Docker yesterday released Version 1.13 and today, we are announcing the release of CIS Docker 1.13 Benchmark, with Cavirin as a key contributor. The CIS Docker community has worked extremely hard to ensure that the time lag between the software availability and security recommendations is almost zero, a leading example of the concurrent availability of security guidance with implementations.
The changelog between CIS Docker 1.12 benchmark and CIS Docker 1.13 benchmark is as follows:
Rules added with the Docker 1.13 benchmark
- 2.19 Encrypt data exchanged between containers on different nodes on the overlay network
- 2.20 Apply a daemon-wide custom seccomp profile, if needed
- 2.21 Avoid experimental features in production
- 2.22 Use Docker's secret management commands for managing secrets in a Swarm cluster
- 2.23 Run swarm manager in auto-lock mode
- 2.24 Rotate swarm manager auto-lock key periodically
Rules modified from Docker 1.12 benchmark
- 2.8 Enable user namespace support - Updated Audit Procedure
- 2.5 Avoid container sprawl - Updated Remediation and Audit Procedure
- 2.3 Keep Docker up to date - Re-worded
Rules deleted in the Docker 1.13 benchmark
- 1.2 Use the updated Linux Kernel
- 1.3 Remove all non-essential services from the host
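Three of the added rules (2.19, 2.21 and 2.23) can be audited directly from daemon state. As an added illustration, not code from this post, from the benchmark or from Cavirin's scanner, the following Python evaluates those three rules against the JSON that `docker info --format '{{json .}}'` and `docker network inspect` return (Docker 1.13 and later); the sample input is constructed, and the field names used (ExperimentalBuild, Swarm.ControlAvailable, Swarm.Cluster.Spec.EncryptionConfig.AutoLockManagers and the `encrypted` overlay option) are assumed from the Docker API.

```python
import json
import subprocess


def check_experimental(info):
    """2.21: pass when the daemon was not started with --experimental."""
    return not info.get("ExperimentalBuild", False)


def check_autolock(info):
    """2.23: pass when swarm auto-lock is enabled. Only judged on a manager
    (Swarm.ControlAvailable); on workers or non-swarm hosts it is not applicable."""
    swarm = info.get("Swarm") or {}
    if not swarm.get("ControlAvailable"):
        return True
    cfg = ((swarm.get("Cluster") or {}).get("Spec") or {}).get("EncryptionConfig") or {}
    return bool(cfg.get("AutoLockManagers"))


def unencrypted_overlays(networks):
    """2.19: names of overlay networks created without --opt encrypted."""
    return [n["Name"] for n in networks
            if n.get("Driver") == "overlay" and "encrypted" not in (n.get("Options") or {})]


def audit(info, networks):
    """Map rule number -> result (2.19 lists offending networks, others are pass/fail)."""
    return {"2.19": unencrypted_overlays(networks),
            "2.21": check_experimental(info),
            "2.23": check_autolock(info)}


def collect_live():
    """Gather the same JSON from a running daemon (requires the docker CLI)."""
    info = json.loads(subprocess.check_output(
        ["docker", "info", "--format", "{{json .}}"], text=True))
    ids = subprocess.check_output(
        ["docker", "network", "ls", "-q", "--filter", "driver=overlay"], text=True).split()
    nets = json.loads(subprocess.check_output(
        ["docker", "network", "inspect", *ids], text=True)) if ids else []
    return info, nets


# Constructed sample: a swarm manager without auto-lock, running with experimental
# features on, with one encrypted and one unencrypted overlay network.
SAMPLE_INFO = {"ExperimentalBuild": True,
               "Swarm": {"ControlAvailable": True,
                         "Cluster": {"Spec": {"EncryptionConfig": {"AutoLockManagers": False}}}}}
SAMPLE_NETWORKS = [{"Name": "frontend", "Driver": "overlay", "Options": {"encrypted": ""}},
                   {"Name": "backend", "Driver": "overlay", "Options": {}},
                   {"Name": "bridge", "Driver": "bridge", "Options": {}}]

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INFO, SAMPLE_NETWORKS), indent=2))
```

Replace the sample input with `collect_live()` to run the same checks against a real host.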
It is easy to understand new additions to the benchmark given the pace of innovation at Docker and the energetic community behind it. But you might be curious why a couple of rules were deleted.
CIS benchmark development is community-consensus driven. Every change to the benchmark is vetted for consistency, technical accuracy and alignment with current requirements in production.
Rule 1.2 has become obsolete: most Linux distributions now ship with a kernel that meets Docker's installation requirements. When Docker began, this was an important thing to check before running production workloads, to ensure reliability.
Rule 1.3 is typically addressed in the CIS benchmark for the respective Linux distribution. Hence it duplicated guidance from other benchmarks and was deleted as well. The CIS Docker benchmark provides core security guidance for Docker deployments and drops obsolete recommendations.
Cavirin Systems automatically scans container workloads against the CIS benchmark. Its agentless discovery mechanism quickly builds an inventory of your Docker host instances and containers and runs a deep inspection against the entire CIS benchmark.
Check us out!