We should at least build and run the go unit tests (even if there aren't many) automatically in this project

Seems we only check the first folder and not the whole deep path.
For example, I might have:
/etc/docker/cert.d/cdn.redhat.com/redhat-entitlement-authority.crt
So we only check the permissions on /etc/docker/cert.d/* and thus we see the permission on the subfolder but not on the file under that subfolder.

./docker-bench --version 1.13.0
error converting 5.36870912e+08: strconv.Atoi: parsing "5.36870912e+08": invalid syntax

Can you suggest ?

Create a profile to Docker 1.13. The profile should be based on the Docker 17.06 profile, with the following changes:

Changes from docker 17.06

Remove
2.18

Change:
2.1 - change name to "Restrict network traffic between containers (Scored) "
Move 2.15 -> 2.18
Move 2.16 -> 2.20
Move 2.17 -> 2.21

Move 6.1 to 6.4 and change name to "Avoid image sprawl (Not Scored)"
Move 6.2 to 6.5 and change name to "Avoid container sprawl (Not Scored) "

Add from the attached docker 1.13 cis benchmark:
2.15- Do not enable swarm mode, if not needed (Scored)
2.19 - Encrypt data exchanged between containers on different nodes on the overlay network (Scored)
6.1 - Perform regular security audits of your host system and containers (Not Scored)
6.2 - Monitor Docker containers usage, performance and metering (Not Scored)
6.3 - Backup container data (Not Scored)

Can we have docker bench for the newer version of docker and does aquasec has any slack or gitter channel for discussions on various aquasec open source projects.

As requested in aquasecurity/kube-bench#320

This is the container information when I mounted the/etc directory, but this detection passed. When I set the - flag: Source:/etc Destination in the rule
Set: false to - flag: Source:/etc
Set: false If you mount/etc again, it will be detected as not passing. I think there is a problem with the rule

./docker-bench --help prints the Cobra boilerplate. It should describe docker-bench!

When running ./docker-bench you should show under [INFO] section the following information:

• Host name
• Host IP
• Docker Version

Needs to update go mod and go sum in order to use new version of bench-common which will solve some issue.

Would be nice to see regular releases for this application. Maybe matching with the upstream docker version or CIS benchmark releases?

Can we check that docker version is latest by doing the following:

1. Run "docker version" and getting the version under the "server" section.
2. Parse the version number into year and month
3. Check if current date is within same year and quarter of the installed version - if not then this version is not up to date.

See following post for Docker version naming convention:
https://medium.com/@nagarwal/dockers-new-versioning-scheme-introduced-9bf594a278cf

Currently there is only a check for "grep /var/lib/docker /etc/fstab"
Another option if this check fails is to check for "mountpoint -q -- /var/lib/docker".

// getDockerVersion returns the docker server engine version.
func getDockerVersion() (string, error) {
cmd := exec.Command("docker", "version", "-f", "{{.Server.Version}}")
out, err := cmd.Output()
return string(out), err //out is 18.09\n
}

modify:
// getDockerVersion returns the docker server engine version.
func getDockerVersion() (string, error) {
cmd := exec.Command("docker", "version", "-f", "{{.Server.Version}}")
out, err := cmd.Output()
return strings.Replace(string(out), "\n", -1), err
}

Hello, I have two questions here.

1. When I click on the Docker Benchmark v1.2.0 of README.md, it will link to the CIS Kubernetes Benchmark v1.4.1 web page. I think he should link to this web page: https://workbench.cisecurity.org/benchmarks/601
2. README.md wrote the correspondence between the docker version and CIS Benchmark, but cis-1.3.1 is missing here. Is it CIS Docker Benchmark v1.3.1 ?And CIS Docker Benchmark v1.3.1 describe that incorporate Docker Engine 20.10 or later technology on Linux based platforms, while docker-bench defines docker version ≥ 20.04

Hi,

It is no more possible to get and install the project as one of the library is retracted (k8s.io)

➔ go get github.com/aquasecurity/docker-bench
go: warning: k8s.io/[email protected]+incompatible: retracted by module author: pre-module versions are obsolete
go: to switch to the latest unretracted version, run:
        go get k8s.io/client-go@latest

Best regards,
hutchYy

Configuring docker to be on a separate folder other than default failed to be detected.

Customer set /mnt/sscp/data/docker partition instead of /var/lib/docker as the docker storage - yet the utility failed to detect this and failed the test.

Test 4.5 is just:

You should execute the following command:
echo $DOCKER_CONTENT_TRUST
This should return a value of 1.

