- CIS - Ansible-Docker
This Ansible role installs and configures Docker to comply with the CIS Docker Benchmark v1.4.0.
It automates the benchmark's hardening recommendations to strengthen the security of the Docker host.
While the role mitigates common security risks, the configuration must still be tailored to your specific environment.
Tested with:
- Ubuntu 22.04
- Ubuntu 23.04
- Ubuntu 24.04
Build status badges: root, rootless (images not preserved)
This role was developed against a clean install of the operating system.
If you are applying it to an existing system, review the role thoroughly for site-specific changes before running it against production systems.
Testing in a staging environment before applying to production is strongly advised.
By default all sections are active and will be applied:

```yaml
cis_docker_section1: true
cis_docker_section2: true
cis_docker_section3: true
cis_docker_section4: true
cis_docker_section5: true
cis_docker_section6: true
cis_docker_section7: true
# Also install Docker on the host (dependencies, GPG key, apt source and services)
cis_docker_section_install: true
# Set to 'true' to install Docker in rootless mode (rule 2.1)
cis_docker_rule_2_1: false
# Set to 'true' to block network traffic between containers on the default bridge (rule 2.2, icc=false)
cis_docker_rule_2_2: false
# These rules prune unused images (6.1) and containers (6.2); make sure nothing you still need is removed
cis_docker_rule_6_1: false
cis_docker_rule_6_2: false
# Auto-lock: after a Docker restart the swarm must be unlocked first with the
# key encryption key Docker generated when the swarm was initialised
cis_docker_rule_7_6: false
cis_docker_rule_7_7: false
# Certificate rotation is currently not handled by this role; only the command for these rules is implemented
cis_docker_rule_7_8: false
cis_docker_rule_7_9: false
# Set to 'true' to run Docker in swarm mode.
# This disables rule 'cis_docker_rule_2_15' (live restore is not supported together with swarm mode)
cis_docker_is_swarm_mode: false
# User names to add to the docker group so they can run docker without root/sudo.
# Membership of the docker group is root-equivalent (rule 1.1.2): add only trusted users
cis_docker_users_to_add_group: []
cis_docker_rule_1_2_1: true
cis_docker_rule_1_2_2: true
cis_docker_rule_2_5: true
cis_docker_rule_2_6: true
cis_docker_rule_4_1: true
cis_docker_rule_4_2: true
cis_docker_rule_5_1: true
cis_docker_rule_7_3: true
cis_docker_rule_7_4: true
```
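To see what the rule toggles above translate to on the daemon side, here is an added example (not part of the ansible-docker role) that audits a parsed `/etc/docker/daemon.json` against the CIS section 2 rules the role manages. The rule-to-key mapping follows the benchmark's audit commands; the defaults assumed for keys absent from the file (`icc` and `iptables` true, `userland-proxy` true, `live-restore` and `no-new-privileges` false, `log-driver` json-file, `log-level` info, `experimental` false) are Docker's defaults and should be confirmed with `docker info` on your build. The two sample configurations and the log server address are constructed for the demonstration. The `swarm_mode` flag mirrors `cis_docker_is_swarm_mode`: with swarm mode on, live restore (2.15) is not flagged because Docker does not support both together.

```python
"""Audit a Docker daemon.json against the CIS Docker Benchmark v1.4.0
section 2 rules toggled by the role. Added example, not the role's code."""
import json

# Docker's defaults when a key is absent from daemon.json (assumption:
# verify against `docker info` for the Docker build you run).
DEFAULTS = {
    "icc": True,
    "log-level": "info",
    "iptables": True,
    "insecure-registries": [],
    "storage-driver": "",        # empty: Docker picks (overlay2 on Ubuntu)
    "userns-remap": "",
    "log-driver": "json-file",
    "no-new-privileges": False,
    "live-restore": False,
    "userland-proxy": True,
    "experimental": False,
}


def audit_daemon_config(cfg, swarm_mode=False):
    """Return a list of (rule, message) findings for a parsed daemon.json.

    swarm_mode=True mirrors cis_docker_is_swarm_mode: live restore (2.15)
    cannot be combined with swarm mode, so it is not reported then."""
    def get(key):
        return cfg.get(key, DEFAULTS[key])

    findings = []
    if get("icc") is not False:
        findings.append(("2.2", "inter-container traffic on the default bridge is not restricted (icc must be false)"))
    if get("log-level") != "info":
        findings.append(("2.3", "log-level is %r, expected 'info'" % get("log-level")))
    if get("iptables") is not True:
        findings.append(("2.4", "Docker is not allowed to manage iptables rules"))
    if get("insecure-registries"):
        findings.append(("2.5", "insecure registries configured: %s" % ", ".join(get("insecure-registries"))))
    if get("storage-driver") == "aufs":
        findings.append(("2.6", "aufs storage driver in use"))
    if not get("userns-remap"):
        findings.append(("2.9", "user namespace remapping is not enabled"))
    if get("log-driver") == "json-file":
        findings.append(("2.13", "logs stay on the host (json-file); configure a remote/centralised log driver"))
    if get("no-new-privileges") is not True:
        findings.append(("2.14", "containers may acquire new privileges (no-new-privileges must be true)"))
    if not swarm_mode and get("live-restore") is not True:
        findings.append(("2.15", "live restore is not enabled"))
    if get("userland-proxy") is not False:
        findings.append(("2.16", "userland proxy is enabled"))
    if get("experimental") is not False:
        findings.append(("2.18", "experimental features are enabled"))
    return findings


def audit_daemon_json_text(text, swarm_mode=False):
    """Same check on the raw file contents."""
    return audit_daemon_config(json.loads(text), swarm_mode)


# Constructed sample configurations (not taken from the role).
WEAK = """{
  "insecure-registries": ["registry.internal:5000"],
  "experimental": true
}"""

HARDENED = """{
  "icc": false,
  "log-level": "info",
  "iptables": true,
  "userns-remap": "default",
  "log-driver": "syslog",
  "log-opts": {"syslog-address": "udp://logs.example.internal:514"},
  "no-new-privileges": true,
  "live-restore": true,
  "userland-proxy": false,
  "experimental": false
}"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}:")
        for rule, msg in audit_daemon_json_text(text) or [("-", "no findings")]:
            print(f"  [{rule}] {msg}")
```

Run it against the file the role writes with `audit_daemon_json_text(open("/etc/docker/daemon.json").read(), swarm_mode=...)`; rules 2.1, 2.7, 2.8, 2.10, 2.12 and 2.17 depend on systemd units, TLS material or seccomp profiles and are not visible in this file alone.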
Example usage can also be found here.

```yaml
- name: "Container | Docker installer"
  remote_user: "{{ ansible_user }}"
  hosts:
    - docker
  roles:
    - role: ansible-docker
      cis_docker_user_shell: /bin/bash
      cis_docker_users_to_add_group:
        - name: "{{ ansible_user }}"
      cis_docker_rule_2_1: true        # run the install in rootless mode
      cis_docker_is_swarm_mode: true   # allow running in swarm mode
```
Shell aliases that go with the role: the first enables BuildKit for every `docker build`; the last two pipe a Compose file through `docker compose config` and normalise its output for `docker stack deploy` (CPU limits quoted as strings, the leading `name:` line removed, published ports unquoted) before deploying it as a swarm stack, `--resolve-image=never` skipping registry lookups and `--resolve-image=changed` querying the registry for changed images.

```bash
### DOCKER ###
alias docker='DOCKER_BUILDKIT=1 docker'
alias docker-compose='docker compose'
alias docker-swarm-compose='docker compose --compatibility config | sed '\''s|cpus: \([0-9]\+\(\.[0-9]\+\)*\)|cpus: "\1"|'\'' | sed '\''1{/^name:/d}'\'' | sed '\''s/published: "\(.*\)"/published: \1/'\'' | docker stack deploy --resolve-image=never --with-registry-auth --compose-file -'
alias docker-swarm='docker compose --compatibility config | sed '\''s|cpus: \([0-9]\+\(\.[0-9]\+\)*\)|cpus: "\1"|'\'' | sed '\''1{/^name:/d}'\'' | sed '\''s/published: "\(.*\)"/published: \1/'\'' | docker stack deploy --resolve-image=changed --with-registry-auth --compose-file -'
```
Key | Count |
---|---|
🟢 Implemented | 52 |
🟡 Partly implemented, or prints info for a manual check | 10 |
🔴 Not implemented | 57 |
Total | 119 |
Coverage (implemented + partly vs. total) | 52.10 % |
Index | Title | Status |
---|---|---|
1 | Host Configuration | 🟡 |
1.1 | Linux Hosts Specific Configuration | 🟡 |
1.1.1 | Ensure a separate partition for containers has been created (Automated) | 🔴 |
1.1.2 | Ensure only trusted users are allowed to control Docker daemon (Automated) | 🟢 |
1.1.3 | Ensure auditing is configured for the Docker daemon (Automated) | 🟢 |
1.1.4 | Ensure auditing is configured for Docker files and directories - /run/containerd (Automated) | 🟢 |
1.1.5 | Ensure auditing is configured for Docker files and directories - /var/lib/docker (Automated) | 🟢 |
1.1.6 | Ensure auditing is configured for Docker files and directories - /etc/docker (Automated) | 🟢 |
1.1.7 | Ensure auditing is configured for Docker files and directories - docker.service (Automated) | 🟢 |
1.1.8 | Ensure auditing is configured for Docker files and directories - containerd.sock (Automated) | 🟢 |
1.1.9 | Ensure auditing is configured for Docker files and directories - docker.socket (Automated) | 🟢 |
1.1.10 | Ensure auditing is configured for Docker files and directories - /etc/default/docker (Automated) | 🟢 |
1.1.11 | Ensure auditing is configured for Docker files and directories - /etc/docker/daemon.json (Automated) | 🟢 |
1.1.12 | Ensure auditing is configured for Docker files and directories - /etc/containerd/config.toml (Automated) | 🟢 |
1.1.13 | Ensure auditing is configured for Docker files and directories - /etc/sysconfig/docker (Automated) | 🟢 |
1.1.14 | Ensure auditing is configured for Docker files and directories - /usr/bin/containerd (Automated) | 🟢 |
1.1.15 | Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim (Automated) | 🟢 |
1.1.16 | Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v1 (Automated) | 🟢 |
1.1.17 | Ensure auditing is configured for Docker files and directories - /usr/bin/containerd-shim-runc-v2 (Automated) | 🟢 |
1.1.18 | Ensure auditing is configured for Docker files and directories - /usr/bin/runc (Automated) | 🟢 |
1.2 | General Configuration | 🟡 |
1.2.1 | Ensure the container host has been Hardened (Manual) | 🟡 |
1.2.2 | Ensure that the version of Docker is up to date (Manual) | 🟡 |
2 | Docker daemon configuration | 🟡 |
2.1 | Run the Docker daemon as a non-root user, if possible (Manual) | 🟢 |
2.2 | Ensure network traffic is restricted between containers on the default bridge (Automated) | 🟢 |
2.3 | Ensure the logging level is set to 'info' (Automated) | 🟢 |
2.4 | Ensure Docker is allowed to make changes to iptables (Automated) | 🟢 |
2.5 | Ensure insecure registries are not used (Automated) | 🟡 |
2.6 | Ensure aufs storage driver is not used (Automated) | 🟡 |
2.7 | Ensure TLS authentication for Docker daemon is configured (Automated) | 🔴 |
2.8 | Ensure the default ulimit is configured appropriately (Manual) | 🟢 |
2.9 | Enable user namespace support (Automated) | 🟢 |
2.10 | Ensure the default cgroup usage has been confirmed (Automated) | 🟢 |
2.11 | Ensure base device size is not changed until needed (Automated) | 🔴 |
2.12 | Ensure that authorization for Docker client commands is enabled (Automated) | 🔴 |
2.13 | Ensure centralized and remote logging is configured (Automated) | 🟢 |
2.14 | Ensure containers are restricted from acquiring new privileges (Automated) | 🟢 |
2.15 | Ensure live restore is enabled (Automated) | 🟢 |
2.16 | Ensure Userland Proxy is Disabled (Automated) | 🟢 |
2.17 | Ensure that a daemon-wide custom seccomp profile is applied if appropriate (Manual) | 🟡 |
2.18 | Ensure that experimental features are not implemented in production (Automated) | 🟢 |
3 | Docker daemon configuration files | 🟡 |
3.1 | Ensure that the docker.service file ownership is set to root:root (Automated) | 🟢 |
3.2 | Ensure that docker.service file permissions are appropriately set (Automated) | 🟢 |
3.3 | Ensure that docker.socket file ownership is set to root:root (Automated) | 🟢 |
3.4 | Ensure that docker.socket file permissions are set to 644 or more restrictive (Automated) | 🟢 |
3.5 | Ensure that the /etc/docker directory ownership is set to root:root (Automated) | 🟢 |
3.6 | Ensure that /etc/docker directory permissions are set to 755 or more restrictively (Automated) | 🟢 |
3.7 | Ensure that registry certificate file ownership is set to root:root (Automated) | 🔴 |
3.8 | Ensure that registry certificate file permissions are set to 444 or more restrictively (Automated) | 🔴 |
3.9 | Ensure that TLS CA certificate file ownership is set to root:root (Automated) | 🔴 |
3.10 | Ensure that TLS CA certificate file permissions are set to 444 or more restrictively (Automated) | 🔴 |
3.11 | Ensure that Docker server certificate file ownership is set to root:root (Automated) | 🔴 |
3.12 | Ensure that the Docker server certificate file permissions are set to 444 or more restrictively (Automated) | 🔴 |
3.13 | Ensure that the Docker server certificate key file ownership is set to root:root (Automated) | 🔴 |
3.14 | Ensure that the Docker server certificate key file permissions are set to 400 (Automated) | 🔴 |
3.15 | Ensure that the Docker socket file ownership is set to root:docker (Automated) | 🟢 |
3.16 | Ensure that the Docker socket file permissions are set to 660 or more restrictively (Automated) | 🟢 |
3.17 | Ensure that the daemon.json file ownership is set to root:root (Automated) | 🟢 |
3.18 | Ensure that daemon.json file permissions are set to 644 or more restrictive (Automated) | 🟢 |
3.19 | Ensure that the /etc/default/docker file ownership is set to root:root (Automated) | 🟢 |
3.20 | Ensure that the /etc/sysconfig/docker file permissions are set to 644 or more restrictively (Automated) | 🔴 |
3.21 | Ensure that the /etc/sysconfig/docker file ownership is set to root:root (Automated) | 🔴 |
3.22 | Ensure that the /etc/default/docker file permissions are set to 644 or more restrictively (Automated) | 🟢 |
3.23 | Ensure that the Containerd socket file ownership is set to root:root (Automated) | 🟢 |
3.24 | Ensure that the Containerd socket file permissions are set to 660 or more restrictively (Automated) | 🟢 |
4 | Container Images and Build File Configuration | 🟡 |
4.1 | Ensure that a user for the container has been created (Automated) | 🟡 |
4.2 | Ensure that containers use only trusted base images (Manual) | 🟡 |
4.3 | Ensure that unnecessary packages are not installed in the container (Manual) | 🔴 |
4.4 | Ensure images are scanned and rebuilt to include security patches (Manual) | 🔴 |
4.5 | Ensure Content trust for Docker is Enabled (Automated) | 🔴 |
4.6 | Ensure that HEALTHCHECK instructions have been added to container images (Automated) | 🔴 |
4.7 | Ensure update instructions are not used alone in Dockerfiles (Manual) | 🔴 |
4.8 | Ensure setuid and setgid permissions are removed (Manual) | 🔴 |
4.9 | Ensure that COPY is used instead of ADD in Dockerfiles (Manual) | 🔴 |
4.10 | Ensure secrets are not stored in Dockerfiles (Manual) | 🔴 |
4.11 | Ensure only verified packages are installed (Manual) | 🔴 |
4.12 | Ensure all signed artifacts are validated (Manual) | 🔴 |
5 | Container Runtime Configuration | 🟡 |
5.1 | Ensure that, if applicable, an AppArmor Profile is enabled (Automated) | 🟡 |
5.2 | Ensure that, if applicable, SELinux security options are set (Automated) | 🔴 |
5.3 | Ensure that Linux kernel capabilities are restricted within containers (Automated) | 🔴 |
5.4 | Ensure that privileged containers are not used (Automated) | 🔴 |
5.5 | Ensure sensitive host system directories are not mounted on containers (Automated) | 🔴 |
5.6 | Ensure sshd is not run within containers (Automated) | 🔴 |
5.7 | Ensure privileged ports are not mapped within containers (Automated) | 🔴 |
5.8 | Ensure that only needed ports are open on the container (Manual) | 🔴 |
5.9 | Ensure that the host's network namespace is not shared (Automated) | 🔴 |
5.10 | Ensure that the memory usage for containers is limited (Automated) | 🔴 |
5.11 | Ensure that CPU priority is set appropriately on containers (Automated) | 🔴 |
5.12 | Ensure that the container's root filesystem is mounted as read only (Automated) | 🔴 |
5.13 | Ensure that incoming container traffic is bound to a specific host interface (Automated) | 🔴 |
5.14 | Ensure that the 'on-failure' container restart policy is set to '5' (Automated) | 🔴 |
5.15 | Ensure that the host's process namespace is not shared (Automated) | 🔴 |
5.16 | Ensure that the host's IPC namespace is not shared (Automated) | 🔴 |
5.17 | Ensure that host devices are not directly exposed to containers (Manual) | 🔴 |
5.18 | Ensure that the default ulimit is overwritten at runtime if needed (Manual) | 🔴 |
5.19 | Ensure mount propagation mode is not set to shared (Automated) | 🔴 |
5.20 | Ensure that the host's UTS namespace is not shared (Automated) | 🔴 |
5.21 | Ensure the default seccomp profile is not Disabled (Automated) | 🔴 |
5.22 | Ensure that docker exec commands are not used with the privileged option (Automated) | 🔴 |
5.23 | Ensure that docker exec commands are not used with the user=root option (Manual) | 🔴 |
5.24 | Ensure that cgroup usage is confirmed (Automated) | 🔴 |
5.25 | Ensure that the container is restricted from acquiring additional privileges (Automated) | 🔴 |
5.26 | Ensure that container health is checked at runtime (Automated) | 🔴 |
5.27 | Ensure that Docker commands always make use of the latest version of their image (Manual) | 🔴 |
5.28 | Ensure that the PIDs cgroup limit is used (Automated) | 🔴 |
5.29 | Ensure that Docker's default bridge "docker0" is not used (Manual) | 🔴 |
5.30 | Ensure that the host's user namespaces are not shared (Automated) | 🔴 |
5.31 | Ensure that the Docker socket is not mounted inside any containers (Automated) | 🔴 |
6 | Docker Security Operations | 🟢 |
6.1 | Ensure that image sprawl is avoided (Manual) | 🟢 |
6.2 | Ensure that container sprawl is avoided (Manual) | 🟢 |
7 | Docker Swarm Configuration | 🟡 |
7.1 | Ensure swarm mode is not Enabled, if not needed (Automated) | 🟢 |
7.2 | Ensure that the minimum number of manager nodes have been created in a swarm (Automated) | 🔴 |
7.3 | Ensure that swarm services are bound to a specific host interface (Automated) | 🟡 |
7.4 | Ensure that all Docker swarm overlay networks are encrypted (Automated) | 🟡 |
7.5 | Ensure that Docker's secret management commands are used for managing secrets in a swarm cluster (Manual) | 🔴 |
7.6 | Ensure that swarm manager is run in auto-lock mode (Automated) | 🟢 |
7.7 | Ensure that the swarm manager auto-lock key is rotated periodically (Manual) | 🟢 |
7.8 | Ensure that node certificates are rotated as appropriate (Manual) | 🟢 |
7.9 | Ensure that CA certificates are rotated as appropriate (Manual) | 🟢 |
7.10 | Ensure that management plane traffic is separated from data plane traffic (Manual) | 🟢 |
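The section 3 rows are ownership and mode checks on the daemon's files. The following added example (not the role's code) shows how such a check is evaluated, in particular what "644 or more restrictive" means: no permission bit may be set that the limit does not also set, so 600 passes against 644 while 664 or a setuid bit fails. The path list reproduces the rows above; the systemd unit locations under `/lib/systemd/system` and the `docker` group name are assumptions for an Ubuntu host with Docker installed, and missing files are skipped as not applicable. The world-writable file used in the demonstration is created in a temporary directory.

```python
"""CIS Docker Benchmark v1.4.0 section 3 style ownership and mode checks.
Added example, not part of the ansible-docker role."""
import grp
import os
import stat
import tempfile

ROOT = 0


def mode_at_most(mode, limit):
    """True when every permission bit set in `mode` is also set in `limit`,
    i.e. the file is at `limit` "or more restrictive" in benchmark terms.
    setuid/setgid/sticky count as permission bits, so 4644 fails against 644."""
    return (stat.S_IMODE(mode) & ~limit) == 0


def check_stat(path, st_uid, st_gid, st_mode, want_uid, want_gid, max_mode):
    """Pure check on already collected stat fields; returns a list of findings."""
    findings = []
    if (st_uid, st_gid) != (want_uid, want_gid):
        findings.append(f"{path}: owned by {st_uid}:{st_gid}, expected {want_uid}:{want_gid}")
    if not mode_at_most(st_mode, max_mode):
        findings.append(f"{path}: mode {stat.S_IMODE(st_mode):o} is more permissive than {max_mode:o}")
    return findings


def check_path(path, want_uid, want_gid, max_mode):
    """stat() a path and check it; a missing path is 'not applicable' (no finding)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return []
    return check_stat(path, st.st_uid, st.st_gid, st.st_mode, want_uid, want_gid, max_mode)


def docker_gid():
    """gid of the docker group, or None if the group does not exist on this host."""
    try:
        return grp.getgrnam("docker").gr_gid
    except KeyError:
        return None


def expected_files():
    """(path, uid, gid, max_mode) for the section 3 rows. Unit file locations are
    an assumption (confirm with `systemctl show -p FragmentPath docker.service`)."""
    rows = [
        ("/lib/systemd/system/docker.service", ROOT, ROOT, 0o644),  # 3.1, 3.2
        ("/lib/systemd/system/docker.socket", ROOT, ROOT, 0o644),   # 3.3, 3.4
        ("/etc/docker", ROOT, ROOT, 0o755),                         # 3.5, 3.6
        ("/etc/docker/daemon.json", ROOT, ROOT, 0o644),             # 3.17, 3.18
        ("/etc/default/docker", ROOT, ROOT, 0o644),                 # 3.19, 3.22
        ("/run/containerd/containerd.sock", ROOT, ROOT, 0o660),     # 3.23, 3.24
    ]
    dgid = docker_gid()
    if dgid is not None:
        rows.append(("/var/run/docker.sock", ROOT, dgid, 0o660))    # 3.15, 3.16
    return rows


def audit_host():
    """Run every expected-file check on the local host and collect findings."""
    findings = []
    for path, uid, gid, max_mode in expected_files():
        findings.extend(check_path(path, uid, gid, max_mode))
    return findings


def demo_world_writable():
    """Constructed demonstration: an empty daemon.json left at mode 666 in a
    temporary directory, checked against the 3.17/3.18 expectation with the
    current user as expected owner so that only the mode finding fires."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "daemon.json")
        with open(p, "w") as f:
            f.write("{}\n")
        os.chmod(p, 0o666)
        return check_path(p, os.getuid(), os.getgid(), 0o644)


if __name__ == "__main__":
    for line in demo_world_writable() + audit_host():
        print(line)
```

Run `audit_host()` as root on a host the role has configured: an empty list means the section 3 rows that have a file on disk all pass; the certificate rows (3.7 to 3.14) can be added to `expected_files()` with limit 0o444 (and 0o400 for the server key) once TLS material is in place.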
License: MIT