Profile Applicability:

  • Level 1

Description:

The Docker daemon listens on the Docker socket, which is, by default, owned by the user root and the group docker. Anyone who can write to this socket has full control over the Docker daemon, so access to it should be restricted to trusted users.

Rationale:

Docker allows users to share a directory between the host and a container without limiting access rights. If untrusted users have membership in the docker group, they can start containers that might map sensitive host directories (e.g., /) to the container, potentially gaining elevated privileges and compromising the system. Therefore, restricting access to the Docker daemon is essential.

Impact:

Pros:

  • Restricts Docker daemon control to trusted users, minimizing the risk of privilege escalation.

  • Prevents unauthorized users from running containers with high-level access to the system.

Cons:

  • May require administrative management to regularly verify user memberships and remove untrusted users.

Default Value:

  • Not applicable; the Docker socket file is accessible by the docker group by default, and membership of this group should be tightly controlled.

Pre-requisites:

  • Access to the Docker host system with administrative privileges.

  • Familiarity with user management commands and system security configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.
  2. Execute the following command to list the members of the docker group:

       getent group docker

  3. Verify that only trusted users appear in the docker group.

Using AWS CLI:

  1. Connect to the EC2 instance running Docker.
  2. Run the following command to verify the members of the docker group:

       getent group docker


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove any untrusted users from the docker group using:

       sudo gpasswd -d <username> docker

  3. Ensure that only trusted users have access to Docker by reviewing group memberships regularly.
  4. Avoid creating mappings of sensitive directories from the host to container volumes.


Using AWS CLI:

  1. Use SSM to remotely remove untrusted users from the docker group:

       aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["sudo gpasswd -d <username> docker"]'
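As an added example (not part of the CIS benchmark or the Docker documentation), the check in the Test Plan and the removal step in the Implementation Plan can be combined into a POSIX shell audit that compares the docker group's members with an operator-supplied allow-list and prints the gpasswd commands it would run, rather than running them. It assumes getent(1) output in the standard name:passwd:gid:members format; the TRUSTED_USERS list and the sample group line are constructed values.

```shell
#!/bin/sh
# Audit docker group membership against an operator-supplied allow-list and
# print (not execute) the gpasswd commands that would remove everyone else.
# Added example; not part of the CIS benchmark or Docker documentation.
# Assumes getent(1) group output, e.g. "docker:x:999:alice,bob".

# Constructed allow-list of trusted users; replace with your own.
TRUSTED_USERS="alice ops-admin"

# Print each member named in a getent-format group line, one per line.
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Print members of the group line ($1) not in the space-separated allow-list ($2).
# Returns 0 when every member is trusted, 1 when at least one is not.
untrusted_docker_members() {
    _allow=" $2 "
    _found=0
    for _u in $(docker_group_members "$1"); do
        case "$_allow" in
            *" $_u "*) ;;                       # trusted, keep
            *) printf '%s\n' "$_u"; _found=1 ;; # untrusted, report
        esac
    done
    return $_found
}

# Emit the remediation commands (dry run) for each untrusted member.
remediation_commands() {
    untrusted_docker_members "$1" "$2" | while read -r _u; do
        printf 'sudo gpasswd -d %s docker\n' "$_u"
    done
}

# Audit the live host: group membership plus the socket's owner and group
# (the stat -c format is GNU coreutils syntax).
audit_live_docker_group() {
    _line=$(getent group docker) || { echo "no docker group on this host"; return 0; }
    if [ -S /var/run/docker.sock ]; then
        echo "docker.sock owner:group -> $(stat -c '%U:%G' /var/run/docker.sock)"
    fi
    if untrusted_docker_members "$_line" "$TRUSTED_USERS" >/dev/null; then
        echo "OK: only trusted users are in the docker group"
        return 0
    fi
    echo "FAIL: untrusted docker group members found; proposed remediation:"
    remediation_commands "$_line" "$TRUSTED_USERS"
    return 1
}

# Run the live audit only when asked, so the functions can be sourced or tested
# against a captured getent line without touching the host.
if [ "${1:-}" = "--live" ]; then
    audit_live_docker_group
fi
```

Run the script with --live on the Docker host to audit the real docker group; without arguments it only defines the functions, so the same membership logic can be exercised against a captured getent line. Printing the gpasswd commands instead of executing them keeps user removal a deliberate, reviewed step, which matches the regular membership review the Implementation Plan calls for.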


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Re-add users to the docker group if necessary using:

       sudo gpasswd -a <username> docker

  3. Revert any changes made to user group memberships.

Using AWS CLI:

  1. Use SSM to re-add users to the docker group:

       aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=<instance_id>" --parameters 'commands=["sudo gpasswd -a <username> docker"]'


References:

  1. CIS Docker Benchmark v1.7
  2. Docker Documentation: https://docs.docker.com/engine/security/#docker-daemon-attack-surface