By just adding test to output it will be more intuitive and user friendly,
Something like this:
echo DOCKER_CONTENT_TRUST=$DOCKER_CONTENT_TRUST

Enviroment

$ docker version
Client: Docker Engine - Community
 Version:           23.0.5
 API version:       1.42
 Go version:        go1.19.8
 Git commit:        bc4487a
 Built:             Wed Apr 26 16:18:56 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          23.0.5
  API version:      1.42 (minimum version 1.12)
  Go version:       go1.19.8
  Git commit:       94d3ad6
  Built:            Wed Apr 26 16:16:35 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.20
  GitCommit:        2806fc1057397dbaeefbea0e4e17bddfbd388f38
 runc:
  Version:          1.1.5
  GitCommit:        v1.1.5-0-gf19387a
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

$ cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

Check Item

  - id: 5.30
    description: "Ensure that the host's user namespaces is not shared (Automated)"
    audit: docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}:UsernsMode={{ .HostConfig.UsernsMode }}'
    tests:
      test_items:
      - flag: "UsernsMode"
        compare:
          op: eq
          value: ""
        set: true
    remediation: |
      You should not share user namespaces between host and containers.
      For example, you should not run the command below:
      docker run --rm -it --userns=host ubuntu bash
    scored: true

Step

1. We run a centos image and share the user namespace of the host.

$ docker run -itd --userns=host centos bash

2. Then I run the audit command to see if there is a container that shares the user namespace.

$ docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}:UsernsMode={{ .HostConfig.UsernsMode }}'
25bb4ff9b617445860b2db256789b6fc6974b563ec3fd162b4b5a2030b2a6dc3:UsernsMode=
c7536667b00fcd4e258ade2e7cea8412e838093b644905b60770e0557e8379a9:UsernsMode=host

Actual value

return PASS

Expectations

The c7536667b0 container shares the user namespace of the host, and should be FAIL.

The CIS Benchmark audit tests assume that the parameters are passed in on the command line, but in practice they could also be read from a JSON config file (/etc/docker/daemon.json by default).

You should show the list of users that are members of "docker" group.

It would be better suited to include container name than ID - makes it much easier to pickup which containers/apps are running as privileged

So for 5.4 Change audit command from:
"docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}:Privileged={{ .HostConfig.Privileged }}'",

to:
"docker ps --quiet --all | xargs docker inspect --format '{{ .Name }}:Privileged={{ .HostConfig.Privileged }}'",

The current cis-1.3.1 audit is giving me a false positive with docker-ce-20.10.21-3. This check 1.1.8:

      test_file=$(grep 'containerd.sock' /etc/containerd/config.toml | awk -F "\"" '{print $2}')
      if test -S "$test_file"; then
        auditctl -l | grep $test_file
      fi

I manually updated it to:

      test_file=$(grep 'containerd.sock' /etc/containerd/config.toml | awk -F "=" '{print $2}' | sed -e 's/"//g')
      if test -S $test_file; then
        auditctl -l | grep $test_file
      fi

And it passes now.
I can create a PR but before I'd like to confirm this is not caused by my environment/version.

I'm running docker-ce-20.10.21-3 on rocky8

Seems we do not check the value in /etc/docker/daemon.json file.

So if we configured there
"no-new-privileges": true

This is not checked during the compliance check and provides a fail result.

Some test has two ways to test them in CIS, for example test 2.12:

Run docker info and ensure that the Logging Driverproperty set as appropriate.
docker info --format '{{ .LoggingDriver }}'
Alternatively, the below command would give you the --log-driver setting. If configured you should ensure that it is set appropriately.
ps -ef | grep dockerd
The contents of /etc/docker/daemon.json should also be reviewed for this setting.

When using the second way we can encounter some false negative, when test was remediated but not shown on ps dockerd.
Other test we should change are:
2.12
2.13
Possibly 2.17

test 1.2.1 test for:
https://github.com/aquasecurity/docker-bench/blob/main/cfg/cis-1.2/definitions.yaml#L39
grep '/var/lib/docker' /proc/mounts
when it should be
grep '/var/lib/docker\s' /proc/mounts
The current audit is also getting false positive as

And after changing:

In some system the first audit could cause multiple line output which is spamming the results.

