filesystems. Additionally, it requires root access for certain operations |
| Prestashop | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| Redmine | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| Whereabouts | 5.10 | Application requires privileged access to modify the host networking system |
