Profile Applicability:

  • Level 2 

Description:

User namespace support should be enabled in the Docker daemon so that users inside containers are remapped to unprivileged users on the host. This configuration adds a security layer by isolating container users from host system users.

Rationale:

Enabling user namespaces in Docker allows containers to have their own range of user and group IDs (UID/GID), separate from those used by the host system. This enhances security by ensuring that the root user inside the container is mapped to a non-privileged user on the host system.

Impact:

Pros:

  • Provides better security by mapping the container's root user to a non-root user on the host.

  • Limits the potential for privilege escalation attacks between containers and the host system.

Cons:

  • User namespace remapping is still in its early stages and may cause issues or difficulty in configuring some container images, especially if they rely on specific user IDs. Enabling it also makes the daemon use a separate data directory for the remapped user, so images and containers created before the change are no longer visible until they are pulled or created again.

Default Value:

  • By default, user namespaces are not enabled in Docker. Docker containers share the host's user namespace unless configured otherwise.

Pre-requisites:

  • Administrative access to the Docker host system.

  • Docker daemon must be restarted to apply changes.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Check if user namespace support is enabled by running the following command and confirming that name=userns appears in the output:

    docker info --format '{{ .SecurityOptions }}'

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to check for user namespace support and confirm that name=userns appears in the output:

    docker info --format '{{ .SecurityOptions }}'


Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Ensure that the /etc/subuid and /etc/subgid files exist. If they do not, create them:

    touch /etc/subuid /etc/subgid

  3. Modify the Docker daemon configuration file /etc/docker/daemon.json to enable user namespace remapping (add the key to any existing settings rather than replacing the file):

    {
      "userns-remap": "default"
    }

  4. Restart Docker to apply the configuration:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to ensure the /etc/subuid and /etc/subgid files exist, write the user namespace remapping setting and restart Docker (replace instance_id; this command overwrites /etc/docker/daemon.json, so merge the key by hand if the file already holds other settings):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["touch /etc/subuid /etc/subgid && echo '\''{\"userns-remap\": \"default\"}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]'
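The Test Plan above only prints the daemon's security options; the following added audit script (not part of the benchmark text) turns that output plus the two implementation steps into pass/fail checks. It assumes the default remap user dockremap and the config path /etc/docker/daemon.json, runs against constructed samples by default, and audits the live host when RUN_AUDIT=1 is set.

```shell
#!/bin/sh
# Added audit helper for this control, not part of the benchmark text. Assumes the
# default remap user "dockremap" and /etc/docker/daemon.json; the live audit needs docker.

# $1: output of `docker info --format '{{ .SecurityOptions }}'`; 0 if userns is listed.
userns_in_security_options() {
    case " $1 " in *"name=userns "*|*"name=userns,"*|*"name=userns]"*) return 0 ;; esac
    return 1
}

# $1: contents of /etc/subuid or /etc/subgid, $2: user, $3: minimum range size;
# 0 if $2 owns a subordinate range of at least $3 ids.
has_subid_range() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v n="$3" \
        '$1 == u && $3 + 0 >= n + 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# $1: contents of daemon.json; 0 if "userns-remap" has a non-empty string value.
daemon_json_sets_userns_remap() {
    printf '%s\n' "$1" | grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"'
}

# Checks the live host (daemon, subordinate id files, daemon.json), prints one
# PASS/FAIL line per check and returns 0 only when every check passes.
audit_host() {
    rc=0
    opts=$(docker info --format '{{ .SecurityOptions }}' 2>/dev/null) || opts=""
    userns_in_security_options "$opts" && echo "PASS daemon reports userns" \
        || { echo "FAIL daemon reports: ${opts:-<docker info failed>}"; rc=1; }
    for f in /etc/subuid /etc/subgid; do
        has_subid_range "$(cat "$f" 2>/dev/null)" dockremap 65536 \
            && echo "PASS $f grants dockremap 65536 ids" \
            || { echo "FAIL $f lacks a dockremap range of 65536 ids"; rc=1; }
    done
    daemon_json_sets_userns_remap "$(cat /etc/docker/daemon.json 2>/dev/null)" \
        && echo "PASS daemon.json sets userns-remap" \
        || { echo "FAIL daemon.json does not set userns-remap"; rc=1; }
    return "$rc"
}
# Constructed sample inputs (not from a real host) so the parsers run offline.
SAMPLE_OPTS="[name=apparmor name=seccomp,profile=builtin name=userns name=cgroupns]"
SAMPLE_SUBUID="root:100000:65536
dockremap:231072:65536"
# RUN_AUDIT=1 audits the live host; otherwise the constructed samples are checked.
if [ "${RUN_AUDIT:-0}" = 1 ]; then audit_host; else
    userns_in_security_options "$SAMPLE_OPTS" && has_subid_range "$SAMPLE_SUBUID" dockremap 65536 \
        && daemon_json_sets_userns_remap '{"userns-remap": "default"}' && echo "self-check ok"
fi
```

Run it as root on the Docker host with RUN_AUDIT=1 before and after the implementation steps; a non-zero exit means at least one check failed.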


Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Revert the Docker configuration by removing the "userns-remap" key from /etc/docker/daemon.json (restore the file's previous contents; if it held no other settings, leave an empty object):

    {
    }

  3. Restart Docker:

    sudo systemctl restart docker


Using AWS CLI:

  1. Use SSM to disable user namespace remapping and restart Docker (replace instance_id; this writes an empty daemon.json, so restore the previous file instead if it held other settings):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo '\''{}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]'


References: