Container Rulesets Compliance Matrix

F5 Distributed Cloud App Infrastructure Protection (AIP) includes CIS Docker and Kubernetes rulesets to increase configuration visibility. The CIS Docker ruleset assists with safe and secure configuration of Docker containers by alerting on known configuration issues and misconfigurations. The Kubernetes ruleset assists with file integrity monitoring (FIM) by alerting on changes to configuration files associated with the Kubernetes API server, Scheduler, etcd, Control Manager, Cluster Administration, and Kublet Service.

Distributed Cloud AIP also uses rules in the base ruletset to mitigate risky activity recognized by the MITRE ATT&CK Matrices.

Important

File Integrity Monitoring (FIM) rules for containers provide visibility to files that are accessible from the host file system. For containers, this includes container volumes mounted by the host, but no other files.

If these rulesets provide value for your organization, then please reach out to your customer success manager to add them to your environment.

Docker CIS Docker Kubernetes

Docker	MITRE Criteria
Docker: kinsing malware	T1496, T1610
Docker: Container File Change	T1485
Docker: Data Encoding Observed	T1560, T1140, T1132, T1048
Docker: Data Encryption Observed	T1486, T1140
Docker: EC2 Instance Metadata Communication	T1552
Docker: Exploit: Process Activity from /tmp	T1203
Docker: File: Docker Configuration Change	T1485
Docker: Kubectl Commands	T1610, T1609
Docker: Network: Outbound Connection (Connects)	N/A
Docker: Possible Data Download	T1204
Docker: Possible Data Exfiltration	T1567, T1074, T1048, T1041, T1020
Docker: Privileged Commands	T1609
Docker: Suspicious User Commands	T1609
Docker: System Time Change Attempt	N/A
Docker: User Commands	T1609
Docker: User: Push or Pull Commands	T1610

CIS Docker	Supports Criteria
Docker: Ability to Make Changes to IPtables Disabled	CIS Docker 1.13.0 (2.3)
Docker: Base Device Size Changed	CIS Docker 1.13.0 (2.10)
Docker: cgroup Usage Observed	CIS Docker 1.13.0 (5.24)
Docker: Container Started with Privileged Flag	CIS Docker 1.13.0 (5.4)
Docker: Container's root Filesystem Not Mounted as Read-Only	CIS Docker 1.13.0 (5.12)
Docker: Default Secure Computing Mode Disabled	CIS Docker 1.13.0 (5.21)
Docker: Default ulimit Override Observed	CIS Docker 1.13.0 (2.7)
Docker: Do Not Set Mount Propegation Mode to Shared	CIS Docker 1.13.0 (5.19)
Docker: Do Not Share the Host's UTS Namespace	CIS Docker 1.13.0 (5.20)
Docker: Excessive Open Ports on Container	CIS Docker 1.13.0 (5.8)
Docker: Exec Command with Privileged Flag	CIS Docker 1.13.0 (5.22)
Docker: Exec Command with User Flag	CIS Docker 1.13.0 (5.23)
Docker: Experimental Feature Enabled in Production	CIS Docker 1.13.0 (2.21)
Docker: Host Devices Directly Exposed	CIS Docker 1.13.0 (5.17)
Docker: Host's IPC Namespace Shared	CIS Docker 1.13.0 (5.16)
Docker: Host's Network Namespace Shared	CIS Docker 1.13.0 (5.9)
Docker: Host's Process Namespace Shared	CIS Docker 1.13.0 (5.15)
Docker: Insecure Registry Usage	CIS Docker 1.13.0 (2.4)
Docker: Legacy Storage Driver Usage	CIS Docker 1.13.0 (2.5)
Docker: Logging Level Not Set to "info"	CIS Docker 1.13.0 (2.2)
Docker: Mounted Sensitive Host System Directories	CIS Docker 1.13.0 (5.5)
Docker: No Memory Usage Limit Set	CIS Docker 1.13.0 (5.10)
Docker: Node Promoted to Manager in Swarm	CIS Docker 1.13.0 (2.16)
Docker: Non-Default Secure Computing Mode Profile Applied	CIS Docker 1.13.0 (5.21)
Docker: SSH Server Running in Container	CIS Docker 1.13.0 (5.6)
Docker: Swarm Manager Running with Auto-Lock Disabled	CIS Docker 1.13.0 (2.23)
Docker: Swarm Mode Enabled	CIS Docker 1.13.0 (2.15)
Docker: Swarm Services Not Bound to Specific Host Interface	CIS Docker 1.13.0 (2.17)
Docker: Authorization Plugin Not Used	CIS Docker 1.13.0 (2.11)
Docker: Centralized and Remote Logging Disabled	CIS Docker 1.13.0 (2.12)
Docker: Confirm Default cgroup Usage	CIS Docker 1.13.0 (2.9)
Docker: Container Restart Policy Not Restricted	CIS Docker 1.13.0 (5.14)
Docker: Default ulimit Not Set	CIS Docker 1.13.0 (2.7)
Docker: Health Check Not Executed at Runtime	CIS Docker 1.13.0 (4.6)
Docker: Live Restore Disabled	CIS Docker 1.13.0 (5.8)
Docker: Restrict Container from Acquiring Additional Privileges	CIS Docker 1.13.0 (5.25)
Docker: Set Container CPU Priority Appropriately	CIS Docker 1.13.0 (5.11)
Docker: Use PIDS cgroup Limit	CIS Docker 1.13.0 (5.28)
Docker: Userland Proxy is Enabled	CIS Docker 1.13.0 (2.18)

Kubernetes Ruleset
Kubernetes: API Server Specification File Modified
Kubernetes: Audit Policy Specification File Modified
Kubernetes: Cluster Administration Configuration File Modified
Kubernetes: Controller Manager Configuration File Modified
Kubernetes: Controller Manager Specification File Modified
Kubernetes: etcd Specification File Modified
Kubernetes: Kubelet Configuration File Modified
Kubernetes: Kubelet Service Configuration File Modified
Kubernetes: Scheduler Configuration File Modified
Kubernetes: Scheduler Specification File Modified

Container Rulesets Compliance Matrix

Important

Related Articles

Table of Contents

Important

Related Articles

Table of Contents

Related articles