Profile Applicability:

  • Level 2

Description:

The /usr/bin/containerd-shim-runc-v1 file is part of the containerd runtime, which is used by Docker to manage containers. Auditing this file ensures that any unauthorized changes to the container runtime are detected, thus enhancing the security of the system.

Rationale:

The Docker daemon relies on containerd for container management, and containerd-shim-runc-v1 is responsible for managing the lifecycle of individual containers. Given the elevated privileges required by Docker and containerd, auditing this file helps detect potential attacks or unauthorized access.

Impact:

Pros:

  • Auditing provides visibility into potential threats targeting the container runtime.

  • Allows early detection of unauthorized changes, which could lead to vulnerabilities.

Cons:

  • Auditing can generate large log files, which require effective log management such as rotation and archiving.

  • Requires additional storage or partitioning to avoid consuming critical system resources.

Default Value:

By default, Docker-related files such as /usr/bin/containerd-shim-runc-v1 are not audited.

Pre-requisites:

  • Administrative access to the Docker host system.

  • Familiarity with configuring audit rules using auditd.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker and containerd.
  2. Run the following command to check if an audit rule is applied to /usr/bin/containerd-shim-runc-v1:
  • auditctl -l | grep /usr/bin/containerd-shim-runc-v1

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.
  2. Execute the following command to verify if an audit rule exists for /usr/bin/containerd-shim-runc-v1:
  • auditctl -l | grep /usr/bin/containerd-shim-runc-v1

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add an audit rule for /usr/bin/containerd-shim-runc-v1 by editing the /etc/audit/rules.d/audit.rules file:
  • -w /usr/bin/containerd-shim-runc-v1 -k docker

  3. Restart the audit daemon to apply the changes:

  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely add the audit rule and restart the audit daemon:
  • aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["echo \"-w /usr/bin/containerd-shim-runc-v1 -k docker\" >> /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'

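Once the watch is loaded, every access to the shim binary is written to /var/log/audit/audit.log as a group of records sharing one event serial, with the SYSCALL record tagged key="docker" and a PATH record naming the file; auid survives sudo, so it identifies the login user behind a root shell. As an added example that is not part of this benchmark, the Python below groups such records by serial and reports who touched the shim; the log lines are constructed samples and the field layout assumes the standard auditd record format.

```python
import re
from collections import defaultdict

# Watch rule from this recommendation: -w /usr/bin/containerd-shim-runc-v1 -k docker
# (without -p the watch logs r, w, x and a access, so reads are reported too).
WATCHED_PATH = "/usr/bin/containerd-shim-runc-v1"
WATCH_KEY = "docker"

# Constructed sample of /var/log/audit/audit.log records (not a real capture).
# Event 101: a sudo user (auid=1000, running as uid=0) overwrites the shim with cp.
# Event 102: another file under the same key; it must not be reported.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:101): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd1 a2=241 a3=1b6 items=2 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="cp" exe="/usr/bin/cp" key="docker"
type=CWD msg=audit(1700000000.101:101): cwd="/tmp"
type=PATH msg=audit(1700000000.101:101): item=0 name="/usr/bin/" inode=1 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:101): item=1 name="/usr/bin/containerd-shim-runc-v1" inode=2 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:102): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2 a2=241 a3=1b6 items=1 ppid=4000 pid=4002 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="sh" exe="/usr/bin/bash" key="docker"
type=PATH msg=audit(1700000000.102:102): item=0 name="/usr/bin/docker" inode=3 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
_MSG = re.compile(r'msg=audit\(([\d.]+):(\d+)\)')

def parse_record(line):
    """Split one audit record into a dict; quoted values lose their quotes."""
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    m = _MSG.search(line)
    if m:
        rec["time"], rec["serial"] = m.group(1), m.group(2)
    return rec

def find_shim_events(log_text, path=WATCHED_PATH, key=WATCH_KEY):
    """One summary per audit event (records sharing a serial) whose SYSCALL record
    carries the watch key and whose PATH records name the watched file."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "serial" in rec:
            events[rec["serial"]].append(rec)
    hits = []
    for serial, recs in sorted(events.items()):
        syscalls = [r for r in recs if r["type"] == "SYSCALL" and r.get("key") == key]
        touched = any(r["type"] == "PATH" and r.get("name") == path for r in recs)
        if syscalls and touched:
            s = syscalls[0]
            hits.append({"serial": serial, "time": s["time"], "auid": s["auid"],
                         "uid": s["uid"], "exe": s["exe"], "comm": s["comm"],
                         "syscall": s["syscall"], "success": s["success"]})
    return hits
```

Run find_shim_events() over the real log (or over `ausearch -k docker --raw` output) to get the same per-event summaries for the live host.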

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing the /etc/audit/rules.d/audit.rules file and deleting the line:
  • -w /usr/bin/containerd-shim-runc-v1 -k docker

  3. Restart the audit daemon to apply the changes:

  • sudo systemctl restart auditd

Using AWS CLI:

  1. Use SSM to remotely remove the audit rule and restart the audit daemon:
  • aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"/^-w \\/usr\\/bin\\/containerd-shim-runc-v1 -k docker/d\" /etc/audit/rules.d/audit.rules && sudo systemctl restart auditd"]}'

References: