Profile Applicability:
Level 2
Description:
The /usr/bin/containerd file is a critical component of Docker's container runtime. Auditing this file ensures that any unauthorized access or modification to the container runtime is detected.
Rationale:
The containerd binary runs with elevated privileges, and changes to this file could significantly impact Docker's security and functionality. Auditing this file ensures that unauthorized changes to the runtime are detected, enhancing system security.
Impact:
Pros:
Provides visibility into potential threats that could exploit vulnerabilities within the container runtime.
Detects unauthorized changes, which could help prevent security incidents.
Cons:
Auditing can generate large log files, which may require regular management like log rotation and archiving.
A separate partition for audit logs may be needed to avoid consuming critical system storage.
Default Value:
By default, Docker-related files, including /usr/bin/containerd, are not audited.
Pre-requisites:
Administrative access to the host system.
Basic knowledge of configuring audit rules for system files.
Remediation:
Test Plan:
Using AWS Console:
- Log in to the EC2 instance running Docker.
- Execute the following command to check if there is an audit rule for /usr/bin/containerd:
auditctl -l | grep /usr/bin/containerd
Using AWS CLI:
- Connect to the EC2 instance where Docker is running.
- Run the following command to verify if there is an audit rule applied to /usr/bin/containerd:
auditctl -l | grep /usr/bin/containerd
Implementation Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Add an audit rule for /usr/bin/containerd by editing the /etc/audit/rules.d/audit.rules file:
-w /usr/bin/containerd -k docker
- Restart the audit daemon to apply the changes:
sudo systemctl restart auditd
Using AWS CLI:
- Use SSM to remotely add the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"-w /usr/bin/containerd -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'
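The following script is an added example (not part of the CIS benchmark text) that combines the test and implementation steps above: it checks the output of `auditctl -l` for the containerd watch rule and appends the rule to the rules file only when it is not already present, so re-running it never duplicates the line. The functions take the rule listing and the rules-file path as arguments, so they can be exercised on constructed input without root; the `--apply` branch is the hypothetical live-host mode and uses `augenrules --load`, which reads /etc/audit/rules.d/ without restarting auditd.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark: check for and idempotently add the
# containerd watch rule. Functions take the rule listing and rules-file path as
# arguments so they can be exercised on constructed input without root.

RULE='-w /usr/bin/containerd -k docker'

# has_containerd_rule LISTING: succeed if LISTING (the text `auditctl -l` prints)
# contains a watch on /usr/bin/containerd. `auditctl -l` normalises watches to
# "-w <path> -p <perms> -k <key>", so only the path is matched; the trailing
# boundary keeps /usr/bin/containerd-shim from counting as a hit.
has_containerd_rule() {
    printf '%s\n' "$1" |
        grep -Eq -e '^-w[[:space:]]+/usr/bin/containerd([[:space:]]|$)'
}

# ensure_rule_in_file RULES_FILE: append RULE unless an identical line exists.
# Prints "added" or "present". -e is required because RULE begins with "-".
ensure_rule_in_file() {
    if [ -f "$1" ] && grep -Fxq -e "$RULE" "$1"; then
        echo present
    else
        printf '%s\n' "$RULE" >> "$1"
        echo added
    fi
}

# count_rule_lines RULES_FILE: number of exact copies of RULE (should be 1).
count_rule_lines() {
    grep -Fxc -e "$RULE" "$1" || true
}

# Live use on a host (needs root): verify, remediate, then load the rules.d
# directory with augenrules instead of restarting auditd.
if [ "${1:-}" = --apply ]; then
    if has_containerd_rule "$(auditctl -l 2>/dev/null)"; then
        echo "audit rule for /usr/bin/containerd already loaded"
    else
        ensure_rule_in_file /etc/audit/rules.d/audit.rules
        augenrules --load
    fi
fi
```

After loading, `ausearch -k docker` shows any access to or modification of the binary that the new watch recorded.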
Backout Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
-w /usr/bin/containerd -k docker
- Restart the audit daemon to apply the changes:
sudo systemctl restart auditd
Using AWS CLI:
- Use SSM to remotely remove the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"/-w \\/usr\\/bin\\/containerd -k docker/d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'
References:
CIS Docker Benchmark v1.7