Profile Applicability:

  • Level 2

Description:

The /etc/containerd/config.toml file contains important configuration parameters for containerd, which is used by Docker for container orchestration. Auditing this file ensures that any unauthorized changes to the containerd configuration are detected.

Rationale:

The Docker daemon interacts with containerd for container management, and containerd operates with root privileges. As such, auditing the /etc/containerd/config.toml file is important to detect potential malicious modifications to containerd's configuration, which could compromise the security and functionality of the container environment.

Impact:

Pros:

  • Auditing provides visibility into changes made to the containerd configuration.

  • Helps detect unauthorized access or modifications that could lead to security risks or misconfigurations.

Cons:

  • Auditing can generate large log files, requiring proper management like log rotation and archiving.

  • May require a separate partition for audit logs to avoid filling up critical system partitions.

Default Value:

By default, files such as /etc/containerd/config.toml are not audited unless configured explicitly.

Pre-requisites:

  • Administrative access to the host system.

  • Basic understanding of auditd and how to configure audit rules for system files.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker and containerd.
  2. Execute the following command to verify if there is an audit rule for /etc/containerd/config.toml:
  • auditctl -l | grep /etc/containerd/config.toml

Using AWS CLI:

  1. Connect to the EC2 instance.
  2. Run the following command to check if there is an audit rule applied to the /etc/containerd/config.toml file:
  • auditctl -l | grep /etc/containerd/config.toml

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add an audit rule for /etc/containerd/config.toml by editing the /etc/audit/rules.d/audit.rules file:
  • -w /etc/containerd/config.toml -k docker
  3. Restart the audit daemon to apply the changes:
  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely add the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"-w /etc/containerd/config.toml -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
  • -w /etc/containerd/config.toml -k docker
  3. Restart the audit daemon to apply the changes:
  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely remove the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"/-w \\/etc\\/containerd\\/config.toml -k docker/d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'
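
The Test Plan, Implementation Plan and Backout Plan above, combined into one added shell script that is not part of the benchmark text. The function names, the RULES_FILE override and the --apply/--remove flags are this example's own choices. It adds or removes the exact rule line idempotently (so re-running the remediation never duplicates it), and it loads the rules with `augenrules --load` when available: on several distributions the auditd unit is marked RefuseManualStop, so the page's `systemctl restart auditd` step fails there while `augenrules --load` still applies the change.

```shell
#!/bin/sh
# Added example (not from the benchmark page): manage the auditd watch rule for
# /etc/containerd/config.toml idempotently. Function names and flags are assumptions.
set -eu

WATCHED_FILE="/etc/containerd/config.toml"
AUDIT_KEY="docker"
# Persistent rules file named by the benchmark; overridable for testing.
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# Build the exact rule line the benchmark asks for: -w <path> -k <key>
audit_rule_line() {
    printf '%s %s %s %s\n' -w "$1" -k "$2"
}

# Return 0 if the persistent rules file already contains the watch rule (exact line match).
audit_rule_present() {
    rules_file="$1"; watched="$2"; key="$3"
    [ -f "$rules_file" ] || return 1
    grep -qxF -- "$(audit_rule_line "$watched" "$key")" "$rules_file"
}

# Append the rule only if it is missing, so repeated runs leave a single copy.
add_audit_rule() {
    rules_file="$1"; watched="$2"; key="$3"
    if audit_rule_present "$rules_file" "$watched" "$key"; then
        return 0
    fi
    audit_rule_line "$watched" "$key" >> "$rules_file"
}

# Backout: drop the exact rule line. Fixed-string matching means the path needs no escaping.
remove_audit_rule() {
    rules_file="$1"; watched="$2"; key="$3"
    [ -f "$rules_file" ] || return 0
    line="$(audit_rule_line "$watched" "$key")"
    tmp="$(mktemp)"
    # grep exits 1 when nothing is left, which is fine here; rewrite in place to keep file mode.
    grep -vxF -- "$line" "$rules_file" > "$tmp" || true
    cat "$tmp" > "$rules_file"
    rm -f "$tmp"
}

# Push the persistent rules into the running kernel. augenrules regenerates
# /etc/audit/audit.rules from rules.d and loads it; fall back to a daemon restart.
apply_audit_rules() {
    if command -v augenrules >/dev/null 2>&1; then
        augenrules --load
    else
        systemctl restart auditd
    fi
}

# Live check used by the Test Plan: is a watch on the file present in the loaded ruleset?
audit_rule_loaded() {
    auditctl -l 2>/dev/null | grep -qF -- "-w $1"
}

# Only touch the host when explicitly asked; sourcing or running without flags is a no-op.
if [ "${1:-}" = "--apply" ]; then
    add_audit_rule "$RULES_FILE" "$WATCHED_FILE" "$AUDIT_KEY"
    apply_audit_rules
    audit_rule_loaded "$WATCHED_FILE" && echo "watch rule active for $WATCHED_FILE"
elif [ "${1:-}" = "--remove" ]; then
    remove_audit_rule "$RULES_FILE" "$WATCHED_FILE" "$AUDIT_KEY"
    apply_audit_rules
fi
```

Run it as root with `--apply` to remediate and `--remove` to back out; the final `audit_rule_loaded` check reports whether the watch actually reached the kernel, which is the condition the Test Plan's `auditctl -l | grep` verifies.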


References: