Profile Applicability:

  • Level 2

Description:

The /usr/bin/containerd-shim-runc-v2 binary is the runc shim of the containerd runtime that Docker uses to manage containers; containerd executes one shim per container it starts, and the shim then owns the container's process for its lifetime. Auditing this file records access to and modification of the shim binary, so that tampering with the container runtime is visible in the audit log.

Rationale:

Docker runs with root privileges, and its behavior depends on several critical files and directories, including /usr/bin/containerd-shim-runc-v2. A modified or replaced shim runs as root on every container start, so an audit watch on this file gives early detection of malicious changes or misconfigurations.

Impact:

Pros:

  • Auditing provides visibility into potential unauthorized modifications of critical container management files.

  • Enhances system security by ensuring that Docker-related files and processes are being monitored.

Cons:

  • The rule generates one event for every matching access, and containerd executes this shim each time it starts a container, so busy hosts produce a high volume of audit records that need rotation and forwarding (see max_log_file and max_log_file_action in /etc/audit/auditd.conf).

  • Audit logs should be kept on a separate partition (or at least a dedicated volume) so that log growth cannot exhaust the root filesystem.

Default Value:

By default, files like /usr/bin/containerd-shim-runc-v2 are not audited unless explicitly configured.

Pre-requisites:

  • Administrative access to the Docker host system.

  • Basic knowledge of how to configure audit rules and use auditd.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker and containerd (for example through EC2 Instance Connect or Session Manager).
  2. Confirm that the shim binary exists at the audited path; distributions that install containerd under a different prefix need the rule path adjusted accordingly:
  • ls -l /usr/bin/containerd-shim-runc-v2
  3. Run the following command to verify that a watch rule for /usr/bin/containerd-shim-runc-v2 is loaded in the kernel (auditctl -l prints the loaded rules, not the contents of the rules files):
  • sudo auditctl -l | grep /usr/bin/containerd-shim-runc-v2
  4. The check passes if a line such as the following is returned; no output means the rule is missing:
  • -w /usr/bin/containerd-shim-runc-v2 -p rwxa -k docker

Using AWS CLI:

  1. Run the same check remotely through SSM Run Command (the instance must run the SSM agent under an instance profile that allows it). grep exits non-zero when nothing matches, so the invocation status is reported as Failed when the watch is missing:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["auditctl -l | grep /usr/bin/containerd-shim-runc-v2"]}'
  2. Retrieve the output using the CommandId returned by the previous call:
aws ssm get-command-invocation --command-id command_id --instance-id instance_id

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Add an audit rule for /usr/bin/containerd-shim-runc-v2 to the /etc/audit/rules.d/audit.rules file (files in rules.d are merged by augenrules into /etc/audit/audit.rules, so edits survive package updates better than editing the generated file directly). With no -p option the watch records read, write, execute and attribute access (rwxa); because containerd executes the shim for every container it starts, expect at least one event per container start:
  • -w /usr/bin/containerd-shim-runc-v2 -k docker
  3. Load the new rule set into the kernel:
  • sudo augenrules --load
  On hosts where auditd.service sets RefuseManualStop (RHEL-family distributions), sudo systemctl restart auditd is refused; augenrules --load applies the rules without a restart. If the audit configuration is locked with -e 2, the host must be rebooted for the new rule to take effect.
  4. Confirm the rule is active:
  • sudo auditctl -l | grep /usr/bin/containerd-shim-runc-v2

Using AWS CLI:

  1. Use SSM Run Command to add the rule and load it. The grep guard makes the command safe to re-run without duplicating the line. Commands run as root, so sudo is not needed; the rule text is double-quoted inside the JSON parameter because a single quote cannot be escaped inside a single-quoted shell string:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["grep -Fxq -- \"-w /usr/bin/containerd-shim-runc-v2 -k docker\" /etc/audit/rules.d/audit.rules || echo \"-w /usr/bin/containerd-shim-runc-v2 -k docker\" >> /etc/audit/rules.d/audit.rules","augenrules --load"]}'


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Remove the audit rule by editing /etc/audit/rules.d/audit.rules and deleting the line:
  • -w /usr/bin/containerd-shim-runc-v2 -k docker
  3. Reload the rule set so the watch is removed from the kernel (as with the implementation step, a locked configuration requires a reboot):
  • sudo augenrules --load
  4. Verify with sudo auditctl -l | grep /usr/bin/containerd-shim-runc-v2. augenrules only discards the previously loaded rules if the merged file begins with -D; if the watch is still listed, remove it directly:
  • sudo auditctl -W /usr/bin/containerd-shim-runc-v2 -k docker

Using AWS CLI:

  1. Use SSM Run Command to delete the rule line and reload. The sed expression uses | as its delimiter so the slashes in the path need no escaping, and the ^ and $ anchors keep it from matching a longer path that merely contains this one:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters '{"commands":["sed -i \"\\|^-w /usr/bin/containerd-shim-runc-v2 -k docker$|d\" /etc/audit/rules.d/audit.rules","augenrules --load"]}'
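The test, implementation and backout plans above are three variations on the same few operations: decide whether the watch is loaded, add the rule line without duplicating it, delete it, and reload. The script below is an added example (not part of this page or of the CIS benchmark it follows) that packages those operations as idempotent shell functions suitable for repeated runs from SSM or a configuration-management tool. The subcommand names (check, apply, remove, demo) and the RULES_FILE override are this example's own conventions; the demo subcommand runs offline against a scratch file and a constructed auditctl -l listing, so nothing on the host is touched.

```shell
#!/bin/sh
# Added example (not from the page or the CIS benchmark): idempotent helpers for
# the containerd-shim audit watch. Subcommands: check | apply | remove | demo.
set -eu

WATCH_PATH="/usr/bin/containerd-shim-runc-v2"
RULE_LINE="-w ${WATCH_PATH} -k docker"
# Overridable so the helpers can be exercised against a scratch file (assumption
# of this example; the real location is the auditd default below).
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# rule_loaded LISTING: LISTING is the text printed by `auditctl -l`. Returns 0
# when a watch on exactly WATCH_PATH is loaded. auditctl prints a watch as
# "-w <path> -p <perms> -k <key>", so the path is matched as a whole field:
# a watch on /usr/bin/containerd-shim-runc-v2.bak must not count as a pass.
rule_loaded() {
  printf '%s\n' "$1" | grep -Eq "^-w[[:space:]]+${WATCH_PATH}([[:space:]]|\$)"
}

# ensure_rule FILE: append RULE_LINE unless that exact line is already present.
# Prints "added" or "present" so the caller knows whether a reload is needed.
ensure_rule() {
  if grep -Fxq -- "$RULE_LINE" "$1" 2>/dev/null; then
    echo present
  else
    printf '%s\n' "$RULE_LINE" >> "$1"
    echo added
  fi
}

# remove_rule FILE: delete lines equal to RULE_LINE, keeping the file's mode.
remove_rule() {
  [ -f "$1" ] || return 0
  cp -p "$1" "$1.tmp"
  grep -Fvx -- "$RULE_LINE" "$1" > "$1.tmp" || true   # grep exits 1 if nothing is left
  mv "$1.tmp" "$1"
}

# load_rules: merge rules.d and load it into the kernel without restarting
# auditd (systemctl restart auditd is refused where the unit sets RefuseManualStop).
load_rules() {
  augenrules --load
}

check() {
  [ -e "$WATCH_PATH" ] || echo "warning: $WATCH_PATH not present on this host" >&2
  if rule_loaded "$(auditctl -l)"; then
    echo "PASS: watch loaded for $WATCH_PATH"
  else
    echo "FAIL: no watch loaded for $WATCH_PATH"
    return 1
  fi
}

apply() {
  [ "$(ensure_rule "$RULES_FILE")" = present ] || load_rules
  check
}

backout() {
  remove_rule "$RULES_FILE"
  load_rules
  # augenrules only clears the old rules if the merged file starts with -D,
  # so drop the watch explicitly in case it is still loaded.
  rule_loaded "$(auditctl -l)" && auditctl -W "$WATCH_PATH" -k docker
  true
}

# demo: exercise the helpers offline against a scratch file and a constructed
# `auditctl -l` listing (constructed sample, not captured from a real host).
demo() {
  scratch=$(mktemp)
  listing='-w /etc/docker -p rwxa -k docker
-w /usr/bin/containerd-shim-runc-v2 -p rwxa -k docker'
  echo "first ensure:  $(ensure_rule "$scratch")"   # added
  echo "second ensure: $(ensure_rule "$scratch")"   # present
  rule_loaded "$listing" && echo "sample listing: watch found"
  remove_rule "$scratch"
  echo "after remove:  $(ensure_rule "$scratch")"   # added
  rm -f "$scratch"
}

case "${1:-}" in
  check)  check ;;
  apply)  apply ;;
  remove) backout ;;
  demo)   demo ;;
esac
```

Run it as `sh audit-shim.sh apply` on the host (or pass that command string to AWS-RunShellScript after copying the script over); `sh audit-shim.sh demo` needs neither auditd nor root. The check function deliberately inspects the kernel's loaded rules rather than the rules file, because a line in rules.d that was never loaded, or that was discarded by a later -D, gives no protection.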


References: