Profile Applicability:
Level 1
Description:
By default, Docker allows all network traffic between containers on the same host using the default bridge network (docker0). This check ensures that network traffic between containers on the default bridge network is restricted, minimizing the exposure of sensitive data between containers.
Rationale:
Docker’s default network bridge allows all containers to communicate with each other. In a multi-tenant environment, this unrestricted communication can lead to potential security risks, such as unauthorized data access. Restricting network traffic between containers ensures that only the containers that need to communicate can do so, reducing the risk of information leaks.
Impact:
Pros:
Reduces the attack surface by limiting the scope of inter-container communication.
Enhances privacy and security between containers running on the same host.
Cons:
If containers require inter-container communication, additional configuration is needed to explicitly link them or create custom networks.
Default Value:
By default, inter-container communication is allowed on the default docker0 bridge network.
Pre-requisites:
Administrative access to the Docker host.
Knowledge of Docker’s networking model and the ability to configure Docker networks.
Remediation:
Test Plan:
Using AWS Console:
- Log in to the EC2 instance running Docker.
- Verify the configuration of the default network bridge by running the following command:
docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
- Ensure that the output contains com.docker.network.bridge.enable_icc:false for the default network bridge (the network named bridge in the output).
Using AWS CLI:
- Connect to the EC2 instance running Docker.
- Run the following command to check the network settings:
docker network ls --quiet | xargs docker network inspect --format '{{ .Name }}: {{ .Options }}'
- Ensure that the output for the default network bridge indicates that inter-container communication is disabled:
com.docker.network.bridge.enable_icc:false
Implementation Plan:
Using AWS Console:
- Edit the Docker daemon configuration file (/etc/docker/daemon.json) and add "icc": false to disable inter-container communication on the default bridge.
- Restart the Docker daemon.
Using AWS CLI:
- Use SSM to remotely update the Docker configuration file and restart the Docker daemon. Note that the command below replaces the whole /etc/docker/daemon.json; if the file already holds other settings, merge "icc": false into the existing JSON instead of overwriting it:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"{\\\"icc\\\": false}\" > /etc/docker/daemon.json && sudo systemctl restart docker"]'
Backout Plan:
Using AWS Console:
- Log in to the EC2 instance running Docker.
- Remove the "icc": false line from the /etc/docker/daemon.json file, making sure the remaining content is still valid JSON (leave {} or delete the file if icc was its only setting).
- Restart Docker.
Using AWS CLI:
- Use SSM to remotely remove the configuration and restart Docker. The sed command deletes every line containing icc, so confirm the file is still valid JSON before the daemon is restarted:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"/icc/d\" /etc/docker/daemon.json && sudo systemctl restart docker"]'
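The following Python is an added example, not part of the benchmark, that performs the audit and remediation steps above against constructed data: it parses the JSON form of docker network inspect to find the default bridge and read its enable_icc option, and it merges "icc": false into daemon.json (and removes it again for the backout) without discarding the other keys that the echo redirection above would overwrite. The inspect output and the daemon.json contents are constructed samples, the daemon.json path is whatever the caller passes (the demo uses a temporary directory), and the function names are the example's own.

```python
import json
import os
import tempfile

ICC_OPTION = "com.docker.network.bridge.enable_icc"
DEFAULT_BRIDGE_OPTION = "com.docker.network.bridge.default_bridge"

def default_bridge_icc_enabled(inspect_json: str) -> bool:
    """Parse `docker network inspect` JSON; report whether ICC is still on for the
    default docker0 bridge (default_bridge:true; a missing enable_icc option means on)."""
    for net in json.loads(inspect_json):
        opts = net.get("Options") or {}
        if opts.get(DEFAULT_BRIDGE_OPTION) == "true":
            return opts.get(ICC_OPTION, "true").lower() != "false"
    raise ValueError("default bridge network not found in inspect output")

def set_icc(daemon_json_path: str, enabled: bool) -> dict:
    """Merge the "icc" key into daemon.json and keep every other setting, which an
    `echo '{...}' > daemon.json` would discard. Caller restarts dockerd afterwards."""
    config = {}
    if os.path.exists(daemon_json_path):
        with open(daemon_json_path) as f:
            text = f.read().strip()
        config = json.loads(text) if text else {}
    if enabled:
        config.pop("icc", None)  # icc defaults to true; dropping the key restores it
    else:
        config["icc"] = False
    tmp = daemon_json_path + ".tmp"
    with open(tmp, "w") as f:
        json.dump(config, f, indent=2)
    os.replace(tmp, daemon_json_path)  # atomic: dockerd never reads a half-written file
    return config

def sample_inspect(icc_value: str) -> str:
    """Constructed `docker network inspect` output, not captured from a real host."""
    bridge_opts = {DEFAULT_BRIDGE_OPTION: "true", ICC_OPTION: icc_value}
    return json.dumps([{"Name": "bridge", "Driver": "bridge", "Options": bridge_opts},
                       {"Name": "host", "Driver": "host", "Options": {}}])

def demo() -> dict:
    """Audit constructed inspect output, then harden and back out a constructed daemon.json."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "daemon.json")
        with open(path, "w") as f:  # pre-existing settings that a blind overwrite would lose
            json.dump({"log-driver": "json-file", "live-restore": True}, f)
        results = {"hardened": set_icc(path, False), "restored": set_icc(path, True)}
    results["icc_before"] = default_bridge_icc_enabled(sample_inspect("true"))
    results["icc_after"] = default_bridge_icc_enabled(sample_inspect("false"))
    return results
```

On a real host, feed the output of docker network inspect $(docker network ls --quiet) to default_bridge_icc_enabled and point set_icc at /etc/docker/daemon.json before restarting the daemon.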
References:
CIS Docker Benchmark v1.7