Profile Applicability:
Level 2
Description:
The /usr/bin/containerd-shim file is part of the containerd runtime and is critical for managing containers in the Docker ecosystem. Auditing this file records modifications to it and accesses of it in the audit log, so that unauthorized changes or use can be detected.
Rationale:
The Docker daemon relies on containerd for managing containers, and containerd-shim is used to manage the lifecycle of individual containers. Given the elevated privileges that Docker operates under, it is important to track the use of this file to prevent unauthorized manipulation or exploitation.
Impact:
Pros:
Provides visibility into the use of containerd-shim, enhancing security by monitoring for unauthorized access or changes.
Helps with auditing and detecting suspicious activity within the container runtime environment.
Cons:
Auditing this file can generate large log files, which require proper management (rotation and archiving). Note that a -w watch rule with no -p option defaults to -p rwxa, so reads, writes, executions and attribute changes are all logged.
May require a dedicated partition for audit logs to avoid filling up critical system storage.
Default Value:
By default, the /usr/bin/containerd-shim file is not audited unless explicitly configured.
Pre-requisites:
Administrative access to the Docker host system.
Basic knowledge of how to configure auditd and audit rules.
Remediation:
Test Plan:
Using AWS Console:
- Log in to the EC2 instance running Docker and containerd.
- Run the following command to verify whether an audit rule exists for the /usr/bin/containerd-shim file (listing the loaded rules requires root):
sudo auditctl -l | grep /usr/bin/containerd-shim
Using AWS CLI:
- Connect to the EC2 instance.
- Execute the following command to check whether an audit rule has been applied to the /usr/bin/containerd-shim file (listing the loaded rules requires root):
sudo auditctl -l | grep /usr/bin/containerd-shim
Implementation Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Add an audit rule for /usr/bin/containerd-shim by editing the /etc/audit/rules.d/audit.rules file:
-w /usr/bin/containerd-shim -k docker
- Restart the audit daemon to apply the changes:
sudo systemctl restart auditd
Using AWS CLI:
- Use SSM to remotely add the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"-w /usr/bin/containerd-shim -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'
Backout Plan:
Using AWS Console:
- Log in to the EC2 instance.
- Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
-w /usr/bin/containerd-shim -k docker
- Restart the audit daemon to apply the changes:
sudo systemctl restart auditd
Using AWS CLI:
- Use SSM to remotely remove the audit rule and restart the audit daemon:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"\\|^-w /usr/bin/containerd-shim -k docker$|d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]'
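The following script is an added example, not part of the CIS benchmark text, that covers both the Implementation Plan and the Backout Plan above. It writes and removes the page's audit rule idempotently (the plain echo >> append above adds a duplicate line every time it is re-run, and a loose sed pattern could remove neighbouring rules), and it checks the live rule list the way the Test Plan does. The function names, the RULES_FILE variable and the apply/revert entry point are this example's own assumptions; the rule line and file path are the ones the page gives.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark text: idempotent helpers for the
# containerd-shim audit watch. Function names, RULES_FILE and the apply/revert
# entry point are this example's own; the rule line is the one the page gives.
RULE='-w /usr/bin/containerd-shim -k docker'
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# rule_in_file FILE: succeed if FILE contains the rule as an exact line.
rule_in_file() {
    grep -qxF -- "$RULE" "$1" 2>/dev/null
}

# add_rule FILE: append the rule only when it is absent, so repeated runs
# (for example a re-sent SSM command) do not pile up duplicate lines.
add_rule() {
    if rule_in_file "$1"; then
        return 0
    fi
    printf '%s\n' "$RULE" >> "$1"
}

# remove_rule FILE: drop exact matches of the rule line and keep every other
# rule. The file is rewritten in place so its ownership and mode survive.
remove_rule() {
    tmp="$1.tmp.$$"
    grep -vxF -- "$RULE" "$1" > "$tmp" || true   # grep exits 1 when nothing is left
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# rule_loaded: read `auditctl -l` output on stdin and succeed if the watch on
# containerd-shim with key docker is live. The kernel reports a bare -w rule as
# '-w /usr/bin/containerd-shim -p rwxa -k docker', so the match is not exact.
rule_loaded() {
    grep -q -- '^-w /usr/bin/containerd-shim .*-k docker$'
}

# Usage on the Docker host, as root: ./containerd_shim_audit.sh apply | revert
case "${1:-}" in
    apply)
        add_rule "$RULES_FILE"
        systemctl restart auditd
        auditctl -l | rule_loaded && echo "containerd-shim watch is loaded"
        ;;
    revert)
        remove_rule "$RULES_FILE"
        systemctl restart auditd
        ;;
esac
```

Because add_rule and remove_rule take the rules file as an argument, the same functions can be exercised against a scratch copy before they are pointed at /etc/audit/rules.d/audit.rules, and rule_loaded accepts captured auditctl -l output on stdin, so the check can be run over output gathered from many hosts.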
References:
CIS Docker Benchmark v1.7