Enviroment

uname -a
Linux ubuntu 6.2.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 00:41:18 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

docker version
Client: Docker Engine - Community
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.6
 Git commit:        ced0996
 Built:             Fri Jul 21 20:36:04 2023
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.6
  Git commit:       a61e2b4
  Built:            Fri Jul 21 20:36:04 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Check Item

  - id: 1.1.9
    description: "Ensure auditing is configured for Docker files and directories - docker.socket (Automated)"
    audit: |
      test_file=$(systemctl show -p FragmentPath docker.socket | awk -F "=" '{print $2}')
      socket_file=$(grep ListenStream $testfile)
      if test -f "$socket_file"; then
        auditctl -l | grep $socket_file
      fi
    tests:
      test_items:
      - flag: "docker.sockest"
        set: true
    remediation: |
      If the file exists, you should add a rule for it. 
      For example: 
      Add the line below to the /etc/audit/audit.rules file:
      -w /var/run/docker.sock -k docker
      Then restart the audit daemon. 
      For example:
      systemctl restart auditd
    scored: true

Step

Auditing for docker.socket according to the remediation

1. Add rule for audit

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

## docker-bench 1.1.9
-w /var/run/docker.sock -k docker

2. restart audit

systemctl restart auditd

3. ran docker-bench again and the result was FAIL

./docker-bench --check="1.1.9"
[INFO] 20.04 CIS Docker Community Edition Benchmark
[INFO] 1.1 Linux Hosts Specific Configuration
[FAIL] 1.1.9 Ensure auditing is configured for Docker files and directories - docker.socket (Automated)

== Remediations ==
1.1.9 If the file exists, you should add a rule for it.
For example:
Add the line below to the /etc/audit/audit.rules file:
-w /var/run/docker.sock -k docker
Then restart the audit daemon.
For example:
systemctl restart auditd


== Summary ==
0 checks PASS
1 checks FAIL
0 checks WARN
0 checks INFO

Expect

PASS

eg. the configuration can be set via command line args or daemon.json, can it be one items while check.
[FAIL] 2.14.a Ensure Userland Proxy is Disabled (Scored)
[PASS] 2.14.b Disable Userland Proxy (Scored)

maybe in the config file should support operators like OR

In the new Bench-common release there is a op: bitmask which is used for permissions comparison. aquasecurity/bench-common#88
Should change the cfg files to use it

In case a test that is "not scored" is failing, then we need to mark the result as "warning".
Currently there are cases where result is not warning for tests that are not scored.

Seems we do not verify values configured in /etc/docker/daemon.json

For example, if we have set there:

"userland-proxy": false

This is not found and fail the test.

If we are using Kubernetes, do we still need to run this tool to check if our Docker is compliant?
Thanks!

The 2.15 test that evaluates whether userland proxy is disabled will fail and return false positive when userland proxy is successfully disabled but the docker daemon is still passed an unused --userland-proxy-path variable.

On Red Hat systems, this --userland-proxy-path parameter is added to systemd config in /etc/systemd/system/multi-user.target.wants/docker.service by default after docker-current package is installed:

--userland-proxy-path=/usr/libexec/docker/docker-proxy-current \

This path parameter does not take effect when userland proxy is diabled via edit to /etc/sysconfig/docker file OPTIONS value to add --userland-proxy=false, but the parameter still exists in the process list.

Based upon behavior of docker daemon, the 2.15 test should succeed despite existence of this parameter.

We can validate userland proxy is enabled or disabled independently of --userland-proxy=false parameter check by creating container with published port and looking at process list.

We will see docker-proxy-current process listed (as own process and not as value to dockerd parameter) if userland proxy is enabled. We won't see the docker-proxy-current process if it is disabled:

This allows us to confirm userland proxy is still disabled despite existence of --userland-proxy-path parameter.

with --userland-proxy=false there's no docker-proxy-current process:

# docker run --name test -d -p 8111:8111 alpine:latest sleep 100
84b607f157393e1fc2c7a3d50664627be65e725b8c8e46106f83a080151e1e6a
# ps -ef | grep proxy
root      23932      1  0 16:17 ?        00:00:06 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --init-path=/usr/libexec/docker/docker-init-current **--userland-proxy-path=/usr/libexec/docker/docker-proxy-current** --seccomp-profile=/etc/docker/seccomp.json --selinux-enabled --log-driver=journald --signature-verification=false --userland-proxy=false --add-registry registry.access.redhat.com
root      27418  21811  0 16:56 pts/1    00:00:00 grep --color=auto proxy

with userland proxy enabled (no --userland-proxy parameter passed, or with true value passed, eg, --userland-proxy=true), the docker-proxy-current process exists (PID 29148 below):

