McAfee Enterprise MVISION Cloud

Essential Policy Templates for Container Security

Container Security - Essential

MVISION Cloud provides Essential and Advanced preconfigured templates for Container Security. 

On the Policy > Policy Templates page, select Recommendation/Benchmark filters for Container Security - Essential and Container Security - Advanced policy templates. 

  • Container Security - Essential. These are 18 policy templates with the minimum requirements for container security resource discovery and On-Demand Scans. 
  • Container Security - Advanced. This is the list of all available container security policy templates. 

The Container Security - Essential policy templates are listed in the following table. 

You can also download the table as an XLSX file.

| Policy Name | Resource | Benchmark | PCI DSS | HIPAA | NIST 800-53 | Policy Description |
| --- | --- | --- | --- | --- | --- | --- |
| ACR: Repositories should not be exposed to everyone/publicly for push actions | ACR | | Yes | | SI-7, Software, Firmware, and Information Integrity | Repository policy push actions should be avoided. |
| AKS: Argument anonymous-auth should be set to false for Kubelet Server | AKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.8, 7.2 | 164.312(a)(1), 164.308(a)(3)(i), 164.308(b)(1), 164.312(c)(1), 164.312(e)(1) | CM-3 | When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. |
| AKS: Argument basic-auth-file should not be set for API Server | AKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.3 | | CM-3 | Basic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. Basic authentication is currently supported for convenience only. Hence, basic authentication should not be used. |
| ECS Fargate: Default seccomp profile should not be disabled in ECS Fargate cluster | ECS FARGATE | CIS Level 1 | | | CM-3 | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows 311 system calls, blocking all others. It should not be disabled unless it hinders your container application usage. |
| ECR: Repositories should not be exposed to everyone/publicly for push actions | ECR | | Yes | | SI-7, Software, Firmware, and Information Integrity | Repository policy push actions should be avoided. |
| ECS Docker Host: Docker default seccomp profile should not be disabled | ECS | CIS Level 1 | | 164.308(a)(3)(i), 164.308(b)(1), 164.312(a)(1), 164.312(c)(1), 164.312(e)(1) | CM-3, SC-39 | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage. |
| ECS Docker Host: Docker's default bridge docker0 should not be used | ECS | CIS Level 1 | | 164.308(a)(3)(i), 164.308(b)(1), 164.312(a)(1), 164.312(c)(1), 164.312(e)(1) | CM-3, SC-39 | You should not use Docker's default bridge docker0. Instead, use Docker's user-defined networks for container networking. |
| ECS: Default seccomp profile should not be disabled | ECS | CIS Level 1 | | | CM-3 | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows 311 system calls, blocking all others. It should not be disabled unless it hinders your container application usage. |
| ECS: Docker's default bridge networking mode should not be used | ECS | CIS Level 1 | | | CM-3 | Do not use Docker's default bridge docker0. Use Docker's user-defined networks for container networking. |
| EKS Docker Host: Docker default seccomp profile should not be disabled in AWS EKS cluster hosts | EKS | | | 164.308(a)(3)(i), 164.308(b)(1), 164.312(a)(1), 164.312(c)(1), 164.312(e)(1) | CM-3, SC-39 | Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The default Docker seccomp profile works on a whitelist basis and allows a large number of common system calls, whilst blocking all others. This filtering should not be disabled unless it causes a problem with your container application usage. |
| EKS Docker Host: Docker's default bridge docker0 should not be used in AWS EKS cluster hosts | EKS | | | 164.308(a)(3)(i), 164.308(b)(1), 164.312(a)(1), 164.312(c)(1), 164.312(e)(1) | CM-3, SC-39 | You should not use Docker's default bridge docker0. Instead, use Docker's user-defined networks for container networking. |
| EKS FARGATE: Argument anonymous-auth should be set to false for Kubelet Server | EKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.8, 7.2 | 164.312(a)(1), 164.308(a)(3)(i), 164.308(b)(1), 164.312(c)(1), 164.312(e)(1) | CM-3 | When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. |
| EKS: Argument anonymous-auth should be set to false for Kubelet Server | EKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.8, 7.2 | 164.312(a)(1), 164.308(a)(3)(i), 164.308(b)(1), 164.312(c)(1), 164.312(e)(1) | CM-3 | When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. |
| EKS: Argument basic-auth-file should not be set for API Server | EKS | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.3 | | CM-3 | Basic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. Basic authentication is currently supported for convenience only. Hence, basic authentication should not be used. |
| EKS: Enable control plane logging during EKS cluster creation | EKS | | 10.1, 10.2.2, 10.2.4, 10.2.5, 10.2.7, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6 | | CM-3 | |
| GCR: Registries should not be exposed to everyone/publicly for push actions | | | | | | Registry push actions should not be allowed to everyone. |
| GKE: Argument anonymous-auth should be set to false for Kubelet Server | GKE | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.8, 7.2 | 164.312(a)(1), 164.308(a)(3)(i), 164.308(b)(1), 164.312(c)(1), 164.312(e)(1) | CM-3 | When enabled, requests that are not rejected by other configured authentication methods are treated as anonymous requests. These requests are then served by the Kubelet server. You should rely on authentication to authorize access and disallow anonymous requests. |
| GKE: Argument basic-auth-file should not be set for API Server | GKE | CIS Level 1 | 2.2, 2.2.3, 2.2.4, 2.3, 6.5.3 | | CM-3 | Basic authentication uses plaintext credentials for authentication. Currently, the basic authentication credentials last indefinitely, and the password cannot be changed without restarting the API server. Basic authentication is currently supported for convenience only. Hence, basic authentication should not be used. |
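As an added illustration (not MVISION Cloud code), the Python below shows what the Kubelet, API Server and Docker host templates in the table actually evaluate, run over constructed sample inputs: a KubeletConfiguration file, a kube-apiserver command line and the HostConfig object returned by `docker inspect`. The flag-parsing helper and the finding strings are assumptions for this example.

```python
import json
import shlex

# Constructed sample inputs (not taken from the page): a kubelet config file,
# a kube-apiserver command line and the HostConfig object of `docker inspect`.
KUBELET_CONFIG = json.dumps({"kind": "KubeletConfiguration",
                             "authentication": {"anonymous": {"enabled": True}}})
APISERVER_CMDLINE = ("kube-apiserver --basic-auth-file=/etc/kubernetes/basic.csv "
                     "--authorization-mode=Node,RBAC")
DOCKER_HOSTCONFIG = json.dumps({"NetworkMode": "bridge",
                                "SecurityOpt": ["seccomp=unconfined"]})

def flag_value(args, name):
    """Value of a flag given as '--name=v' or '--name v', or None if absent."""
    for i, arg in enumerate(args):
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
        if arg == name and i + 1 < len(args):
            return args[i + 1]
    return None

def kubelet_findings(config_json, cmdline=""):
    """anonymous-auth must be false: the command-line flag overrides the file."""
    cfg = json.loads(config_json)
    in_file = cfg.get("authentication", {}).get("anonymous", {}).get("enabled")
    flag = flag_value(shlex.split(cmdline), "--anonymous-auth")
    enabled = in_file if flag is None else flag.lower() == "true"
    if enabled is None:  # neither source disables it explicitly: report it
        return ["Kubelet: anonymous-auth not explicitly set to false"]
    return ["Kubelet: anonymous-auth is enabled"] if enabled else []

def apiserver_findings(cmdline):
    """basic-auth-file must not be set: it holds static plaintext credentials."""
    if flag_value(shlex.split(cmdline), "--basic-auth-file") is not None:
        return ["API Server: --basic-auth-file is set"]
    return []

def docker_findings(hostconfig_json):
    """Default seccomp profile must stay on; containers must avoid docker0."""
    host = json.loads(hostconfig_json)
    findings = []
    # Older Docker releases wrote 'seccomp:unconfined'; normalise to '='.
    opts = [o.replace(":", "=", 1) for o in (host.get("SecurityOpt") or [])]
    if "seccomp=unconfined" in opts:
        findings.append("Docker: default seccomp profile is disabled")
    # 'default' is the daemon's default network, i.e. docker0 on a stock daemon.
    if host.get("NetworkMode") in ("bridge", "default"):
        findings.append("Docker: container uses the default bridge docker0")
    return findings
```

On a real host the same functions would be fed the kubelet config file, the process command lines from `ps`, and `docker inspect --format '{{json .HostConfig}}'` output per container.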