Cavirin Blog

CIS Docker 17.06 Security Benchmark Released


Docker 17.06 CE was announced a few days back. We in the CIS Docker community have been busy getting you an updated benchmark quickly.

Download your copy from the CIS website.

This version of the benchmark has undergone significant changes. Below is a quick summary; later I explain a few of these changes in more detail.

New Recommendations

  • 18 Restrict containers from acquiring new privileges
  • 8 Rotate node certificates as appropriate
  • 9 Rotate root CA certificates as appropriate
  • 10 Separate management plane traffic from data plane traffic

Modified Recommendations

  • 1 Restrict network traffic between containers on the default bridge - clarified the intent of the recommendation
  • 12 Mount container's root filesystem as read only - clarified the intent of the recommendation
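As an added example (not part of the original post or of the CIS benchmark text), the following Python audits `docker inspect` output for two of the settings listed above: the new "restrict containers from acquiring new privileges" recommendation and the modified "mount container's root filesystem as read only" one. The input is a constructed sample; in practice you would feed it the JSON from `docker inspect $(docker ps -q)`.

```python
import json

# Constructed sample in the shape of `docker inspect` output for three
# containers (not captured from any real host). Only the fields the checks
# need are included.
SAMPLE_INSPECT = json.loads("""
[
  {"Id": "aaa111", "Name": "/web",
   "HostConfig": {"SecurityOpt": ["no-new-privileges"], "ReadonlyRootfs": true}},
  {"Id": "bbb222", "Name": "/worker",
   "HostConfig": {"SecurityOpt": null, "ReadonlyRootfs": false}},
  {"Id": "ccc333", "Name": "/cache",
   "HostConfig": {"SecurityOpt": ["seccomp=unconfined"], "ReadonlyRootfs": true}}
]
""")


def has_no_new_privileges(container):
    """True when the container was started with --security-opt=no-new-privileges.
    SecurityOpt is null when no options were given, so treat None as empty.
    Docker accepts both the bare flag and the 'no-new-privileges:true' form."""
    opts = container.get("HostConfig", {}).get("SecurityOpt") or []
    return any(opt.strip() in ("no-new-privileges", "no-new-privileges:true")
               for opt in opts)


def has_readonly_rootfs(container):
    """True when the container was started with --read-only."""
    return bool(container.get("HostConfig", {}).get("ReadonlyRootfs"))


def audit(containers):
    """Return {container name: [names of failed checks]} for failing containers."""
    checks = {
        "no-new-privileges": has_no_new_privileges,
        "read-only-rootfs": has_readonly_rootfs,
    }
    findings = {}
    for c in containers:
        failed = [name for name, fn in checks.items() if not fn(c)]
        if failed:
            findings[c["Name"].lstrip("/")] = failed
    return findings


if __name__ == "__main__":
    for name, failed in audit(SAMPLE_INSPECT).items():
        print(f"{name}: fails {', '.join(failed)}")
```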

Deleted Recommendations

  • 1 Perform regular security audits of your host system and containers
  • 2 Monitor Docker containers usage, performance and metering
  • 3 Backup container data

Miscellaneous Changes

  • Formatting the entire benchmark
  • Updated several reference URLs
  • New Section - "7 Docker Swarm Configuration"
  • All Swarm related recommendations moved to the Swarm section
  • All recommendation titles have been renamed to follow CIS standard pattern
  • Docker version will not be part of the benchmark document name anymore

Looking at the changes in more detail:

New Recommendations

The Docker project has great community support. Its rapid pace of innovation brings constant security improvements to the platform. In this release, 4 new recommendations were added to the benchmark: 3 of them are for Docker Swarm and 1 is for Docker Engine.

Modified Recommendations

These were modified through the community feedback process for the benchmark. CIS’s open benchmark development program makes it easy to join a benchmark project and provide feedback or contribute directly to the benchmark.

Deleted Recommendations

This change is interesting. We have been maintaining the benchmark for about 3 years now. During the initial few releases, the Docker methodology was new and was being rapidly tried and adopted. These operational recommendations were added to the benchmark to constantly remind deployment admins and developers to consider Docker’s operational security, such as security audits, monitoring and backup. Now that the Docker ecosystem has matured and there is plenty of awareness and plenty of solutions around, we no longer require that operational guidance (the focus of benchmark recommendations is usually automatable checks, not people- or process-related guidance). Docker deployments are now routinely included in infrastructure risk planning and in regular security operations.

Miscellaneous Changes

This is a complete overhaul. Each recommendation was touched.

  • Formatting errors – CIS moved to a new site from the previous benchmark development site. The new site has several new formatting options. Community members were extremely patient in carefully reformatting 100+ recommendations and cleaning up formatting carried over from the previous site.
  • Updated reference URLs – As I said earlier, we have been maintaining the benchmark for around 3 years now. There were quite a few broken URLs, as well as new discussions and great security articles that made sense to refer to. Again, we literally clicked on each URL, ensured that it was not broken and updated it where necessary.
  • New Swarm Section – Docker Swarm is now an optional layer on top of Docker Engine. There are quite a few settings in the benchmark that are Swarm related. The container ecosystem uses several orchestration mechanisms such as Kubernetes, OpenShift and Mesos. Hence, it made sense to move the Swarm settings to a separate section. That way, the benchmark is easier to consume: if you are not using Swarm, you can simply ignore those settings.
  • New titles – CIS now religiously follows a standard title pattern: “Ensure foo is set to bar”. We could not address this requirement for the last few benchmark releases. We caught up on it in this release. Each recommendation now has a new title according to the standard CIS format.
  • Benchmark versioning – Previously, each Docker version had its own 1.0 benchmark release version. With quarterly updates from Docker, it was becoming increasingly difficult to track changes between the prior and new benchmark versions. Hence, we dropped the Docker version from the CIS Benchmark title. Now it is simply the CIS Docker Benchmark, with its own versioning information and change logs. Each benchmark release will state the Docker version against which that benchmark version was tested. For example, the current benchmark is named “CIS Docker Community Edition Benchmark v1.1.0”, and its overview section states that this benchmark version is applicable to Docker 17.06 Community Edition.

I would like to thank CIS Docker community members for their contribution and CIS for providing such a wonderful platform for security benchmark development.

We at Cavirin address three use cases around Docker:

  • CIS Docker benchmark support (host hardening and Docker deployment security)
  • Docker Image Hardening (security best practices for Docker Images)
  • Docker Image Patch and Vulnerability assessment (ensure that Docker images have security patches installed)

Cavirin provides security management across physical, public, and hybrid clouds, supporting AWS, Microsoft Azure, Google Cloud Platform, VMware, KVM, and Docker.