iCompaas Support

Profile Applicability:

• Level 1
  

Description:

Docker containers should be restricted from acquiring new privileges (such as root privileges) during runtime. This can be configured by setting the --no-new-privileges flag, which prevents containers from escalating their privileges during execution.

Rationale:

Allowing containers to acquire new privileges could lead to privilege escalation, especially if the container is compromised. By restricting privilege escalation, you can ensure that even if a container is breached, the attacker cannot gain root-level access to the host system.

Impact:

Pros:

• Improves security by preventing privilege escalation inside containers.
  

• Helps mitigate attacks where an attacker gains access to a container and tries to exploit the container to escalate privileges.
  

Cons:

• May require additional configuration to ensure all containers are properly restricted.
  

• Some containers may require elevated privileges, so testing is required to ensure compatibility.
  

Default Value:

By default, Docker containers are not restricted from acquiring new privileges unless explicitly configured.

Pre-requisites:

• Docker installed and running.
  

• Administrative privileges to modify Docker daemon or container configurations.
  

Remediation:

Test Plan:

Using AWS Console:

1. Log in to the EC2 instance running Docker.
   

2. Check if the --no-new-privileges flag is applied by inspecting a running container:
   

   docker inspect --format '{{.HostConfig.NoNewPrivileges}}' <container_id>

   
   

Using AWS CLI:

1. Connect to the EC2 instance where Docker is running.
   

2. Run the following command to verify if the --no-new-privileges flag is set for the container:
   

   docker inspect --format '{{.HostConfig.NoNewPrivileges}}' <container_id>

   
   

Implementation Plan:

Using AWS Console:

1. Log in to the EC2 instance.
   

2. Ensure that the --no-new-privileges flag is applied to all containers either by default or during container runtime. To add it to container execution:
   

   docker run --no-new-privileges <other-options> <image-name>

3. Alternatively, you can configure it in Docker's default settings for all containers by modifying the /etc/docker/daemon.json file to include:
   

4. {
     "security-opt": ["no-new-privileges"]
   
   }

5. Restart Docker to apply the configuration:
   

   sudo systemctl restart docker

   
   

Using AWS CLI:

1. Use SSM to ensure the --no-new-privileges flag is added to all containers by modifying the default Docker daemon settings:
   

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \'{\"security-opt\": [\"no-new-privileges\"]}\' > /etc/docker/daemon.json && sudo systemctl restart docker"]'

   
   

Backout Plan:

Using AWS Console:

1. Log in to the EC2 instance.
   

2. Remove the --no-new-privileges flag from the container or Docker configuration by modifying the /etc/docker/daemon.json file:
   

   {
     "security-opt": []
   }

3. Restart Docker:
   

sudo systemctl restart docker

Using AWS CLI:

1. Use SSM to remove the --no-new-privileges flag and restart Docker:
   

   aws ssm send-command --document-name "AWS-RunShellScript" --targets "Key=instanceIds,Values=instance_id" --parameters 'commands=["echo \'{\"security-opt\": []}\' > /etc/docker/daemon.json && sudo systemctl restart docker"]'

   
   

References:

• Docker Security Documentation