# docker run --name test -d -p 8111:8111 alpine:latest sleep 100
7032fb47a74c2769d3290fac704e232b8f9abca73b3d1d19aaa7871da2430744
# ps -ef | grep proxy
root      27974      1  3 16:57 ?        00:00:02 /usr/bin/dockerd-current --add-runtime docker-runc=/usr/libexec/docker/docker-runc-current --default-runtime=docker-runc --authorization-plugin=rhel-push-plugin --exec-opt native.cgroupdriver=systemd --init-path=/usr/libexec/docker/docker-init-current --userland-proxy-path=/usr/libexec/docker/docker-proxy-current --seccomp-profile=/etc/docker/seccomp.json --selinux-enabled --log-driver=journald --signature-verification=false --add-registry registry.access.redhat.com
root      29148  27974  0 16:58 ?        00:00:00 /usr/libexec/docker/docker-proxy-current -proto tcp -host-ip 0.0.0.0 -host-port 8111 -container-ip 172.17.0.3 -container-port 8111
root      29289  21811  0 16:58 pts/1    00:00:00 grep --color=auto proxy

Maybe it should look for whole parameter instead of looking for any parameter beginning with --userland-proxy. Or perhaps check against --userland-proxy= instead of --userland-proxy if that won't interfere with the 'op: eq' specified in the yaml:

  - id: 2.15
    description: "Ensure Userland Proxy is Disabled (Scored)"
    audit: ps -ef | grep dockerd
    tests:
      test_items:
      - flag: "--userland-proxy"
        compare:
          op: eq
          value: "false"
        set: true
    remediation: |
      Run the Docker daemon as below:
      dockerd --userland-proxy=false
    scored: true

While there is no purpose for --userland-proxy-path parameter to exist if it cannot take effect, the test should pass if userland proxy is successfully disabled on the host, and userland proxy is successfully disabled on the host even when this extra parameter exists.

I think runCheck() in app.go could be common between the Docker & Kube commands.

We can probably make a lot of the CLI flags common too.

While I'm thinking about CLI flags, this has "dbdir" for the directory where files are defined - that name screams "database directory" to me! I think we should have the same name for both kube & docker tests.

Hi Team,
When docker-bench runs - it will try and detect if Docker Swarm exists and if not it will print an error such as:

dockerd-current: time="2020-04-02T18:19:01.654114156+11:00" level=error msg="Error retrieving swarm unlock key" error="This node is not a swarm ma
nager. Use "docker swarm init" or "docker swarm join" to connect this node to swarm and try again."

This is printed into /var/log/messages and can confuse the users who might think they have an issue with Docker.

Maybe if 'Docker Swarm' does not exists - simply skip that test or at least skip that message being printed?

• If I execute the remediation in 1.1.8 of cis-1.3.1 which is auditing containerd.sock ,the check 1.1.4 will also pass. Because the path of containerd.sock contains the /run/containerd

-w /run/containerd/containerd.sock -k docker

• As for check 1.1.4, if audit rule contains the directory /run/containerd,It will PASS

auditctl -l | grep /run/containerd

• But in fact, I did not audit the directory /run/containerd

Because of https://github.com/aquasecurity/docker-bench/blob/master/root.go#L75 default value for dockerVersion is always 17.06 and getDockerVersion will never run, https://github.com/aquasecurity/docker-bench/blob/master/app.go#L22

Seems we do not check the values we have in the /etc/docker/daemon.json and if we have set there:

"live-restore": true

This is not found and fails the test.

Recently we changed the directories name from the docker version to CIS versions name 760dc61
Which means currently --version expect cis version input (eg cis-1.2)
But we didn't change to --version help massage which is:
--version string Specify Docker version, automatically detected if unset
that lead me to think about that we should still support docker version input and not only cis version input

Observation

The problem seems to be due to the format of the output returned by the audit command, which contains the container Id.
For example

docker ps --quiet --all | xargs docker inspect --format '{{ .Id }}:Memory={{ .HostConfig.Memory }}'
87d3272a4a42fdeb534935bccb9b934f13761fc7e8ba82e233de581213d05359:Memory=268435456

is considered a FAIL by

docker run --memory=256m hello-world:latest
sudo docker-bench --benchmark cis-1.3.1 --include-test-output --config-dir /etc/docker-bench/cfg | grep "] 5.10" -A 1

[FAIL] 5.10 Ensure that the memory usage for container is limited (Automated)
         87d3272a4a42fdeb534935bccb9b934f13761fc7e8ba82e233de581213d05359:Memory=268435456

