Profile Applicability:
Level 1
Description:
A container host should be hardened to secure the underlying operating system and remove avoidable attack vectors. Every container on the host shares its kernel, and anyone who can control the Docker daemon has root-equivalent access to the host, so the host is the trust boundary for the whole containerized environment. Hardening means applying the standard operating-system security baseline (patching, minimal services, host firewall, restricted administrative access) to that host.
Rationale:
Hardening the host system minimizes the attack surface. A compromised host means every container on it is compromised, regardless of how the containers themselves are configured. The container host must therefore be configured with appropriate security controls so that it is not itself an easy target: current patches, a host firewall with a default-deny inbound policy, only the services the host needs, and administrative privileges (including membership of the docker group) limited to authorized users.
Impact:
Pros:
Reduces the risk of security breaches by mitigating known vulnerabilities.
Improves the overall security posture of the containerized environment.
Cons:
May require additional time and effort to implement and maintain.
Misconfigurations could result in service disruptions.
Default Value:
The default state of a container host is not hardened, meaning it may have open ports, default user permissions, and unnecessary services running.
Pre-requisites:
Administrative privileges on the container host.
Knowledge of security best practices for hardening Linux-based systems (e.g., CIS benchmarks).
Remediation:
Test Plan:
Using AWS Console:
1. Log in to the EC2 instance running Docker (for example through Session Manager in the AWS Console).
2. Verify that unnecessary services (e.g., FTP, Telnet) are disabled and not running.
3. Confirm that the host firewall is enabled with a default-deny inbound policy and allows only the required ports. EC2 security groups are a separate control; both should be reviewed.
4. Check user permissions and verify that only authorized users hold administrative privileges. Membership of the docker group counts as administrative, since it grants root-equivalent access to the host.
Using AWS CLI:
1. Connect to the EC2 instance via SSH or Systems Manager (SSM).
2. Run the following command to list running services and look for unnecessary ones:
systemctl list-units --type=service --state=running
3. Run the following command to verify firewall settings (verbose shows the default policies; on Amazon Linux or RHEL, which use firewalld or plain iptables rather than ufw, use sudo firewall-cmd --list-all or sudo iptables -S instead):
sudo ufw status verbose
4. Check user permissions. /etc/passwd alone does not show who is privileged: list accounts with UID 0 and the members of the sudo, wheel and docker groups:
awk -F: '$3 == 0' /etc/passwd
grep -E '^(sudo|wheel|docker):' /etc/group
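The Test Plan steps above can be automated. The script below is an added example, not part of the CIS Docker Benchmark or of any AWS tooling: each check is a function that reads the relevant command output or file on stdin, so the checks can be exercised against constructed input, and audit_host runs them against the live host. The list of unwanted services is an assumption to be tuned per site.

```shell
#!/usr/bin/env bash
# Added example (not from the CIS Docker Benchmark): automates the Test Plan
# checks. The unwanted-service list is an assumption; tune it per site.

# Services that have no place on a container host (assumed list).
UNWANTED_SERVICES="vsftpd telnet rsh rlogin tftp xinetd avahi-daemon cups"

# Input: `systemctl list-unit-files --type=service --no-legend` on stdin
# (columns: unit file, state[, preset]). Output: enabled unwanted units.
flag_unwanted_services() {
    local unit state name
    while read -r unit state _; do
        name=${unit%.service}
        case " $UNWANTED_SERVICES " in
            *" $name "*) if [ "$state" = enabled ]; then echo "$name"; fi ;;
        esac
    done
    return 0
}

# Input: /etc/passwd on stdin. Output: accounts other than root with UID 0,
# i.e. extra superusers (a classic persistence trick).
flag_extra_uid0() {
    local name uid
    while IFS=: read -r name _ uid _; do
        if [ "$uid" = 0 ] && [ "$name" != root ]; then echo "$name"; fi
    done
    return 0
}

# Input: /etc/group on stdin. Output: group:member for the sudo, wheel and
# docker groups. docker membership is root-equivalent on the host, so it is
# an administrative privilege even though it is not "sudo".
flag_privileged_members() {
    local group members m
    while IFS=: read -r group _ _ members; do
        case $group in
            sudo|wheel|docker)
                for m in $(printf '%s' "$members" | tr ',' ' '); do
                    echo "$group:$m"
                done ;;
        esac
    done
    return 0
}

# Input: `ufw status verbose` on stdin. Returns 0 only if the firewall is
# active AND the default inbound policy is deny; "active" with a default
# allow policy restricts nothing.
firewall_ok() {
    local line active=0 deny_in=0
    while read -r line; do
        case $line in
            "Status: active") active=1 ;;
            "Default: deny (incoming)"*) deny_in=1 ;;
        esac
    done
    [ "$active" = 1 ] && [ "$deny_in" = 1 ]
}

# Run all checks against the live host; needs root for ufw.
audit_host() {
    echo "== enabled unwanted services =="
    systemctl list-unit-files --type=service --no-legend | flag_unwanted_services
    echo "== extra UID 0 accounts =="
    flag_extra_uid0 < /etc/passwd
    echo "== members of sudo/wheel/docker =="
    flag_privileged_members < /etc/group
    echo "== host firewall =="
    if ! command -v ufw >/dev/null 2>&1; then
        echo "ufw not installed: check firewalld (firewall-cmd --list-all) or iptables -S"
    elif sudo ufw status verbose | firewall_ok; then
        echo "ok: active, default deny incoming"
    else
        echo "NOT OK: inactive or default allow incoming"
    fi
}

if [ "${1:-}" = --run ]; then audit_host; fi
```

Run it as ./audit_host.sh --run on the instance (or ship it through SSM). An empty list under the first three headings and "ok" under the firewall heading is the expected state of a hardened host; anything else is a finding to act on in the Implementation Plan.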
Implementation Plan:
Using AWS Console:
1. Log in to the EC2 instance.
2. Apply system updates and patches using:
sudo apt-get update && sudo apt-get upgrade -y
(for Debian-based systems)
sudo yum update -y
(for RHEL/CentOS-based systems)
3. Disable unnecessary services. disable on its own only prevents the unit from starting at the next boot; --now also stops the running instance:
sudo systemctl disable --now <service-name>
4. Configure the firewall using ufw or iptables. Record the current rule set first (sudo ufw status verbose, or sudo iptables-save) so the backout plan has something to restore. Set a default-deny inbound policy and allow the SSH port before enabling; enabling with no allow rule on an instance that is reached over SSH locks the operator out:
sudo ufw default deny incoming
sudo ufw allow <port-number>
sudo ufw enable
5. Review user permissions and adjust as necessary. Prefer removing a user from privileged groups (sudo, wheel, docker) or locking the account over deleting it; deletion is not reversible by the backout plan:
sudo gpasswd -d <user-name> sudo
sudo usermod -L <user-name>
sudo userdel <user-name>
(userdel only for accounts that should not exist at all)
Using AWS CLI:
The AWS-RunShellScript document runs as root on Linux, so sudo is optional in the commands below. The commands must be non-interactive, because there is no terminal to answer prompts and a prompt would hang the command until it times out; hence -y, DEBIAN_FRONTEND=noninteractive and ufw --force.
1. Use SSM to apply system updates and patching:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["export DEBIAN_FRONTEND=noninteractive; apt-get update && apt-get upgrade -y"]'
2. Use SSM to disable unnecessary services:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["systemctl disable --now <service-name>"]'
3. Use SSM to configure firewall rules (--force suppresses the confirmation prompt that ufw enable prints):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["ufw default deny incoming && ufw allow <port-number> && ufw --force enable"]'
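The SSM commands above are fire-and-forget: send-command returns a command ID and nothing tells you whether the remote script succeeded. The script below is an added example, not code from the CIS Docker Benchmark or from AWS, that bundles the Implementation Plan steps for a Debian/Ubuntu host into one non-interactive remote script, sends it through SSM, waits for it, and fetches the status and output. The instance ID, admin CIDR, SSH port and service list are placeholders to replace.

```shell
#!/usr/bin/env bash
# Added example (not from the CIS Docker Benchmark or AWS docs): ship the
# Implementation Plan steps to a Debian/Ubuntu host through SSM as one
# non-interactive script, then fetch the result. Instance ID, admin CIDR,
# SSH port and service list are placeholders.
set -eu

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"           # assumed
ADMIN_CIDR="${ADMIN_CIDR:-10.0.0.0/8}"                        # assumed management network
DISABLE_SERVICES="${DISABLE_SERVICES:-vsftpd telnet.socket}"  # assumed
SSH_PORT="${SSH_PORT:-22}"

# The script that runs on the host. AWS-RunShellScript already runs as root,
# so no sudo. Every step is non-interactive: there is no terminal to answer
# apt's or ufw's prompts, and a prompt would hang the SSM command until it
# times out. The pre-change firewall state is saved for the backout plan, and
# SSH is allowed from the admin network before ufw is enabled, so enabling the
# firewall cannot lock the operators out.
build_remote_script() {
    cat <<EOF
set -e
export DEBIAN_FRONTEND=noninteractive
apt-get update -q
apt-get upgrade -y -q
for s in $DISABLE_SERVICES; do systemctl disable --now "\$s" || true; done
ufw status verbose > /root/ufw-before-hardening.txt
ufw default deny incoming
ufw default allow outgoing
ufw allow from $ADMIN_CIDR to any port $SSH_PORT proto tcp
ufw --force enable
ufw status verbose
EOF
}

# The "commands" parameter is a JSON list of shell lines. Embedding a
# multi-line script containing quotes, $ and && in that JSON by hand is error
# prone, so the script is sent base64-encoded and decoded on the host.
build_ssm_parameters() {
    local b64
    b64=$(build_remote_script | base64 | tr -d '\n')
    printf '{"commands":["echo %s | base64 -d | bash"]}' "$b64"
}

# Send the command, wait for it, and print status plus stdout/stderr. The
# waiter exits non-zero when the remote script failed; the output is still
# wanted in that case, hence `|| true`.
run_hardening() {
    local cmd_id
    cmd_id=$(aws ssm send-command \
        --document-name "AWS-RunShellScript" \
        --targets "Key=instanceIds,Values=$INSTANCE_ID" \
        --parameters "$(build_ssm_parameters)" \
        --query 'Command.CommandId' --output text)
    aws ssm wait command-executed --command-id "$cmd_id" --instance-id "$INSTANCE_ID" || true
    aws ssm get-command-invocation --command-id "$cmd_id" --instance-id "$INSTANCE_ID" \
        --query '{Status:Status,Stdout:StandardOutputContent,Stderr:StandardErrorContent}'
}

if [ "${1:-}" = --run ]; then run_hardening; fi
```

Run it as INSTANCE_ID=i-... ADMIN_CIDR=... ./harden_via_ssm.sh --run from a workstation with SSM permissions. A Status of Success together with "Status: active" and "Default: deny (incoming)" in the captured stdout confirms the change; a Failed status with the stderr text tells you which step broke, which the bare send-command invocations never would.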
Backout Plan:
Using AWS Console:
1. Log in to the EC2 instance.
2. Re-enable (and start) any disabled services if required:
sudo systemctl enable --now <service-name>
3. Revert firewall changes. ufw disable removes all host filtering, so it is only a correct backout if the host had no firewall before the change; otherwise restore the rule set that was recorded before hardening rule by rule:
sudo ufw disable
4. Restore previous user permissions by reversing the specific change that was made (re-add the group membership, or unlock the account):
sudo gpasswd -a <user-name> sudo
sudo usermod -U <user-name>
Recreating a deleted account with sudo useradd <user-name> does not restore its UID, group memberships, home directory or authorized keys, which is why the Implementation Plan prefers group removal or locking over userdel.
Using AWS CLI:
1. Use SSM to re-enable any services:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["systemctl enable --now <service-name>"]'
2. Use SSM to revert firewall settings (see the caveat above; this disables host filtering entirely):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["ufw disable"]'
3. Use SSM to restore user permissions:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["gpasswd -a <user-name> sudo"]'
References:
CIS Docker Benchmark