Center for Internet Security (CIS) Benchmark for Docker

The Center for Internet Security (CIS) is a non-profit organization dedicated to boosting global cybersecurity. Through its prioritized CIS Controls, the organization engages a global community, offering benchmarks, frameworks, and training. Emphasizing continual improvement, CIS updates guidelines regularly, fostering practical solutions and promoting cyber hygiene for resilient digital environments.

Tanzu Application Catalog incorporates specific controls from the CIS Benchmark for Docker that apply to container image creation, configuration, and deployment, helping customers safeguard their mission-critical environments and comply with industry regulations.

Controls

The table below lists the CIS Benchmark for Docker recommendations that must be met to be CIS compliant. Tanzu Application Catalog follows these recommendations when building and delivering applications.

CIS Docker Benchmark Section 4: Container Images and Build File Configuration

| ID | Description |
| --- | --- |
| 4.4 | Ensure images are scanned and rebuilt to include security patches |
| 4.5 | Ensure Content trust for Docker is Enabled |
| 4.8 | Ensure setuid and setgid permissions are removed |
| 4.9 | Ensure that COPY is used instead of ADD in Dockerfiles |
| 4.10 | Ensure secrets are not stored in Dockerfiles |
| 4.11 | Ensure only verified packages are installed |
| 4.12 | Ensure all signed artifacts are validated |

CIS Docker Benchmark Section 5: Container Runtime Configuration

| ID | Description |
| --- | --- |
| 5.4 | Ensure that Linux kernel capabilities are restricted within containers |
| 5.5 | Ensure that privileged containers are not used |
| 5.6 | Ensure sensitive host system directories are not mounted on containers |
| 5.7 | Ensure sshd is not run within containers |
| 5.8 | Ensure privileged ports are not mapped within containers |
| 5.9 | Ensure that only needed ports are open on the container |
| 5.10 | Ensure that the host's network namespace is not shared |
| 5.11 | Ensure that the memory usage for containers is limited |
| 5.12 | Ensure that CPU priority is set appropriately on containers |
| 5.13 | Ensure that the container's root filesystem is mounted as read only |
| 5.16 | Ensure that the host's process namespace is not shared |
| 5.17 | Ensure that the host's IPC namespace is not shared |
| 5.18 | Ensure that host devices are not directly exposed to containers |
| 5.20 | Ensure mount propagation mode is not set to shared |
| 5.21 | Ensure that the host's UTS namespace is not shared |
| 5.22 | Ensure the default seccomp profile is not Disabled |
| 5.26 | Ensure that the container is restricted from acquiring additional privileges |
| 5.32 | Ensure that the Docker socket is not mounted inside any containers |
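As an added example (not part of the Tanzu Application Catalog documentation or its tooling), the following Python checker evaluates the statically checkable Section 5 controls listed above against the `HostConfig` object that `docker inspect <container>` prints. The sample `HostConfig` is constructed for illustration and deliberately fails three controls; the path lists and option spellings are taken from how Docker records these settings and are assumptions about the inspect format.

```python
import json

# Constructed sample in the shape of the "HostConfig" object that
# `docker inspect <container>` prints; it is not taken from a real container.
SAMPLE_HOST_CONFIG = {
    "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"], "Devices": [],
    "Memory": 536870912, "ReadonlyRootfs": True, "NetworkMode": "bridge",
    "PidMode": "", "IpcMode": "private", "UTSMode": "",
    "SecurityOpt": ["seccomp=unconfined"],
    "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "app-data:/bitnami"],
}

# Host paths CIS 5.6 treats as sensitive; "/" itself is handled separately below.
SENSITIVE_HOST_DIRS = ("/boot", "/dev", "/etc", "/lib", "/proc", "/sys", "/usr")
DOCKER_SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

def host_config_from_inspect(inspect_json):
    """Extract HostConfig from the JSON list that `docker inspect <container>` prints."""
    return json.loads(inspect_json)[0]["HostConfig"]

def evaluate_controls(hc):
    """Map each statically checkable Section 5 control ID to True (pass) or False (fail).
    Controls needing runtime data (5.7, 5.8, 5.9, 5.12, 5.20) are not evaluated here."""
    sec_opts = hc.get("SecurityOpt") or []
    sources = [b.split(":")[0] for b in (hc.get("Binds") or [])]  # host side of each bind
    return {
        "5.4": not (hc.get("CapAdd") or []),            # no capabilities added
        "5.5": not hc.get("Privileged", False),
        "5.6": not any(s == "/" or s == d or s.startswith(d + "/")
                       for s in sources for d in SENSITIVE_HOST_DIRS),
        "5.10": hc.get("NetworkMode") != "host",
        "5.11": (hc.get("Memory") or 0) > 0,             # 0 means unlimited
        "5.13": bool(hc.get("ReadonlyRootfs")),
        "5.16": hc.get("PidMode") != "host",
        "5.17": hc.get("IpcMode") != "host",
        "5.18": not (hc.get("Devices") or []),
        "5.21": hc.get("UTSMode") != "host",
        "5.22": not any(o in ("seccomp=unconfined", "seccomp:unconfined") for o in sec_opts),
        "5.26": any(o.startswith("no-new-privileges") and not o.endswith("false")
                    for o in sec_opts),
        "5.32": not any(s in DOCKER_SOCKETS for s in sources),
    }

def failing_controls(hc):
    """IDs of the controls the given HostConfig fails, in numeric order."""
    return sorted((cid for cid, ok in evaluate_controls(hc).items() if not ok),
                  key=lambda cid: tuple(int(p) for p in cid.split(".")))
```

Running `failing_controls(SAMPLE_HOST_CONFIG)` on the constructed sample reports 5.22 (seccomp disabled), 5.26 (no `no-new-privileges`) and 5.32 (Docker socket mounted); the Exceptions table below shows which of these findings are accepted for specific applications.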

Exceptions

| Application | IDs | Reason |
| --- | --- | --- |
| Concourse | 5.10 | Workers require privileged access to the host because of the runtimes they need to execute |
| Deepspeed | 5.7 | Application requires sshd for communication between nodes |
| Discourse | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| Fluentd | 5.6 | Nodes require access to the host filesystem to obtain the container logs, which also requires root access |
| Joomla | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| Kiam | 5.10 | Application requires privileged access to modify the host networking system |
| Magento | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| MetalLB | 5.10 | Application requires privileged access to modify the host networking system |
| Moodle | 5.13, 5.10 | Application persistence logic is not compatible with read-only root filesystems. Additionally, it requires root access for certain operations such as cron jobs |
| Multus CNI | 5.10 | Application requires privileged access to modify the host networking system |
| Node Exporter | 5.10, 5.16, 5.21 | Application requires hostNetwork access to obtain the Kubernetes node metrics |
| Odoo | 5.13, 5.10 | Application persistence logic is not compatible with read-only root filesystems. Additionally, it requires root access for certain operations |
| Prestashop | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| Redmine | 5.13 | Application persistence logic is not compatible with read-only root filesystems |
| Whereabouts | 5.10 | Application requires privileged access to modify the host networking system |