Profile Applicability:
Level 1
Description:
The default bridge network in Docker is a local network that allows containers to communicate with each other. Restricting traffic between containers on the default bridge ensures that containers only communicate when explicitly configured to do so, which enhances security.
Rationale:
By default, containers on the default bridge network can communicate freely with each other. Restricting this traffic ensures that containers are isolated and reduces the risk of lateral movement in case one container is compromised.
Impact:
Pros:
Enhances container isolation, limiting communication to only those containers that need it.
Reduces the attack surface by preventing unnecessary network communication between containers.
Cons:
May require additional configuration to ensure that containers needing to communicate are properly connected, which could complicate network setups.
Default Value:
By default, containers on the default bridge network can communicate with each other.
Prerequisites:
Administrative privileges on the Docker host.
Familiarity with Docker networking and bridge configurations.
Remediation:
Test Plan:
Using AWS Console:
Log in to the EC2 instance running Docker.
Verify that containers on the default bridge network are isolated using the following command:
docker network inspect bridge
Confirm that the Options section of the output shows com.docker.network.bridge.enable_icc set to "false".
Using AWS CLI:
Connect to the EC2 instance where Docker is running.
Run the following command to inspect the bridge network:
docker network inspect bridge
Ensure that com.docker.network.bridge.enable_icc is reported as "false" in the Options section; a value of "true" means inter-container communication on the default bridge is still allowed.
Implementation Plan:
Using AWS Console:
Log in to the EC2 instance.
Edit the Docker daemon configuration file (/etc/docker/daemon.json) so that it contains the following setting. The icc key is a JSON boolean, so the value is false, not the string "false" (the daemon rejects a string here). Keep any other settings already present in the file:
{ "icc": false }
Restart the Docker daemon to apply the changes:
sudo systemctl restart docker
Using AWS CLI:
Use SSM to remotely update the Docker configuration and restart the Docker daemon. Note that the redirection below replaces the whole daemon.json; if the file already holds other settings, merge the icc key into it instead of overwriting:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \"{ \\\"icc\\\": false }\" > /etc/docker/daemon.json && sudo systemctl restart docker"]'
Backout Plan:
Using AWS Console:
Log in to the EC2 instance.
Remove the "icc": false setting from the /etc/docker/daemon.json file, leaving valid JSON behind.
Restart the Docker daemon to apply the changes, as in the Implementation Plan.
Using AWS CLI:
Use SSM to remove the "icc": false setting and restart the Docker daemon. The sed command deletes every line containing "icc"; this is safe for the single-key file written in the Implementation Plan, but if daemon.json holds other keys, check afterwards that no trailing comma is left on the preceding line:
aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["sed -i \"/icc/d\" /etc/docker/daemon.json && sudo systemctl restart docker"]'
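The test, implementation and backout plans above all hinge on two JSON documents: the output of docker network inspect bridge and the contents of /etc/docker/daemon.json. The following Python helpers are an added example for this page, not part of the CIS Docker Benchmark or of Docker; they assume the JSON shapes Docker uses (a JSON array of network objects whose Options map carries com.docker.network.bridge.enable_icc as a string, and a daemon.json object in which icc is a boolean). They audit the inspect output for the benchmark condition and edit daemon.json without the two pitfalls of the one-liners above: clobbering other settings with a shell redirect, and leaving broken JSON behind after a line-based sed delete. The sample inspect output and daemon.json are constructed, not captured from a real host.

```python
"""Audit and edit Docker's inter-container-communication (icc) setting.

Added example for this benchmark page (not CIS or Docker code). Assumes:
  - `docker network inspect bridge` prints a JSON array of network objects whose
    "Options" map holds "com.docker.network.bridge.enable_icc" as a string, and
  - /etc/docker/daemon.json is a JSON object in which "icc" is a boolean.
"""
import json
from pathlib import Path
from typing import Optional

ICC_OPTION = "com.docker.network.bridge.enable_icc"


def icc_disabled(inspect_output: str) -> bool:
    """Return True when the default bridge reports enable_icc == "false".

    A missing option is treated as the Docker default (icc enabled), so it
    counts as NOT restricted and the check fails closed.
    """
    networks = json.loads(inspect_output)
    for net in networks:
        if net.get("Name") != "bridge":
            continue
        value = (net.get("Options") or {}).get(ICC_OPTION, "true")
        return str(value).lower() == "false"
    raise ValueError("no network named 'bridge' in inspect output")


def set_icc(daemon_json: str, enabled: bool) -> str:
    """Return daemon.json text with "icc" set to `enabled`, keeping other keys.

    `echo '{ "icc": false }' > daemon.json` replaces the whole file; merging
    keeps settings such as "log-driver" intact.
    """
    config = json.loads(daemon_json) if daemon_json.strip() else {}
    config["icc"] = enabled
    return json.dumps(config, indent=2) + "\n"


def remove_icc(daemon_json: str) -> str:
    """Return daemon.json text without the "icc" key (the backout), as valid JSON.

    Unlike `sed -i '/icc/d'`, this cannot leave a dangling comma behind.
    """
    config = json.loads(daemon_json) if daemon_json.strip() else {}
    config.pop("icc", None)
    return json.dumps(config, indent=2) + "\n"


def update_daemon_json(path: Path, enabled: Optional[bool]) -> None:
    """Rewrite `path` in place: enabled=None removes the key, else sets it.

    Restarting the daemon afterwards (sudo systemctl restart docker) is still
    required for the change to take effect; this function does not do that.
    """
    text = path.read_text() if path.exists() else ""
    path.write_text(remove_icc(text) if enabled is None else set_icc(text, enabled))


# Constructed sample of `docker network inspect bridge` output, trimmed to the
# fields the check uses (not captured from a real host).
SAMPLE_INSPECT = json.dumps([{
    "Name": "bridge",
    "Driver": "bridge",
    "Options": {
        "com.docker.network.bridge.default_bridge": "true",
        "com.docker.network.bridge.enable_icc": "false",
        "com.docker.network.bridge.name": "docker0",
    },
}])

# Constructed daemon.json holding an unrelated setting that a blind overwrite
# with `echo ... > /etc/docker/daemon.json` would silently discard.
SAMPLE_DAEMON_JSON = '{\n  "log-driver": "json-file",\n  "icc": true\n}\n'

if __name__ == "__main__":
    print("default bridge icc restricted:", icc_disabled(SAMPLE_INSPECT))
    print(set_icc(SAMPLE_DAEMON_JSON, False), end="")
    print(remove_icc(SAMPLE_DAEMON_JSON), end="")
```

On a real host the inspect text comes from `docker network inspect bridge` and the file path is Path("/etc/docker/daemon.json"); run the edit as root and restart the daemon afterwards. Because icc_disabled treats a missing option as enabled, an inspect output that lacks the key fails the check rather than passing it by accident.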
References:
CIS Docker Benchmark v1.7