Anthropic-Cybersecurity-Skills/skills/hardening-docker-daemon-configuration/assets/template.md

Docker Daemon Hardening Checklist

Pre-Hardening

• Document current daemon.json configuration
• Run Docker Bench Security baseline
• Identify running containers that may be affected
• Schedule maintenance window
• Backup existing /etc/docker/daemon.json

CIS Docker Benchmark v1.6 - Daemon Checks

Critical

• 2.2 - Disable inter-container communication ("icc": false)
• 2.9 - Enable user namespace remapping ("userns-remap": "default")
• 2.14 - Restrict new privileges ("no-new-privileges": true)
• 2.7 - Configure TLS authentication (if remote access needed)

High

• 2.6 - Use overlay2 storage driver
• 2.16 - Disable userland proxy
• 2.13 - Configure centralized logging
• 2.8 - Set default ulimits
• 2.17 - Apply custom seccomp profile

Medium

• 2.15 - Enable live restore
• 2.1 - Consider rootless mode
• Docker socket permissions set to 660

Post-Hardening Verification

• Docker daemon restarts successfully
• All containers start correctly
• Docker Bench shows improved score
• TLS connection works (if configured)
• Monitoring endpoints accessible
• Log rotation working

Recommended daemon.json

{
  "icc": false,
  "userns-remap": "default",
  "no-new-privileges": true,
  "log-driver": "json-file",
  "log-opts": { "max-size": "10m", "max-file": "5" },
  "storage-driver": "overlay2",
  "live-restore": true,
  "userland-proxy": false,
  "experimental": false
}

Rollback Plan

1. Stop Docker daemon: sudo systemctl stop docker
2. Restore backup: sudo cp /etc/docker/daemon.json.bak /etc/docker/daemon.json
3. Start Docker daemon: sudo systemctl start docker
4. Verify containers: docker ps