Possible solution

It seems like the problem can be resolved by using a regex

    tests:
      test_items:
      - flag: ".*Memory"

instead of

Other affected checks

System details

cat /etc/*release
NAME="openSUSE Leap"
VERSION="15.3"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.3"
PRETTY_NAME="openSUSE Leap 15.3"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:opensuse:leap:15.3"
BUG_REPORT_URL="https://bugs.opensuse.org"
HOME_URL="https://www.opensuse.org/"

docker version
Client:
 Version:           20.10.6-ce
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        8728dd246c3a
 Built:             Thu Apr 15 12:00:00 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server:
 Engine:
  Version:          20.10.6-ce
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       8728dd246c3a
  Built:            Thu Apr 15 12:00:00 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.4.4
  GitCommit:        05f951a3781f4f2c1911b05e61c160e9c30eaa8e
 runc:
  Version:          1.0.0-rc93
  GitCommit:        12644e614e25b05da6fd08a38ffa0cfe1903fdec
 docker-init:
  Version:          0.1.5_catatonit
  GitCommit:        

docker-bench https://github.com/aquasecurity/docker-bench/releases/tag/v0.5.0 docker-bench_0.5.0_linux_amd64.rpm

Enviroment

uname -a
Linux ubuntu 6.2.0-27-generic #28-Ubuntu SMP PREEMPT_DYNAMIC Thu Jul 13 00:41:18 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux

docker version
Client: Docker Engine - Community
 Version:           24.0.5
 API version:       1.43
 Go version:        go1.20.6
 Git commit:        ced0996
 Built:             Fri Jul 21 20:36:04 2023
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.5
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.6
  Git commit:       a61e2b4
  Built:            Fri Jul 21 20:36:04 2023
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.22
  GitCommit:        8165feabfdfe38c65b599c4993d227328c231fca
 runc:
  Version:          1.1.8
  GitCommit:        v1.1.8-0-g82f18fe
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

Check Item

  - id: 1.1.8
    description: "Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)"
    audit: |
      test_file=$(grep 'containerd.sock' /etc/containerd/config.toml | awk -F "=" '{print $2}')
      if test -f "$test_file"; then
        auditctl -l | grep $test_file
      fi
    tests:
      test_items:
      - flag: "containerd.sock"
        set: true
    remediation: |
      If the file exists, you should add a rule for it. 
      For example: 
      Add the line below to the /etc/audit/audit.rules file:
      -w /run/containerd/containerd.sock -k docker
      Then restart the audit daemon. 
      For example:
      systemctl restart auditd
    scored: true

Step

Add audit for containerd.sock according to the remediation

1. Add rule for audit

vi /etc/audit/rules.d/audit.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

## docker-bench 1.1.8
-w /run/containerd/containerd.sock -k docker

2. restart audit

systemctl restart auditd

3. ran docker-bench again and the result was FAIL

./docker-bench --check="./docker-bench --check="1.1.8"
[INFO] 20.04 CIS Docker Community Edition Benchmark
[INFO] 1.1 Linux Hosts Specific Configuration
[FAIL] 1.1.8 Ensure auditing is configured for Docker files and directories - containerd.sock (Automated)

== Remediations ==
1.1.8 If the file exists, you should add a rule for it.
For example:
Add the line below to the /etc/audit/audit.rules file:
-w /run/containerd/containerd.sock -k docker
Then restart the audit daemon.
For example:
systemctl restart auditd


== Summary ==
0 checks PASS
1 checks FAIL
0 checks WARN
0 checks INFO

Expect

PASS

Seems we do not verify the values in the /etc/docker/daemon.json and thus fail the test.

So disable-legacy-registry configuration option has been removed base on below link (but in daemon.json file)
https://docs.docker.com/engine/reference/commandline/dockerd/

But the utility fails to find this and fails the test.

Running ./docker-bench --version ocp-3.9 we see

[WARN] 4.10 Ensure secrets are not stored in Dockerfiles (Not Scored)
[WARN] 4.11 Ensure verified packages are only Installed (Not Scored)
[FAIL] 4.
[INFO] 5 Container Runtime
[WARN] 5.2 Ensure SELinux security options are set, if applicable (Scored)

Test 4 is empty and should be removed altogether.

ÎThis CIS 1.3.1 was tested against Docker Engine 20.10 on RHEL 7 and Ubuntu 20.04.

Description of the following checks should be changed to-

2.2 Set the logging level (Scored)
2.3 Allow Docker to make changes to iptables (Scored)
2.4 Do not use insecure registries (Scored)
2.5 Do not use the aufs storage driver (Scored)
2.6 Configure TLS authentication for Docker daemon (Scored)
2.7 Set default ulimit as appropriate (Not Scored)
2.9 Confirm default cgroup usage (Scored)
2.10 Do not change base device size until needed (Scored)
2.11 Use authorization plugin (Scored)
2.12 Configure centralized and remote logging (Scored)
2.13 Disable operations on legacy registry (v1) (Scored)
2.14 Enable live restore (Scored)
2.18 Disable Userland Proxy (Scored)
2.20 Apply a daemon-wide custom seccomp profile, if needed (Not Scored)
2.21 Avoid experimental features in production (Scored)