florianutz.DockerCE-CIS

Docker CE CIS Hardening


This Ansible role configures Docker CE to meet the CIS Docker benchmark. It applies the Level 1 and Level 2 remediations automatically.

Note: This role changes your system and may break things. It is meant to remediate findings after you have run an audit, not to check for them.

Important Installation Step

To install this using the ansible-galaxy command, run it like this:

ansible-galaxy install -p roles -r requirements.yml

Make sure your requirements.yml file includes this line:

- src: https://github.com/florianutz/DockerCE-CIS.git

Requirements

Carefully check the tasks before running this playbook to ensure they won't break your system.

Role Variables

You can find many variables in defaults/main.yml. Here are some key ones:

  • 1.1 | Create a separate partition for containers:
    cis_rule_1_1: false

  • 2.1 | Restrict network traffic between containers on the default bridge:
    cis_rule_2_1: "false"

  • 2.2 | Set the logging level to 'info':
    cis_rule_2_2: "info"

  • 2.3 | Allow Docker to change iptables:
    cis_rule_2_3: "true"

  • 2.8 | Enable user namespace support:
    cis_rule_2_8: "default"

  • 2.13 | Disable operations on legacy registry (v1):
    (Note: Not supported by Docker CE)

  • 2.14 | Enable live restore:
    cis_rule_2_14: "true"

  • 2.15 | Disable Userland Proxy:
    cis_rule_2_15: "false"

  • 2.17 | Avoid experimental features in production:
    cis_rule_2_17: !unsafe docker version --format '{{ .Server.Experimental }}'

  • 2.18 | Prevent containers from gaining new privileges:
    cis_rule_2_18: "true"
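To confirm that a host's daemon configuration actually carries the settings these variables target, here is an added example (not part of the role): it assumes the cis_rule_* values map to the daemon.json keys listed in it, treats a missing key as Docker's built-in default, and runs against a constructed sample file.

```python
"""Audit a Docker daemon.json against the settings this role's variables enforce."""
import json

# Assumed mapping (not stated on the page) from the role's cis_rule_* variables
# to daemon.json keys: rule -> (key, value CIS expects, Docker default if absent).
CIS_DAEMON_RULES = {
    "2.1": ("icc", False, True),                 # restrict inter-container traffic
    "2.2": ("log-level", "info", "info"),        # logging level 'info'
    "2.3": ("iptables", True, True),             # Docker may manage iptables
    "2.8": ("userns-remap", "default", ""),      # user namespace support
    "2.14": ("live-restore", True, False),       # live restore
    "2.15": ("userland-proxy", False, True),     # userland proxy disabled
    "2.18": ("no-new-privileges", True, False),  # no new privileges
}

def audit_daemon_config(config: dict) -> dict:
    """Return {rule: (actual, expected)} for each rule the config fails.
    A key absent from daemon.json means Docker's default applies, so the check
    compares against that default instead of silently skipping the rule."""
    failures = {}
    for rule, (key, expected, default) in CIS_DAEMON_RULES.items():
        actual = config.get(key, default)
        if actual != expected:
            failures[rule] = (actual, expected)
    return failures

def audit_daemon_json(text: str) -> dict:
    """Audit the raw text of a daemon.json file."""
    return audit_daemon_config(json.loads(text))

def audit_daemon_file(path: str = "/etc/docker/daemon.json") -> dict:
    """Audit the daemon.json on disk; a missing file means every default applies."""
    try:
        with open(path, encoding="utf-8") as fh:
            return audit_daemon_json(fh.read())
    except FileNotFoundError:
        return audit_daemon_config({})

# Constructed sample: a daemon.json that applies only part of the baseline.
SAMPLE_DAEMON_JSON = """{
  "icc": false,
  "log-level": "debug",
  "live-restore": true,
  "userland-proxy": false
}"""

if __name__ == "__main__":
    for rule, (actual, expected) in sorted(audit_daemon_json(SAMPLE_DAEMON_JSON).items()):
        print(f"CIS {rule}: found {actual!r}, expected {expected!r}")
```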

Dependencies

You need Ansible version 2.2 or higher.

Example Playbook

Here's how to use it in a playbook:

- name: Harden Docker CE engine
  hosts: servers
  become: yes

  roles:
    - DockerCE-CIS

License

MIT

About the project

Ansible role to apply Docker CE CIS Baseline

Install
ansible-galaxy install florianutz.DockerCE-CIS
License
mit
Downloads
2.1k