Profile Applicability:

  • Level 1

Description:

Rootless mode runs the Docker daemon (dockerd) and the containers it manages as an unprivileged user inside a user namespace, so neither needs root privileges on the host. A compromise of the daemon or a container breakout then yields only that user's privileges rather than root, which limits the blast radius of privilege-escalation attacks.

Rationale:

Running Docker in rootless mode reduces the attack surface by ensuring that neither the daemon nor its containers hold root privileges on the host. A vulnerability in the daemon or container runtime therefore cannot, by itself, be turned into root-level access to sensitive system resources.

Impact:

Pros:

  • Enhanced security by running Docker without root privileges.

  • Reduces the risk of container runtime vulnerabilities leading to a host system compromise.

Cons:

  • Rootless Docker requires specific configuration (the owning user needs subordinate UID/GID ranges in /etc/subuid and /etc/subgid, and cgroup v2 is needed for resource limits) and has functional limitations: overlay networks and AppArmor are not supported, binding ports below 1024 requires lowering the net.ipv4.ip_unprivileged_port_start sysctl, ping inside containers requires net.ipv4.ping_group_range, and --net=host does not give containers the real host network.

Default Value:

Docker daemon runs as the root user by default.

Pre-requisites:

  • Administrative access to the Docker host system.

  • Understanding the configuration steps for enabling rootless Docker.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.
  2. Check which user owns the dockerd process (the bracket in the pattern keeps grep from matching itself):
ps -eo user,pid,args | grep '[d]ockerd'
  3. The user column must show a non-root account. "root" means the daemon is running in rootful mode and the check fails. As a cross-check, docker info -f '{{.SecurityOptions}}' includes name=rootless when the client is talking to a rootless daemon.

Using AWS CLI:

  1. Connect to the EC2 instance.
  2. Run the command to check the user running the Docker daemon; any dockerd owned by root is a finding:
ps -eo user,pid,args | grep '[d]ockerd'
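The following audit helper is an added example and not part of the benchmark text. It encodes the Test Plan check as functions that take the output of ps and of docker info as arguments, so the verdict logic can be exercised offline against the constructed samples at the bottom (the process listings and security-option strings are made up for illustration, not captured from a real host); audit_host() wires the same functions to the live commands.

```shell
#!/usr/bin/env bash
# Added example: audit "is dockerd running as root?" for the rootless-mode check.
set -euo pipefail

# Print the user(s) owning a dockerd process, one per line, given
# `ps -eo user,pid,args` output. Only the daemon binary itself is matched
# (not dockerd-rootless.sh, rootlesskit or containerd).
dockerd_owners() {
  printf '%s\n' "$1" | awk '$3 ~ /(^|\/)dockerd$/ { print $1 }' | sort -u
}

# Return 0 if `docker info -f '{{.SecurityOptions}}'` output reports rootless mode,
# e.g. "[name=seccomp,profile=builtin name=rootless name=cgroupns]".
info_reports_rootless() {
  case "$1" in *"name=rootless"*) return 0 ;; *) return 1 ;; esac
}

# PASS (0) when no dockerd runs as root and the client reports rootless mode,
# FAIL (1) when dockerd is missing or owned by root,
# WARN (2) when dockerd is unprivileged but the client is not talking to it
# (typically DOCKER_HOST or the docker context still points at a rootful socket).
audit_verdict() {
  local ps_out="$1" info_out="$2" owners
  owners=$(dockerd_owners "$ps_out")
  if [ -z "$owners" ]; then
    echo "FAIL: no dockerd process found"; return 1
  fi
  if printf '%s\n' "$owners" | grep -qx root; then
    echo "FAIL: dockerd is running as root (rootful mode)"; return 1
  fi
  if ! info_reports_rootless "$info_out"; then
    echo "WARN: dockerd owned by $(printf '%s' "$owners" | tr '\n' ' ') but docker info does not report rootless"; return 2
  fi
  echo "PASS: dockerd runs as $(printf '%s' "$owners" | tr '\n' ' ') in rootless mode"; return 0
}

# Live check on a host; run as the user whose docker CLI targets the daemon under test.
audit_host() {
  audit_verdict "$(ps -eo user,pid,args)" \
                "$(docker info -f '{{.SecurityOptions}}' 2>/dev/null || true)"
}

# Constructed sample outputs for offline use (not from a real system).
SAMPLE_PS_ROOTFUL='USER       PID ARGS
root       812 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
root       900 /usr/bin/containerd'
SAMPLE_PS_ROOTLESS='USER       PID ARGS
dockeru   1501 rootlesskit --net=slirp4netns --mtu=65520 --disable-host-loopback --port-driver=builtin /usr/bin/dockerd-rootless.sh
dockeru   1520 dockerd
dockeru   1544 containerd --config /run/user/1001/docker/containerd/containerd.toml'
SAMPLE_INFO_ROOTLESS='[name=seccomp,profile=builtin name=rootless name=cgroupns]'
SAMPLE_INFO_ROOTFUL='[name=apparmor name=seccomp,profile=builtin name=cgroupns]'
```

Use audit_host on the EC2 instance itself; the WARN path matters because a host can have a correctly installed rootless daemon while the operator's docker CLI still points at /var/run/docker.sock, which makes "docker info" misleading on its own.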


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Follow Docker's rootless installation guide: install the uidmap package (and docker-ce-rootless-extras, which provides the setup tool), confirm the owning account has subordinate UID/GID ranges in /etc/subuid and /etc/subgid, disable the rootful daemon (systemctl disable --now docker.service docker.socket), then run dockerd-rootless-setuptool.sh install as that non-root user. The tool refuses to run as root.

Using AWS CLI:

  1. Use SSM to install and configure Docker in rootless mode. AWS-RunShellScript executes as root, so the setup tool must be handed off to the unprivileged account (docker_user below is a placeholder for that account, which must already exist):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["apt-get install -y uidmap docker-ce-rootless-extras","systemctl disable --now docker.service docker.socket","loginctl enable-linger docker_user","sudo -iu docker_user env XDG_RUNTIME_DIR=/run/user/$(id -u docker_user) dockerd-rootless-setuptool.sh install"]'
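The script below is an added example, not Docker's or AWS's own code, that carries the Implementation Plan through as one procedure for a Debian/Ubuntu EC2 host reached through SSM. It assumes a root shell (as AWS-RunShellScript provides), a hypothetical target account name passed as the first argument, and that the account may need to be created; the XDG_RUNTIME_DIR and D-Bus settings are an assumption about what a non-login SSM session lacks for systemctl --user to work. The one-liner on this page omits the subordinate-ID prerequisite, which is the usual reason dockerd-rootless-setuptool.sh aborts on a host where the account was created with useradd rather than adduser.

```shell
#!/usr/bin/env bash
# Added example: enable rootless Docker for an unprivileged account on a Debian/Ubuntu host.
set -euo pipefail

# Ensure $2 (an /etc/subuid- or /etc/subgid-style file) grants user $1 a
# subordinate-ID range of at least 65536, which the setup tool requires.
# Entries have the form user:start:count; a new range is placed just past
# the highest one already allocated (base 100000 on an empty file).
ensure_subid_range() {
  local user="$1" file="$2" need=65536 start
  if awk -F: -v u="$user" -v n="$need" \
        '$1==u && $3>=n {found=1} END {exit !found}' "$file"; then
    return 0
  fi
  start=$(awk -F: 'BEGIN{m=100000} {e=$2+$3; if (e>m) m=e} END{print m}' "$file")
  printf '%s:%s:%s\n' "$user" "$start" "$need" >> "$file"
}

# Full remediation. Must run as root; $1 is the account that will own the daemon.
enable_rootless_docker() {
  local user="$1" uid
  id "$user" >/dev/null 2>&1 || useradd --create-home --shell /bin/bash "$user"

  # uidmap provides newuidmap/newgidmap; the extras package ships the setup tool.
  apt-get install -y uidmap docker-ce-rootless-extras
  ensure_subid_range "$user" /etc/subuid
  ensure_subid_range "$user" /etc/subgid

  # The rootful daemon and its socket must not keep running beside the rootless one.
  systemctl disable --now docker.service docker.socket

  # A lingering user manager lets the user's docker.service start at boot without a login.
  loginctl enable-linger "$user"
  uid=$(id -u "$user")

  # The setup tool refuses to run as root, so hand off to the target user.
  # XDG_RUNTIME_DIR / DBUS_SESSION_BUS_ADDRESS are set because an SSM session has no
  # login session for the user (assumption about the SSM environment).
  sudo -iu "$user" env \
      XDG_RUNTIME_DIR="/run/user/$uid" \
      DBUS_SESSION_BUS_ADDRESS="unix:path=/run/user/$uid/bus" \
      dockerd-rootless-setuptool.sh install

  # Point the user's client at the rootless socket for future logins.
  printf 'export DOCKER_HOST=unix:///run/user/%s/docker.sock\n' "$uid" \
      >> "/home/$user/.bashrc"
}

# Usage (on the host, as root): enable_rootless_docker docker_user
```

After running it, re-run the Test Plan check as that user; ps should show dockerd owned by the account and docker info should list name=rootless.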


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.
  2. Revert to rootful Docker: as the account that owns the rootless daemon, run the setup tool's uninstall step (it disables and stops the user's docker.service), then re-enable the system daemon and remove the rootless extras package. Removing only the package does not stop a rootless daemon that is already running.
dockerd-rootless-setuptool.sh uninstall
sudo systemctl enable --now docker.service docker.socket
sudo apt remove -y docker-ce-rootless-extras
  3. Unset DOCKER_HOST (or switch the docker context back to default) so the client talks to /var/run/docker.sock again. The user's rootless data under ~/.local/share/docker is left in place unless removed deliberately.


Using AWS CLI:

  1. Use SSM to revert Docker to its rootful configuration (docker_user is a placeholder for the account that owns the rootless daemon; -y is required because the SSM run has no terminal for apt to prompt on):
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sudo -iu docker_user env XDG_RUNTIME_DIR=/run/user/$(id -u docker_user) dockerd-rootless-setuptool.sh uninstall","systemctl enable --now docker.service docker.socket","apt-get remove -y docker-ce-rootless-extras"]'


References: