Profile Applicability:

  • Level 1

Description:

Docker containers should be restricted from acquiring new privileges (such as root privileges through setuid or setgid binaries, or through file capabilities) at runtime. This is configured with the no-new-privileges security option: --security-opt=no-new-privileges on docker run for an individual container, or --no-new-privileges on the Docker daemon ("no-new-privileges": true in /etc/docker/daemon.json) to make it the default for every container. The option sets the Linux no_new_privs bit on the container's processes, so that executing another program can never grant more privileges than the calling process already holds.

Rationale:

Allowing containers to acquire new privileges could lead to privilege escalation, especially if the container is compromised. With privilege escalation restricted, an attacker who breaches a container cannot use setuid or setgid binaries or file capabilities inside it to obtain privileges the process did not start with, which removes a common step on the path from a compromised container to root-level access on the host.

Impact:

Pros:

  • Improves security by preventing privilege escalation inside containers.

  • Helps mitigate attacks where an attacker gains access to a container and tries to exploit the container to escalate privileges.

Cons:

  • May require additional configuration to ensure all containers are properly restricted.

  • Some containers rely on gaining privileges at runtime (for example an entrypoint that uses su or sudo, or a setuid helper), so testing is required to ensure compatibility.

Default Value:

By default, Docker containers are not restricted from acquiring new privileges unless explicitly configured.

Pre-requisites:

  • Docker installed and running.

  • Administrative privileges to modify Docker daemon or container configurations.

Remediation:

Test Plan:

Using AWS Console:

  1. Log in to the EC2 instance running Docker.

  2. Check whether the no-new-privileges option is set on a running container by inspecting its security options (the option is recorded in HostConfig.SecurityOpt; there is no HostConfig.NoNewPrivileges field):

    docker inspect --format '{{.Id}}: SecurityOpt={{.HostConfig.SecurityOpt}}' <container_id>

  3. A container that inherits the setting from the daemon default may not list it in SecurityOpt, so confirm the effective state on the container's init process from the host; the kernel reports NoNewPrivs: 1 when the bit is set:

    grep NoNewPrivs /proc/$(docker inspect --format '{{.State.Pid}}' <container_id>)/status

Using AWS CLI:

  1. Connect to the EC2 instance where Docker is running.

  2. Run the following command to verify whether the no-new-privileges option is set for the container (it is recorded in HostConfig.SecurityOpt):

    docker inspect --format '{{.Id}}: SecurityOpt={{.HostConfig.SecurityOpt}}' <container_id>

  3. Because a daemon-wide default may not appear in SecurityOpt, also check the effective state of the container's init process from the host (NoNewPrivs: 1 means the bit is set):

    grep NoNewPrivs /proc/$(docker inspect --format '{{.State.Pid}}' <container_id>)/status

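To audit every container on the instance at once rather than one container_id at a time, the following script (an added example, not part of this benchmark) parses the JSON produced by docker inspect together with /etc/docker/daemon.json and reports which containers lack the option; the embedded inspect data is a constructed sample, and docker itself is only invoked when the file is run as a program.

```python
import json
import subprocess
from pathlib import Path
from typing import Dict, Optional

SAMPLE_INSPECT = json.dumps([  # constructed sample of `docker inspect` output, only the fields used here
    {"Id": "c0ffee01", "Name": "/web", "HostConfig": {"SecurityOpt": ["no-new-privileges"]}},
    {"Id": "c0ffee02", "Name": "/worker", "HostConfig": {"SecurityOpt": ["no-new-privileges:false"]}},
    {"Id": "c0ffee03", "Name": "/batch", "HostConfig": {"SecurityOpt": None}},
])

def daemon_default(daemon_json_text: str) -> bool:
    """True only if daemon.json sets "no-new-privileges": true; an unreadable file
    or a misspelt key (e.g. "security-opt") counts as not configured."""
    try:
        cfg = json.loads(daemon_json_text) if daemon_json_text.strip() else {}
    except json.JSONDecodeError:
        return False
    return cfg.get("no-new-privileges") is True

def explicit_setting(security_opt) -> Optional[bool]:
    """Per-container value from HostConfig.SecurityOpt; docker run accepts
    'no-new-privileges', 'no-new-privileges:true' and 'no-new-privileges=false'."""
    for opt in security_opt or []:
        key, _, value = opt.replace("=", ":", 1).partition(":")
        if key == "no-new-privileges":
            return value.lower() != "false" if value else True
    return None

def audit(inspect_json_text: str, daemon_json_text: str) -> Dict[str, bool]:
    """Map container name -> whether no-new-privileges is in effect. An explicit
    per-container value is reported as-is; containers that set nothing inherit the daemon default."""
    default_on = daemon_default(daemon_json_text)
    findings = {}
    for container in json.loads(inspect_json_text):
        explicit = explicit_setting(container.get("HostConfig", {}).get("SecurityOpt"))
        findings[container["Name"]] = default_on if explicit is None else explicit
    return findings

if __name__ == "__main__":  # live run; falls back to the constructed sample if docker is unavailable
    try:
        ids = subprocess.check_output(["docker", "ps", "-q"], text=True).split()
        live = subprocess.check_output(["docker", "inspect", *ids], text=True) if ids else "[]"
    except (OSError, subprocess.CalledProcessError):
        live = SAMPLE_INSPECT
    cfg_path = Path("/etc/docker/daemon.json")
    for name, ok in sorted(audit(live, cfg_path.read_text() if cfg_path.exists() else "").items()):
        print("PASS" if ok else "FAIL", name)
```

A FAIL for a container that sets nothing means the daemon default is also off; fix it either per container or in daemon.json as described under the Implementation Plan.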

Implementation Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Ensure that the no-new-privileges option is applied to all containers, either through the daemon default or on each container at runtime. To add it to a single container when it is started (docker run has no --no-new-privileges flag; the option is passed through --security-opt):

    docker run --security-opt=no-new-privileges <other-options> <image-name>

  3. Alternatively, make it the default for every container the daemon starts by adding the following to /etc/docker/daemon.json (merge the key into the file if it already contains other settings; "security-opt" is not a valid daemon.json key):

    {
      "no-new-privileges": true
    }

  4. Restart Docker to apply the configuration:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to set the daemon-wide default on the instance. Note that the command below overwrites /etc/docker/daemon.json; if the file already holds other daemon settings, merge "no-new-privileges": true into it instead of replacing it:

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo '\''{\"no-new-privileges\": true}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]'

Backout Plan:

Using AWS Console:

  1. Log in to the EC2 instance.

  2. Remove the no-new-privileges default from the Docker configuration by setting it to false in /etc/docker/daemon.json (or deleting the key), and remove --security-opt=no-new-privileges from any container run commands that were changed:

    {
      "no-new-privileges": false
    }

  3. Restart Docker:

    sudo systemctl restart docker

Using AWS CLI:

  1. Use SSM to disable the daemon-wide default and restart Docker (as in the implementation step, this overwrites /etc/docker/daemon.json):

    aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo '\''{\"no-new-privileges\": false}'\'' > /etc/docker/daemon.json && sudo systemctl restart docker"]'

References: