CIS Docker Benchmark Compliance

Audience: Security teams, DevOps engineers, auditors

WHAT

Implementation status of the CIS Docker Benchmark v1.6.0 security configuration guidelines across DockerKit.

WHY

CIS benchmarks are the industry standard for Docker security posture. Tracking implementation status ensures audit readiness.

HOW

Implementation Status

1. Host Configuration ⚠️

These are runtime/host-level configurations outside Dockerfile scope

ID	Control	Status	Implementation
1.1	Ensure Docker installation from official sources	⚠️	Host responsibility
1.2	Ensure Docker daemon audit	⚠️	Requires auditd configuration

2. Docker Daemon Configuration ⚠️

Runtime configurations set when starting Docker daemon

ID	Control	Status	Implementation
2.1	Restrict network traffic between containers	⚠️	Use --icc=false
2.2	Set logging level to info	⚠️	--log-level=info
2.3	Enable Docker Content Trust	⚠️	DOCKER_CONTENT_TRUST=1

3. Docker Daemon Configuration Files ✅

File permissions and ownership

ID	Control	Status	Implementation
3.1	Verify Docker config permissions	✅	Set in Dockerfile
3.2	Verify registry certificates	✅	CA certificates included

4. Container Images and Build Files ✅

ID	Control	Status	Implementation
4.1	Create user for container	✅	USER dck in all Dockerfiles
4.2	Use trusted base images	✅	Official Alpine images
4.3	No unnecessary packages	✅	Minimal installations
4.4	Scan images for vulnerabilities	✅	Trivy, Docker Scout in CI/CD
4.5	Enable Content Trust	⚠️	Runtime configuration
4.6	Add HEALTHCHECK	✅	Present in production images
4.7	No update in single layer	✅	Combined RUN commands
4.8	Remove setuid/setgid permissions	✅	Non-root user
4.9	Use COPY not ADD	✅	COPY used exclusively
4.10	No secrets in images	✅	No hardcoded credentials
4.11	Verified packages only	✅	Official Alpine repos

5. Container Runtime ⚠️

Runtime security controls

ID	Control	Status	Implementation
5.1	No AppArmor disable	⚠️	Runtime: --security-opt
5.2	No SELinux disable	⚠️	Runtime: --security-opt
5.3	Restrict kernel capabilities	⚠️	Runtime: --cap-drop=ALL
5.4	No privileged containers	✅	No privileged operations
5.5	No sensitive host directories	✅	No host mounts in image
5.6	No sshd in containers	✅	No SSH daemon
5.7	No privileged ports	✅	No ports < 1024
5.8	Open ports only when needed	✅	No EXPOSE in base images
5.9	No host network mode	✅	Standard bridge network
5.10	Memory limits	⚠️	Runtime: --memory
5.11	CPU priority set	⚠️	Runtime: --cpu-shares
5.12	Read-only root filesystem	⚠️	Runtime: --read-only
5.13	Bind specific interface	⚠️	Runtime: -p 127.0.0.1:
5.14	Restart policy on-failure	⚠️	Runtime: --restart=on-failure:5
5.15	No host PID namespace	✅	Container PID namespace
5.16	No host IPC namespace	✅	Container IPC namespace
5.17	No host devices	✅	No device mounts
5.18	Default ulimit override	⚠️	Runtime: --ulimit
5.19	No mount propagation shared	✅	Default private
5.20	No host UTS namespace	✅	Container UTS namespace
5.21	Default seccomp profile	⚠️	Runtime configuration
5.22	No docker exec privileged	✅	Non-root user
5.23	No user namespace disable	⚠️	Runtime: --userns
5.24	Confirm cgroup usage	✅	Default cgroups
5.25	No additional privileges	✅	No setuid binaries
5.26	Check container health	✅	HEALTHCHECK implemented
5.27	Ensure commands with sudo	❌	Removed sudo from production
5.28	PIDs limit set	⚠️	Runtime: --pids-limit
5.29	No Docker socket in container	✅	No socket mounting
5.30	No new privileges	⚠️	Runtime: --security-opt=no-new-privileges

6. Docker Security Operations ✅

ID	Control	Status	Implementation
6.1	Perform security audits	✅	GitHub Actions CI/CD
6.2	Monitor Docker security	✅	Trivy, Scout scanning

Compliance Summary

Fully Implemented (Build-time)

• 23 controls implemented in Dockerfiles
• Non-root user, health checks, minimal packages
• No secrets, trusted base images, vulnerability scanning

Runtime Configuration Required

• 28 controls require runtime flags
• Security options, resource limits, network restrictions
• Must be configured when running containers

Not Applicable/Excluded

• 1 control (sudo) intentionally excluded for security

Usage Examples

Secure Container Execution

# CIS-compliant container run
docker run \
  --rm \
  --read-only \
  --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --memory=512m \
  --cpus=1 \
  --pids-limit=100 \
  --user=1000:1000 \
  --restart=on-failure:5 \
  dck:minimal

Docker Daemon Configuration

{
  "icc": false,
  "log-level": "info",
  "userland-proxy": false,
  "no-new-privileges": true,
  "live-restore": true,
  "userns-remap": "default"
}

Validation Script

# Check CIS compliance
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v /etc/docker:/etc/docker:ro \
  docker/docker-bench-security

References

• CIS Docker Benchmark v1.6.0
• Docker Security Documentation
• Docker Bench Security Tool