
Docker

by Docker Inc.

Container runtime platform using Linux namespaces, cgroups, and kernel capabilities for application isolation


Under Construction: This guidance is being actively developed and verified. Content may change.

Authoritative Sources

Key guidance documents from authoritative organizations.

NIST SP 800-190 §4.4.3: "Containers should be run with their root filesystems in read-only mode... and run as a non-root user." §4.4.1: "Organizations should use security tools that can detect when images are run in production that do not meet the organization's standards." §3.3: "Container runtimes are susceptible to software vulnerabilities like any other software... an attacker exploiting a runtime vulnerability would potentially be able to access or modify data and workloads on any container on the host."

Security configuration baseline for Docker deployments. Covers host configuration, daemon settings, container runtime, images, and Docker Swarm.

Official Docker security guidance covering kernel namespaces, control groups, daemon attack surface, Linux capabilities, and content trust.


SOC 2 CC6.1: "The entity implements logical access security software, infrastructure, and architectures over protected information assets." Docker security configurations including user namespaces, capabilities, and seccomp profiles implement logical access controls required for SOC 2 compliance. Source: AICPA Trust Services Criteria.

Verification Commands

Commands and queries for testing and verifying security configurations.

List all containers with their name, image and status:
docker ps -a --format 'table {{.Names}}\t{{.Image}}\t{{.Status}}'

Inspect a container's security options (seccomp, AppArmor, no-new-privileges):
docker inspect --format '{{json .HostConfig.SecurityOpt}}' <container>

Check whether running containers execute as root:
docker ps -q | xargs -I {} docker exec {} id

List a container's added and dropped capabilities:
docker inspect --format '{{.HostConfig.CapAdd}} {{.HostConfig.CapDrop}}' <container>

Check for privileged containers:
docker ps -q | xargs docker inspect --format '{{.Name}}: Privileged={{.HostConfig.Privileged}}'

Scan an image for HIGH and CRITICAL vulnerabilities with Trivy:
trivy image --severity HIGH,CRITICAL myimage:tag

Run the Docker Bench for Security audit:
docker run --rm --net host --pid host --userns host --cap-add audit_control -v /var/lib:/var/lib -v /var/run/docker.sock:/var/run/docker.sock -v /etc:/etc:ro docker/docker-bench-security

Check the Docker daemon's security options (seccomp, AppArmor, user namespaces, rootless):
docker system info --format "{{json .SecurityOptions}}"

Verify content trust is enabled (an empty value means it is disabled):
echo $DOCKER_CONTENT_TRUST

List images with their digests for verification:
docker images --digests --format "{{.Repository}}:{{.Tag}} {{.Digest}}"

Check for containers with host bind mounts:
docker ps -q | xargs docker inspect --format '{{.Name}}: {{range .Mounts}}{{if eq .Type "bind"}}{{.Source}}->{{.Destination}} {{end}}{{end}}'

Audit container resource usage against limits:
docker stats --no-stream --format 'table {{.Name}}\t{{.MemUsage}}\t{{.MemPerc}}\t{{.CPUPerc}}'
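The individual commands above each check one setting. The following added example (not from this page or from Docker) combines the same checks into one audit by parsing the JSON that `docker inspect` emits: it flags containers that run as root or with a writable root filesystem (NIST SP 800-190 §4.4.3), privileged mode, added capabilities, a missing `no-new-privileges` option, and host bind mounts. The two container records are constructed sample data, not output from a real host.

```python
import json
import sys

# Constructed sample of `docker inspect` output for two containers
# (trimmed to the fields the audit reads; not captured from a real host).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",
     "Config": {"User": "1000:1000"},
     "HostConfig": {"Privileged": False, "ReadonlyRootfs": True,
                    "CapAdd": None, "CapDrop": ["ALL"],
                    "SecurityOpt": ["no-new-privileges:true"]},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/data"}]},
    {"Name": "/debug",
     "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "ReadonlyRootfs": False,
                    "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                    "SecurityOpt": None},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
])

def audit_container(c):
    """Return a list of finding strings for one `docker inspect` record."""
    hc = c.get("HostConfig") or {}
    findings = []
    # Config.User is "" when neither the image nor `--user` set a user: root.
    if (c.get("Config") or {}).get("User", "").split(":")[0] in ("", "0", "root"):
        findings.append("runs as root (no User set)")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if hc.get("Privileged"):
        findings.append("privileged mode")
    for cap in hc.get("CapAdd") or []:
        findings.append(f"added capability {cap}")
    if "ALL" not in (hc.get("CapDrop") or []):
        findings.append("default capabilities not dropped")
    if not any(o.startswith("no-new-privileges") for o in hc.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    for m in c.get("Mounts") or []:
        if m.get("Type") == "bind":
            findings.append(f"host bind mount {m['Source']} -> {m['Destination']}")
    return findings

def audit_inspect_json(text):
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(text)}

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) > inspect.json; python audit.py inspect.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in audit_inspect_json(data).items():
        print(f"{name}: {'; '.join(findings) or 'OK'}")
```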

Related Controls

Security controls from various frameworks that relate to Docker.

Related Technologies